/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */
5
6import frisby = require('frisby')
7import config from 'config'
8import path from 'path'
9const fs = require('fs')
10
// Header set sent with every JSON login request in this spec.
const jsonHeader = { 'content-type': 'application/json' }
// Base address of the locally running application; the REST API lives under /rest.
const URL = 'http://localhost:3000'
const REST_URL = `${URL}/rest`
14
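describe('/profile/image/file', () => {
  /**
   * Authenticates as the seeded user "jim" against the REST login endpoint.
   * Returns the FrisbySpec with the 200 status already asserted, so each test
   * chains `.then(({ json }) => ...)` on it and reads `json.authentication.token`.
   */
  const loginAsJim = () =>
    frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: {
        email: `jim@${config.get<string>('application.domain')}`,
        password: 'ncc-1701'
      }
    })
      .expect('status', 200)

  /**
   * Builds the multipart upload body: the named fixture from test/files is
   * streamed as form field `file`.
   *
   * @param fixtureName - file name inside the sibling `files` directory
   */
  const fileForm = (fixtureName: string) => {
    const file = path.resolve(__dirname, `../files/${fixtureName}`)
    const form = frisby.formData()
    form.append('file', fs.createReadStream(file))
    return form
  }

  it('POST profile image file valid for JPG format', () => {
    const form = fileForm('validProfileImage.jpg')

    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.post(`${URL}/profile/image/file`, {
          headers: {
            Cookie: `token=${jsonLogin.authentication.token}`,
            // @ts-expect-error FIXME form.getHeaders() is not found
            'Content-Type': form.getHeaders()['content-type']
          },
          body: form,
          // Do not follow the redirect: the 302 itself is what this test asserts.
          redirect: 'manual'
        })
          .expect('status', 302)
      })
  })

  it('POST profile image file invalid type', () => {
    const form = fileForm('invalidProfileImageType.docx')

    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.post(`${URL}/profile/image/file`, {
          headers: {
            Cookie: `token=${jsonLogin.authentication.token}`,
            // @ts-expect-error FIXME form.getHeaders() is not found
            'Content-Type': form.getHeaders()['content-type']
          },
          body: form
        })
          // The rejection is served as the HTML error page; both its heading and
          // the specific error text are pinned so a silently accepted file fails.
          .expect('status', 415)
          .expect('header', 'content-type', /text\/html/)
          .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
          .expect('bodyContains', 'Error: Profile image upload does not accept this file type')
      })
  })

  it('POST profile image file forbidden for anonymous user', () => {
    const form = fileForm('validProfileImage.jpg')

    // No token cookie at all: the server answers with its generic
    // "Blocked illegal activity" error page (status 500, not 401/403).
    return frisby.post(`${URL}/profile/image/file`, {
      // @ts-expect-error FIXME form.getHeaders() is not found
      headers: { 'Content-Type': form.getHeaders()['content-type'] },
      body: form
    })
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })
})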
87
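describe('/profile/image/url', () => {
  /**
   * Authenticates as the seeded user "jim" against the REST login endpoint.
   * Returns the FrisbySpec with the 200 status already asserted, so each test
   * chains `.then(({ json }) => ...)` on it and reads `json.authentication.token`.
   */
  const loginAsJim = () =>
    frisby.post(`${REST_URL}/user/login`, {
      headers: jsonHeader,
      body: {
        email: `jim@${config.get<string>('application.domain')}`,
        password: 'ncc-1701'
      }
    })
      .expect('status', 200)

  /**
   * Builds the multipart body carrying the remote image address as form field
   * `imageUrl`, which is the field the endpoint reads.
   *
   * @param imageUrl - address submitted as the new profile picture
   */
  const urlForm = (imageUrl: string) => {
    const form = frisby.formData()
    form.append('imageUrl', imageUrl)
    return form
  }

  it('POST profile image URL valid for image available online', () => {
    const form = urlForm('https://placekitten.com/g/100/100')

    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.post(`${URL}/profile/image/url`, {
          headers: {
            Cookie: `token=${jsonLogin.authentication.token}`,
            // @ts-expect-error FIXME form.getHeaders() is not found
            'Content-Type': form.getHeaders()['content-type']
          },
          body: form,
          // Do not follow the redirect: the 302 itself is what this test asserts.
          redirect: 'manual'
        })
          .expect('status', 302)
      })
  })

  it('POST profile image URL redirects even for invalid image URL', () => {
    // Unresolvable, non-image address: the endpoint still answers 302, i.e. it
    // does not reject the submitted URL up front. This test pins that behaviour.
    const form = urlForm('https://notanimage.here/100/100')

    return loginAsJim()
      .then(({ json: jsonLogin }) => {
        return frisby.post(`${URL}/profile/image/url`, {
          headers: {
            Cookie: `token=${jsonLogin.authentication.token}`,
            // @ts-expect-error FIXME form.getHeaders() is not found
            'Content-Type': form.getHeaders()['content-type']
          },
          body: form,
          redirect: 'manual'
        })
          .expect('status', 302)
      })
  })

  xit('POST profile image URL forbidden for anonymous user', () => { // FIXME runs into "socket hang up"
    const form = urlForm('https://placekitten.com/g/100/100')

    // No token cookie at all: expected to answer with the generic
    // "Blocked illegal activity" error page (status 500, not 401/403).
    return frisby.post(`${URL}/profile/image/url`, {
      // @ts-expect-error FIXME form.getHeaders() is not found
      headers: { 'Content-Type': form.getHeaders()['content-type'] },
      body: form
    })
      .expect('status', 500)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'Error: Blocked illegal activity')
  })
})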