From efc5a870a0e1e61b45270762b7680edf8636db47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Tue, 14 Apr 2020 16:13:43 +0200
Subject: [PATCH] Path traversal windows unittest fix (#780)

* fixes to support windows and linux/unix/mac

* fix in matcher
---
 .../webgoat/path_traversal/ProfileUploadFixTest.java   |  2 +-
 .../ProfileUploadRemoveUserInputTest.java              |  8 +++++---
 .../path_traversal/ProfileUploadRetrievalTest.java     |  5 +++--
 .../webgoat/path_traversal/ProfileUploadTest.java      | 10 +++++++---
 4 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
index 152e17075..c9f717b6d 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
+++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
@@ -55,7 +55,7 @@ public class ProfileUploadFixTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/John Doe\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
index e0e3d5cde..8a68c0030 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
+++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
@@ -15,14 +15,16 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ProfileUploadRemoveUserInputTest extends LessonTest {
-
+	
     @Autowired
     private PathTraversal pathTraversal;
 
     @Before
-    public void setup() {
+    public void setup() { 
         Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
         this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
         Mockito.when(webSession.getUserName()).thenReturn("unit-test");
@@ -48,7 +50,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullNameFix", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/picture.jpg\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }
 
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
index bbade5855..821735fae 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
+++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
@@ -13,6 +13,7 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 
+import java.io.File;
 import java.net.URI;
 
 import static org.hamcrest.CoreMatchers.equalTo;
@@ -48,7 +49,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
         mockMvc.perform(get(uri))
                 .andExpect(status().is(404))
                 .andDo(MockMvcResultHandlers.print())
-                .andExpect(content().string(containsString("/path-traversal-secret.jpg")));
+                .andExpect(content().string(containsString("path-traversal-secret.jpg")));
 
         //Retrieve the secret file (note: .jpg is added by the server)
         uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
@@ -76,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
     public void unknownFileShouldGiveDirectoryContents() throws Exception {
         mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
                 .andExpect(status().is(404))
-                .andExpect(content().string(containsString("cats/8.jpg")));
+                .andExpect(content().string(containsString("cats"+File.separator+"8.jpg")));
     }
 }
\ No newline at end of file
diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
index a23afe227..7fd57a572 100644
--- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
+++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
@@ -17,6 +17,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
+import java.io.File;
+
 @RunWith(SpringJUnit4ClassRunner.class)
 public class ProfileUploadTest extends LessonTest {
 
@@ -60,8 +62,10 @@ public class ProfileUploadTest extends LessonTest {
         var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
         mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
                 .file(profilePicture)
-                .param("fullName", "../" + webSession.getUserName()))
-                .andExpect(jsonPath("$.output", CoreMatchers.containsString("Is a directory")))
+                .param("fullName", ".."+File.separator + webSession.getUserName()))
+                .andExpect(jsonPath("$.output", CoreMatchers.anyOf(
+                		CoreMatchers.containsString("Is a directory"),
+                		CoreMatchers.containsString("..\\\\"+ webSession.getUserName()))))
                 .andExpect(status().is(200));
     }
 
@@ -73,7 +77,7 @@ public class ProfileUploadTest extends LessonTest {
                 .file(profilePicture)
                 .param("fullName", "John Doe"))
                 .andExpect(status().is(200))
-                .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/PathTraversal\\/unit-test\\/John Doe\\\"")))
+                .andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe")))
                 .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
     }