author | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2020-09-18 18:32:59 +0200 |
---|---|---|
committer | Daniel Calviño Sánchez <danxuliu@gmail.com> | 2020-09-18 20:31:03 +0200 |
commit | dfcc14c7524b8a10cd04c7766e5902a70ce6ee1d (patch) | |
tree | cffec577973f789a474b23fa3c77fb6cf5c8c015 | |
parent | 6eac4147400058e88ef9a26b0f8e74845447470c (diff) | |
Add integration tests for transferring files of a user with a risky name
The files:transfer-ownership command sanitizes the display names of users
with "risky" display names (those including characters like "\" or "/").
In order to allow (escaped) double quotes in the display name the
regular expression used in the "user XXX with displayname YYY exists"
step is not the "standard" one, "([^"]*)".
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
3 files changed, 61 insertions, 1 deletions
diff --git a/build/integration/features/bootstrap/CommandLineContext.php b/build/integration/features/bootstrap/CommandLineContext.php
index 5bb87c04a94..83d767f53bc 100644
--- a/build/integration/features/bootstrap/CommandLineContext.php
+++ b/build/integration/features/bootstrap/CommandLineContext.php
@@ -25,6 +25,7 @@ require __DIR__ . '/../../vendor/autoload.php';
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use PHPUnit\Framework\Assert;
 class CommandLineContext implements \Behat\Behat\Context\Context {
 use CommandLine;
@@ -127,4 +128,11 @@ class CommandLineContext implements \Behat\Behat\Context\Context {
 $davPath = rtrim($davPath, '/') . $this->lastTransferPath;
 $this->featureContext->usingDavPath($davPath);
 }
+
+ /**
+ * @Then /^transfer folder name contains "([^"]+)"$/
+ */
+ public function transferFolderNameContains($text) {
+ Assert::assertContains($text, $this->lastTransferPath);
+ }
 }
diff --git a/build/integration/features/bootstrap/Provisioning.php b/build/integration/features/bootstrap/Provisioning.php
index 4339c9a01af..c3fc21bbc8d 100644
--- a/build/integration/features/bootstrap/Provisioning.php
+++ b/build/integration/features/bootstrap/Provisioning.php
@@ -69,6 +69,23 @@ trait Provisioning {
 }
 /**
+ * @Given /^user "([^"]*)" with displayname "((?:[^"]|\\")*)" exists$/
+ * @param string $user
+ */
+ public function assureUserWithDisplaynameExists($user, $displayname) {
+ try {
+ $this->userExists($user);
+ } catch (\GuzzleHttp\Exception\ClientException $ex) {
+ $previous_user = $this->currentUser;
+ $this->currentUser = "admin";
+ $this->creatingTheUser($user, $displayname);
+ $this->currentUser = $previous_user;
+ }
+ $this->userExists($user);
+ Assert::assertEquals(200, $this->response->getStatusCode());
+ }
+
+ /**
 * @Given /^user "([^"]*)" does not exist$/
 * @param string $user
 */
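Review bot: `Assert::assertContains($text, $this->lastTransferPath)` in the new `transferFolderNameContains` step passes a string haystack, a form PHPUnit deprecated in 8.0 and removed in 9.0; `Assert::assertStringContainsString($text, $this->lastTransferPath);` states the intent and survives a PHPUnit upgrade (the version this suite pins is not visible here). `$this->lastTransferPath` is presumably only populated once a received transfer folder has been located, so an `Assert::assertNotEmpty($this->lastTransferPath);` ahead of the comparison would turn a mis-ordered scenario into a readable failure instead of a type error. Because this step is what proves the sanitized folder name, it is worth a one-line docblock description saying that it checks a substring of the last transfer path, not the whole name.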
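Review bot: The step pattern `"((?:[^"]|\\")*)"` accepts `\"` inside the display name, but `assureUserWithDisplaynameExists` hands the capture to `creatingTheUser` unchanged, so, unless Behat unescapes regex captures (I do not believe it does), the account is created with a literal backslash in front of each quote rather than a bare quote. Since the backslash is itself one of the characters the transfer command replaces, the scenario cannot show that a quote on its own is sanitized; either unescape first with `$displayname = str_replace('\\"', '"', $displayname);` or say in the docblock that the escaped form is sent verbatim. When `userExists` succeeds on the first attempt the display name is neither applied nor checked, so a leftover account makes the step pass with a different name. `$this->currentUser` is also left as "admin" if `creatingTheUser` throws; moving `$this->currentUser = $previous_user;` into a `finally` block avoids later steps running with admin rights, and the docblock is missing `@param string $displayname`.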
@@ -92,7 +109,7 @@ trait Provisioning {
 }
 }
- public function creatingTheUser($user) {
+ public function creatingTheUser($user, $displayname = '') {
 $fullUrl = $this->baseUrl . "v{$this->apiVersion}.php/cloud/users";
 $client = new Client();
 $options = [];
@@ -104,6 +121,9 @@ trait Provisioning {
 'userid' => $user,
 'password' => '123456'
 ];
+ if ($displayname !== '') {
+ $options['form_params']['displayName'] = $displayname;
+ }
 $options['headers'] = [
 'OCS-APIREQUEST' => 'true',
 ];
diff --git a/build/integration/features/transfer-ownership.feature b/build/integration/features/transfer-ownership.feature
index 265e1d370e4..49326c96d93 100644
--- a/build/integration/features/transfer-ownership.feature
+++ b/build/integration/features/transfer-ownership.feature
@@ -29,6 +29,22 @@ Feature: transfer-ownership
 And using received transfer folder of "user1" as dav path
 And as "user1" the folder "/test" exists
+ Scenario: transfering ownership from user with risky display name
+ Given user "user0" with displayname "user0 \"risky\"? ヂspḷay 'na|\/|e':.#" exists
+ And user "user1" exists
+ And User "user0" created a folder "/test"
+ And User "user0" uploads file "data/textfile.txt" to "/test/somefile.txt"
+ When transfering ownership from "user0" to "user1"
+ And the command was successful
+ And As an "user1"
+ And using received transfer folder of "user1" as dav path
+ Then Downloaded content when downloading file "/test/somefile.txt" with range "bytes=0-6" should be "This is"
+ And transfer folder name contains "transferred from user0 -risky- ヂspḷay -na|-|e- on"
+ And using old dav path
+ And as "user0" the folder "/test" does not exist
+ And using received transfer folder of "user1" as dav path
+ And as "user1" the folder "/test" exists
+
 Scenario: transfering ownership of file shares
 Given user "user0" exists
 And user "user1" exists
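Review bot: The new optional `$displayname` parameter of `creatingTheUser` is undocumented, and the empty string doubles as "not given" in the `if ($displayname !== '')` check of the following hunk, so nothing in the signature tells a caller that `''` leaves the server-side default in place. A docblock line such as `@param string $displayname display name to set; an empty string omits the field from the request` would make that contract explicit. Both hunks show only part of the method body, so whether the rest of the method needs to know about the display name cannot be judged from here.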
@@ -319,6 +335,22 @@ Feature: transfer-ownership
 And using received transfer folder of "user1" as dav path
 And as "user1" the folder "/test" exists
+ Scenario: transfering ownership from user with risky display name
+ Given user "user0" with displayname "user0 \"risky\"? ヂspḷay 'na|\/|e':.#" exists
+ And user "user1" exists
+ And User "user0" created a folder "/test"
+ And User "user0" uploads file "data/textfile.txt" to "/test/somefile.txt"
+ When transfering ownership of path "test" from "user0" to "user1"
+ And the command was successful
+ And As an "user1"
+ And using received transfer folder of "user1" as dav path
+ Then Downloaded content when downloading file "/test/somefile.txt" with range "bytes=0-6" should be "This is"
+ And transfer folder name contains "transferred from user0 -risky- ヂspḷay -na|-|e- on"
+ And using old dav path
+ And as "user0" the folder "/test" does not exist
+ And using received transfer folder of "user1" as dav path
+ And as "user1" the folder "/test" exists
+
 Scenario: transfering ownership of file shares
 Given user "user0" exists
 And user "user1" exists |