additional validation of requests

test/unit/coffee/StaticServerForbidSymlinksTests.coffee

@@ -20,6 +20,7 @@ describe "StaticServerForbidSymlinks", ->
 			"logger-sharelatex": 
 				log:->
 				warn:->
+				error:->
 			"fs":@fs
 
 		@dummyStatic = (rootDir, options) ->
@@ -69,6 +70,70 @@ describe "StaticServerForbidSymlinks", ->
 				done()
 			@StaticServerForbidSymlinks @req, @res
 
+
+	describe "with a relative file", ->
+		beforeEach ->
+			@req.url = "/12345/../67890/output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
+
+	describe "with a unnormalized file containing .", ->
+		beforeEach ->
+			@req.url = "/12345/foo/./output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
+
+	describe "with a file containing an empty path", ->
+		beforeEach ->
+			@req.url = "/12345/foo//output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
+	describe "with a non-project file", ->
+		beforeEach ->
+			@req.url = "/.foo/output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
+	describe "with a file outside the compiledir", ->
+		beforeEach ->
+			@req.url = "/../bar/output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
+
+	describe "with a file with no leading /", ->
+		beforeEach ->
+			@req.url = "./../bar/output.pdf"
+
+		it "should send a 404", (done)->
+			@res.sendStatus = (resCode)->
+				resCode.should.equal 404
+				done()
+			@StaticServerForbidSymlinks @req, @res
+
 	describe "with an error from fs.realpath", ->
 
 		beforeEach ->