/*
* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
* SPDX-License-Identifier: MIT
*/
6import frisby = require('frisby')
7import { expect } from '@jest/globals'
8import config from 'config'
9import path from 'path'
10const fs = require('fs')
// Shared request defaults for this spec: the base URL of the locally running
// REST backend and the JSON content type used for the login request body.
const REST_URL = 'http://localhost:3000/rest'
const jsonHeader = { 'content-type': 'application/json' }
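/**
 * Logs in as the `jim` test account and returns the frisby chain after the
 * 200 expectation, so callers can continue with `.then(({ json }) => ...)`
 * and read the bearer token from `json.authentication.token`.
 */
function loginAsJim () {
  return frisby.post(`${REST_URL}/user/login`, {
    headers: jsonHeader,
    body: {
      email: `jim@${config.get<string>('application.domain')}`,
      password: 'ncc-1701'
    }
  })
    .expect('status', 200)
}

/**
 * Builds a multipart form carrying one fixture file from `../files`
 * (relative to this spec) as the `image` part plus a fixed `caption`.
 *
 * @param fileName - file name inside the `../files` fixture directory
 */
function imageForm (fileName: string) {
  const file = path.resolve(__dirname, `../files/${fileName}`)
  const form = frisby.formData()
  form.append('image', fs.createReadStream(file), 'Valid Image')
  form.append('caption', 'Valid Image')
  return form
}

/**
 * Request headers for posting `form` to /rest/memories: the multipart
 * content type (carrying the form's boundary) and, when a token is given,
 * the bearer Authorization header.
 *
 * @param form - form created with frisby.formData()
 * @param token - JWT from the login response; omitted for unauthenticated calls
 */
function multipartHeaders (form: ReturnType<typeof frisby.formData>, token?: string) {
  const headers: Record<string, string> = {
    // @ts-expect-error FIXME form.getHeaders() is not found
    'Content-Type': form.getHeaders()['content-type']
  }
  if (token !== undefined) {
    headers.Authorization = `Bearer ${token}`
  }
  return headers
}

describe('/rest/memories', () => {
  it('GET memories via public API', () => {
    // Listing memories requires no authentication.
    return frisby.get(`${REST_URL}/memories`)
      .expect('status', 200)
  })

  it('GET memories via a valid authorization token', () => {
    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.get(`${REST_URL}/memories`, {
          headers: { ...jsonHeader, Authorization: `Bearer ${jsonLogin.authentication.token}` }
        })
          .expect('status', 200)
      })
  })

  it('POST new memory is forbidden via public API', () => {
    const form = imageForm('validProfileImage.jpg')
    // Creating a memory without a bearer token must be rejected with 401.
    return frisby.post(`${REST_URL}/memories`, {
      headers: multipartHeaders(form),
      body: form
    })
      .expect('status', 401)
  })

  it('POST new memory image file invalid type', () => {
    const form = imageForm('invalidProfileImageType.docx')
    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        // An authenticated upload of a non-image file is refused; the server
        // currently answers with a 500 for this case.
        return frisby.post(`${REST_URL}/memories`, {
          headers: multipartHeaders(form, jsonLogin.authentication.token),
          body: form
        })
          .expect('status', 500)
      })
  })

  it('POST new memory with valid for JPG format image', () => {
    const form = imageForm('validProfileImage.jpg')
    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.post(`${REST_URL}/memories`, {
          headers: multipartHeaders(form, jsonLogin.authentication.token),
          body: form
        })
          .expect('status', 200)
          .then(({ json }) => {
            expect(json.data.caption).toBe('Valid Image')
            // The created memory is attributed to the logged-in user (jim's UserId is 2 in the test data).
            expect(json.data.UserId).toBe(2)
          })
      })
  })

  it('Should not crash the node-js server when sending invalid content like described in CVE-2022-24434', () => {
    // Regression test: the raw multipart body below reproduces the malformed
    // input described for CVE-2022-24434 (presumably the leading space before
    // Content-Disposition is what makes the part header malformed, see the
    // asserted error text). Headers and body are deliberately kept verbatim;
    // the expected outcome is a handled 500, not a crashed process.
    return frisby.post(`${REST_URL}/memories`, {
      headers: {
        'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',
        'Content-Length': '145'
      },
      body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'
    })
      .expect('status', 500)
      .expect('bodyContains', 'Error: Malformed part header')
  })
})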