/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import frisby = require('frisby')
import config from 'config'
import path from 'path'
const fs = require('fs')

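const jsonHeader = { 'content-type': 'application/json' }
const REST_URL = 'http://localhost:3000/rest'
// NOTE: shadows the global `URL` constructor inside this file; nothing here uses the global.
const URL = 'http://localhost:3000'

/**
 * Logs in as the seeded demo user "jim" and resolves with the login response.
 * The credentials are the well-known Juice Shop fixture account, not a real
 * secret. Callers read the JWT from `json.authentication.token`.
 * A 200 is asserted here so that a broken login fails in this step instead of
 * surfacing as a confusing 500 from the upload request that follows.
 */
const loginAsJim = () => {
  return frisby.post(`${REST_URL}/user/login`, {
    headers: jsonHeader,
    body: {
      email: `jim@${config.get<string>('application.domain')}`,
      password: 'ncc-1701'
    }
  })
    .expect('status', 200)
}

/**
 * Builds the headers for a multipart request: the form's own Content-Type
 * (it carries the generated boundary, so it cannot be hard-coded) plus, when
 * a token is given, the `token` cookie the server authenticates the upload
 * with. Omitting the token is how the anonymous-access cases are exercised.
 */
const multipartHeaders = (form: ReturnType<typeof frisby.formData>, token?: string) => {
  // @ts-expect-error FIXME form.getHeaders() is not found
  const contentType: string = form.getHeaders()['content-type']
  const headers: Record<string, string> = { 'Content-Type': contentType }
  if (token !== undefined) {
    headers.Cookie = `token=${token}`
  }
  return headers
}

/** Wraps a fixture file (path relative to this spec) in a multipart form under the `file` field. */
const fileForm = (fixture: string) => {
  const form = frisby.formData()
  form.append('file', fs.createReadStream(path.resolve(__dirname, fixture)))
  return form
}

/** Wraps an image URL in a multipart form under the `imageUrl` field. */
const urlForm = (imageUrl: string) => {
  const form = frisby.formData()
  form.append('imageUrl', imageUrl)
  return form
}

describe('/profile/image/file', () => {
  it('POST profile image file valid for JPG format', () => {
    // The form (and its file stream) is created before logging in, as in the original ordering.
    const form = fileForm('../files/validProfileImage.jpg')

    return loginAsJim().then(({ json: jsonLogin }) => {
      return frisby.post(`${URL}/profile/image/file`, {
        headers: multipartHeaders(form, jsonLogin.authentication.token),
        body: form,
        // A successful upload answers with a redirect; assert it rather than follow it.
        redirect: 'manual'
      })
        .expect('status', 302)
    })
  })

  it('POST profile image file invalid type', () => {
    const form = fileForm('../files/invalidProfileImageType.docx')

    return loginAsJim().then(({ json: jsonLogin }) => {
      return frisby.post(`${URL}/profile/image/file`, {
        headers: multipartHeaders(form, jsonLogin.authentication.token),
        body: form
      })
        .expect('status', 415)
        .expect('header', 'content-type', /text\/html/)
        // The rejection is rendered by the verbose Express error page. Pinning the
        // "<h1>... (Express" marker documents that framework/stack details are
        // exposed in the response - intentional in this training app, but an
        // information-disclosure finding anywhere else.
        .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
        .expect('bodyContains', 'Error: Profile image upload does not accept this file type')
    })
  })

  it('POST profile image file forbidden for anonymous user', () => {
    const form = fileForm('../files/validProfileImage.jpg')

    // No token cookie: the upload must be rejected. The server currently
    // reports this as a 500 error page rather than a 401/403; the property
    // this test guards is that no upload happens without a session.
    return frisby.post(`${URL}/profile/image/file`, {
      headers: multipartHeaders(form),
      body: form
    })
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })
})

describe('/profile/image/url', () => {
  // NOTE(review): this endpoint accepts a user-supplied URL. Whether the server
  // fetches it itself is not visible from this spec; if it does, the case below
  // that succeeds for a non-image host shows the URL is not validated before
  // use, which is an SSRF-class surface in any non-training deployment.
  it('POST profile image URL valid for image available online', () => {
    // Depends on an external host being reachable; an offline run fails here, not in the app.
    const form = urlForm('https://placekitten.com/g/100/100')

    return loginAsJim().then(({ json: jsonLogin }) => {
      return frisby.post(`${URL}/profile/image/url`, {
        headers: multipartHeaders(form, jsonLogin.authentication.token),
        body: form,
        redirect: 'manual'
      })
        .expect('status', 302)
    })
  })

  it('POST profile image URL redirects even for invalid image URL', () => {
    const form = urlForm('https://notanimage.here/100/100')

    return loginAsJim().then(({ json: jsonLogin }) => {
      return frisby.post(`${URL}/profile/image/url`, {
        headers: multipartHeaders(form, jsonLogin.authentication.token),
        body: form,
        redirect: 'manual'
      })
        // The server redirects without reporting that the URL is not an image.
        .expect('status', 302)
    })
  })

  // While this case is disabled, the unauthenticated path of /profile/image/url
  // has no coverage in this spec: the "Blocked illegal activity" guard is only
  // verified for the file upload endpoint above.
  xit('POST profile image URL forbidden for anonymous user', () => { // FIXME runs into "socket hang up"
    const form = urlForm('https://placekitten.com/g/100/100')

    return frisby.post(`${URL}/profile/image/url`, {
      headers: multipartHeaders(form),
      body: form
    })
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })
})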