From 42ca164f21336ea9c64c78d128e9d880d59b91f5 Mon Sep 17 00:00:00 2001
From: Hiroyasu OHYAMA
Date: Tue, 2 Jul 2024 05:43:20 +0000
Subject: [PATCH] Added supplemental tests that were detected by OWASP ZAP.

---
 group/tests/test_api_v2.py | 26 +++++++++++++++++++++++
 group/tests/test_security_inspection.py | 28 +++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 group/tests/test_security_inspection.py

diff --git a/group/tests/test_api_v2.py b/group/tests/test_api_v2.py
index fc31c92a7..8d8ae3cea 100644
--- a/group/tests/test_api_v2.py
+++ b/group/tests/test_api_v2.py
@@ -1,4 +1,7 @@
+import json
+
 import yaml
+from rest_framework import status
 
 from airone.lib.test import AironeViewTest
 from group.models import Group
@@ -41,6 +44,29 @@ def test_retrieve(self):
 self.assertEqual(len(body["members"]), 1)
 self.assertEqual(body["members"][0]["id"], user.id)
 
+ def test_update_group(self):
+ self.admin_login()
+
+ users = [self._create_user(x) for x in ["userA", "userB", "userC"]]
+ group = self._create_group("hoge")
+ users[0].groups.add(group)
+
+ update_params = {
+ "name": "fuga",
+ "members": [str(users[1].id), int(users[2].id)],
+ }
+ resp = self.client.put(
+ "/group/api/v2/groups/%s" % group.id, json.dumps(update_params), "application/json"
+ )
+ self.assertEqual(resp.status_code, status.HTTP_200_OK)
+
+ # These statements checks whether "group" was updated expectedly
+ group.refresh_from_db()
+ self.assertEqual(group.name, "fuga")
+ self.assertEqual([x.id for x in users[0].groups.all()], [])
+ self.assertEqual([x.id for x in users[1].groups.all()], [group.id])
+ self.assertEqual([x.id for x in users[2].groups.all()], [group.id])
+
 def test_import(self):
 self.admin_login()
 
diff --git a/group/tests/test_security_inspection.py b/group/tests/test_security_inspection.py
new file mode 100644
index 000000000..1f77f4fe0
--- /dev/null
+++ b/group/tests/test_security_inspection.py
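Review bot: The intent behind `"members": [str(users[1].id), int(users[2].id)]` in test_update_group is not stated, and `int()` on an id that is already an integer reads as a no-op rather than as a deliberate contrast with the string form; a one-line comment such as `# members may arrive as string or integer IDs; both forms must be accepted` would make the coercion under test explicit. The test also exercises only the admin path; if the endpoint is admin-only, as `self.admin_login()` suggests but the hunk does not show, a companion case that logs in as a non-admin user and asserts `status.HTTP_403_FORBIDDEN` would pin the authorization side, which is what a scanner-driven change most needs. The comment `# These statements checks whether "group" was updated expectedly` would read better as `# Verify the name was changed and the member set was replaced, not merged`, since the assertion on `users[0]` specifically checks that the previous member was dropped. The enclosing test class starts outside the hunk.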
@@ -0,0 +1,28 @@
+import json
+
+from rest_framework import status
+
+from airone.lib.test import AironeViewTest
+from group.models import Group
+
+
+class ViewTest(AironeViewTest):
+ def test_path_traversal(self):
+ self.admin_login()
+
+ # create a group to be tested
+ group = Group.objects.create(name="hoge")
+
+ # This is a parameter that has path traverasl attacking command
+ update_params = {
+ "name": "fuga",
+ "members": ["1", 2, "cat ../../../../../../../etc/os-release"],
+ }
+ resp = self.client.put(
+ "/group/api/v2/groups/%s" % group.id, json.dumps(update_params), "application/json"
+ )
+ self.assertEqual(resp.status_code, status.HTTP_400_BAD_REQUEST)
+ self.assertEqual(
+ resp.json(),
+ {"members": {"2": [{"message": "A valid integer is required.", "code": "AE-121000"}]}},
+ )
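Review bot: What this test actually proves is that the `members` field rejects a non-integer value with `A valid integer is required.`; the `cat ../../../../../../../etc/os-release` string is never handed to a filesystem path or a shell here, so the name `test_path_traversal` and the comment `# This is a parameter that has path traverasl attacking command` (note the typo) claim more than the assertions verify. Renaming it to something like `test_members_rejects_non_integer_payload` and replacing the comment with `# ZAP probe: a command-like string in the integer-only members list must fail validation and never reach path or command handling` keeps the scanner origin without overstating the coverage. The payload also hard-codes member ids `"1"` and `2` without creating those users, and the exact-body assertion holds only while the integer check on index 2 fires before any existence check on the other entries; creating two users with `self._create_user(...)` as the update test in `test_api_v2.py` does, and using their ids, would make the expected error body independent of validation order. Whether an existence check can run before type validation is not visible in this hunk, so that part is a hedge.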