/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */
5
6import frisby = require('frisby')
7
// Every spec in this file talks to a locally running instance over plain HTTP;
// these are integration tests against that instance, not unit tests.
const jsonHeader = { 'content-type': 'application/json' }
const BASE_URL = 'http://localhost:3000'
// The REST API is mounted under /rest of the same origin.
const REST_URL = `${BASE_URL}/rest`
11
describe('/dataerasure', () => {
  // Fixture accounts. These appear to be the application's seeded demo users
  // (the same credentials recur across this public test suite), so hard-coding
  // them here is presumably not a secrets leak — do not copy the pattern for
  // real credentials. bjoern@owasp.org has a security answer on file;
  // bjoern.kimminich@gmail.com does not, which several specs below rely on.
  const userWithSecurityAnswer = { email: 'bjoern@owasp.org', password: 'kitten lesser pooch karate buffoon indoors' }
  const userWithoutSecurityAnswer = { email: 'bjoern.kimminich@gmail.com', password: 'bW9jLmxpYW1nQGhjaW5pbW1pay5ucmVvamI=' }

  // Authenticates through the REST login endpoint. The 200 expectation lives
  // here so that an unusable fixture account fails loudly at login instead of
  // surfacing as a misleading /dataerasure failure further down the chain.
  const login = ({ email, password }: { email: string, password: string }) =>
    frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: { email, password }
    }).expect('status', 200)

  // /dataerasure reads the session from a cookie named "token", not from an
  // Authorization header, so the login token is replayed as a plain cookie.
  const sessionCookie = (token: string) => ({ Cookie: `token=${token}` })

  it('GET erasure form for logged-in users includes their email and security question', () => {
    // The rendered form echoes the caller's own email and security question;
    // both values are scoped to the session presented in the cookie.
    return login(userWithSecurityAnswer).then(({ json }) => {
      return frisby.get(`${BASE_URL}/dataerasure/`, {
        headers: sessionCookie(json.authentication.token)
      })
        .expect('status', 200)
        .expect('bodyContains', userWithSecurityAnswer.email)
        .expect('bodyContains', 'Name of your favorite pet?')
    })
  })

  it('GET erasure form rendering fails for users without assigned security answer', () => {
    // A missing security answer surfaces as a 500 whose body carries the raw
    // server-side error text. This pins the current behaviour; it is not an
    // endorsement of leaking exception messages to the client.
    return login(userWithoutSecurityAnswer).then(({ json }) => {
      return frisby.get(`${BASE_URL}/dataerasure/`, {
        headers: sessionCookie(json.authentication.token)
      })
        .expect('status', 500)
        .expect('bodyContains', 'Error: No answer found!')
    })
  })

  it('GET erasure form rendering fails on unauthenticated access', () => {
    // No cookie at all. Note the endpoint answers 500 with an error string
    // rather than 401/403 — the assertion below documents what the app does
    // today, not what an authentication failure should look like.
    return frisby.get(`${BASE_URL}/dataerasure/`)
      .expect('status', 500)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })

  it('POST erasure request does not actually delete the user', () => {
    // This request is submitted as multipart form data, unlike the JSON
    // bodies used by the other POSTs in this file.
    const erasureForm = frisby.formData()
    erasureForm.append('email', userWithoutSecurityAnswer.email)

    return login(userWithoutSecurityAnswer)
      .then(({ json }) => {
        return frisby.post(`${BASE_URL}/dataerasure/`, {
          headers: sessionCookie(json.authentication.token),
          body: erasureForm
        })
          .expect('status', 200)
          .expect('header', 'Content-Type', 'text/html; charset=utf-8')
      })
      // "Erasure" is a no-op: the supposedly erased account still logs in.
      .then(() => login(userWithoutSecurityAnswer))
  })

  it('POST erasure form fails on unauthenticated access', () => {
    // Same status/message pair as the unauthenticated GET above.
    return frisby.post(`${BASE_URL}/dataerasure/`)
      .expect('status', 500)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })

  it('POST erasure request with empty layout parameter returns', () => {
    // A null "layout" is accepted and the page still renders. Only the status
    // is pinned, so this says nothing about the response body.
    // NOTE(review): the spec title reads as unfinished ("returns" what?).
    return login(userWithoutSecurityAnswer).then(({ json }) => {
      return frisby.post(`${BASE_URL}/dataerasure/`, {
        headers: sessionCookie(json.authentication.token),
        body: {
          layout: null
        }
      })
        .expect('status', 200)
    })
  })

  it('POST erasure request with non-existing file path as layout parameter throws error', () => {
    // The client-supplied "layout" value is resolved as a filesystem path and
    // the resulting fs error text ends up in the response. Together with the
    // 200 in the next spec this is a file-existence oracle for the client.
    return login(userWithoutSecurityAnswer).then(({ json }) => {
      return frisby.post(`${BASE_URL}/dataerasure/`, {
        headers: sessionCookie(json.authentication.token),
        body: {
          layout: '../this/file/does/not/exist'
        }
      })
        .expect('status', 500)
        .expect('bodyContains', 'no such file or directory')
    })
  })

  it('POST erasure request with existing file path as layout parameter returns content truncated', () => {
    // Path traversal via the "layout" field: the ".." segment is honoured and
    // the contents of package.json are rendered into the response (truncated,
    // hence the "......" marker). This spec pins the application's deliberate
    // vulnerability for training purposes; in any other codebase a template or
    // layout path must never be taken from the request.
    return login(userWithoutSecurityAnswer).then(({ json }) => {
      return frisby.post(`${BASE_URL}/dataerasure/`, {
        headers: sessionCookie(json.authentication.token),
        body: {
          layout: '../package.json'
        }
      })
        .expect('status', 200)
        .expect('bodyContains', 'juice-shop')
        .expect('bodyContains', '......')
    })
  })
})
157