package org.parosproxy.paros.core.scanner;

import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.URIException;
import org.junit.Test;
import org.parosproxy.paros.network.HttpMessage;
import org.parosproxy.paros.network.HttpRequestHeader;

import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertThat;

/**
 * Unit tests for {@link VariantODataIdQuery} and {@link VariantODataFilterQuery}.
 *
 * <p>Every test builds a request for an OData service, asks one of the two variants to
 * replace a single parameter (an entity key inside the path, or an operand of the
 * {@code $filter} expression) with the marker value {@code hacked}, and then checks that
 * the request URI changed in exactly that one place. The marker stands in for whatever
 * payload the active scanner would later substitute at that injection point; pinning the
 * resulting URI keeps the scanner from silently mangling the rest of the request.
 */
public class VariantODataUnitTest {

    private static final Variant VARIANT_ODATA_ID_QUERY = new VariantODataIdQuery();
    private static final Variant VARIANT_ODATA_FILTER_QUERY = new VariantODataFilterQuery();

    // Fixture values shared by the requests below; the resulting strings are identical to
    // the ones the assertions compare against.
    private static final String HOST = "localhost";
    private static final int ID_PORT = 50050;
    private static final int FILTER_PORT = 15050;
    private static final String SERVICE_ROOT = "/remoting/servlet.svc";
    private static final String HACK_VALUE = "hacked";

    // Composite-key entity used by the resource-ID tests.
    private static final String SEQNO_KEY = "576460752035250185L";
    private static final String TABLE_KEY =
            "'B0A43AEFE9A9FA0441AFE5302EF534A707CF0834F87A6EA884FB425A1C996EB1CA699ADDD2B48F13'";
    private static final String DISPLAY_ITEM_PATH =
            SERVICE_ROOT + "/DisplayItem(seqno=" + SEQNO_KEY + ",table=" + TABLE_KEY + ")";

    private static final String BOOK_PATH = SERVICE_ROOT + "/Book";
    private static final String FILTER_BASE = "http://" + HOST + ":" + FILTER_PORT + BOOK_PATH + "?";

    /**
     * Builds the {@code $filter} query string used by the filter tests.
     *
     * @param filterAssign the characters between {@code $filter} and the expression; the
     *     tests vary the blanks around the {@code =} sign
     * @param p1 operand of the {@code p1 eq} clause
     * @param param2 operand of the {@code param2 gt} clause
     * @return the complete query string (no leading {@code ?})
     */
    private static String filterQuery(String filterAssign, String p1, String param2) {
        return "$top=3&$select=name&$filter" + filterAssign
                + "(p1 eq " + p1 + ") and (param2 gt " + param2 + ")"
                + " and startswith(code,'Once')$format=json";
    }

    /**
     * Builds a request URI for the given path and query on {@link #HOST}.
     *
     * @param port TCP port of the service
     * @param path request path
     * @param query query string without the leading {@code ?}
     * @return the assembled URI
     * @throws URIException if commons-httpclient rejects the components
     */
    private static URI uri(int port, String path, String query) throws URIException {
        return new URI("http", null, HOST, port, path, query);
    }

    /**
     * Single-key entity: the quoted key inside {@code Book('BOOK1')} is replaced, the
     * trailing navigation segment and the {@code $format} query are left alone.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldAbleToInjectValueInODataSimpleResourceID()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = uri(ID_PORT, SERVICE_ROOT + "/Book('BOOK1')/Summary", "%24format=json");
        String expected = "http://" + HOST + ":" + ID_PORT + SERVICE_ROOT
                + "/Book('hacked')/Summary?%24format=json";

        doTestInjectParameter(VARIANT_ODATA_ID_QUERY, source, "__ID__Book", "'BOOK1'",
                "'hacked'", expected);
    }

    /**
     * Composite key, first member: only the {@code seqno} value is replaced; the long
     * {@code table} value is preserved byte for byte.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldAbleToInjectValueInODataCompositeResourceID()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = new URI("http", null, HOST, ID_PORT, DISPLAY_ITEM_PATH);
        String expected = "http://" + HOST + ":" + ID_PORT + SERVICE_ROOT
                + "/DisplayItem(seqno=" + HACK_VALUE + ",table=" + TABLE_KEY + ")";

        doTestInjectParameter(VARIANT_ODATA_ID_QUERY, source, "seqno", SEQNO_KEY, HACK_VALUE,
                expected);
    }

    /**
     * Composite key, second member: only the {@code table} value is replaced, and the
     * quotes that surrounded it are replaced along with it (the original value includes
     * them).
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldAbleToInjectValueInODataCompositeResourceID2()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = new URI("http", null, HOST, ID_PORT, DISPLAY_ITEM_PATH);
        String expected = "http://" + HOST + ":" + ID_PORT + SERVICE_ROOT
                + "/DisplayItem(seqno=" + SEQNO_KEY + ",table=" + HACK_VALUE + ")";

        doTestInjectParameter(VARIANT_ODATA_ID_QUERY, source, "table", TABLE_KEY, HACK_VALUE,
                expected);
    }

    /**
     * {@code $filter} operand with no blanks around the {@code =}: the {@code p1} operand
     * is replaced, the other clauses and query options stay untouched.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToInjectValueInODataFilterParameters()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = uri(FILTER_PORT, BOOK_PATH, filterQuery("=", "5", "6"));
        String expected = FILTER_BASE + filterQuery("=", HACK_VALUE, "6");

        doTestInjectParameter(VARIANT_ODATA_FILTER_QUERY, source, "p1", "5", HACK_VALUE, expected);
    }

    /**
     * {@code $filter} with a blank before the {@code =} sign.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToInjectValueInODataFilterParametersHavingBlanksNearEquals1()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = uri(FILTER_PORT, BOOK_PATH, filterQuery(" =", "5", "6"));
        String expected = FILTER_BASE + filterQuery(" =", "5", HACK_VALUE);

        doTestInjectParameter(VARIANT_ODATA_FILTER_QUERY, source, "param2", "6", HACK_VALUE,
                expected);
    }

    /**
     * {@code $filter} with blanks on both sides of the {@code =} sign.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToInjectValueInODataFilterParametersHavingBlanksNearEquals2()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = uri(FILTER_PORT, BOOK_PATH, filterQuery(" = ", "5", "6"));
        String expected = FILTER_BASE + filterQuery(" = ", "5", HACK_VALUE);

        doTestInjectParameter(VARIANT_ODATA_FILTER_QUERY, source, "param2", "6", HACK_VALUE,
                expected);
    }

    /**
     * {@code $filter} with a blank after the {@code =} sign.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToInjectValueInODataFilterParametersHavingBlanksNearEquals3()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = uri(FILTER_PORT, BOOK_PATH, filterQuery("= ", "5", "6"));
        String expected = FILTER_BASE + filterQuery("= ", "5", HACK_VALUE);

        doTestInjectParameter(VARIANT_ODATA_FILTER_QUERY, source, "param2", "6", HACK_VALUE,
                expected);
    }

    /**
     * A request with a path but no query string must come back unchanged from the filter
     * variant: there is no {@code $filter} expression to rewrite.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToHandleURIwithoutQuery()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = new URI("http", null, HOST, FILTER_PORT, BOOK_PATH);

        doTestInjectParameter(VARIANT_ODATA_FILTER_QUERY, source, "param2", "6", HACK_VALUE,
                "http://" + HOST + ":" + FILTER_PORT + BOOK_PATH);
    }

    /**
     * A request with neither path nor query must come back unchanged from the ID variant:
     * there is no entity key to rewrite.
     *
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    @Test
    public void shouldBeAbleToHandleURIwithoutPath()
            throws URIException, NullPointerException, CloneNotSupportedException {
        URI source = new URI("http", null, HOST, FILTER_PORT);

        doTestInjectParameter(VARIANT_ODATA_ID_QUERY, source, "param2", "6", HACK_VALUE,
                "http://" + HOST + ":" + FILTER_PORT);
    }

    /**
     * Asks the variant to rewrite one parameter of the message.
     *
     * <p>In the scanner itself the variant and the original pair are held as fields of the
     * plugin; the test passes them explicitly so each case can pick its own.
     *
     * @param msg the request to rewrite in place
     * @param param name of the parameter to replace
     * @param value the replacement value
     * @param variant the variant doing the rewrite
     * @param originalPair the parameter as the variant originally extracted it
     * @return whatever the variant returns from its {@code setParameter}
     */
    protected String setParameter(HttpMessage msg, String param, String value, Variant variant,
            NameValuePair originalPair) {
        return variant.setParameter(msg, originalPair, param, value);
    }

    /**
     * Runs one injection case end to end and compares the rewritten request URI.
     *
     * <p>The original pair is always typed {@link NameValuePair#TYPE_URL_PATH} at position 1,
     * for the {@code $filter} cases as well as the entity-key ones.
     *
     * @param variant the variant under test
     * @param sourceURI the request URI before injection; it is cloned, so the caller's
     *     instance is not modified
     * @param paramName name of the parameter to replace
     * @param originalValue the parameter's current value, as the variant would report it
     * @param hackValue the value to inject
     * @param expectedHackedURI the full request URI expected after injection
     * @throws org.apache.commons.httpclient.URIException
     * @throws NullPointerException
     * @throws CloneNotSupportedException
     */
    private void doTestInjectParameter(Variant variant, URI sourceURI, String paramName,
            String originalValue, String hackValue, String expectedHackedURI)
            throws URIException, NullPointerException, CloneNotSupportedException {
        // Given: a message with an empty request header, pointed at a copy of the source URI.
        HttpMessage msg = new HttpMessage();
        msg.setRequestHeader(new HttpRequestHeader());
        NameValuePair originalPair =
                new NameValuePair(NameValuePair.TYPE_URL_PATH, paramName, originalValue, 1);
        msg.getRequestHeader().setURI((URI) sourceURI.clone());
        variant.setMessage(msg);

        // When: the variant substitutes the injected value for that parameter.
        setParameter(msg, originalPair.getName(), hackValue, variant, originalPair);

        // Then: the request line carries a well-formed URI that differs only at the
        // injection point.
        String rewrittenURI = msg.getRequestHeader().getURI().getURI();
        assertThat("RequestHeader.uri", rewrittenURI, is(expectedHackedURI));
    }
}