カート削除のペネトレーションテスト追加

EC-CUBE · Feb 18, 2022 · b2942d6 · b2942d6
1 parent 665ebbc
commit b2942d6
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 1 deletion.
diff --git a/.github/workflows/penetration-tests.yml b/.github/workflows/penetration-tests.yml
@@ -13,6 +13,7 @@ jobs:
         group:
           - 'test/front_login/contact.test.ts'
           - 'test/front_login/cart/cart.test.ts'
+          - 'test/front_login/cart/cart_delete.test.ts'
 
     steps:
     - name: Checkout
@@ -28,6 +29,9 @@ jobs:
         git config --global user.name "$(git --no-pager log --format=format:'%an' -n 1)"
         git config --global user.email "$(git --no-pager log --format=format:'%ae' -n 1)"
         git am zap/patches/0001-CSRF-OWASP-ZAP.patch
+    - name: Apply patch to cart_delete
+      if: matrix.group == 'test/front_login/cart/cart_delete.test.ts'
+      run: git am zap/patches/0009-cart_delete.patch
 
     - name: Setup environment
       run: echo "COMPOSE_FILE=docker-compose.yml:docker-compose.pgsql.yml:docker-compose.dev.yml:docker-compose.owaspzap.yml:docker-compose.owaspzap.daemon.yml" >> $GITHUB_ENV

diff --git a/e2e-tests/test/front_login/cart/cart.test.ts b/e2e-tests/test/front_login/cart/cart.test.ts
@@ -4,7 +4,6 @@ import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../../utils/
 import { intervalRepeater } from '../../../utils/Progress';
 const zapClient = new ZapClient();
 
-// XXX define.php で USE_FILENAME_DIR_INDEX = true にしないと Active Scan が動作しない
 const url = `${PlaywrightConfig.use.baseURL}/cart/index.php`;
 
 test.describe.serial('カートページのテストをします', () => {

diff --git a/e2e-tests/test/front_login/cart/cart_delete.test.ts b/e2e-tests/test/front_login/cart/cart_delete.test.ts
@@ -0,0 +1,70 @@
+import { test, expect, chromium, Page } from '@playwright/test';
+import PlaywrightConfig from '../../../../playwright.config';
+import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../../utils/ZapClient';
+import { intervalRepeater } from '../../../utils/Progress';
+const zapClient = new ZapClient();
+
+const url = `${PlaywrightConfig.use.baseURL}/cart/index.php`;
+
+// zap/patches/0009-cart_delete.patch を適用する必要があります
+test.describe.serial('カートページのテストをします', () => {
+  let page: Page;
+  test.beforeAll(async () => {
+    await zapClient.setMode(Mode.Protect);
+    await zapClient.newSession('/zap/wrk/sessions/front_login_contact', true);
+    await zapClient.importContext(ContextType.FrontLogin);
+
+    if (!await zapClient.isForcedUserModeEnabled()) {
+      await zapClient.setForcedUserModeEnabled();
+      expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy();
+    }
+    const browser = await chromium.launch();
+    page = await browser.newPage();
+    await page.goto(url);
+  });
+
+  const detailURL = `${PlaywrightConfig.use.baseURL}/products/detail.php?product_id=1`;
+  test('商品詳細ページを表示します', async () => {
+    await page.goto(detailURL);
+    await expect(page.locator('#detailrightbloc > h2')).toContainText('アイスクリーム');
+  });
+
+  test('商品をカートに入れます', async () => {
+    await page.selectOption('select[name=classcategory_id1]', { label: '抹茶' });
+    await page.selectOption('select[name=classcategory_id2]', { label: 'S' });
+    await page.fill('input[name=quantity]', '2');
+    await page.click('[alt=カゴに入れる]');
+  });
+
+  test('カートの内容を確認します', async () => {
+    await expect(page.locator('h2.title')).toContainText('現在のカゴの中');
+    await expect(page.locator('table[summary=商品情報] >> tr >> nth=1')).toContainText('アイスクリーム');
+  });
+
+  test('カートを削除します', async () => {
+    page.on('dialog', dialog => dialog.accept());
+    await page.reload();
+    await page.click('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=0 >> text=削除');
+  });
+
+  test.describe('カート削除のテストを実行します[POST] @attack', () => {
+
+    let message: HttpMessage;
+    test('履歴を取得します', async () => {
+      const result = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1);
+      message = result.pop();
+    });
+
+    let scanId: number;
+    test('アクティブスキャンを実行します', async () => {
+      expect(message.requestBody).toContain('mode=delete');
+      scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody);
+      await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+    });
+
+    test('結果を確認します', async () => {
+      await zapClient.getAlerts(url, 0, 1, Risk.High)
+        .then(alerts => expect(alerts).toEqual([]));
+    });
+  });
+});
diff --git a/zap/patches/0009-cart_delete.patch b/zap/patches/0009-cart_delete.patch
@@ -0,0 +1,30 @@
+From 274562f19542ac7548c75a65677d0e46af89a655 Mon Sep 17 00:00:00 2001
+From: Kentaro Ohkouchi <[email protected]>
+Date: Fri, 18 Feb 2022 15:56:54 +0900
+Subject: [PATCH] =?UTF-8?q?=E3=82=AB=E3=83=BC=E3=83=88=E5=89=8A=E9=99=A4?=
+ =?UTF-8?q?=E3=81=97=E3=81=AA=E3=81=84=E3=82=88=E3=81=86=E3=81=AB=E3=81=99?=
+ =?UTF-8?q?=E3=82=8B=E3=83=91=E3=83=83=E3=83=81?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ data/class/SC_CartSession.php | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/class/SC_CartSession.php b/data/class/SC_CartSession.php
+index add3a0555..b022d932f 100644
+--- a/data/class/SC_CartSession.php
++++ b/data/class/SC_CartSession.php
+@@ -518,7 +518,7 @@ class SC_CartSession
+         $max = $this->getMax($productTypeId);
+         for ($i = 0; $i <= $max; $i++) {
+             if ($this->cartSession[$productTypeId][$i]['cart_no'] == $cart_no) {
+-                unset($this->cartSession[$productTypeId][$i]);
++                // unset($this->cartSession[$productTypeId][$i]);
+             }
+         }
+     }
+-- 
+2.34.1
+