test(storemodel): three regression tests for path-traversal rejection in dropMimeData (#1466)

annejan · claude · web-flow · commit 90828adde7aa · 2026-05-12T17:52:21.000+02:00
#1464 added a canonical-path check in StoreModel::executeDropAction that refuses any drop whose source or destination resolves outside the password store. The patch shipped with unit tests on the Util::isPathInStore helper, but the integration of that helper into the drop flow was only manually verified. These three tests close that gap by crafting mime data with out-of-store source paths and asserting dropMimeData() returns false without ever reaching Pass::Move/Copy. - dropMimeDataRejectsSourceOutsideStore: mime carries /etc/passwd as the source. canDropMimeData() lets it through (it's a UI policy layer, not a fs check); executeDropAction's Util::isPathInStore call must reject. - dropMimeDataRejectsAbsoluteOutsideSource: source is a real filesystem path inside a sibling QTemporaryDir, so the check runs through canonical resolution on an existing path rather than a non-existent one. - dropMimeDataRejectsSymlinkEscape: creates a symlink physically inside the store that resolves to a sibling QTemporaryDir, then drops it onto a store-internal folder. canonicalFilePath() must follow the link and reject. Unix-only — symlink creation on Windows needs developer-mode / elevation. Validated by temporarily defanging the guard (replacing the if condition with `false && (...)`) — all three tests fail without the check, confirming they actually exercise the security boundary. With the guard in place, the qWarning output names each rejection. Build clean. 33/33 storemodel tests pass (was 30, +3 new). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/tests/auto/model/tst_storemodel.cpp b/tests/auto/model/tst_storemodel.cpp
@@ -31,6 +31,9 @@ private Q_SLOTS:
   void canDropFileOnDir();
   void canDropFileOnFile();
   void canDropDirOnFile();
+  void dropMimeDataRejectsSourceOutsideStore();
+  void dropMimeDataRejectsAbsoluteOutsideSource();
+  void dropMimeDataRejectsSymlinkEscape();
   void lessThan();
   void lessThanDirsFirst();
   void supportedDropActions();
@@ -456,5 +459,64 @@ void tst_storemodel::canDropDirOnFile() {
       !fx.sm.canDropMimeData(mime.get(), Qt::MoveAction, 0, 0, fx.fileProxy()));
 }
 
+// ---------------------------------------------------------------------------
+// dropMimeData() path-traversal rejection (security regression for #1464)
+//
+// canDropMimeData is a UI policy layer (kind/column/MIME-type constraints)
+// and intentionally does not touch the filesystem. The store-boundary check
+// lives one layer down in executeDropAction. These tests exercise that
+// layer with crafted mime data whose source path escapes the store and
+// verify the drop is refused (returns false) without ever reaching Pass::Move
+// or Pass::Copy.
+// ---------------------------------------------------------------------------
+
+void tst_storemodel::dropMimeDataRejectsSourceOutsideStore() {
+  DropFixture fx;
+  // The fs model rooted at the store has no concept of /etc/passwd as a
+  // child; crafting that path into the mime payload simulates a malicious
+  // (or buggy) source that doesn't go through StoreModel::mimeData().
+  auto mime = makeMimeData(dragAndDropInfoPasswordStore::ItemKind::File,
+                           QStringLiteral("/etc/passwd"));
+  QVERIFY2(
+      !fx.sm.dropMimeData(mime.get(), Qt::MoveAction, 0, 0, fx.folderProxy()),
+      "drop with src=/etc/passwd must be refused");
+}
+
+void tst_storemodel::dropMimeDataRejectsAbsoluteOutsideSource() {
+  DropFixture fx;
+  // Use a path inside QTemporaryDir's parent (system tempdir) but outside
+  // the store to exercise the canonical-path check on a path that exists
+  // on disk, not just one that the filesystem can't resolve.
+  QTemporaryDir outside;
+  QVERIFY2(outside.isValid(), "outside temp dir should be valid");
+  auto mime = makeMimeData(dragAndDropInfoPasswordStore::ItemKind::File,
+                           outside.path() + "/elsewhere.gpg");
+  QVERIFY2(
+      !fx.sm.dropMimeData(mime.get(), Qt::CopyAction, 0, 0, fx.folderProxy()),
+      "drop with src in a sibling tempdir must be refused");
+}
+
+void tst_storemodel::dropMimeDataRejectsSymlinkEscape() {
+#ifdef Q_OS_WIN
+  QSKIP("symlink creation requires elevation on Windows");
+#else
+  DropFixture fx;
+  // A symlink physically inside the store that resolves outside —
+  // canonical-path resolution catches this even though the path string
+  // starts with the store root.
+  QTemporaryDir outside;
+  QVERIFY2(outside.isValid(), "outside temp dir should be valid");
+  const QString linkPath = fx.tempDir.path() + "/escape";
+  QVERIFY2(QFile::link(outside.path(), linkPath),
+           "QFile::link should create symlink in store");
+
+  auto mime =
+      makeMimeData(dragAndDropInfoPasswordStore::ItemKind::File, linkPath);
+  QVERIFY2(
+      !fx.sm.dropMimeData(mime.get(), Qt::MoveAction, 0, 0, fx.folderProxy()),
+      "drop with src=<symlink-out-of-store> must be refused");
+#endif
+}
+
 QTEST_MAIN(tst_storemodel)
 #include "tst_storemodel.moc"
