dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Path traversal windows unittest fix (#780)

Browse Source 
* fixes to support windows and linux/unix/mac

* fix in matcher
This commit is contained in:
René Zubcevic
2020-04-14 16:13:43 +02:00
committed by GitHub
parent 0638cae6e5
commit efc5a870a0
4 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadFixTest.java
View File

@ -55,7 +55,7 @@ public class ProfileUploadFixTest extends LessonTest {
.file(profilePicture)
.param("fullNameFix", "John Doe"))
.andExpect(status().is(200))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/John Doe\\\"")))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}

8
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRemoveUserInputTest.java
View File

@ -15,14 +15,16 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.io.File;
@RunWith(SpringJUnit4ClassRunner.class)
public class ProfileUploadRemoveUserInputTest extends LessonTest {
@Autowired
private PathTraversal pathTraversal;
@Before
public void setup() {
public void setup() {
Mockito.when(webSession.getCurrentLesson()).thenReturn(pathTraversal);
this.mockMvc = MockMvcBuilders.webAppContextSetup(this.wac).build();
Mockito.when(webSession.getUserName()).thenReturn("unit-test");
@ -48,7 +50,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
.file(profilePicture)
.param("fullNameFix", "John Doe"))
.andExpect(status().is(200))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/picture.jpg\\\"")))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}

5
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadRetrievalTest.java
View File

@ -13,6 +13,7 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import java.io.File;
import java.net.URI;
import static org.hamcrest.CoreMatchers.equalTo;
@ -48,7 +49,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
mockMvc.perform(get(uri))
.andExpect(status().is(404))
.andDo(MockMvcResultHandlers.print())
.andExpect(content().string(containsString("/path-traversal-secret.jpg")));
.andExpect(content().string(containsString("path-traversal-secret.jpg")));
//Retrieve the secret file (note: .jpg is added by the server)
uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
@ -76,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
public void unknownFileShouldGiveDirectoryContents() throws Exception {
mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
.andExpect(status().is(404))
.andExpect(content().string(containsString("cats/8.jpg")));
.andExpect(content().string(containsString("cats"+File.separator+"8.jpg")));
}
}

10
webgoat-lessons/path-traversal/src/test/java/org/owasp/webgoat/path_traversal/ProfileUploadTest.java
View File

@ -17,6 +17,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import java.io.File;
@RunWith(SpringJUnit4ClassRunner.class)
public class ProfileUploadTest extends LessonTest {
@ -60,8 +62,10 @@ public class ProfileUploadTest extends LessonTest {
var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
.file(profilePicture)
.param("fullName", "../" + webSession.getUserName()))
.andExpect(jsonPath("$.output", CoreMatchers.containsString("Is a directory")))
.param("fullName", ".."+File.separator + webSession.getUserName()))
.andExpect(jsonPath("$.output", CoreMatchers.anyOf(
CoreMatchers.containsString("Is a directory"),
CoreMatchers.containsString("..\\\\"+ webSession.getUserName()))))
.andExpect(status().is(200));
}
@ -73,7 +77,7 @@ public class ProfileUploadTest extends LessonTest {
.file(profilePicture)
.param("fullName", "John Doe"))
.andExpect(status().is(200))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/PathTraversal\\/unit-test\\/John Doe\\\"")))
.andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe")))
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
}