folderweb/devel/tests/helpers/build_breadcrumbs_security_traversal.phpt


--TEST--
buildBreadcrumbs: skips path traversal attempts (security)
--FILE--
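<?php
require '/var/www/app/context.php';
require '/var/www/app/hooks.php';
require '/var/www/app/constants.php';
require '/var/www/app/helpers.php';
require '/var/www/app/content.php';

// Build a throw-away content tree under the system temp dir.
// The pid keeps the original naming; the random suffix avoids colliding with a
// stale tree left behind by an earlier run that crashed before cleanup
// (mkdir() on an existing path would fail and skew the result below).
$tempBase = sys_get_temp_dir() . '/phpt_' . getmypid() . '_' . bin2hex(random_bytes(4));
$tempContent = $tempBase . '/content';
$tempLevel1 = $tempContent . '/nyheter';
$tempLevel2 = $tempLevel1 . '/riksrevisjonen';

// The fixture is private to this process: 0700 rather than 0777, so nothing
// else on a shared /tmp can write into the tree the test is about to read.
// Every setup step fails loudly — a half-built tree would otherwise make the
// traversal check pass for the wrong reason.
mkdir($tempLevel1, 0700, true) || throw new RuntimeException("mkdir failed: {$tempLevel1}");
mkdir($tempLevel2, 0700, true) || throw new RuntimeException("mkdir failed: {$tempLevel2}");

// Metadata files give each directory a title so it qualifies as a breadcrumb.
file_put_contents($tempLevel1 . '/metadata.ini', "title = Nyheter\n") !== false
    || throw new RuntimeException('cannot write level-1 metadata.ini');
file_put_contents($tempLevel2 . '/metadata.ini', "title = Riksrevisjonen\n") !== false
    || throw new RuntimeException('cannot write level-2 metadata.ini');

try {
    // Request path containing a ".." segment: the valid directories before it
    // must still be resolved, the ".." itself must be dropped, and "test"
    // (which does not exist on disk) must not produce a crumb.
    $ctx = new Context(
        contentDir: $tempContent,
        templates: new Templates('/tmp/base.php', '/tmp/page.php', '/tmp/list.php'),
        requestPath: 'nyheter/riksrevisjonen/../test',
        hasTrailingSlash: false
    );
    $result = buildBreadcrumbs($ctx);

    // Expected: exactly nyheter and riksrevisjonen.
    echo count($result) . "\n";

    // No crumb URL may carry a ".." — that would let the rendered breadcrumb
    // link point outside the content root. A crumb without a url key is a
    // defect in buildBreadcrumbs() and must fail the test rather than be
    // coerced to an empty string.
    $hasTraversal = false;
    foreach ($result as $crumb) {
        $url = $crumb['url'] ?? throw new RuntimeException('breadcrumb without url');
        if (str_contains($url, '..')) {
            $hasTraversal = true;
            break;
        }
    }
    echo ($hasTraversal ? "traversal" : "safe") . "\n";
} finally {
    // Remove the fixture even when buildBreadcrumbs() throws, so a failing run
    // does not leave a stray tree in the system temp dir. Each step is
    // guarded so partial setup does not turn cleanup into a second failure.
    foreach ([$tempLevel2 . '/metadata.ini', $tempLevel1 . '/metadata.ini'] as $file) {
        if (is_file($file)) {
            unlink($file);
        }
    }
    foreach ([$tempLevel2, $tempLevel1, $tempContent, $tempBase] as $dir) {
        if (is_dir($dir)) {
            rmdir($dir);
        }
    }
}
?>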
--EXPECT--
2
safe