[OWASP ZAP] change_password のテストを追加

.github/workflows/penetration-test.yml

@@ -18,6 +18,7 @@ jobs:
           - 'test/admin/content_layout.test.ts'
           - 'test/admin/content_layout_delete.test.ts'
           - 'test/admin/order_mail.test.ts'
+          - 'test/admin/change_password.test.ts'
 
     steps:
       - name: Checkout
@@ -44,6 +45,10 @@ jobs:
       - run: |
           git config --global user.name "$(git --no-pager log --format=format:'%an' -n 1)"
           git config --global user.email "$(git --no-pager log --format=format:'%ae' -n 1)"
+      - name: Apply patch to change_password
+        if: matrix.group == 'test/admin/change_password.test.ts'
+        working-directory: zap/selenium/ci/TypeScript
+        run: git am patches/0001-Member.patch
       - name: Apply patch to delete_layout
         if: matrix.group == 'test/admin/content_layout_delete.test.ts'
         working-directory: zap/selenium/ci/TypeScript

zap/selenium/ci/TypeScript/patches/0001-Member.patch

@@ -0,0 +1,47 @@
+From 63c5f589b6cc19e875fd1d6d5742ac497732223c Mon Sep 17 00:00:00 2001
+From: Kentaro Ohkouchi <[email protected]>
+Date: Thu, 24 Feb 2022 11:58:18 +0900
+Subject: [PATCH] =?UTF-8?q?Member=20=E3=81=AE=E5=A4=89=E6=9B=B4=E3=82=92?=
+ =?UTF-8?q?=E9=98=B2=E6=AD=A2=E3=81=99=E3=82=8B=E3=83=91=E3=83=83=E3=83=81?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ src/Eccube/Controller/Admin/AdminController.php | 6 +++---
+ src/Eccube/Repository/MemberRepository.php      | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Eccube/Controller/Admin/AdminController.php b/src/Eccube/Controller/Admin/AdminController.php
+index 2591f0623d..12ac73235b 100644
+--- a/src/Eccube/Controller/Admin/AdminController.php
++++ b/src/Eccube/Controller/Admin/AdminController.php
+@@ -352,9 +352,9 @@ class AdminController extends AbstractController
+
+             $password = $encoder->encodePassword($password, $salt);
+
+-            $Member
+-                ->setPassword($password)
+-                ->setSalt($salt);
++            // $Member
++            //     ->setPassword($password)
++            //     ->setSalt($salt);
+
+             $this->memberRepository->save($Member);
+
+diff --git a/src/Eccube/Repository/MemberRepository.php b/src/Eccube/Repository/MemberRepository.php
+index 2f372b4f57..bc588be409 100644
+--- a/src/Eccube/Repository/MemberRepository.php
++++ b/src/Eccube/Repository/MemberRepository.php
+@@ -99,7 +99,7 @@ class MemberRepository extends AbstractRepository
+
+         $em = $this->getEntityManager();
+         $em->persist($Member);
+-        $em->flush();
++        // $em->flush();
+     }
+
+     /**
+-- 
+2.34.1
+

zap/selenium/ci/TypeScript/test/admin/change_password.test.ts

@@ -0,0 +1,74 @@
+import { test, expect, chromium, Page } from '@playwright/test';
+import { intervalRepeater } from '../../utils/Progress';
+import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../utils/ZapClient';
+const zapClient = new ZapClient('http://127.0.0.1:8090');
+
+const baseURL = 'https://ec-cube/admin';
+const url = baseURL + '/change_password';
+
+// path/to/ec-cube/zap/selenium/ci/TypeScript/patches/0001-Member.patch を当てる必要がある
+test.describe.serial('パスワード変更のテストをします', () => {
+  let page: Page;
+  test.beforeAll(async () => {
+    await zapClient.setMode(Mode.Protect);
+    await zapClient.newSession('/zap/wrk/sessions/admin_change_password', true);
+    await zapClient.importContext(ContextType.Admin);
+
+    if (!await zapClient.isForcedUserModeEnabled()) {
+      await zapClient.setForcedUserModeEnabled();
+      expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy();
+    }
+    const browser = await chromium.launch();
+    page = await browser.newPage();
+    await page.goto(url);
+  });
+
+  test('パスワード変更ページを表示します', async () => {
+    await expect(page).toHaveTitle(/パスワード変更/);
+  });
+
+  test.describe('テストを実行します[GET] @attack', () => {
+    let scanId: number;
+    test('アクティブスキャンを実行します', async () => {
+      scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET');
+      await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+    });
+
+    test('結果を確認します', async () => {
+      await zapClient.getAlerts(url, 0, 1, Risk.High)
+        .then(alerts => expect(alerts).toEqual([]));
+    });
+  });
+
+  const changedPassword = 'zHXFl*85.jFib';
+  test('パスワードを変更します', async () => {
+    await page.reload();
+    await page.fill('input[name="admin_change_password[current_password]"]', 'password');
+    await page.fill('input[name="admin_change_password[change_password][first]"]', changedPassword);
+    await page.fill('input[name="admin_change_password[change_password][second]"]', changedPassword);
+    await page.click('#ex-conversion-action >> button >> text=登録');
+
+    await expect(page.locator('.alert-success')).toContainText('パスワードを更新しました');
+  });
+
+  test.describe('テストを実行します[POST] @attack', () => {
+    let message: HttpMessage;
+    test('HttpMessage を取得します', async () => {
+      const messages = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1);
+      message = messages.pop();
+      expect(message.requestHeader).toContain('POST https://ec-cube/admin/change_password');
+      expect(message.responseHeader).toContain('HTTP/1.1 302 Found');
+    });
+
+    let scanId: number;
+    test('アクティブスキャンを実行します', async () => {
+      scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody);
+      await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+    });
+
+    test('結果を確認します', async () => {
+      await zapClient.getAlerts(url, 0, 1, Risk.High)
+        .then(alerts => expect(alerts).toEqual([]));
+    });
+  });
+});