/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import frisby = require('frisby')

// Base of the server under test and of its REST API; both specs below build
// request URLs by appending paths to these.
const BASE_URL = 'http://localhost:3000'
const REST_URL = 'http://localhost:3000/rest'
// Header set sent with every JSON login request.
const jsonHeader = { 'content-type': 'application/json' }

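describe('/dataerasure', () => {
  // Seeded accounts the specs authenticate as. The gmail account is the one
  // without a stored security answer (see the 'No answer found!' spec).
  const BJOERN_OWASP = { email: 'bjoern@owasp.org', password: 'kitten lesser pooch karate buffoon indoors' }
  const BJOERN_GMAIL = { email: 'bjoern.kimminich@gmail.com', password: 'bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=' }

  /**
   * Logs in through the REST API and asserts a 200 response.
   * Returns the frisby spec so callers chain `.then(({ json }) => ...)`
   * exactly as the previously inlined login calls did.
   */
  const login = ({ email, password }: { email: string, password: string }) =>
    frisby.post(REST_URL + '/user/login', {
      headers: jsonHeader,
      body: { email, password }
    })
      .expect('status', 200)

  /** Cookie header carrying the session token returned by login. */
  const tokenCookie = (jsonLogin: { authentication: { token: string } }) => ({
    Cookie: 'token=' + jsonLogin.authentication.token
  })

  it('GET erasure form for logged-in users includes their email and security question', () => {
    return login(BJOERN_OWASP)
      .then(({ json: jsonLogin }) => {
        // The form is pre-filled with the caller's own email and security question.
        return frisby.get(BASE_URL + '/dataerasure/', { headers: tokenCookie(jsonLogin) })
          .expect('status', 200)
          .expect('bodyContains', 'bjoern@owasp.org')
          .expect('bodyContains', 'Name of your favorite pet?')
      })
  })

  it('GET erasure form rendering fails for users without assigned security answer', () => {
    return login(BJOERN_GMAIL)
      .then(({ json: jsonLogin }) => {
        // Rendering requires a security answer; its absence surfaces as a 500.
        return frisby.get(BASE_URL + '/dataerasure/', { headers: tokenCookie(jsonLogin) })
          .expect('status', 500)
          .expect('bodyContains', 'Error: No answer found!')
      })
  })

  it('GET erasure form rendering fails on unauthenticated access', () => {
    // No token cookie: the request is rejected before any form is rendered.
    return frisby.get(BASE_URL + '/dataerasure/')
      .expect('status', 500)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })

  it('POST erasure request does not actually delete the user', () => {
    const form = frisby.formData()
    form.append('email', BJOERN_GMAIL.email)

    return login(BJOERN_GMAIL)
      .then(({ json: jsonLogin }) => {
        return frisby.post(BASE_URL + '/dataerasure/', {
          headers: tokenCookie(jsonLogin),
          body: form
        })
          .expect('status', 200)
          .expect('header', 'Content-Type', 'text/html; charset=utf-8')
          .then(() => {
            // A second login succeeding proves the account still exists.
            return login(BJOERN_GMAIL)
          })
      })
  })

  it('POST erasure form  fails on unauthenticated access', () => {
    return frisby.post(BASE_URL + '/dataerasure/')
      .expect('status', 500)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })

  // The three specs below pin the server's handling of the `layout` body
  // parameter, which is resolved to a file on the server side. A hardened
  // handler would restrict it to an allow-list of view names; until then these
  // assertions document the current behaviour so regressions are visible.
  it('POST erasure request with empty layout parameter returns', () => {
    return login(BJOERN_GMAIL)
      .then(({ json: jsonLogin }) => {
        return frisby.post(BASE_URL + '/dataerasure/', {
          headers: tokenCookie(jsonLogin),
          body: {
            layout: null
          }
        })
          .expect('status', 200)
      })
  })

  it('POST erasure request with non-existing file path as layout parameter throws error', () => {
    return login(BJOERN_GMAIL)
      .then(({ json: jsonLogin }) => {
        // The raw filesystem error text is echoed back in the 500 body.
        return frisby.post(BASE_URL + '/dataerasure/', {
          headers: tokenCookie(jsonLogin),
          body: {
            layout: '../this/file/does/not/exist'
          }
        })
          .expect('status', 500)
          .expect('bodyContains', 'no such file or directory')
      })
  })

  it('POST erasure request with existing file path as layout parameter returns content truncated', () => {
    return login(BJOERN_GMAIL)
      .then(({ json: jsonLogin }) => {
        // An existing file outside the views directory is rendered; the
        // '......' marker is what the response contains in place of the remainder.
        return frisby.post(BASE_URL + '/dataerasure/', {
          headers: tokenCookie(jsonLogin),
          body: {
            layout: '../package.json'
          }
        })
          .expect('status', 200)
          .expect('bodyContains', 'juice-shop')
          .expect('bodyContains', '......')
      })
  })
})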