Merge pull request #1208 from userlocalhost/fix/security/path_traversal

Added supplemental tests that were detected by OWASP ZAP.
dmm-com · Jul 3, 2024 · 1d9e07e · 1d9e07e
2 parents 689cd44 + 42ca164
commit 1d9e07e
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/group/tests/test_api_v2.py b/group/tests/test_api_v2.py
@@ -1,4 +1,7 @@
+import json
+
 import yaml
+from rest_framework import status
 
 from airone.lib.test import AironeViewTest
 from group.models import Group
@@ -41,6 +44,29 @@ def test_retrieve(self):
         self.assertEqual(len(body["members"]), 1)
         self.assertEqual(body["members"][0]["id"], user.id)
 
+    def test_update_group(self):
+        self.admin_login()
+
+        users = [self._create_user(x) for x in ["userA", "userB", "userC"]]
+        group = self._create_group("hoge")
+        users[0].groups.add(group)
+
+        update_params = {
+            "name": "fuga",
+            "members": [str(users[1].id), int(users[2].id)],
+        }
+        resp = self.client.put(
+            "/group/api/v2/groups/%s" % group.id, json.dumps(update_params), "application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+        # These statements checks whether "group" was updated expectedly
+        group.refresh_from_db()
+        self.assertEqual(group.name, "fuga")
+        self.assertEqual([x.id for x in users[0].groups.all()], [])
+        self.assertEqual([x.id for x in users[1].groups.all()], [group.id])
+        self.assertEqual([x.id for x in users[2].groups.all()], [group.id])
+
     def test_import(self):
         self.admin_login()
 

diff --git a/group/tests/test_security_inspection.py b/group/tests/test_security_inspection.py
@@ -0,0 +1,28 @@
+import json
+
+from rest_framework import status
+
+from airone.lib.test import AironeViewTest
+from group.models import Group
+
+
+class ViewTest(AironeViewTest):
+    def test_path_traversal(self):
+        self.admin_login()
+
+        # create a group to be tested
+        group = Group.objects.create(name="hoge")
+
+        # This is a parameter that has path traverasl attacking command
+        update_params = {
+            "name": "fuga",
+            "members": ["1", 2, "cat ../../../../../../../etc/os-release"],
+        }
+        resp = self.client.put(
+            "/group/api/v2/groups/%s" % group.id, json.dumps(update_params), "application/json"
+        )
+        self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertEqual(
+            resp.json(),
+            {"members": {"2": [{"message": "A valid integer is required.", "code": "AE-121000"}]}},
+        )