1 files changed, 21 insertions, 1 deletions

diff --git a/tests/api/test_eval.py b/tests/api/test_eval.py
index 40369f5..37f90e7 100644
--- a/tests/api/test_eval.py
+++ b/tests/api/test_eval.py
@@ -51,11 +51,14 @@ class TestEvalResource(SnekAPITestCase):
         """Normal paths should work with 200."""
         test_paths = [
             "file.txt",
-            "./file.jpg",
+            "./0.jpg",
             "path/to/file",
             "folder/../hm",
             "folder/./to/./somewhere",
             "traversal/but/../not/beyond/../root",
+            r"backslash\\okay",
+            r"backslash\okay",
+            "numbers/0123456789",
         ]
         for path in test_paths:
             with self.subTest(path=path):
@@ -101,6 +104,23 @@ class TestEvalResource(SnekAPITestCase):
                 self.assertEqual("Request data failed validation", result.json["title"])
                 self.assertIn("does not match", result.json["description"])
 
+    def test_files_illegal_path_null_byte(self):
+        """Paths containing \0 should 400-error at json schema validation stage."""
+        test_paths = [
+            r"etc/passwd\0",
+            r"a\0b",
+            r"\0",
+            r"\\0",
+            r"var/\0/path",
+        ]
+        for path in test_paths:
+            with self.subTest(path=path):
+                body = {"args": ["test.py"], "files": [{"path": path}]}
+                result = self.simulate_post(self.PATH, json=body)
+                self.assertEqual(result.status_code, 400)
+                self.assertEqual("Request data failed validation", result.json["title"])
+                self.assertIn("does not match", result.json["description"])
+
     def test_post_invalid_content_type_415(self):
         body = "{'input': 'foo'}"
         headers = {"Content-Type": "application/xml"}