Path traversal windows unittest fix (#780)
* fixes to support windows and linux/unix/mac * fix in matcher
@ -55,7 +55,7 @@ public class ProfileUploadFixTest extends LessonTest {
|
||||
.file(profilePicture)
|
||||
.param("fullNameFix", "John Doe"))
|
||||
.andExpect(status().is(200))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/John Doe\\\"")))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"John Doe")))
|
||||
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
|
||||
}
|
||||
|
||||
|
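Review bot: The rewritten `$.feedback` matcher, `containsString("unit-test\\"+File.separator+"John Doe")`, no longer pins either end of the stored path: the old literal began at `/` and ended at the escaped closing quote, so a stored name with extra characters after `John Doe` would now still pass. For a test of the path-traversal fix that boundary is what is worth asserting, so unless the Windows output differs there I would keep the tail, e.g. `containsString("unit-test\\"+File.separator+"John Doe\\\"")`. The same loosening appears in the `picture.jpg` matcher in ProfileUploadRemoveUserInputTest and in the `containsStringIgnoringCase` matcher in ProfileUploadTest. The leading `\\` appears to be the escape that the feedback text puts in front of the separator, which deserves a one-line comment because the expression is hard to read without it. The enclosing test method starts outside the hunk.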
@ -15,6 +15,8 @@ import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
import java.io.File;
|
||||
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
public class ProfileUploadRemoveUserInputTest extends LessonTest {
|
||||
|
||||
@ -48,7 +50,7 @@ public class ProfileUploadRemoveUserInputTest extends LessonTest {
|
||||
.file(profilePicture)
|
||||
.param("fullNameFix", "John Doe"))
|
||||
.andExpect(status().is(200))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/unit-test\\/picture.jpg\\\"")))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("unit-test\\"+File.separator+"picture.jpg")))
|
||||
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
|
||||
}
|
||||
|
||||
|
@ -13,6 +13,7 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||
import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
|
||||
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
|
||||
|
||||
import java.io.File;
|
||||
import java.net.URI;
|
||||
|
||||
import static org.hamcrest.CoreMatchers.equalTo;
|
||||
@ -48,7 +49,7 @@ public class ProfileUploadRetrievalTest extends LessonTest {
|
||||
mockMvc.perform(get(uri))
|
||||
.andExpect(status().is(404))
|
||||
.andDo(MockMvcResultHandlers.print())
|
||||
.andExpect(content().string(containsString("/path-traversal-secret.jpg")));
|
||||
.andExpect(content().string(containsString("path-traversal-secret.jpg")));
|
||||
|
||||
//Retrieve the secret file (note: .jpg is added by the server)
|
||||
uri = new URI("/PathTraversal/random-picture?id=%2E%2E%2F%2E%2E%2Fpath-traversal-secret");
|
||||
@ -76,6 +77,6 @@ public class ProfileUploadRetrievalTest extends LessonTest {
|
||||
public void unknownFileShouldGiveDirectoryContents() throws Exception {
|
||||
mockMvc.perform(get("/PathTraversal/random-picture?id=test"))
|
||||
.andExpect(status().is(404))
|
||||
.andExpect(content().string(containsString("cats/8.jpg")));
|
||||
.andExpect(content().string(containsString("cats"+File.separator+"8.jpg")));
|
||||
}
|
||||
}
|
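Review bot: The two assertions changed in this file reach platform independence in different ways: the listing check becomes `containsString("path-traversal-secret.jpg")`, dropping the separator entirely, while `unknownFileShouldGiveDirectoryContents` builds `"cats"+File.separator+"8.jpg"`. Without a separator the first matcher also accepts any longer file name that merely ends in that text. Assuming the 404 body prints native paths, as the `cats` assertion implies, `containsString(File.separator + "path-traversal-secret.jpg")` would keep the name anchored at a path boundary and make both checks read the same way. The method holding the first assertion starts outside its hunk.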
@ -17,6 +17,8 @@ import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
import java.io.File;
|
||||
|
||||
@RunWith(SpringJUnit4ClassRunner.class)
|
||||
public class ProfileUploadTest extends LessonTest {
|
||||
|
||||
@ -60,8 +62,10 @@ public class ProfileUploadTest extends LessonTest {
|
||||
var profilePicture = new MockMultipartFile("uploadedFile", "picture.jpg", "text/plain", "an image".getBytes());
|
||||
mockMvc.perform(MockMvcRequestBuilders.multipart("/PathTraversal/profile-upload")
|
||||
.file(profilePicture)
|
||||
.param("fullName", "../" + webSession.getUserName()))
|
||||
.andExpect(jsonPath("$.output", CoreMatchers.containsString("Is a directory")))
|
||||
.param("fullName", ".."+File.separator + webSession.getUserName()))
|
||||
.andExpect(jsonPath("$.output", CoreMatchers.anyOf(
|
||||
CoreMatchers.containsString("Is a directory"),
|
||||
CoreMatchers.containsString("..\\\\"+ webSession.getUserName()))))
|
||||
.andExpect(status().is(200));
|
||||
}
|
||||
|
||||
@ -73,7 +77,7 @@ public class ProfileUploadTest extends LessonTest {
|
||||
.file(profilePicture)
|
||||
.param("fullName", "John Doe"))
|
||||
.andExpect(status().is(200))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsString("/PathTraversal\\/unit-test\\/John Doe\\\"")))
|
||||
.andExpect(jsonPath("$.feedback", CoreMatchers.containsStringIgnoringCase("PathTraversal\\"+File.separator+"unit-test\\"+File.separator+"John Doe")))
|
||||
.andExpect(jsonPath("$.lessonCompleted", CoreMatchers.is(false)));
|
||||
}
|
||||
|
||||
|
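Review bot: The second `anyOf` alternative, `containsString("..\\\\"+ webSession.getUserName())`, appears only to check that the submitted name is echoed in `$.output`, so on Windows the test can pass without asserting what the server did with the path. It also hard-codes the backslash, while the request above it uses `File.separator`. If the Windows error text is stable I would match that instead, or at least record the intent with `// Linux/macOS: "Is a directory"; Windows: output echoes the escaped path`. Separately, changing the parameter to `".."+File.separator + webSession.getUserName()` means a Windows run no longer sends the `../` form, which Windows file APIs also accept, so the original request is worth keeping as a second case rather than replacing. The test method's signature is outside the hunk.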