From b8eaab5665b78e58bb5e66259c03874be53ba217 Mon Sep 17 00:00:00 2001 From: Dominik Hanak Date: Fri, 16 Jun 2023 13:23:23 +0200 Subject: [PATCH] RHPAM-4719: Add unit test cases for XSS data --- .../OrganizationalUnitServiceTest.java | 106 ++++++++++++++++++ 1 file changed, 106 insertions(+) diff --git a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java index ad4f813252..845157b11a 100644 --- a/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java +++ b/uberfire-structure/uberfire-structure-backend/src/test/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java @@ -25,6 +25,7 @@ import javax.enterprise.event.Event; +import org.apache.commons.text.StringEscapeUtils; import org.assertj.core.api.Assertions; import org.assertj.core.api.Condition; import org.guvnor.structure.backend.organizationalunit.config.SpaceConfigStorageRegistryImpl; @@ -268,6 +269,77 @@ public void createValidOrganizationalUnitTest() { assertEquals(SPACE_DESCRIPTION, ou.getDescription()); assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId()); assertEquals(contributors, ou.getContributors()); + Assertions.assertThat(ou.getContributors()).hasSize(1); + Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> { + contributor.getUsername().equals(StringEscapeUtils.escapeHtml4(ADMIN)); + }); + } + + @Test + public void createOrganizationalUnitWithPersistentXssInContributorTest() { + final String persistentXssContributor = ""; + final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor); + + List contributors = new ArrayList<>(); + contributors.add(new Contributor(persistentXssContributor, + ContributorType.ADMIN)); + + setOUCreationPermission(true); + + final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME, + DEFAULT_GROUP_ID, + new ArrayList<>(), + contributors, + SPACE_DESCRIPTION); + + assertNotNull(ou); + verify(organizationalUnitFactory).newOrganizationalUnit(any()); + assertEquals(SPACE_NAME, ou.getName()); + assertEquals(SPACE_DESCRIPTION, ou.getDescription()); + assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId()); + + Assertions.assertThat(ou.getContributors()).hasSize(1); + Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> { + contributor.getUsername().equals(escapedPersistentXssContributor); + }); + } + + @Test + public void createOrganizationalUnitWithPersistentXssAndValidContributorTest() { + final String persistentXssContributor = ""; + final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor); + final String escapedAdminContributor = StringEscapeUtils.escapeHtml4(ADMIN); + final String regularContributor = "head_technician_junior-intern"; + + List contributors = new ArrayList<>(); + contributors.add(new Contributor(persistentXssContributor, + ContributorType.CONTRIBUTOR)); + contributors.add(new Contributor(ADMIN, + ContributorType.ADMIN)); + contributors.add(new Contributor(regularContributor, + ContributorType.OWNER)); + + setOUCreationPermission(true); + + final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME, + DEFAULT_GROUP_ID, + new ArrayList<>(), + contributors, + SPACE_DESCRIPTION); + + assertNotNull(ou); + verify(organizationalUnitFactory).newOrganizationalUnit(any()); + assertEquals(SPACE_NAME, ou.getName()); + assertEquals(SPACE_DESCRIPTION, ou.getDescription()); + assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId()); + + Assertions.assertThat(ou.getContributors()).hasSize(3); + Assertions.assertThat(ou.getContributors()).containsExactly(new Contributor(escapedPersistentXssContributor, + ContributorType.CONTRIBUTOR), + new Contributor(escapedAdminContributor, + ContributorType.ADMIN), + new Contributor(StringEscapeUtils.escapeHtml4(regularContributor), + ContributorType.OWNER)); } @Test @@ -326,6 +398,40 @@ public void testUpdateOrganizationalUnit() { verify(spaceConfigStorage).endBatch(); } + @Test + public void testContributorsPersistentXssOnUpdateOrganizationalUnit() { + final String persistentXssContributor = ""; + final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor); + + OrganizationalUnit organizationalUnit = + organizationalUnitService.updateOrganizationalUnit(SPACE_NAME, + DEFAULT_GROUP_ID, + Collections.singletonList( + new Contributor( + persistentXssContributor, + ContributorType.ADMIN + ) + ) + ); + + Assertions.assertThat(organizationalUnit) + .hasFieldOrPropertyWithValue("name", SPACE_NAME) + .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID); + + Assertions.assertThat(organizationalUnit.getContributors()).hasSize(1); + Assertions.assertThat(organizationalUnit.getContributors()).hasOnlyOneElementSatisfying((contributor) -> { + contributor.getUsername().equals(escapedPersistentXssContributor); + }); + + Assertions.assertThat(spaceInfo) + .hasFieldOrPropertyWithValue("name", SPACE_NAME) + .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID); + + verify(spaceConfigStorage).startBatch(); + verify(spaceConfigStorage).saveSpaceInfo(eq(spaceInfo)); + verify(spaceConfigStorage).endBatch(); + } + @Test public void testCheckChildrenRepositoryContributors() { OrganizationalUnit organizationalUnit = new OrganizationalUnitImpl(SPACE_NAME, DEFAULT_GROUP_ID);