/*
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
 * SPDX-License-Identifier: MIT
 */

import frisby = require('frisby')
import config from 'config'

const URL = 'http://localhost:3000'

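describe('/redirect', () => {
  // Integration tests for the /redirect endpoint of a Juice Shop instance running at URL.
  //
  // NOTE(review): several expectations below deliberately pin *insecure* behaviour of the
  // endpoint — a leaked stack trace when "to" is missing, and an allowlist check that is
  // satisfied by a substring of the target. They document the vulnerable state of the
  // endpoint rather than the desired one; if the server is hardened, these tests have to
  // be updated alongside it.

  // Targets /redirect is expected to forward to. Each value is passed verbatim as the "to"
  // parameter and must come back unchanged in the Location header, so a test proves the
  // redirect goes where its title claims rather than merely that *some* 302 was sent.
  const allowlistedTargets: string[] = [
    'https://github.com/juice-shop/juice-shop',
    'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
    'http://shop.spreadshirt.com/juiceshop',
    'http://shop.spreadshirt.de/juiceshop',
    'https://www.stickeryou.com/products/owasp-juice-shop/794',
    'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
    'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6'
  ]

  for (const target of allowlistedTargets) {
    it(`GET redirected to ${target} when this URL is passed as "to" parameter`, () => {
      // redirect: 'manual' returns the 302 itself instead of following it, so its
      // status and Location header can be inspected.
      return frisby.get(`${URL}/redirect?to=${target}`, { redirect: 'manual' })
        .expect('status', 302)
        .expect('header', 'location', target)
    })
  }

  // Shared expectations for the two requests that leave "to" undefined on the server: the
  // HTML error page leaks the application name, the exception type and the message of a
  // TypeError raised by calling `includes` on an undefined value (&#39; is the HTML-escaped
  // quote around the property name in that message).
  const expectLeakedTypeErrorPage = (spec: ReturnType<typeof frisby.get>) => spec
    .expect('status', 500)
    .expect('header', 'content-type', /text\/html/)
    .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
    .expect('bodyContains', 'TypeError')
    .expect('bodyContains', 'of undefined')
    .expect('bodyContains', '&#39;includes&#39;')

  it('GET error message with information leakage when calling /redirect without query parameter', () => {
    return expectLeakedTypeErrorPage(frisby.get(`${URL}/redirect`))
  })

  it('GET error message with information leakage when calling /redirect with unrecognized query parameter', () => {
    return expectLeakedTypeErrorPage(frisby.get(`${URL}/redirect?x=y`))
  })

  it('GET error message hinting at allowlist validation when calling /redirect with an unrecognized "to" target', () => {
    // A target matching nothing on the allowlist is rejected with 406 and echoed back in
    // the error page. This test uses a harmless value, so whether that echo is HTML-escaped
    // is not covered here — NOTE(review): worth a separate test with a target containing
    // `<` or `&`.
    return frisby.get(`${URL}/redirect?to=whatever`)
      .expect('status', 406)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', `<h1>${config.get<string>('application.name')} (Express`)
      .expect('bodyContains', 'Unrecognized target URL for redirect: whatever')
  })

  it('GET redirected to target URL in "to" parameter when a allow-listed URL is part of the query string', () => {
    // Allowlist bypass: "to" points at /score-board, which is not an allowlisted target, but
    // the allowlisted GitHub URL appears inside its query string and that is enough for the
    // server's substring check (the leaked stack trace above names `includes`). Without
    // redirect: 'manual' frisby follows the 302, so the assertions see the page served at
    // /score-board, recognised here by its script bundle names.
    return frisby.get(`${URL}/redirect?to=/score-board?satisfyIndexOf=https://github.com/juice-shop/juice-shop`)
      .expect('status', 200)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'main.js')
      .expect('bodyContains', 'runtime.js')
      .expect('bodyContains', 'polyfills.js')
  })
})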