1/*
2* Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3* SPDX-License-Identifier: MIT
4*/
5
6import frisby = require('frisby')7import config from 'config'8
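const URL = 'http://localhost:3000'

/**
 * API tests for the /redirect endpoint.
 *
 * The endpoint forwards the caller to the URL given in the "to" query parameter, but only if
 * that URL passes a server-side allowlist check. These tests pin down three things:
 *   1. every allow-listed target yields a 302,
 *   2. a missing or unrecognized "to" value produces Express' default HTML error page
 *      (which, as asserted below, leaks the TypeError and the offending method name), and
 *   3. an allow-listed URL appearing anywhere in the query string is accepted — the behaviour
 *      that the corresponding Juice Shop challenge is built around.
 */
describe('/redirect', () => {
  // Application name as it appears in the <h1> of Express' default error page.
  const appName = config.get<string>('application.name')

  // Targets the server is expected to forward to. Each gets an identically shaped test case
  // so that adding a target is a one-line change.
  const allowlistedTargets = [
    'https://github.com/juice-shop/juice-shop',
    'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm',
    'http://shop.spreadshirt.com/juiceshop',
    'http://shop.spreadshirt.de/juiceshop',
    'https://www.stickeryou.com/products/owasp-juice-shop/794',
    'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW',
    'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6'
  ]

  for (const target of allowlistedTargets) {
    it(`GET redirected to ${target} when this URL is passed as "to" parameter`, () => {
      // redirect: 'manual' stops frisby from following the Location header, so the 302 itself is asserted.
      return frisby.get(`${URL}/redirect?to=${target}`, { redirect: 'manual' })
        .expect('status', 302)
    })
  }

  // Requests that never supply a "to" value. Both surface an unhandled TypeError through the
  // default error handler; the assertions document the information that leaks in the response.
  const missingTargetCases = [
    { suffix: '', description: 'without query parameter' },
    { suffix: '?x=y', description: 'with unrecognized query parameter' }
  ]

  for (const { suffix, description } of missingTargetCases) {
    it(`GET error message with information leakage when calling /redirect ${description}`, () => {
      return frisby.get(`${URL}/redirect${suffix}`)
        .expect('status', 500)
        .expect('header', 'content-type', /text\/html/)
        .expect('bodyContains', `<h1>${appName} (Express`)
        .expect('bodyContains', 'TypeError')
        .expect('bodyContains', 'of undefined')
        // The method name quoted in the TypeError reveals how the allowlist check is performed.
        .expect('bodyContains', '\'includes\'')
    })
  }

  it('GET error message hinting at allowlist validation when calling /redirect with an unrecognized "to" target', () => {
    return frisby.get(`${URL}/redirect?to=whatever`)
      .expect('status', 406)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', `<h1>${appName} (Express`)
      // The rejected target is echoed back verbatim in the error message.
      .expect('bodyContains', 'Unrecognized target URL for redirect: whatever')
  })

  it('GET redirected to target URL in "to" parameter when a allow-listed URL is part of the query string', () => {
    // "satisfyIndexOf" is not a parameter the server reads; it only serves to place an allow-listed URL
    // inside the query string. The redirect to /score-board succeeding (200 plus the Angular bundles)
    // shows the allowlist is matched as a substring of the whole "to" value rather than exactly.
    return frisby.get(`${URL}/redirect?to=/score-board?satisfyIndexOf=https://github.com/juice-shop/juice-shop`)
      .expect('status', 200)
      .expect('header', 'content-type', /text\/html/)
      .expect('bodyContains', 'main.js')
      .expect('bodyContains', 'runtime.js')
      .expect('bodyContains', 'polyfills.js')
  })
})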