From e808abd5042c6f0391bd651e918258d185a52ba7 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Fri, 16 Jun 2017 00:23:40 +0200
Subject: [PATCH] Added testcase for SQL lesson 6a

---
 .../org/owasp/webgoat/plugins/LessonTest.java | 4 +
 .../SqlInjectionLesson6aTest.java | 81 +++++++++++++++++++
 2 files changed, 85 insertions(+)
 create mode 100644 webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java

diff --git a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
index 4677b499c..3e6dffe9e 100644
--- a/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
+++ b/webgoat-container/src/test/java/org/owasp/webgoat/plugins/LessonTest.java
@@ -4,6 +4,7 @@ import org.junit.Before;
 import org.owasp.webgoat.i18n.Language;
 import org.owasp.webgoat.i18n.PluginMessages;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.session.WebgoatContext;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.context.embedded.LocalServerPort;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -33,6 +34,8 @@ public abstract class LessonTest {
 protected PluginMessages messages;
 @MockBean
 protected WebSession webSession;
+ @Autowired
+ private WebgoatContext context;
 @MockBean
 private Language language;
 
@@ -40,6 +43,7 @@ public abstract class LessonTest {
 public void init() {
 when(webSession.getUserName()).thenReturn("unit-test");
 when(language.getLocale()).thenReturn(Locale.getDefault());
+ when(webSession.getWebgoatContext()).thenReturn(context);
 }

 }
diff --git a/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java
new file mode 100644
index 000000000..83f5b7777
--- /dev/null
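Review bot: The new `context` field in the second hunk is declared `private` while the sibling fixtures `messages` and `webSession` on the same abstract class are `protected`, so a lesson test extending `LessonTest` cannot reach the injected `WebgoatContext` directly even though the class exists to share such fixtures; `protected WebgoatContext context;` keeps the declarations consistent. The stub in the third hunk, `when(webSession.getWebgoatContext()).thenReturn(context)`, depends on the superclass `@Before` running before the subclass one, which JUnit 4 guarantees, so the ordering is fine; a one-line comment such as `// hand the real WebgoatContext bean to code that reads it through the mocked session` would spare the next reader the lookup.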
+++ b/webgoat-lessons/sql-injection/src/test/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson6aTest.java 
@@ -0,0 +1,81 @@
+package org.owasp.webgoat.plugin.introduction;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.owasp.webgoat.plugins.LessonTest;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+import static org.mockito.Mockito.when;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * @author nbaars
+ * @since 6/15/17.
+ */
+@RunWith(SpringJUnit4ClassRunner.class)
+public class SqlInjectionLesson6aTest extends LessonTest {
+
+ @Before
+ public void setup() throws Exception {
+ when(webSession.getCurrentLesson()).thenReturn(new SqlInjection());
+ this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
+ }
+
+ @Test
+ public void wrongSolution() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "John"))
+ .andDo(MockMvcResultHandlers.print())
+ .andExpect(status().isOk())
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)));
+ }
+
+ @Test
+ public void wrongNumberOfColumns() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "Smith' union select userid,user_name, password,cookie from user_system_data --"))
+ .andDo(MockMvcResultHandlers.print())
+ .andExpect(status().isOk())
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.output", is("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES 
operation")));
+ }
+
+ @Test
+ public void wrongDataTypeOfColumns() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "Smith' union select 1,password, 1,'2','3', '4',1 from user_system_data --"))
+ .andDo(MockMvcResultHandlers.print())
+ .andExpect(status().isOk())
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.output", containsString("incompatible data types in combination")));
+ }
+
+ @Test
+ public void correctSolution() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "Smith' union select 1,password, '1','2','3', '4',1 from user_system_data --"))
+ .andDo(MockMvcResultHandlers.print())
+ .andExpect(status().isOk())
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(true)))
+ .andExpect(jsonPath("$.feedback", containsString("dave")));
+ }
+
+ @Test
+ public void noResultsReturned() throws Exception {
+ mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
+ .param("userid_6a", "Smith' and 1 = 2 --"))
+ .andDo(MockMvcResultHandlers.print())
+ .andExpect(status().isOk())
+ .andExpect(status().isOk()).andExpect(jsonPath("$.lessonCompleted", is(false)))
+ .andExpect(jsonPath("$.feedback", is(messages.getMessage("sql-injection.6a.no.results"))));
+ }
+
+
+}
\ No newline at end of file
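Review bot: Every test method in the new class chains `.andExpect(status().isOk())` twice in a row (first in `wrongSolution`, then identically in `wrongNumberOfColumns`, `wrongDataTypeOfColumns`, `correctSolution` and `noResultsReturned`); the second call repeats the first and should be dropped. The exact match `is("column number mismatch detected in rows of UNION, INTERSECT, EXCEPT, or VALUES operation")` in `wrongNumberOfColumns` presumably pins a database-engine error text verbatim, which will break on an engine or driver upgrade, whereas `wrongDataTypeOfColumns` already uses `containsString(...)` for the same kind of check; `containsString("column number mismatch")` would be the consistent and more stable form. Since all five tests post the same endpoint with one varying parameter, the perform/param/print/status chain can move into a private helper as below, which needs `org.springframework.test.web.servlet.ResultActions` imported and leaves each test with only its own expectations.
```java
// … unchanged: imports, setup() …
private ResultActions attack6a(String userId) throws Exception {
    return mockMvc.perform(MockMvcRequestBuilders.post("/SqlInjection/attack6a")
            .param("userid_6a", userId))
            .andDo(MockMvcResultHandlers.print())
            .andExpect(status().isOk());
}

@Test
public void wrongNumberOfColumns() throws Exception {
    attack6a("Smith' union select userid,user_name, password,cookie from user_system_data --")
            .andExpect(jsonPath("$.lessonCompleted", is(false)))
            .andExpect(jsonPath("$.output", containsString("column number mismatch")));
}
// … unchanged: the other four tests, each reduced to attack6a(...) plus its own expectations …
```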