RHPAM-4719: Add unit test cases for XSS data

kiegroup · paulovmr · Jun 15, 2023 · Jun 16, 2023 · Jun 27, 2023 · Jun 28, 2023
commit e5ff88d2d82edf577db5386a03dda61f2628a1db
diff --git a/...t/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java b/...t/java/org/guvnor/structure/backend/organizationalunit/OrganizationalUnitServiceTest.java
@@ -25,6 +25,7 @@
 
 import javax.enterprise.event.Event;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.assertj.core.api.Assertions;
 import org.assertj.core.api.Condition;
 import org.guvnor.structure.backend.organizationalunit.config.SpaceConfigStorageRegistryImpl;
@@ -268,6 +269,77 @@ public void createValidOrganizationalUnitTest() {
         assertEquals(SPACE_DESCRIPTION, ou.getDescription());
         assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
         assertEquals(contributors, ou.getContributors());
+        Assertions.assertThat(ou.getContributors()).hasSize(1);
+        Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+            contributor.getUsername().equals(StringEscapeUtils.escapeHtml4(ADMIN));
+        });
+    }
+
+    @Test
+    public void createOrganizationalUnitWithPersistentXssInContributorTest() {
+        final String persistentXssContributor = "<img/src/onerror=alert(\"XSS\")>";
+        final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+
+        List<Contributor> contributors = new ArrayList<>();
+        contributors.add(new Contributor(persistentXssContributor,
+                                         ContributorType.ADMIN));
+
+        setOUCreationPermission(true);
+
+        final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME,
+                                                                                         DEFAULT_GROUP_ID,
+                                                                                         new ArrayList<>(),
+                                                                                         contributors,
+                                                                                         SPACE_DESCRIPTION);
+
+        assertNotNull(ou);
+        verify(organizationalUnitFactory).newOrganizationalUnit(any());
+        assertEquals(SPACE_NAME, ou.getName());
+        assertEquals(SPACE_DESCRIPTION, ou.getDescription());
+        assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
+
+        Assertions.assertThat(ou.getContributors()).hasSize(1);
+        Assertions.assertThat(ou.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+            contributor.getUsername().equals(escapedPersistentXssContributor);
+        });
+    }
+
+    @Test
+    public void createOrganizationalUnitWithPersistentXssAndValidContributorTest() {
+        final String persistentXssContributor = "<img/src/onerror=alert(\"XSS\")>";
+        final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+        final String escapedAdminContributor = StringEscapeUtils.escapeHtml4(ADMIN);
+        final String regularContributor = "head_technician_junior-intern";
+
+        List<Contributor> contributors = new ArrayList<>();
+        contributors.add(new Contributor(persistentXssContributor,
+                                         ContributorType.CONTRIBUTOR));
+        contributors.add(new Contributor(ADMIN,
+                                         ContributorType.ADMIN));
+        contributors.add(new Contributor(regularContributor,
+                                         ContributorType.OWNER));
+
+        setOUCreationPermission(true);
+
+        final OrganizationalUnit ou = organizationalUnitService.createOrganizationalUnit(SPACE_NAME,
+                                                                                         DEFAULT_GROUP_ID,
+                                                                                         new ArrayList<>(),
+                                                                                         contributors,
+                                                                                         SPACE_DESCRIPTION);
+
+        assertNotNull(ou);
+        verify(organizationalUnitFactory).newOrganizationalUnit(any());
+        assertEquals(SPACE_NAME, ou.getName());
+        assertEquals(SPACE_DESCRIPTION, ou.getDescription());
+        assertEquals(DEFAULT_GROUP_ID, ou.getDefaultGroupId());
+
+        Assertions.assertThat(ou.getContributors()).hasSize(3);
+        Assertions.assertThat(ou.getContributors()).containsExactly(new Contributor(escapedPersistentXssContributor,
+                                                                                    ContributorType.CONTRIBUTOR),
+                                                                    new Contributor(escapedAdminContributor,
+                                                                                    ContributorType.ADMIN),
+                                                                    new Contributor(StringEscapeUtils.escapeHtml4(regularContributor),
+                                                                                    ContributorType.OWNER));
     }
 
     @Test
@@ -326,6 +398,40 @@ public void testUpdateOrganizationalUnit() {
         verify(spaceConfigStorage).endBatch();
     }
 
+    @Test
+    public void testContributorsPersistentXssOnUpdateOrganizationalUnit() {
+        final String persistentXssContributor = "<img/src/onerror=alert(\"XSS\")>";
+        final String escapedPersistentXssContributor = StringEscapeUtils.escapeHtml4(persistentXssContributor);
+
+        OrganizationalUnit organizationalUnit =
+                organizationalUnitService.updateOrganizationalUnit(SPACE_NAME,
+                                                                   DEFAULT_GROUP_ID,
+                                                                   Collections.singletonList(
+                                                                           new Contributor(
+                                                                                   persistentXssContributor,
+                                                                                   ContributorType.ADMIN
+                                                                           )
+                                                                   )
+                );
+
+        Assertions.assertThat(organizationalUnit)
+                .hasFieldOrPropertyWithValue("name", SPACE_NAME)
+                .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID);
+
+        Assertions.assertThat(organizationalUnit.getContributors()).hasSize(1);
+        Assertions.assertThat(organizationalUnit.getContributors()).hasOnlyOneElementSatisfying((contributor) -> {
+            contributor.getUsername().equals(escapedPersistentXssContributor);
+        });
+
+        Assertions.assertThat(spaceInfo)
+                .hasFieldOrPropertyWithValue("name", SPACE_NAME)
+                .hasFieldOrPropertyWithValue("defaultGroupId", DEFAULT_GROUP_ID);
+
+        verify(spaceConfigStorage).startBatch();
+        verify(spaceConfigStorage).saveSpaceInfo(eq(spaceInfo));
+        verify(spaceConfigStorage).endBatch();
+    }
+
     @Test
     public void testCheckChildrenRepositoryContributors() {
         OrganizationalUnit organizationalUnit = new OrganizationalUnitImpl(SPACE_NAME, DEFAULT_GROUP_ID);