test: add UploadFromSandbox unit + E2E IDOR test coverage

GenerQAQ · claude · GenerQAQ · commit 5919ccb7a485 · 2026-03-20T22:04:16.000+08:00
Covers the disk ownership check added in PR #460 with: - Unit tests for 404 on cross-project disk access and 400 on invalid body - E2E test for cross-project upload_from_sandbox denial Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/src/server/api/go/internal/modules/handler/artifact_test.go b/src/server/api/go/internal/modules/handler/artifact_test.go
@@ -920,6 +920,68 @@ func TestArtifactHandler_GlobArtifacts(t *testing.T) {
 	}
 }
 
+func TestArtifactHandler_UploadFromSandbox(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	t.Run("returns 404 when disk belongs to different project", func(t *testing.T) {
+		mockService := new(MockArtifactService)
+		mockDiskRepo := new(MockDiskRepo)
+
+		projectID := uuid.New()
+		diskID := uuid.New()
+
+		// Disk not found for this project (IDOR check)
+		mockDiskRepo.On("GetByProjectAndID", mock.Anything, projectID, diskID).
+			Return(nil, fmt.Errorf("record not found"))
+
+		handler := NewArtifactHandler(mockService, mockDiskRepo, createDefaultTestConfig(), nil, nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+
+		body := `{"sandbox_id":"` + uuid.New().String() + `","sandbox_path":"/tmp","sandbox_filename":"test.txt","file_path":"/"}`
+		c.Request = httptest.NewRequest("POST", "/disk/"+diskID.String()+"/artifact/upload_from_sandbox", bytes.NewBufferString(body))
+		c.Request.Header.Set("Content-Type", "application/json")
+		c.Params = gin.Params{{Key: "disk_id", Value: diskID.String()}}
+
+		handler.UploadFromSandbox(c)
+
+		assert.Equal(t, http.StatusNotFound, w.Code)
+		mockService.AssertNotCalled(t, "Create")
+		mockDiskRepo.AssertExpectations(t)
+	})
+
+	t.Run("returns 400 for invalid request body", func(t *testing.T) {
+		mockService := new(MockArtifactService)
+		mockDiskRepo := new(MockDiskRepo)
+
+		projectID := uuid.New()
+		diskID := uuid.New()
+
+		// Disk found for this project
+		mockDiskRepo.On("GetByProjectAndID", mock.Anything, projectID, diskID).
+			Return(&model.Disk{ID: diskID, ProjectID: projectID}, nil)
+
+		handler := NewArtifactHandler(mockService, mockDiskRepo, createDefaultTestConfig(), nil, nil)
+
+		w := httptest.NewRecorder()
+		c, _ := gin.CreateTestContext(w)
+		c.Set("project", &model.Project{ID: projectID})
+
+		// Empty JSON body — missing required fields
+		c.Request = httptest.NewRequest("POST", "/disk/"+diskID.String()+"/artifact/upload_from_sandbox", bytes.NewBufferString(`{}`))
+		c.Request.Header.Set("Content-Type", "application/json")
+		c.Params = gin.Params{{Key: "disk_id", Value: diskID.String()}}
+
+		handler.UploadFromSandbox(c)
+
+		assert.Equal(t, http.StatusBadRequest, w.Code)
+		mockService.AssertNotCalled(t, "Create")
+		mockDiskRepo.AssertExpectations(t)
+	})
+}
+
 func TestArtifactHandler_DownloadArtifact(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 
diff --git a/src/server/tests/e2e/test_project_isolation.py b/src/server/tests/e2e/test_project_isolation.py
@@ -250,6 +250,27 @@ async def test_cross_project_upload_artifact(test_project: ProjectCredentials, s
         await client.delete(f"{API_URL}/api/v1/disk/{disk_id}", headers=test_project.headers)
 
 
+@pytest.mark.asyncio
+async def test_cross_project_upload_from_sandbox(test_project: ProjectCredentials, second_project: ProjectCredentials):
+    assert await wait_for_services()
+    async with httpx.AsyncClient() as client:
+        disk_id = await create_disk(client, test_project.headers)
+
+        resp = await client.post(
+            f"{API_URL}/api/v1/disk/{disk_id}/artifact/upload_from_sandbox",
+            json={
+                "sandbox_id": str(uuid.uuid4()),
+                "sandbox_path": "/tmp",
+                "sandbox_filename": "test.txt",
+                "file_path": "/",
+            },
+            headers=second_project.headers,
+        )
+        assert resp.status_code in DENIED_STATUSES
+
+        await client.delete(f"{API_URL}/api/v1/disk/{disk_id}", headers=test_project.headers)
+
+
 @pytest.mark.asyncio
 async def test_cross_project_download_artifact(test_project: ProjectCredentials, second_project: ProjectCredentials):
     assert await wait_for_services()
