Debug UT

Author: drighetto

src/main/java/eu/righettod/SecurityUtils.java

@@ -1177,7 +1177,11 @@ public static boolean isPathSafe(String path) {
                 //URL decode the path if case of data coming from a web context
                 String decodedPath = applyURLDecoding(path, decodingRoundThreshold);
                 //Remove any path escaping sequence
-                decodedPath = decodedPath.replace("\\/", "/").replace("\\\\", "\\");
+                if (File.separatorChar == '/') {
+                    decodedPath = decodedPath.replace("\\", "");
+                } else {
+                    decodedPath = decodedPath.replace("\\\\", "");
+                }
                 //Ensure that no path traversal path is present
                 File f = new File(decodedPath);
                 String canonicalPath = f.getCanonicalPath();

src/test/java/eu/righettod/TestSecurityUtils.java

@@ -541,7 +541,8 @@ public void isPathSafe() {
                 "%252Fhome%252F%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpassword", //URL encoding X2
                 "%25252525252Fhome%25252525252F%25252525252E%25252525252E%25252525252F%25252525252E%25252525252E%25252525252F%25252525252E%25252525252E%25252525252F%25252525252E%25252525252E%25252525252Fetc%25252525252Fpassword", //URL encoding X6
                 "/home/..\\/..\\/..\\/..\\/etc/password",
-                "/home/..\\\\/..\\/..\\\\/..\\/etc/password"
+                "/home/..\\\\/..\\/..\\\\/..\\/etc/password",
+                "D:\\test..\\\\\\test"
         );
         invalidPaths.forEach(p -> {
             assertFalse(SecurityUtils.isPathSafe(p), String.format(templateMsgFalseNegative, p));