From fde00fefec9a82dbd6371093bd47aace3fb6a5f3 Mon Sep 17 00:00:00 2001
From: Martin Renvoize
Date: Wed, 14 Aug 2019 11:34:47 +0100
Subject: [PATCH] Bug 23329: (RM follow-up) Add regression tests

Test plan: Run the new tests and they should all pass once we've caught all cases

Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
Signed-off-by: Martin Renvoize
---
 t/db_dependent/www/regressions.t | 137 +++++++++++++++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 t/db_dependent/www/regressions.t

diff --git a/t/db_dependent/www/regressions.t b/t/db_dependent/www/regressions.t
new file mode 100644
index 0000000000..788e1bb13b
--- /dev/null
+++ b/t/db_dependent/www/regressions.t
@@ -0,0 +1,137 @@
+#!/usr/bin/env perl
+
+# This file is part of Koha.
+#
+# Koha is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# Koha is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Koha; if not, see .
+
+use Modern::Perl;
+
+use Test::More tests => 1;
+use Test::Mojo;
+use t::lib::TestBuilder;
+use t::lib::Mocks;
+
+use C4::Context;
+use C4::Biblio;
+
+use Koha::Database;
+
+use MARC::Field;
+
+my $intranet =
+ $ENV{KOHA_INTRANET_URL} || C4::Context->preference("staffClientBaseURL");
+my $opac = $ENV{KOHA_OPAC_URL} || C4::Context->preference("OPACBaseURL");
+
+my $t = Test::Mojo->new();
+my $schema = Koha::Database->new->schema;
+my $builder = t::lib::TestBuilder->new;
+
+subtest 'open redirection vulnerabilities in tracklinks' => sub {
+ plan tests => 30;
+
+ $schema->storage->txn_begin;
+
+ # No URI's
+ my $biblio = $builder->build_sample_biblio();
+ my $biblionumber1 = $biblio->biblionumber;
+
+ # Incorrect URI at Biblio level
+ $biblio = $builder->build_sample_biblio();
+ my $biblionumber2 = $biblio->biblionumber;
+ my $record = $biblio->metadata->record;
+ my $new856 = MARC::Field->new( '856', '', '', u => "www.bing.com" );
+ $record->insert_fields_ordered($new856);
+ C4::Biblio::ModBiblio( $record, $biblionumber2 );
+
+ # URI at Biblio level
+ $biblio = $builder->build_sample_biblio();
+ my $biblionumber3 = $biblio->biblionumber;
+ $record = $biblio->metadata->record;
+ $new856 = MARC::Field->new( '856', '', '', u => "www.google.com" );
+ $record->insert_fields_ordered($new856);
+ C4::Biblio::ModBiblio( $record, $biblionumber3 );
+
+ # URI at Item level
+ my $item = $builder->build_sample_item( { uri => 'www.google.com' } );
+ my $itemnumber1 = $item->itemnumber;
+
+ # Incorrect URI at Item level
+ $item = $builder->build_sample_item( { uri => 'www.bing.com ' } );
+ my $itemnumber2 = $item->itemnumber;
+
+ my $no_biblionumber =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com';
+ my $bad_biblionumber1 =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
+ . $biblionumber1;
+ my $bad_biblionumber2 =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
+ . $biblionumber2;
+ my $good_biblionumber =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&biblionumber='
+ . $biblionumber3;
+ my $bad_itemnumber =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
+ . $itemnumber2;
+ my $good_itemnumber =
+ '/cgi-bin/koha/tracklinks.pl?uri=http://www.google.com&itemnumber='
+ . $itemnumber1;
+
+ # Don't Track
+ t::lib::Mocks::mock_preference( 'TrackClicks', '' );
+ $t->get_ok( $opac . $no_biblionumber )
+ ->status_is( 404, "404 for no biblionumber" );
+ $t->get_ok( $opac . $bad_biblionumber1 )
+ ->status_is( 404, "404 for biblionumber containing no URI" );
+ $t->get_ok( $opac . $bad_biblionumber2 )
+ ->status_is( 404, "404 for biblionumber containing different URI" );
+ $t->get_ok( $opac . $good_biblionumber )
+ ->status_is( 302, "302 for biblionumber with matching URI" );
+ $t->get_ok( $opac . $bad_itemnumber )
+ ->status_is( 404, "404 for itemnumber containing different URI" );
+ $t->get_ok( $opac . $good_itemnumber )
+ ->status_is( 302, "302 for itemnumber with matching URI" );
+
+ # Track
+ t::lib::Mocks::mock_preference( 'TrackClicks', 'track' );
+ $t->get_ok( $opac . $no_biblionumber )
+ ->status_is( 404, "404 for no biblionumber" );
+ $t->get_ok( $opac . $bad_biblionumber1 )
+ ->status_is( 404, "404 for biblionumber containing no URI" );
+ $t->get_ok( $opac . $bad_biblionumber2 )
+ ->status_is( 404, "404 for biblionumber containing different URI" );
+ $t->get_ok( $opac . $good_biblionumber )
+ ->status_is( 302, "302 for biblionumber with matching URI" );
+ $t->get_ok( $opac . $bad_itemnumber )
+ ->status_is( 404, "404 for itemnumber containing different URI" );
+ $t->get_ok( $opac . $good_itemnumber )
+ ->status_is( 302, "302 for itemnumber with matching URI" );
+
+ # Track Anonymous
+ t::lib::Mocks::mock_preference( 'TrackClicks', 'anonymous' );
+ $t->get_ok( $opac . $no_biblionumber )
+ ->status_is( 404, "404 for no biblionumber" );
+ $t->get_ok( $opac . $bad_biblionumber1 )
+ ->status_is( 404, "404 for biblionumber containing no URI" );
+ $t->get_ok( $opac . $bad_biblionumber2 )
+ ->status_is( 404, "404 for biblionumber containing different URI" );
+ $t->get_ok( $opac . $good_biblionumber )
+ ->status_is( 302, "302 for biblionumber with matching URI" );
+ $t->get_ok( $opac . $bad_itemnumber )
+ ->status_is( 404, "404 for itemnumber containing different URI" );
+ $t->get_ok( $opac . $good_itemnumber )
+ ->status_is( 302, "302 for itemnumber with matching URI" );
+
+ $schema->storage->txn_rollback;
+};
-- 2.39.5
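Review bot: Every `->status_is( 302, ... )` in the three TrackClicks blocks checks only the status code, so the redirect target is never asserted and a tracklinks.pl that still redirected to the request's `uri` parameter rather than the stored 856$u or item URI would pass the "matching URI" cases unchanged; chain `->header_is( Location => 'http://www.google.com', 'redirects to the stored URI' )` after each of them and raise `plan tests => 30` to match. The mismatch fixtures use an unrelated host (`www.bing.com`) or no URI at all, so a near-miss such as `uri=http://www.google.com.evil.example` or `uri=http://www.google.com@evil.example` is never exercised, which is exactly the shape an open-redirect bypass takes if the comparison in tracklinks.pl is a prefix or substring match; the hunk does not show how that comparison is done, so one such 404 case per level would pin it down. `'www.bing.com '` in the item-level fixture looks like a stray trailing space, and `$intranet` is assigned but never used in this file.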