From efc5a870a0e1e61b45270762b7680edf8636db47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= Date: Tue, 14 Apr 2020 16:13:43 +0200 Subject: [PATCH] Path traversal windows unittest fix (#780) * fixes to support windows and linux/unix/mac * fix in matcher --- .../webgoat/path_traversal/ProfileUploadFixTest.java | 2 +- .../ProfileUploadRemoveUserInputTest.java | 8 +++++--- .../path_traversal/ProfileUploadRetrievalTest.java | 5 +++-- .../webgoat/path_traversal/ProfileUploadTest.java | 10 +++++++--- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java index 152e17075..c9f717b6d 100644 --- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java +++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java @@ -55,7 +55,7 @@ public class ProfileUploadFixTest extends LessonTest { .file(profilePicture) .param("fullNameFix", "John Doe")) .andExpect(status().is(200)) - .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/John Doe\\\""))) + .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe"))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java index e0e3d5cde..8a68c0030 100644 --- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java +++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java 
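Review bot: The new matcher `"unit-test\\"+File.separator+"John Doe"` relies on an assumption the test never states: the feedback string carries a JSON-escaped path, so the expected text is `unit-test\/John Doe` on Unix and `unit-test\\John Doe` on Windows, and the literal `\\` only makes sense next to that escaping. A reader who sees `\\` immediately followed by `File.separator` will take it for a typo, so add a comment above the assertion such as `// feedback embeds a JSON-escaped path: "/" is escaped to "\/" on Unix, "\" to "\\" on Windows`. The same construction is repeated in ProfileUploadRemoveUserInputTest and ProfileUploadTest in this patch, so a small shared helper that joins the parts with File.separator and applies that escaping would keep the three assertions consistent. The test method's signature is above this hunk.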
@@ -15,14 +15,16 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import java.io.File; + @RunWith(SpringJUnit4ClassRunner.class) public class ProfileUploadRemoveUserInputTest extends LessonTest { - + @Autowired private PathTraversal pathTraversal; @Before - public void setup() { + public void setup() { Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal); this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build(); Mockito.when(webSession.getUserName()).thenReturn("unit-test"); @@ -48,7 +50,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest { .file(profilePicture) .param("fullNameFix", "John Doe")) .andExpect(status().is(200)) - .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/picture.jpg\\\""))) + .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg"))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); } diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java index bbade5855..821735fae 100644 --- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java +++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java @@ -13,6 +13,7 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; import org.springframework.test.web.servlet.result.MockMvcResultHandlers; import org.springframework.test.web.servlet.setup.MockMvcBuilders; +import java.io.File; import java.net.URI; import static org.hamcrest.CoreMatchers.equalTo; 
@@ -48,7 +49,7 @@ public class ProfileUploadRetrievalTest extends LessonTest { mockMvc.perform(get(uri)) .andExpect(status().is(404)) .andDo(MockMvcResultHandlers.print()) - .andExpect(content().string(containsString("/path-traversal-secret.jpg"))); + .andExpect(content().string(containsString("path-traversal-secret.jpg"))); //Retrieve the secret file (note: .jpg is added by the server) uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret"); @@ -76,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest { public void unknownFileShouldGiveDirectoryContents() throws Exception { mockMvc.perform(get("/PathTraversal/random-picture?id=test")) .andExpect(status().is(404)) - .andExpect(content().string(containsString("cats/8.jpg"))); + .andExpect(content().string(containsString("cats"+File.separator+"8.jpg"))); } } \ No newline at end of file diff --git a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java index a23afe227..7fd57a572 100644 --- a/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java +++ b/webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java @@ -17,6 +17,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultHandlers. import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath; import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; +import java.io.File; + @RunWith(SpringJUnit4ClassRunner.class) public class ProfileUploadTest extends LessonTest { 
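Review bot: Dropping the leading `/` weakens this assertion: `containsString("path-traversal-secret.jpg")` is also satisfied by a 404 body that merely echoes the requested id, so it no longer shows that the response exposed a directory listing containing the secret file. Keep the separator in the expectation but make it platform-aware, as the next hunk in this file already does with `"cats"+File.separator+"8.jpg"`: `.andExpect(content().string(containsString(File.separator + "path-traversal-secret.jpg")));`. Whether the 404 body echoes the id, and what id the first `get(uri)` sends, are outside this hunk, but the stricter form costs nothing and preserves the original intent. The enclosing test method starts before this hunk.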
@@ -60,8 +62,10 @@ public class ProfileUploadTest extends LessonTest { var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes()); mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload") .file(profilePicture) - .param("fullName", "../" + webSession.getUserName())) - .andExpect(jsonPath("$.output", CoreMatchers.containsString("Is a directory"))) + .param("fullName", ".."+File.separator + webSession.getUserName())) + .andExpect(jsonPath("$.output", CoreMatchers.anyOf( + CoreMatchers.containsString("Is a directory"), + CoreMatchers.containsString("..\\\\"+ webSession.getUserName())))) .andExpect(status().is(200)); } @@ -73,7 +77,7 @@ public class ProfileUploadTest extends LessonTest { .file(profilePicture) .param("fullName", "John Doe")) .andExpect(status().is(200)) - .andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/PathTraversal\\/unit-test\\/John Doe\\\""))) + .andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe"))) .andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false))); }
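Review bot: The second `anyOf` branch, `containsString("..\\\\"+ webSession.getUserName())`, accepts any output that contains the JSON-escaped input `..\unit-test`, so on Windows the test passes whenever the server echoes the submitted name, regardless of whether the traversal actually reached the parent directory. The Linux branch checks an effect of the file operation (the `Is a directory` error text), and the Windows branch should do the same, matching the message the JVM produces when the upload path resolves to a directory (presumably an `Access is denied` variant; confirm on a Windows run) rather than the echoed path. Note also that `".."+File.separator` only ever sends the backslash form on Windows, while java.io.File accepts `/` there as well, so sending `../` on both platforms would keep the attack input identical across operating systems. The test method's signature is above this hunk.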
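Review bot: `containsStringIgnoringCase` is looser than the `containsString` used for the equivalent feedback assertions in ProfileUploadFixTest and ProfileUploadRemoveUserInputTest in this same patch, and nothing in the hunk says why case must be ignored here; as written the test would also accept `pathtraversal/unit-test/john doe`. If the relaxation is needed because the directory casing differs on Windows, say so on the assertion (e.g. `// case-insensitive: directory name casing differs on Windows`); otherwise revert to `containsString`. The escaping assumption behind `"\\"+File.separator` (the feedback embeds a JSON-escaped path, so `/` becomes `\/` and `\` becomes `\\`) is now repeated three times and would read better as one helper: `private static String escapedPath(String... parts) { return String.join(File.separator, parts).replace("\\", "\\\\").replace("/", "\\/"); }`. The test method starts outside the hunk.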