From 898cbc7ce71940ca23b1e2dc98c72d21ee0aab93 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sat, 28 Mar 2026 01:07:32 +0000
Subject: [PATCH] test: add regression test for findFiles parent-escape bug (PR #94)
Add a todo-marked test that demonstrates findFiles can escape above the parent workspace root when 'directory' is a relative path (e.g. '..') that resolves above parent, and a matching config file exists there. The test is marked { todo: ... } so it fails with exit code 0 on master (documenting the known bug) and will pass once PR #94 is merged. This complements the existing boundary test (which uses '.', not '..') and PR #76's outside-parent test (which uses an absolute path and a file that does not exist, rather than a relative path and a file that does).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
test/unit.test.js | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/test/unit.test.js b/test/unit.test.js
index 0fb759e..00ea170 100644
--- a/test/unit.test.js
+++ b/test/unit.test.js
@@ -103,4 +103,34 @@ describe("findFiles", () => {
 const result = findFiles(path.join(tmpRoot, "single"), ".", "phpcs.xml");
 assert.equal(result, expected);
 });
+
+ // Regression test: findFiles should never return a file above the `parent`
+ // boundary, even when `directory` is a relative path (e.g. "..") that
+ // resolves outside `parent`. On unpatched code this test fails; it passes
+ // once PR #94 ("fix: prevent findFiles from escaping parent") is merged.
+ test(
+ "does not escape parent when directory is a relative path above workspace root",
+ { todo: "Known bug — fixed by PR #94; marks expected failure until merged" },
+ () => {
+ // Place a config file at tmpRoot level (above the workspace root).
+ const aboveParent = mkFile("relative-escape-sentinel.xml");
+
+ // workspace root is one level below tmpRoot
+ mkDir("ws-escape");
+
+ // directory = ".." resolves to tmpRoot, which is *above* parent
+ const result = findFiles(
+ path.join(tmpRoot, "ws-escape"), // parent (workspace root)
+ "..", // resolves to tmpRoot — above parent
+ "relative-escape-sentinel.xml"
+ );
+
+ // Must NOT escape above parent — should return null
+ assert.equal(
+ result,
+ null,
+ `findFiles escaped parent boundary and returned ${result}`
+ );
+ }
+ );
 });
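Review bot: The `{ todo: ... }` option on the new `test(...)` call means this boundary check cannot fail the run, and nothing in the hunk ties its removal to the fix, so after PR #94 lands the test would keep reporting as todo and a later regression of the parent-escape check would still exit 0. I would add a comment directly above the options line, `// TODO(PR #94): delete the todo option in the fix commit so this test gates CI`, or have PR #94 drop the option itself. `aboveParent` is assigned but never read; assuming `mkFile` returns the created path, adding `assert.notEqual(result, aboveParent)` would put it to use, otherwise the variable can go. The enclosing `describe("findFiles", ...)` block and the `tmpRoot`/`mkFile`/`mkDir` setup start outside the hunk, so whether the sentinel file left at `tmpRoot` is cleaned up between tests cannot be confirmed from here.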