diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml index 1a3df478025..a8156d22060 100644 --- a/.github/workflows/penetration-test.yml +++ b/.github/workflows/penetration-test.yml @@ -18,6 +18,7 @@ jobs: - 'test/admin/content_layout.test.ts' - 'test/admin/content_layout_delete.test.ts' - 'test/admin/order_mail.test.ts' + - 'test/admin/change_password.test.ts' steps: - name: Checkout @@ -44,6 +45,10 @@ jobs: - run: | git config --global user.name "$(git --no-pager log --format=format:'%an' -n 1)" git config --global user.email "$(git --no-pager log --format=format:'%ae' -n 1)" + - name: Apply patch to change_password + if: matrix.group == 'test/admin/change_password.test.ts' + working-directory: zap/selenium/ci/TypeScript + run: git am patches/0001-Member.patch - name: Apply patch to delete_layout if: matrix.group == 'test/admin/content_layout_delete.test.ts' working-directory: zap/selenium/ci/TypeScript diff --git a/zap/selenium/ci/TypeScript/patches/0001-Member.patch b/zap/selenium/ci/TypeScript/patches/0001-Member.patch new file mode 100644 index 00000000000..8ace77b816e --- /dev/null +++ b/zap/selenium/ci/TypeScript/patches/0001-Member.patch @@ -0,0 +1,47 @@ +From 63c5f589b6cc19e875fd1d6d5742ac497732223c Mon Sep 17 00:00:00 2001 +From: Kentaro Ohkouchi +Date: Thu, 24 Feb 2022 11:58:18 +0900 +Subject: [PATCH] =?UTF-8?q?Member=20=E3=81=AE=E5=A4=89=E6=9B=B4=E3=82=92?= + =?UTF-8?q?=E9=98=B2=E6=AD=A2=E3=81=99=E3=82=8B=E3=83=91=E3=83=83=E3=83=81?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +--- + src/Eccube/Controller/Admin/AdminController.php | 6 +++--- + src/Eccube/Repository/MemberRepository.php | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/Eccube/Controller/Admin/AdminController.php b/src/Eccube/Controller/Admin/AdminController.php +index 2591f0623d..12ac73235b 100644 +--- a/src/Eccube/Controller/Admin/AdminController.php ++++ b/src/Eccube/Controller/Admin/AdminController.php +@@ -352,9 +352,9 @@ class AdminController extends AbstractController + + $password = $encoder->encodePassword($password, $salt); + +- $Member +- ->setPassword($password) +- ->setSalt($salt); ++ // $Member ++ // ->setPassword($password) ++ // ->setSalt($salt); + + $this->memberRepository->save($Member); + +diff --git a/src/Eccube/Repository/MemberRepository.php b/src/Eccube/Repository/MemberRepository.php +index 2f372b4f57..bc588be409 100644 +--- a/src/Eccube/Repository/MemberRepository.php ++++ b/src/Eccube/Repository/MemberRepository.php +@@ -99,7 +99,7 @@ class MemberRepository extends AbstractRepository + + $em = $this->getEntityManager(); + $em->persist($Member); +- $em->flush(); ++ // $em->flush(); + } + + /** +-- +2.34.1 + diff --git a/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts new file mode 100644 index 00000000000..0f74cfedd74 --- /dev/null +++ b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts @@ -0,0 +1,74 @@ +import { test, expect, chromium, Page } from '@playwright/test'; +import { intervalRepeater } from '../../utils/Progress'; +import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../utils/ZapClient'; +const zapClient = new ZapClient('http://127.0.0.1:8090'); + +const baseURL = 'https://ec-cube/admin'; +const url = baseURL + '/change_password'; + +// path/to/ec-cube/zap/selenium/ci/TypeScript/patches/0001-Member.patch を当てる必要がある +test.describe.serial('パスワード変更のテストをします', () => { + let page: Page; + test.beforeAll(async () => { + await zapClient.setMode(Mode.Protect); + await zapClient.newSession('/zap/wrk/sessions/admin_change_password', true); + await zapClient.importContext(ContextType.Admin); + + if (!await zapClient.isForcedUserModeEnabled()) { + await zapClient.setForcedUserModeEnabled(); + expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); + } + const browser = await chromium.launch(); + page = await browser.newPage(); + await page.goto(url); + }); + + test('パスワード変更ページを表示します', async () => { + await expect(page).toHaveTitle(/パスワード変更/); + }); + + test.describe('テストを実行します[GET] @attack', () => { + let scanId: number; + test('アクティブスキャンを実行します', async () => { + scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET'); + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); + }); + + test('結果を確認します', async () => { + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => expect(alerts).toEqual([])); + }); + }); + + const changedPassword = 'zHXFl*85.jFib'; + test('パスワードを変更します', async () => { + await page.reload(); + await page.fill('input[name="admin_change_password[current_password]"]', 'password'); + await page.fill('input[name="admin_change_password[change_password][first]"]', changedPassword); + await page.fill('input[name="admin_change_password[change_password][second]"]', changedPassword); + await page.click('#ex-conversion-action >> button >> text=登録'); + + await expect(page.locator('.alert-success')).toContainText('パスワードを更新しました'); + }); + + test.describe('テストを実行します[POST] @attack', () => { + let message: HttpMessage; + test('HttpMessage を取得します', async () => { + const messages = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1); + message = messages.pop(); + expect(message.requestHeader).toContain('POST https://ec-cube/admin/change_password'); + expect(message.responseHeader).toContain('HTTP/1.1 302 Found'); + }); + + let scanId: number; + test('アクティブスキャンを実行します', async () => { + scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody); + await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); + }); + + test('結果を確認します', async () => { + await zapClient.getAlerts(url, 0, 1, Risk.High) + .then(alerts => expect(alerts).toEqual([])); + }); + }); +});