test(storemodel): regression tests for path-traversal rejection in dropMimeData

[annejan]

Summary

#1464 added a canonical-path check in `StoreModel::executeDropAction` that refuses any drop whose source or destination resolves outside the password store. That patch shipped with unit tests on the `Util::isPathInStore` helper but the integration into the drop flow was only manually verified.

These three regression tests close that gap.

Tests

Case	What it crafts	What it asserts
`dropMimeDataRejectsSourceOutsideStore`	mime payload with `info.path = /etc/passwd`	`dropMimeData()` returns false; never reaches `Pass::Move`
`dropMimeDataRejectsAbsoluteOutsideSource`	source in a sibling `QTemporaryDir` (real, existing fs path)	same — exercises canonicalisation on an existing path
`dropMimeDataRejectsSymlinkEscape`	symlink inside the store pointing at a sibling `QTemporaryDir`	`canonicalFilePath()` follows the link; rejected. Unix-only.

`canDropMimeData` is a UI-policy layer (kind / column / MIME-type) that intentionally doesn't touch the filesystem — these tests pass through `canDropMimeData` and verify the deeper `executeDropAction` check is the one doing the work.

Negative verification

To prove the tests aren't tautologically passing, I temporarily defanged the guard with `if (false && (...))` in `storemodel.cpp`. With that change all 3 tests fail:

```
FAIL! : dropMimeDataRejectsSourceOutsideStore() ... (drop with src=/etc/passwd must be refused)
FAIL! : dropMimeDataRejectsAbsoluteOutsideSource() ... (drop with src in a sibling tempdir must be refused)
FAIL! : dropMimeDataRejectsSymlinkEscape() ... (drop with src= must be refused)
```

Restoring the guard, all pass and the existing `qWarning("executeDropAction: rejecting drop that escapes the store ...")` fires for each.

Test plan

• `qmake6 -r && make -j4` clean
• `tests/auto/model/tst_model` — 33/33 pass (was 30, +3)
• Verified the tests actually exercise the security boundary (see negative verification above)
• clang-format applied

Scope

Test-only — no production-code changes. Source-traversal protection only; destination-traversal would require constructing a manipulated `QModelIndex` outside the proxy, which has no realistic attack surface in the current UI (the destination always comes from a tree-view click). Skipping happy-path `dropMimeData` tests for now: those would need a Pass-singleton stub.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Tests
  • Added regression tests to improve coverage of drag-and-drop data source validation scenarios, ensuring proper handling of various source configurations.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: a4150db4-4c27-4d42-8c48-01990aee1149

📥 Commits

Reviewing files that changed from the base of the PR and between 318fd78 and c61c56d.

📒 Files selected for processing (1)

• tests/auto/model/tst_storemodel.cpp

---

📝 Walkthrough

Walkthrough

Three new regression tests validate that StoreModel::dropMimeData() rejects MIME payloads with sources outside the store, including absolute paths and symlink-escape scenarios. Test declarations, documentation, and implementations are added to the existing test suite.

Changes

dropMimeData security regression tests

Layer / File(s)	Summary
dropMimeData path-traversal rejection tests tests/auto/model/tst_storemodel.cpp	Three new test functions verify dropMimeData() rejects sources outside the store: /etc/passwd paths, absolute paths to sibling directories, and symlinks inside the store resolving outside it (Windows-skipped). Test declarations and documentation block are included.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• IJHack/QtPass#1196: Adds and extends tests for StoreModel drag-and-drop MIME handling in the same test file.
• IJHack/QtPass#1046: Modifies StoreModel dropMimeData logic that these new security tests directly validate.
• IJHack/QtPass#1066: Changes StoreModel's drag-and-drop data structure and canDrop/executeDrop logic that these tests exercise.

Suggested labels

size:S

Poem

🐰 A rabbit hops through storehouse doors,
And finds the guards are working more—
Three tests now guard the crossing gate,
No symlinks slip, no paths escape! ✓

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and accurately describes the main change: adding regression tests for path-traversal rejection in the dropMimeData function.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch tests/storemodel-drop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 34.27%. Comparing base (318fd78) to head (c61c56d).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1466      +/-   ##
==========================================
+ Coverage   33.68%   34.27%   +0.59%     
==========================================
  Files          44       44              
  Lines        4379     4379              
==========================================
+ Hits         1475     1501      +26     
+ Misses       2904     2878      -26     

Flag	Coverage Δ
qtpass	34.27% <ø> (+0.59%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[coveralls]

coverage: 28.988% (+0.4%) from 28.571% — tests/storemodel-drop into main