juice-shop
123 строки · 4.1 Кб
1/*2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.3* SPDX-License-Identifier: MIT4*/5import frisby = require('frisby')7import { expect } from '@jest/globals'8import config from 'config'9import path from 'path'10const fs = require('fs')11const jsonHeader = { 'content-type': 'application/json' }13const REST_URL = 'http://localhost:3000/rest'14describe('/rest/memories', () => {16it('GET memories via public API', () => {17return frisby.get(REST_URL + '/memories')18.expect('status', 200)19})20it('GET memories via a valid authorization token', () => {22return frisby.post(REST_URL + '/user/login', {23headers: jsonHeader,24body: {25email: 'jim@' + config.get<string>('application.domain'),26password: 'ncc-1701'27}28})29.expect('status', 200)30.then(({ json: jsonLogin }) => {31return frisby.get(REST_URL + '/memories', {32headers: { Authorization: 'Bearer ' + jsonLogin.authentication.token, 'content-type': 'application/json' }33})34.expect('status', 200)35})36})37it('POST new memory is forbidden via public API', () => {39const file = path.resolve(__dirname, '../files/validProfileImage.jpg')40const form = frisby.formData()41form.append('image', fs.createReadStream(file), 'Valid Image')42form.append('caption', 'Valid Image')43return frisby.post(REST_URL + '/memories', {45headers: {46// @ts-expect-error FIXME form.getHeaders() is not found47'Content-Type': form.getHeaders()['content-type']48},49body: form50})51.expect('status', 401)52})53it('POST new memory image file invalid type', () => {55const file = path.resolve(__dirname, '../files/invalidProfileImageType.docx')56const form = frisby.formData()57form.append('image', fs.createReadStream(file), 'Valid Image')58form.append('caption', 'Valid Image')59return frisby.post(REST_URL + '/user/login', {61headers: jsonHeader,62body: {63email: 'jim@' + config.get<string>('application.domain'),64password: 'ncc-1701'65}66})67.expect('status', 200)68.then(({ json: jsonLogin }) => {69return frisby.post(REST_URL + '/memories', {70headers: {71Authorization: 'Bearer ' + jsonLogin.authentication.token,72// @ts-expect-error FIXME form.getHeaders() is not found73'Content-Type': form.getHeaders()['content-type']74},75body: form76})77.expect('status', 500)78})79})80it('POST new memory with valid for JPG format image', () => {82const file = path.resolve(__dirname, '../files/validProfileImage.jpg')83const form = frisby.formData()84form.append('image', fs.createReadStream(file), 'Valid Image')85form.append('caption', 'Valid Image')86return frisby.post(REST_URL + '/user/login', {88headers: jsonHeader,89body: {90email: 'jim@' + config.get<string>('application.domain'),91password: 'ncc-1701'92}93})94.expect('status', 200)95.then(({ json: jsonLogin }) => {96return frisby.post(REST_URL + '/memories', {97headers: {98Authorization: 'Bearer ' + jsonLogin.authentication.token,99// @ts-expect-error FIXME form.getHeaders() is not found100'Content-Type': form.getHeaders()['content-type']101},102body: form103})104.expect('status', 200)105.then(({ json }) => {106expect(json.data.caption).toBe('Valid Image')107expect(json.data.UserId).toBe(2)108})109})110})111it('Should not crash the node-js server when sending invalid content like described in CVE-2022-24434', () => {113return frisby.post(REST_URL + '/memories', {114headers: {115'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryoo6vortfDzBsDiro',116'Content-Length': '145'117},118body: '------WebKitFormBoundaryoo6vortfDzBsDiro\r\n Content-Disposition: form-data; name="bildbeschreibung"\r\n\r\n\r\n------WebKitFormBoundaryoo6vortfDzBsDiro--'119})120.expect('status', 500)121.expect('bodyContains', 'Error: Malformed part header')122})123})124