diff --git a/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java b/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java
new file mode 100644
index 00000000..ed779b9c
--- /dev/null
+++ b/src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java
@@ -0,0 +1,451 @@
+package org.sasanlabs.service.vulnerability.pathTraversal;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.HashMap;
+import java.util.Map;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.sasanlabs.service.vulnerability.bean.GenericVulnerabilityResponseBean;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+
+class PathTraversalVulnerabilityTest {
+ @InjectMocks
+ private PathTraversalVulnerability pathTraversalVulnerability =
+ new PathTraversalVulnerability();
+
+ @Test
+ void testGetVulnerablePayloadLevel1WithNullFileName() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel1WithWrongFileName() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "../");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertTrue(response.getBody().getIsValid());
+ assertNotNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel1() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel1(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel2WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel2WithWrongURL() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("../"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel2() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel2(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel3WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel3WithWrongURL() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI(".."));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel3() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel3(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel4WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel4WithWrongURL() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("%2f"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel4() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel4(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel5WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel5WithWrongURLAndFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("%2f/.."));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel5() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel5(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel6WithNullFileName() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel6WithWrongFileName() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "..");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel6() {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel6(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel7WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel7(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel7() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel7(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel8WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel8WithWrongURLAndFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("../"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel8() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel8(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel9WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel9WithWrongURLAndFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI(".."));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel9() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel9(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel10WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel10WithWrongURLAndFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("%2f/.."));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel10() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel10(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel11WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel11WithWrongURLAndFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ RequestEntity requestEntity = new RequestEntity<>(HttpMethod.GET, new URI("2f/.."));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel11() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ RequestEntity requestEntity =
+ new RequestEntity<>(HttpMethod.GET, new URI("localhost"));
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel11(requestEntity, queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel12WithNullFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", null);
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel12WithWrongFileName() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "..");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ assertNotNull(response.getBody());
+ assertFalse(response.getBody().getIsValid());
+ assertNull(response.getBody().getContent());
+ }
+
+ @Test
+ void testGetVulnerablePayloadLevel12() throws URISyntaxException {
+ Map queryParams = new HashMap<>();
+ queryParams.put("fileName", "UserInfo.json");
+ ResponseEntity> response =
+ pathTraversalVulnerability.getVulnerablePayloadLevel12(queryParams);
+ assertEquals(HttpStatus.OK, response.getStatusCode());
+ }
+}
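Review bot: The `WithWrongURL` / `WithWrongURLAndFileName` tests for levels 2–5 and 8–11 leave `fileName` as `null` and put the traversal sequence only in the `URI`, so they make the same four assertions as the matching `WithNullFileName` tests and would presumably pass on the null file name alone, without the level's filter ever being exercised. Each should pass a non-null value the way the level 1 test does (`queryParams.put("fileName", "../");`) and assert the outcome that level is meant to produce; level 7 has no such test at all, and `new URI("2f/..")` in the level 11 test looks like a typo for `%2f/..`. The positive tests assert only `HttpStatus.OK`, which every negative test also asserts, so they would not notice a level that stopped serving `UserInfo.json`; adding `assertTrue(response.getBody().getIsValid());` would pin that, if it is the intended result. `@InjectMocks` has no effect here because the class registers no Mockito extension and the field is initialised by hand, and the three level 12 tests declare `throws URISyntaxException` without constructing a `URI`.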