From 721f928e860e751de5901b53cdfe1e3895fd0568 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Wed, 18 Aug 2021 22:00:00 +0900 Subject: [PATCH 01/17] =?UTF-8?q?Options=20>=20ActiveScan=20>=20=E3=82=A2?= =?UTF-8?q?=E3=83=B3=E3=83=81CSRF=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- zap/options.properties | 1 + 1 file changed, 1 insertion(+) diff --git a/zap/options.properties b/zap/options.properties index fa8445ac469..64f23e25da6 100644 --- a/zap/options.properties +++ b/zap/options.properties @@ -13,6 +13,7 @@ anticsrf.tokens.token\(4\).name=form[_token] anticsrf.tokens.token\(4\).enabled=true anticsrf.tokens.token\(5\).name=shopping_shipping[_token] anticsrf.tokens.token\(5\).enabled=true +scanner.antiCSFR=true httpsessions.tokens.token\(0\).name=eccube httpsessions.tokens.token\(0\).enabled=true httpsessions.tokens.token\(1\).name=ecsessid From 54a5f79d532d217ec7dcccbb938debf10875ffda Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 19 Aug 2021 11:29:21 +0900 Subject: [PATCH 02/17] =?UTF-8?q?CSRF=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- zap/options.properties | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/zap/options.properties b/zap/options.properties index 64f23e25da6..57378037cdf 100644 --- a/zap/options.properties +++ b/zap/options.properties @@ -13,6 +13,10 @@ anticsrf.tokens.token\(4\).name=form[_token] anticsrf.tokens.token\(4\).enabled=true anticsrf.tokens.token\(5\).name=shopping_shipping[_token] anticsrf.tokens.token\(5\).enabled=true +anticsrf.tokens.token\(6\).name=contact[_token] +anticsrf.tokens.token\(6\).enabled=true +anticsrf.tokens.token\(7\).name=coupon_use[_token] +anticsrf.tokens.token\(7\).enabled=true scanner.antiCSFR=true httpsessions.tokens.token\(0\).name=eccube httpsessions.tokens.token\(0\).enabled=true From 3b6931d88b4acb9f7d4fdc5d34cdc42601c4e111 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Mon, 23 Aug 2021 20:03:13 +0900 Subject: [PATCH 03/17] =?UTF-8?q?CSRF=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- zap/options.properties | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/zap/options.properties b/zap/options.properties index 57378037cdf..700b0cfe334 100644 --- a/zap/options.properties +++ b/zap/options.properties @@ -17,6 +17,18 @@ anticsrf.tokens.token\(6\).name=contact[_token] anticsrf.tokens.token\(6\).enabled=true anticsrf.tokens.token\(7\).name=coupon_use[_token] anticsrf.tokens.token\(7\).enabled=true +anticsrf.tokens.token\(8\).name=customer_address[_token] +anticsrf.tokens.token\(8\).enabled=true +anticsrf.tokens.token\(9\).name=entry[_token] +anticsrf.tokens.token\(9\).enabled=true +anticsrf.tokens.token\(10\).name=admin_product[_token] +anticsrf.tokens.token\(10\).enabled=true +anticsrf.tokens.token\(11\).name=admin_search_product[_token] +anticsrf.tokens.token\(11\).enabled=true +anticsrf.tokens.token\(12\).name=admin_class_name[_token] +anticsrf.tokens.token\(12\).enabled=true +anticsrf.tokens.token\(13\).name=admin_class_category[_token] +anticsrf.tokens.token\(13\).enabled=true scanner.antiCSFR=true httpsessions.tokens.token\(0\).name=eccube httpsessions.tokens.token\(0\).enabled=true From c2672a967aadc8d61d709dfd6dfbc34ee46f72b8 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Mon, 30 Aug 2021 22:00:00 +0900 Subject: [PATCH 04/17] =?UTF-8?q?CSRF=E3=83=88=E3=83=BC=E3=82=AF=E3=83=B3?= =?UTF-8?q?=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- zap/options.properties | 80 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/zap/options.properties b/zap/options.properties index 700b0cfe334..80e8d8a0f0c 100644 --- a/zap/options.properties +++ b/zap/options.properties @@ -29,6 +29,86 @@ anticsrf.tokens.token\(12\).name=admin_class_name[_token] anticsrf.tokens.token\(12\).enabled=true anticsrf.tokens.token\(13\).name=admin_class_category[_token] anticsrf.tokens.token\(13\).enabled=true +anticsrf.tokens.token\(14\).name=class_name[_token] +anticsrf.tokens.token\(14\).enabled=true +anticsrf.tokens.token\(15\).name=admin_category[_token] +anticsrf.tokens.token\(15\).enabled=true +anticsrf.tokens.token\(16\).name=admin_product_tag[_token] +anticsrf.tokens.token\(16\).enabled=true +anticsrf.tokens.token\(17\).name=product_review[_token] +anticsrf.tokens.token\(17\).enabled=true +anticsrf.tokens.token\(18\).name=product_review_search[_token] +anticsrf.tokens.token\(18\).enabled=true +anticsrf.tokens.token\(19\).name=admin_search_order[_token] +anticsrf.tokens.token\(19\).enabled=true +anticsrf.tokens.token\(20\).name=order_pdf[_token] +anticsrf.tokens.token\(20\).enabled=true +anticsrf.tokens.token\(21\).name=order[_token] +anticsrf.tokens.token\(21\).enabled=true +anticsrf.tokens.token\(22\).name=admin_order_mail[_token] +anticsrf.tokens.token\(22\).enabled=true +anticsrf.tokens.token\(23\).name=coupon[_token] +anticsrf.tokens.token\(23\).enabled=true +anticsrf.tokens.token\(24\).name=admin_search_customer[_token] +anticsrf.tokens.token\(24\).enabled=true +anticsrf.tokens.token\(25\).name=admin_news[_token] +anticsrf.tokens.token\(25\).enabled=true +anticsrf.tokens.token\(26\).name=admin_layout[_token] +anticsrf.tokens.token\(26\).enabled=true +anticsrf.tokens.token\(27\).name=main_edit[_token] +anticsrf.tokens.token\(27\).enabled=true +anticsrf.tokens.token\(28\).name=block[_token] +anticsrf.tokens.token\(28\).enabled=true +anticsrf.tokens.token\(29\).name=recommend_product[_token] +anticsrf.tokens.token\(29\).enabled=true +anticsrf.tokens.token\(30\).name=shop_master[_token] +anticsrf.tokens.token\(30\).enabled=true +anticsrf.tokens.token\(31\).name=payment_register[_token] +anticsrf.tokens.token\(31\).enabled=true +anticsrf.tokens.token\(32\).name=delivery[_token] +anticsrf.tokens.token\(32\).enabled=true +anticsrf.tokens.token\(33\).name=tax_rule[_token] +anticsrf.tokens.token\(33\).enabled=true +anticsrf.tokens.token\(34\).name=mail[_token] +anticsrf.tokens.token\(34\).enabled=true +anticsrf.tokens.token\(35\).name=admin_member[_token] +anticsrf.tokens.token\(35\).enabled=true +anticsrf.tokens.token\(36\).name=admin_security[_token] +anticsrf.tokens.token\(36\).enabled=true +anticsrf.tokens.token\(37\).name=admin_search_login_history[_token] +anticsrf.tokens.token\(37\).enabled=true +anticsrf.tokens.token\(38\).name=admin_system_log[_token] +anticsrf.tokens.token\(38\).enabled=true +anticsrf.tokens.token\(39\).name=admin_system_masterdata[_token] +anticsrf.tokens.token\(39\).enabled=true +anticsrf.tokens.token\(40\).name=admin_system_masterdata_edit[_token] +anticsrf.tokens.token\(40\).enabled=true +anticsrf.tokens.token\(41\).name=api_admin_client[_token] +anticsrf.tokens.token\(41\).enabled=true +anticsrf.tokens.token\(42\).name=web_hook[_token] +anticsrf.tokens.token\(42\).enabled=true +anticsrf.tokens.token\(43\).name=search_plugin[_token] +anticsrf.tokens.token\(43\).enabled=true +anticsrf.tokens.token\(44\).name=product_review_config[_token] +anticsrf.tokens.token\(44\).enabled=true +anticsrf.tokens.token\(45\).name=securitychecker4_config[_token] +anticsrf.tokens.token\(45\).enabled=true +anticsrf.tokens.token\(46\).name=admin_template[_token] +anticsrf.tokens.token\(46\).enabled=true +anticsrf.tokens.token\(47\).name=admin_authentication[_token] +anticsrf.tokens.token\(47\).enabled=true +anticsrf.tokens.token\(48\).name=mail_magazine[_token] +anticsrf.tokens.token\(48\).enabled=true +anticsrf.tokens.token\(49\).name=mail_magazine_template_edit[_token] +anticsrf.tokens.token\(49\).enabled=true +anticsrf.tokens.token\(50\).name=sales_report[_token] +anticsrf.tokens.token\(50\).enabled=true +anticsrf.tokens.token\(51\).name=admin_csv_import[_token] +anticsrf.tokens.token\(51\).enabled=true +anticsrf.tokens.token\(52\).name=plugin_local_install[_token] +anticsrf.tokens.token\(52\).enabled=true +anticsrf.tokens.token\(53\).name=admin_change_password[_token] +anticsrf.tokens.token\(53\).enabled=true scanner.antiCSFR=true httpsessions.tokens.token\(0\).name=eccube httpsessions.tokens.token\(0\).enabled=true From 1b266d501feb0e2510d51a5dc09a13bf5678fa0a Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 10:47:29 +0900 Subject: [PATCH 05/17] Refactoring --- .../ci/TypeScript/test/example.test.ts | 100 ++++++------------ zap/selenium/ci/TypeScript/utils/Progress.ts | 10 ++ .../TypeScript/utils/SeleniumCapabilities.ts | 18 ++++ zap/selenium/ci/TypeScript/utils/ZapClient.ts | 94 ++++++++++++++++ 4 files changed, 153 insertions(+), 69 deletions(-) create mode 100644 zap/selenium/ci/TypeScript/utils/Progress.ts create mode 100644 zap/selenium/ci/TypeScript/utils/SeleniumCapabilities.ts create mode 100644 zap/selenium/ci/TypeScript/utils/ZapClient.ts diff --git a/zap/selenium/ci/TypeScript/test/example.test.ts b/zap/selenium/ci/TypeScript/test/example.test.ts index 99ab1c0433b..56c1879114f 100644 --- a/zap/selenium/ci/TypeScript/test/example.test.ts +++ b/zap/selenium/ci/TypeScript/test/example.test.ts @@ -1,51 +1,36 @@ -import { Builder, By, Capabilities, Key, until, ProxyConfig } from 'selenium-webdriver' -const ClientApi = require('zaproxy'); -const zaproxy = new ClientApi({ - apiKey: null, - proxy: 'http://127.0.0.1:8090' -}); +import { Builder, By, Key, until } from 'selenium-webdriver' +import { ZapClient, Mode, ContextType, Risk } from '../utils/ZapClient'; +import { intervalRepeater } from '../utils/Progress'; +import { SeleniumCapabilities } from '../utils/SeleniumCapabilities'; +const zapClient = new ZapClient('http://127.0.0.1:8090'); -const proxy : ProxyConfig = { - proxyType: 'manual', - httpProxy: 'localhost:8090', - sslProxy: 'localhost:8090' -}; -const capabilities = Capabilities.chrome(); jest.setTimeout(6000000); -capabilities.set('chromeOptions', { - args: [ - '--headless', - '--disable-gpu', - '--window-size=1024,768' - ], - w3c: false -}) - .setAcceptInsecureCerts(true) - .setProxy(proxy); - const baseURL = 'https://ec-cube'; +const url = baseURL + '/contact'; + +beforeAll(async () => { + await zapClient.setMode(Mode.Protect); + await zapClient.newSession('/zap/wrk/sessions/front_login_contact', true); + await zapClient.importContext(ContextType.FrontLogin); + + if (!await zapClient.isForcedUserModeEnabled()) { + await zapClient.setForcedUserModeEnabled(); + expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); + } +}); + +afterEach(async () => { + await zapClient.snapshotSession(); +}); -test('example', async () => { +test('contact', async () => { const driver = await new Builder() - .withCapabilities(capabilities) + .withCapabilities(SeleniumCapabilities) .build(); try { - await zaproxy.core.setMode('protect'); - await zaproxy.core.newSession('/zap/wrk/sessions/front_login_contact', true); - await zaproxy.context.importContext('/zap/wrk/front_login.context'); - const isForcedUserModeEnabled = async (): Promise => { - const result: any = await zaproxy.forcedUser.isForcedUserModeEnabled(); - return JSON.parse(result.forcedModeEnabled); - }; - - if (!await isForcedUserModeEnabled()) { - await zaproxy.forcedUser.setForcedUserModeEnabled(true); - expect(await isForcedUserModeEnabled()).toBeTruthy(); - } - - await driver.get(baseURL + '/contact'); + await driver.get(url); const title = await driver.wait( until.elementLocated(By.className('ec-pageHeader')) , 10000).getText(); @@ -57,39 +42,16 @@ test('example', async () => { expect(await driver.findElement(By.id('contact_email')).getAttribute('value')).toBe('zap_user@example.com'); await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); - const numberOfMessagesResult = await zaproxy.core.numberOfMessages(baseURL + '/contact'); - const messages = await zaproxy.core.messages(baseURL + '/contact', numberOfMessagesResult.numberOfMessages, 10); - const requestBody = messages.messages.pop().requestBody; - - const scanResult = await zaproxy.ascan.scanAsUser(baseURL + '/contact', 2, 110, false, null, 'POST', requestBody); - - let progress = async () => { - const status = await zaproxy.ascan.status(scanResult.scan); - return status.status; - } + const message = await zapClient.getLastMessage(url); + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody); - await intervalRepeater(progress, 5000); + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); - await zaproxy.core.snapshotSession(); - const alertsResult = await zaproxy.core.alerts(baseURL); - alertsResult.alerts.forEach((alert: any) => { - if (alert.risk == 'High') { - console.log(alert); - throw new Error(alert.name); - } - }); + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } }); - -const sleep = (msec: number) => new Promise(resolve => setTimeout(resolve, msec)); -const intervalRepeater = async (callback: any, interval: number) => { - let progress = await callback(); - - while (progress < 100) { - progress = await callback(); - console.log(`Active Scan progress : ${progress}%`); - await sleep(interval); - } -} diff --git a/zap/selenium/ci/TypeScript/utils/Progress.ts b/zap/selenium/ci/TypeScript/utils/Progress.ts new file mode 100644 index 00000000000..c68be1ba1e0 --- /dev/null +++ b/zap/selenium/ci/TypeScript/utils/Progress.ts @@ -0,0 +1,10 @@ +const sleep = (msec: number) => new Promise(resolve => setTimeout(resolve, msec)); +export const intervalRepeater = async (callback: any, interval: number) => { + let progress = await callback(); + + while (progress < 100) { + progress = await callback(); + console.log(`Active Scan progress : ${progress}%`); + await sleep(interval); + } +} diff --git a/zap/selenium/ci/TypeScript/utils/SeleniumCapabilities.ts b/zap/selenium/ci/TypeScript/utils/SeleniumCapabilities.ts new file mode 100644 index 00000000000..2162a7af6b6 --- /dev/null +++ b/zap/selenium/ci/TypeScript/utils/SeleniumCapabilities.ts @@ -0,0 +1,18 @@ +import { Capabilities, ProxyConfig } from 'selenium-webdriver' +const proxy : ProxyConfig = { + proxyType: 'manual', + httpProxy: 'localhost:8090', + sslProxy: 'localhost:8090' +}; + +export const SeleniumCapabilities = Capabilities.chrome(); +SeleniumCapabilities.set('chromeOptions', { + args: [ + '--headless', + '--disable-gpu', + '--window-size=1024,768' + ], + w3c: false +}) + .setAcceptInsecureCerts(true) + .setProxy(proxy); diff --git a/zap/selenium/ci/TypeScript/utils/ZapClient.ts b/zap/selenium/ci/TypeScript/utils/ZapClient.ts new file mode 100644 index 00000000000..0cbf0b1370b --- /dev/null +++ b/zap/selenium/ci/TypeScript/utils/ZapClient.ts @@ -0,0 +1,94 @@ +const ClientApi = require('zaproxy'); +export const Mode = { + Safe: 'safe', + Protect: 'protect', + Standard: 'standard', + // Attack: 'attack' denger!! +} as const; +type Mode = typeof Mode[keyof typeof Mode]; + +export const ContextType = { + FrontLogin: 'front_login.context', + FrontGuest: 'front_guest.context', + Admin: 'admin.context' +} as const; +type ContextType = typeof ContextType[keyof typeof ContextType]; + +export const Risk = { + Informational: 0, + Low: 1, + Medium: 2, + High: 3 +} as const; +type Risk = typeof Risk[keyof typeof Risk]; + +export class ZapClient { + + private apiKey: string | null; + private proxy: string; + private readonly zaproxy; + + constructor(proxy: string, apiKey?: string | null) { + this.proxy = proxy; + this.apiKey = apiKey != undefined ? apiKey : null; + this.zaproxy = new ClientApi({ + apiKey: this.apiKey, + proxy: this.proxy + }); + } + + public async setMode(mode: Mode): Promise { + await this.zaproxy.core.setMode(mode); + } + + public async newSession(name: string, override: boolean): Promise { + await this.zaproxy.core.newSession(name, override); + } + + public async importContext(contextType: ContextType): Promise { + await this.zaproxy.context.importContext('/zap/wrk/' + contextType); + } + + public async isForcedUserModeEnabled(): Promise { + const result = await this.zaproxy.forcedUser.isForcedUserModeEnabled(); + return JSON.parse(result.forcedModeEnabled); + } + + public async setForcedUserModeEnabled(bool?: boolean): Promise { + await this.zaproxy.forcedUser.setForcedUserModeEnabled(bool ?? true); + } + + public async getNumberOfMessages(url: string): Promise { + const result = await this.zaproxy.core.numberOfMessages(url); + return JSON.parse(result.numberOfMessages); + } + + public async getMessages(url: string, start?: number, count?: number): Promise> { + const result = await this.zaproxy.core.messages(url, start, count); + return result.messages; + } + + public async getLastMessage(url: string): Promise { + const result = await this.getMessages(url, await this.getNumberOfMessages(url), 10); + return result.pop(); + } + + public async activeScanAsUser(url: string, contextId: number, userId: number, recurse?: boolean, scanPolicyName?: string | null, method?: 'GET' | 'POST' | 'PUT' | 'DELETE', postData?: string | null): Promise { + const result = await this.zaproxy.ascan.scanAsUser(url, contextId, userId, recurse ?? false, scanPolicyName ?? null, method ?? 'GET', postData ?? null); + return result.scan; + } + + public async getActiveScanStatus(scanId: number): Promise { + const result = await this.zaproxy.ascan.status(scanId); + return result.status; + } + + public async snapshotSession(): Promise { + await this.zaproxy.core.snapshotSession(); + } + + public async getAlerts(url: string, start?: number, count?:number, riskid?: Risk): Promise> { + const result = await this.zaproxy.core.alerts(url, start, count, riskid); + return result.alerts; + } +} From 029a70ba844372cffd497e5c2393983de8510247 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 09:33:32 +0900 Subject: [PATCH 06/17] =?UTF-8?q?=E7=A2=BA=E8=AA=8D=E2=86=92=E5=AE=8C?= =?UTF-8?q?=E4=BA=86=E3=83=9A=E3=83=BC=E3=82=B8=E3=81=AE=E3=83=86=E3=82=B9?= =?UTF-8?q?=E3=83=88=E3=82=92=E8=BF=BD=E5=8A=A0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../ci/TypeScript/test/example.test.ts | 68 ++++++++++++++++++- zap/selenium/ci/TypeScript/utils/ZapClient.ts | 5 ++ 2 files changed, 72 insertions(+), 1 deletion(-) diff --git a/zap/selenium/ci/TypeScript/test/example.test.ts b/zap/selenium/ci/TypeScript/test/example.test.ts index 56c1879114f..e155f359287 100644 --- a/zap/selenium/ci/TypeScript/test/example.test.ts +++ b/zap/selenium/ci/TypeScript/test/example.test.ts @@ -24,7 +24,33 @@ afterEach(async () => { await zapClient.snapshotSession(); }); -test('contact', async () => { +test('お問い合わせ - GET', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('ec-pageHeader')) + , 10000).getText(); + expect(title).toBe('お問い合わせ'); + + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'GET'); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); + + +test('お問い合わせ(入力ページ→確認ページ) - POST', async () => { const driver = await new Builder() .withCapabilities(SeleniumCapabilities) .build(); @@ -55,3 +81,43 @@ test('contact', async () => { driver && await driver.quit() } }); + +test('お問い合わせ(確認ページ→完了ページ) - POST', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('ec-pageHeader')) + , 10000).getText(); + expect(title).toBe('お問い合わせ'); + + await driver.findElement(By.id('contact_name_name01')).sendKeys('石'); + await driver.findElement(By.id('contact_name_name02')).sendKeys('球部'); + await driver.findElement(By.id('contact_contents')).sendKeys('お問い合わせ入力'); + expect(await driver.findElement(By.id('contact_email')).getAttribute('value')).toBe('zap_user@example.com'); + await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); + + const message = await zapClient.getLastMessage(url); + // 確認画面→完了画面に requestBody を書き換える + const requestBody = message.requestBody.replace(/mode=confirm/, 'mode=complete&mode2=dummy'); + // Content-Length を書き換えて手動リクエストを送信する + await zapClient.sendRequest( + message.requestHeader.replace('Content-Length: ' + message.requestBody.length, 'Content-Length: ' + requestBody.length) + requestBody + ); + + const completeMessage = await zapClient.getLastMessage(url); + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', completeMessage.requestBody); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); diff --git a/zap/selenium/ci/TypeScript/utils/ZapClient.ts b/zap/selenium/ci/TypeScript/utils/ZapClient.ts index 0cbf0b1370b..e48f05583c4 100644 --- a/zap/selenium/ci/TypeScript/utils/ZapClient.ts +++ b/zap/selenium/ci/TypeScript/utils/ZapClient.ts @@ -58,6 +58,11 @@ export class ZapClient { await this.zaproxy.forcedUser.setForcedUserModeEnabled(bool ?? true); } + public async sendRequest(request: string, followRedirects?: boolean): Promise { + const result = await this.zaproxy.core.sendRequest(request, followRedirects ?? false); + return result.sendRequest; + } + public async getNumberOfMessages(url: string): Promise { const result = await this.zaproxy.core.numberOfMessages(url); return JSON.parse(result.numberOfMessages); From 0e8c5c96063115885c780261621c527cc661309c Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 12:46:06 +0900 Subject: [PATCH 07/17] Rename --- .../test/front_guest/contact.test.ts | 128 ++++++++++++++++++ .../contact.test.ts} | 8 +- 2 files changed, 132 insertions(+), 4 deletions(-) create mode 100644 zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts rename zap/selenium/ci/TypeScript/test/{example.test.ts => front_login/contact.test.ts} (94%) diff --git a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts new file mode 100644 index 00000000000..51ed426f328 --- /dev/null +++ b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts @@ -0,0 +1,128 @@ +import { Builder, By, until } from 'selenium-webdriver' +import { ZapClient, Mode, ContextType, Risk } from '../../utils/ZapClient'; +import { intervalRepeater } from '../../utils/Progress'; +import { SeleniumCapabilities } from '../../utils/SeleniumCapabilities'; +const zapClient = new ZapClient('http://127.0.0.1:8090'); + +jest.setTimeout(6000000); + +const baseURL = 'https://ec-cube'; +const url = baseURL + '/contact'; + +beforeAll(async () => { + await zapClient.setMode(Mode.Protect); + await zapClient.newSession('/zap/wrk/sessions/front_guest_contact', true); + await zapClient.importContext(ContextType.FrontGuest); +}); + +afterEach(async () => { + await zapClient.snapshotSession(); +}); + +test('お問い合わせ - GET', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('ec-pageHeader')) + , 10000).getText(); + expect(title).toBe('お問い合わせ'); + + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'GET'); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); + + +test('お問い合わせ(入力ページ→確認ページ) - POST', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('ec-pageHeader')) + , 10000).getText(); + expect(title).toBe('お問い合わせ'); + + await driver.findElement(By.id('contact_name_name01')).sendKeys('石'); + await driver.findElement(By.id('contact_name_name02')).sendKeys('球部'); + await driver.findElement(By.id('contact_postal_code')).sendKeys('5300001'); + await driver.findElement(By.xpath('//*[@id="contact_address_pref"]/option[2]')).click(); + await driver.findElement(By.id('contact_address_addr01')).sendKeys('大阪市北区梅田'); + await driver.findElement(By.id('contact_address_addr02')).sendKeys('2-4-9'); + await driver.findElement(By.id('contact_phone_number')).sendKeys('999999999'); + await driver.findElement(By.id('contact_email')).sendKeys('zap_user@example.com'); + await driver.findElement(By.id('contact_contents')).sendKeys('お問い合わせ入力'); + await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); + + const message = await zapClient.getLastMessage(url); + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); + +test('お問い合わせ(確認ページ→完了ページ) - POST', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('ec-pageHeader')) + , 10000).getText(); + expect(title).toBe('お問い合わせ'); + + await driver.findElement(By.id('contact_name_name01')).sendKeys('石'); + await driver.findElement(By.id('contact_name_name02')).sendKeys('球部'); + await driver.findElement(By.id('contact_postal_code')).sendKeys('5300001'); + await driver.findElement(By.xpath('//*[@id="contact_address_pref"]/option[2]')).click(); + await driver.findElement(By.id('contact_address_addr01')).sendKeys('大阪市北区梅田'); + await driver.findElement(By.id('contact_address_addr02')).sendKeys('2-4-9'); + await driver.findElement(By.id('contact_phone_number')).sendKeys('999999999'); + await driver.findElement(By.id('contact_email')).sendKeys('zap_user@example.com'); + await driver.findElement(By.id('contact_contents')).sendKeys('お問い合わせ入力'); + await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); + + const message = await zapClient.getLastMessage(url); + // 確認画面→完了画面に requestBody を書き換える + const requestBody = message.requestBody.replace(/mode=confirm/, 'mode=complete&mode2=dummy'); + // Content-Length を書き換えて手動リクエストを送信する + await zapClient.sendRequest( + message.requestHeader.replace('Content-Length: ' + message.requestBody.length, 'Content-Length: ' + requestBody.length) + requestBody + ); + + const completeMessage = await zapClient.getLastMessage(url); + const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', completeMessage.requestBody); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); diff --git a/zap/selenium/ci/TypeScript/test/example.test.ts b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts similarity index 94% rename from zap/selenium/ci/TypeScript/test/example.test.ts rename to zap/selenium/ci/TypeScript/test/front_login/contact.test.ts index e155f359287..0685f2e69a3 100644 --- a/zap/selenium/ci/TypeScript/test/example.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts @@ -1,7 +1,7 @@ -import { Builder, By, Key, until } from 'selenium-webdriver' -import { ZapClient, Mode, ContextType, Risk } from '../utils/ZapClient'; -import { intervalRepeater } from '../utils/Progress'; -import { SeleniumCapabilities } from '../utils/SeleniumCapabilities'; +import { Builder, By, until } from 'selenium-webdriver' +import { ZapClient, Mode, ContextType, Risk } from '../../utils/ZapClient'; +import { intervalRepeater } from '../../utils/Progress'; +import { SeleniumCapabilities } from '../../utils/SeleniumCapabilities'; const zapClient = new ZapClient('http://127.0.0.1:8090'); jest.setTimeout(6000000); From e3e651029e941c684420521e541d92f5a5787c45 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 12:49:46 +0900 Subject: [PATCH 08/17] Use matrix --- .github/workflows/penetration-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml index 21e61ac9ebf..3722b537a1f 100644 --- a/.github/workflows/penetration-test.yml +++ b/.github/workflows/penetration-test.yml @@ -21,7 +21,8 @@ jobs: matrix: operating-system: [ ubuntu-18.04 ] group: - - contact + - 'test/front_login/contact.test.ts' + - 'test/front_guest/contact.test.ts' steps: - name: Checkout @@ -46,8 +47,7 @@ jobs: working-directory: zap/selenium/ci/TypeScript env: GROUP: ${{ matrix.group }} - # run: yarn jest --group=${GROUP} - run: yarn jest + run: yarn jest ${GROUP} - name: Upload evidence if: always() uses: actions/upload-artifact@v2 From e67da192a5f33d108a59e61c2ab011666e2effb3 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 13:44:26 +0900 Subject: [PATCH 09/17] Use scan --- zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts | 6 +++--- zap/selenium/ci/TypeScript/utils/ZapClient.ts | 5 +++++ 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts index 51ed426f328..cb4f00c624a 100644 --- a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts @@ -31,7 +31,7 @@ test('お問い合わせ - GET', async () => { , 10000).getText(); expect(title).toBe('お問い合わせ'); - const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'GET'); + const scanId = await zapClient.activeScan(url, false, true, null, 'GET', null, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); @@ -69,7 +69,7 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); const message = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody); + const scanId = await zapClient.activeScan(url, false, true, null, 'GET', message.requestBody, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); @@ -114,7 +114,7 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => ); const completeMessage = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', completeMessage.requestBody); + const scanId = await zapClient.activeScan(url, false, true, null, 'GET', completeMessage.requestBody, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); diff --git a/zap/selenium/ci/TypeScript/utils/ZapClient.ts b/zap/selenium/ci/TypeScript/utils/ZapClient.ts index e48f05583c4..1b13449fe53 100644 --- a/zap/selenium/ci/TypeScript/utils/ZapClient.ts +++ b/zap/selenium/ci/TypeScript/utils/ZapClient.ts @@ -83,6 +83,11 @@ export class ZapClient { return result.scan; } + public async activeScan(url: string, recurse?: boolean, inScopeOnly?: boolean, scanPolicyName?: string | null, method?: 'GET' | 'POST' | 'PUT' | 'DELETE', postData?: string | null, contextId?: number | null): Promise { + const result = await this.zaproxy.ascan.scan(url, recurse ?? false, inScopeOnly ?? true, scanPolicyName ?? null, method ?? 'GET', postData ?? null, contextId ?? null) + return result.scan; + } + public async getActiveScanStatus(scanId: number): Promise { const result = await this.zaproxy.ascan.status(scanId); return result.status; From b8f6a9f5dcc4b2c480d354dccce0c1900f54e143 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 13:45:05 +0900 Subject: [PATCH 10/17] Fix artifact with name --- .github/workflows/penetration-test.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml index 3722b537a1f..e36ba2f26de 100644 --- a/.github/workflows/penetration-test.yml +++ b/.github/workflows/penetration-test.yml @@ -48,9 +48,12 @@ jobs: env: GROUP: ${{ matrix.group }} run: yarn jest ${GROUP} + - env: + GROUP: ${{ matrix.group }} + run: echo "ARTIFACT_NAME=$(echo ${GROUP} | sed 's,/,-,g')" >> $GITHUB_ENV - name: Upload evidence if: always() uses: actions/upload-artifact@v2 with: - name: zap-${{ matrix.group }}-session + name: zap-${{ env.ARTIFACT_NAME }}-session path: zap/sessions From 6df14b10829347def7df5fcf2014e5b8f65a8dd6 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 13:54:35 +0900 Subject: [PATCH 11/17] Fix inScopeOnly to false --- zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts index cb4f00c624a..4d3129c7a18 100644 --- a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts @@ -31,7 +31,7 @@ test('お問い合わせ - GET', async () => { , 10000).getText(); expect(title).toBe('お問い合わせ'); - const scanId = await zapClient.activeScan(url, false, true, null, 'GET', null, 1); + const scanId = await zapClient.activeScan(url, false, false, null, 'GET', null, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); @@ -69,7 +69,7 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); const message = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScan(url, false, true, null, 'GET', message.requestBody, 1); + const scanId = await zapClient.activeScan(url, false, false, null, 'GET', message.requestBody, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); @@ -114,7 +114,7 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => ); const completeMessage = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScan(url, false, true, null, 'GET', completeMessage.requestBody, 1); + const scanId = await zapClient.activeScan(url, false, false, null, 'GET', completeMessage.requestBody, 1); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); From 96c103b47a6ac942327e25f183eb44f556c7815e Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 15:21:18 +0900 Subject: [PATCH 12/17] Remove snapshotSession --- .../test/front_guest/contact.test.ts | 24 ++++++++----------- .../test/front_login/contact.test.ts | 22 +++++++---------- 2 files changed, 19 insertions(+), 27 deletions(-) diff --git a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts index 4d3129c7a18..15b7ceee975 100644 --- a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts @@ -15,10 +15,6 @@ beforeAll(async () => { await zapClient.importContext(ContextType.FrontGuest); }); -afterEach(async () => { - await zapClient.snapshotSession(); -}); - test('お問い合わせ - GET', async () => { const driver = await new Builder() .withCapabilities(SeleniumCapabilities) @@ -36,9 +32,9 @@ test('お問い合わせ - GET', async () => { await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } @@ -74,9 +70,9 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } @@ -103,7 +99,7 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => await driver.findElement(By.id('contact_phone_number')).sendKeys('999999999'); await driver.findElement(By.id('contact_email')).sendKeys('zap_user@example.com'); await driver.findElement(By.id('contact_contents')).sendKeys('お問い合わせ入力'); - await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); + await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); const message = await zapClient.getLastMessage(url); // 確認画面→完了画面に requestBody を書き換える @@ -119,9 +115,9 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } diff --git a/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts index 0685f2e69a3..1dedcecd447 100644 --- a/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts @@ -20,10 +20,6 @@ beforeAll(async () => { } }); -afterEach(async () => { - await zapClient.snapshotSession(); -}); - test('お問い合わせ - GET', async () => { const driver = await new Builder() .withCapabilities(SeleniumCapabilities) @@ -41,9 +37,9 @@ test('お問い合わせ - GET', async () => { await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } @@ -74,9 +70,9 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } @@ -114,9 +110,9 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; } finally { driver && await driver.quit() } From d312a94c7f17675e15d88e536a63b1518e91e487 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 15:22:02 +0900 Subject: [PATCH 13/17] Add admin/order_mail.test.ts --- .github/workflows/penetration-test.yml | 1 + .../TypeScript/test/admin/order_mail.test.ts | 80 +++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100644 zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml index e36ba2f26de..5e89eff1493 100644 --- a/.github/workflows/penetration-test.yml +++ b/.github/workflows/penetration-test.yml @@ -23,6 +23,7 @@ jobs: group: - 'test/front_login/contact.test.ts' - 'test/front_guest/contact.test.ts' + - 'test/admin/order_mail.test.ts' steps: - name: Checkout diff --git a/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts new file mode 100644 index 00000000000..83bd3d79154 --- /dev/null +++ b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts @@ -0,0 +1,80 @@ +import { Builder, By, until } from 'selenium-webdriver' +import { ZapClient, Mode, ContextType, Risk } from '../../utils/ZapClient'; +import { intervalRepeater } from '../../utils/Progress'; +import { SeleniumCapabilities } from '../../utils/SeleniumCapabilities'; +const zapClient = new ZapClient('http://127.0.0.1:8090'); + +jest.setTimeout(6000000); + +const baseURL = 'https://ec-cube/admin'; +const url = baseURL + '/order/4/mail'; + +beforeAll(async () => { + await zapClient.setMode(Mode.Protect); + await zapClient.newSession('/zap/wrk/sessions/admin_order_mail', true); + await zapClient.importContext(ContextType.Admin); + + if (!await zapClient.isForcedUserModeEnabled()) { + await zapClient.setForcedUserModeEnabled(); + expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); + } +}); + +test('受注管理>メール通知 - GET', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('c-pageTitle__title')) + , 10000).getText(); + expect(title).toBe('メール通知'); + + const scanId = await zapClient.activeScan(url, false, false, null, 'GET', null, 1); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); + +test('受注管理>メール通知(確認ページ) - POST', async () => { + const driver = await new Builder() + .withCapabilities(SeleniumCapabilities) + .build(); + + try { + await driver.get(url); + const title = await driver.wait( + until.elementLocated(By.className('c-pageTitle__title')) + , 10000).getText(); + expect(title).toBe('メール通知'); + + await driver.findElement(By.xpath('//*[@id="template-change"]/option[2]')).click(); + const subject = await driver.wait( + until.elementLocated(By.xpath('//*[@id="admin_order_mail_mail_subject"]')) + , 10000).getAttribute('value'); + expect(subject).toBe('ご注文ありがとうございます'); + + await driver.findElement(By.xpath('//*[@id="order-mail-form"]/div[2]/div/div/div[2]/div/div/button')).click(); + + const message = await zapClient.getLastMessage(url); + const scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody); + + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); + + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + }));; + } finally { + driver && await driver.quit() + } +}); From 5f7dd47aa67e58a1cf1a0f57588f5019a4f1abee Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 16:04:04 +0900 Subject: [PATCH 14/17] Fix activeScan parameters --- .../ci/TypeScript/test/front_guest/contact.test.ts | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts index 15b7ceee975..61cb271d564 100644 --- a/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_guest/contact.test.ts @@ -27,14 +27,14 @@ test('お問い合わせ - GET', async () => { , 10000).getText(); expect(title).toBe('お問い合わせ'); - const scanId = await zapClient.activeScan(url, false, false, null, 'GET', null, 1); + const scanId = await zapClient.activeScan(url, false, true, null, 'GET', null); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } @@ -65,14 +65,14 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await driver.findElement(By.xpath('//*[@id="page_contact"]/div[1]/div[2]/div/div/div[2]/div/form/div[2]/div/div/button')).click(); const message = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScan(url, false, false, null, 'GET', message.requestBody, 1); + const scanId = await zapClient.activeScan(url, false, true, null, 'POST', message.requestBody); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } @@ -110,14 +110,14 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => ); const completeMessage = await zapClient.getLastMessage(url); - const scanId = await zapClient.activeScan(url, false, false, null, 'GET', completeMessage.requestBody, 1); + const scanId = await zapClient.activeScan(url, false, true, null, 'POST', completeMessage.requestBody); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } From 51bf8db2bd456d84b5f6a181297bfadc1fe541da Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 16:05:32 +0900 Subject: [PATCH 15/17] Fix format --- zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts | 8 ++++---- .../ci/TypeScript/test/front_login/contact.test.ts | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts index 83bd3d79154..622904e3d7a 100644 --- a/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts +++ b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts @@ -37,9 +37,9 @@ test('受注管理>メール通知 - GET', async () => { await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); await zapClient.getAlerts(url, 0, 1, Risk.High) - .then(alerts => alerts.forEach((alert: any) => { - throw new Error(alert.name); - }));; + .then(alerts => alerts.forEach((alert: any) => { + throw new Error(alert.name); + })); } finally { driver && await driver.quit() } @@ -73,7 +73,7 @@ test('受注管理>メール通知(確認ページ) - POST', async () => { await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } diff --git a/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts index 1dedcecd447..f9b9ef410c4 100644 --- a/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts +++ b/zap/selenium/ci/TypeScript/test/front_login/contact.test.ts @@ -39,7 +39,7 @@ test('お問い合わせ - GET', async () => { await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } @@ -72,7 +72,7 @@ test('お問い合わせ(入力ページ→確認ページ) - POST', async () => await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } @@ -112,7 +112,7 @@ test('お問い合わせ(確認ページ→完了ページ) - POST', async () => await zapClient.getAlerts(url, 0, 1, Risk.High) .then(alerts => alerts.forEach((alert: any) => { throw new Error(alert.name); - }));; + })); } finally { driver && await driver.quit() } From 1988552e5e7e61b7c1f1bd98bd758152a6cab417 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 16:17:41 +0900 Subject: [PATCH 16/17] Fix activeScanAsUser --- zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts index 622904e3d7a..7f8ca431379 100644 --- a/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts +++ b/zap/selenium/ci/TypeScript/test/admin/order_mail.test.ts @@ -32,7 +32,7 @@ test('受注管理>メール通知 - GET', async () => { , 10000).getText(); expect(title).toBe('メール通知'); - const scanId = await zapClient.activeScan(url, false, false, null, 'GET', null, 1); + const scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET'); await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000); From ff702d596839a8510258ebe6825dabfae9e95db4 Mon Sep 17 00:00:00 2001 From: Kentaro Ohkouchi Date: Thu, 16 Sep 2021 16:26:22 +0900 Subject: [PATCH 17/17] =?UTF-8?q?4.0,5=20=E3=81=AE=E8=84=86=E5=BC=B1?= =?UTF-8?q?=E6=80=A7=E3=82=92=E5=86=8D=E7=8F=BE=E3=81=99=E3=82=8B=E3=83=86?= =?UTF-8?q?=E3=82=B9=E3=83=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/penetration-test.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml index 5e89eff1493..78162fd2ecf 100644 --- a/.github/workflows/penetration-test.yml +++ b/.github/workflows/penetration-test.yml @@ -28,6 +28,12 @@ jobs: steps: - name: Checkout uses: actions/checkout@v2 + - name: Checkout vlunerability + run: | + git remote add upstream https://github.com/EC-CUBE/ec-cube + git fetch --tags upstream + git checkout refs/tags/4.0.5 src/Eccube/Resource/template/admin/Order/mail_confirm.twig + git checkout refs/tags/4.0.5 src/Eccube/Resource/template/default/Mail/ - name: Setup to EC-CUBE run: |