Unit tests for Http3 xx status code based injection vulnerability#374
Conversation
…tion_vulnerability_fix' into Http3_xx_status_code_based_injection_vulnerability_fix
| vulnerabilityExposed = {VulnerabilityType.OPEN_REDIRECT_3XX_STATUS_CODE}, | ||
| description = | ||
| "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_OR_DOMAIN_IS_SAME") | ||
| "OPEN_REDIRECT_QUERY_PARAM_DIRECTLY_ADD_TO_LOCATION_HEADER_IF_NOT_HTTP_HTTPS_WWW_OR_DOMAIN_IS_SAME") |
There was a problem hiding this comment.
Ehis, we need to update in:
- https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/resources/i18n/messages.properties
- https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/resources/i18n/messages_en_US.properties
as well. Actually these strings are locale specific strings so if we don't update them then we will not be able to run the project. I would suggest to please build and run the project after the change to see if everything is running as expected.
preetkaran20
left a comment
There was a problem hiding this comment.
Please add the strings to message.properties files as well.
| verify(http3xxStatusCodeBasedInjection, times(1)) | ||
| .getVulnerablePayloadLevel6(requestEntity, "somedomain.com"); | ||
| } catch (URISyntaxException | MalformedURLException exception) { | ||
| exception.printStackTrace(); |
There was a problem hiding this comment.
I think it is better to throw error.
| assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK); | ||
| assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).isEqualTo(null); | ||
| verify(http3xxStatusCodeBasedInjection, times(1)) | ||
| .getVulnerablePayloadLevel5(requestEntity, (char) 0 + "//www.somedomain.com"); |
There was a problem hiding this comment.
Try using null character present in Constants file.
| "Level 2- test that the returnTo query parameter's value is not added to the Location header when it starts with http") | ||
| void | ||
| test_That_ReturnToQueryParameterValue_IsNotAddedToLocationHeader_WhenItStartsWith_Http_Level2() { | ||
| try { |
| import org.mockito.Mockito; | ||
| import org.springframework.http.*; | ||
|
|
||
| class Http3xxStatusCodeBasedInjectionTest { |
- added vulnerability description to messages.properties
| requestEntity, redirectUrl); | ||
| assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.FOUND); | ||
| assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).contains("/"); | ||
| verify(http3xxStatusCodeBasedInjection, times(1)) |
There was a problem hiding this comment.
as we have called this method at line 651 so this should be giving 1 time invocation. we can ignore this check.
| requestEntity, redirectUrl); | ||
| assertThat(responseEntity.getStatusCode()).isEqualTo(HttpStatus.OK); | ||
| assertThat(responseEntity.getHeaders().get(LOCATION_HEADER_KEY)).isEqualTo(null); | ||
| verify(http3xxStatusCodeBasedInjection, times(1)) |
There was a problem hiding this comment.
same we have called this method
There was a problem hiding this comment.
Hi @preetkaran20 ,
I need some clarity, should I remove the verify checks?
There was a problem hiding this comment.
yes as you have called the method from test case only so checking the verify doesn't give any benefit.
preetkaran20
left a comment
There was a problem hiding this comment.
overall looks good. only one cosmetic change.
- added vulnerability description to messages.properties - removed verify assertions
|
Thank you !!! |
|
Thank you Karan!!!
…On Mon, 18 Jul 2022, 12:15 pm Karan Preet Singh Sasan, < ***@***.***> wrote:
Thank you !!!
—
Reply to this email directly, view it on GitHub
<#374 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AFRLSUX4ZVYVZXNMSO7UADLVUU4GNANCNFSM53XRIAZQ>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
No description provided.