-
Notifications
You must be signed in to change notification settings - Fork 98
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #523 from nanasess/penetration-test-cart
カートページのペネトレーションテスト追加
- Loading branch information
Showing
6 changed files
with
262 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,155 @@ | ||
import { test, expect, chromium, Page } from '@playwright/test'; | ||
import PlaywrightConfig from '../../../../playwright.config'; | ||
import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../../utils/ZapClient'; | ||
import { intervalRepeater } from '../../../utils/Progress'; | ||
const zapClient = new ZapClient(); | ||
|
||
const url = `${PlaywrightConfig.use.baseURL}/cart/index.php`; | ||
|
||
test.describe.serial('カートページのテストをします', () => { | ||
let page: Page; | ||
test.beforeAll(async () => { | ||
await zapClient.setMode(Mode.Protect); | ||
await zapClient.newSession('/zap/wrk/sessions/front_login_cart', true); | ||
await zapClient.importContext(ContextType.FrontLogin); | ||
|
||
if (!await zapClient.isForcedUserModeEnabled()) { | ||
await zapClient.setForcedUserModeEnabled(); | ||
expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); | ||
} | ||
const browser = await chromium.launch(); | ||
page = await browser.newPage(); | ||
await page.goto(url); | ||
}); | ||
|
||
const detailURL = `${PlaywrightConfig.use.baseURL}/products/detail.php?product_id=1`; | ||
test('商品詳細ページを表示します', async () => { | ||
await page.goto(detailURL); | ||
await expect(page.locator('#detailrightbloc > h2')).toContainText('アイスクリーム'); | ||
}); | ||
|
||
test('商品をカートに入れます', async () => { | ||
await page.selectOption('select[name=classcategory_id1]', { label: '抹茶' }); | ||
await page.selectOption('select[name=classcategory_id2]', { label: 'S' }); | ||
await page.fill('input[name=quantity]', '2'); | ||
await page.click('[alt=カゴに入れる]'); | ||
}); | ||
|
||
test('カートの内容を確認します', async () => { | ||
await expect(page.locator('h2.title')).toContainText('現在のカゴの中'); | ||
await expect(page.locator('table[summary=商品情報] >> tr >> nth=1')).toContainText('アイスクリーム'); | ||
}); | ||
|
||
test.describe('テストを実行します[GET] @attack', () => { | ||
let scanId: number; | ||
test('アクティブスキャンを実行します', async () => { | ||
scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'GET'); | ||
await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); | ||
}); | ||
|
||
test('結果を確認します', async () => { | ||
await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
.then(alerts => expect(alerts).toEqual([])); | ||
}); | ||
}); | ||
|
||
test('カートの数量を加算します', async () => { | ||
await page.reload(); | ||
const quantity = parseInt(await page.locator('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4').textContent()); | ||
await page.click('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4 >> [alt="+"]'); | ||
await expect(page.locator('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4')).toContainText(String(quantity + 1)); | ||
}); | ||
|
||
test.describe('数量加算のテストを実行します[POST] @attack', () => { | ||
|
||
let message: HttpMessage; | ||
let requestBody: string; | ||
test('履歴を取得します', async () => { | ||
const result = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1); | ||
message = result.pop(); | ||
expect(message.requestBody).toContain('mode=up'); | ||
}); | ||
test('transactionid を取得し直します', async () => { | ||
await page.goto(url); | ||
const transactionid = await page.locator('input[name=transactionid]').first().inputValue(); | ||
requestBody = message.requestBody.replace(/transactionid=[a-z0-9]+/, `transactionid=${transactionid}`); | ||
}); | ||
|
||
let scanId: number; | ||
test('アクティブスキャンを実行します', async () => { | ||
expect(requestBody).toContain('mode=up'); | ||
scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', requestBody); | ||
await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); | ||
}); | ||
|
||
test('結果を確認します', async () => { | ||
await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
.then(alerts => expect(alerts).toEqual([])); | ||
}); | ||
}); | ||
|
||
test('カートの数量を減算します', async () => { | ||
await page.reload(); | ||
const quantity = parseInt(await page.locator('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4').textContent()); | ||
await page.click('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4 >> [alt="-"]'); | ||
await expect(page.locator('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=4')).toContainText(String(quantity - 1)); | ||
}); | ||
|
||
test.describe('数量減算のテストを実行します[POST] @attack', () => { | ||
|
||
let message: HttpMessage; | ||
let requestBody: string; | ||
test('履歴を取得します', async () => { | ||
const result = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1); | ||
message = result.pop(); | ||
}); | ||
test('transactionid を取得し直します', async () => { | ||
await page.goto(url); | ||
const transactionid = await page.locator('input[name=transactionid]').first().inputValue(); | ||
requestBody = message.requestBody.replace(/transactionid=[a-z0-9]+/, `transactionid=${transactionid}`); | ||
}); | ||
let manuallyMessage: HttpMessage; | ||
test('数量減算の requestBody に書き換えて手動送信します', async () => { | ||
requestBody = requestBody.replace(/mode=down/, 'mode=down&mode_down=dummy'); | ||
await zapClient.sendRequest(message.requestHeader + requestBody); | ||
manuallyMessage = await zapClient.getLastMessage(url); | ||
}); | ||
let scanId: number; | ||
test('アクティブスキャンを実行します', async () => { | ||
expect(manuallyMessage.requestBody).toContain('mode=down'); | ||
scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', requestBody); | ||
await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); | ||
}); | ||
|
||
test('結果を確認します', async () => { | ||
await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
.then(alerts => expect(alerts).toEqual([])); | ||
}); | ||
}); | ||
|
||
test('購入手続きへ進みます', async () => { | ||
await page.goto(url); | ||
await page.click('input[name=confirm][alt=購入手続きへ]'); | ||
await expect(page.locator('h2.title')).toContainText('お届け先の指定'); | ||
}); | ||
|
||
test.describe('購入手続きへ進むテストを実行します[POST] @attack', () => { | ||
let message: HttpMessage; | ||
test('履歴を取得します', async () => { | ||
message = await zapClient.getLastMessage(url); | ||
expect(message.requestHeader).toContain(`POST ${url}`); | ||
expect(message.responseHeader).toContain('HTTP/1.1 302 Found'); | ||
}); | ||
|
||
let scanId: number; | ||
test('アクティブスキャンを実行します', async () => { | ||
scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody); | ||
await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); | ||
}); | ||
|
||
test('結果を確認します', async () => { | ||
await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
.then(alerts => expect(alerts).toEqual([])); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
import { test, expect, chromium, Page } from '@playwright/test'; | ||
import PlaywrightConfig from '../../../../playwright.config'; | ||
import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../../utils/ZapClient'; | ||
import { intervalRepeater } from '../../../utils/Progress'; | ||
const zapClient = new ZapClient(); | ||
|
||
const url = `${PlaywrightConfig.use.baseURL}/cart/index.php`; | ||
|
||
// zap/patches/0009-cart_delete.patch を適用する必要があります | ||
test.describe.serial('カートページのテストをします', () => { | ||
let page: Page; | ||
test.beforeAll(async () => { | ||
await zapClient.setMode(Mode.Protect); | ||
await zapClient.newSession('/zap/wrk/sessions/front_login_contact', true); | ||
await zapClient.importContext(ContextType.FrontLogin); | ||
|
||
if (!await zapClient.isForcedUserModeEnabled()) { | ||
await zapClient.setForcedUserModeEnabled(); | ||
expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy(); | ||
} | ||
const browser = await chromium.launch(); | ||
page = await browser.newPage(); | ||
await page.goto(url); | ||
}); | ||
|
||
const detailURL = `${PlaywrightConfig.use.baseURL}/products/detail.php?product_id=1`; | ||
test('商品詳細ページを表示します', async () => { | ||
await page.goto(detailURL); | ||
await expect(page.locator('#detailrightbloc > h2')).toContainText('アイスクリーム'); | ||
}); | ||
|
||
test('商品をカートに入れます', async () => { | ||
await page.selectOption('select[name=classcategory_id1]', { label: '抹茶' }); | ||
await page.selectOption('select[name=classcategory_id2]', { label: 'S' }); | ||
await page.fill('input[name=quantity]', '2'); | ||
await page.click('[alt=カゴに入れる]'); | ||
}); | ||
|
||
test('カートの内容を確認します', async () => { | ||
await expect(page.locator('h2.title')).toContainText('現在のカゴの中'); | ||
await expect(page.locator('table[summary=商品情報] >> tr >> nth=1')).toContainText('アイスクリーム'); | ||
}); | ||
|
||
test('カートを削除します', async () => { | ||
page.on('dialog', dialog => dialog.accept()); | ||
await page.reload(); | ||
await page.click('table[summary=商品情報] >> tr >> nth=1 >> td >> nth=0 >> text=削除'); | ||
}); | ||
|
||
test.describe('カート削除のテストを実行します[POST] @attack', () => { | ||
|
||
let message: HttpMessage; | ||
test('履歴を取得します', async () => { | ||
const result = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1); | ||
message = result.pop(); | ||
}); | ||
|
||
let scanId: number; | ||
test('アクティブスキャンを実行します', async () => { | ||
expect(message.requestBody).toContain('mode=delete'); | ||
scanId = await zapClient.activeScanAsUser(url, 2, 110, false, null, 'POST', message.requestBody); | ||
await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page); | ||
}); | ||
|
||
test('結果を確認します', async () => { | ||
await zapClient.getAlerts(url, 0, 1, Risk.High) | ||
.then(alerts => expect(alerts).toEqual([])); | ||
}); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
From 274562f19542ac7548c75a65677d0e46af89a655 Mon Sep 17 00:00:00 2001 | ||
From: Kentaro Ohkouchi <[email protected]> | ||
Date: Fri, 18 Feb 2022 15:56:54 +0900 | ||
Subject: [PATCH] =?UTF-8?q?=E3=82=AB=E3=83=BC=E3=83=88=E5=89=8A=E9=99=A4?= | ||
=?UTF-8?q?=E3=81=97=E3=81=AA=E3=81=84=E3=82=88=E3=81=86=E3=81=AB=E3=81=99?= | ||
=?UTF-8?q?=E3=82=8B=E3=83=91=E3=83=83=E3=83=81?= | ||
MIME-Version: 1.0 | ||
Content-Type: text/plain; charset=UTF-8 | ||
Content-Transfer-Encoding: 8bit | ||
|
||
--- | ||
data/class/SC_CartSession.php | 2 +- | ||
1 file changed, 1 insertion(+), 1 deletion(-) | ||
|
||
diff --git a/data/class/SC_CartSession.php b/data/class/SC_CartSession.php | ||
index add3a0555..b022d932f 100644 | ||
--- a/data/class/SC_CartSession.php | ||
+++ b/data/class/SC_CartSession.php | ||
@@ -518,7 +518,7 @@ class SC_CartSession | ||
$max = $this->getMax($productTypeId); | ||
for ($i = 0; $i <= $max; $i++) { | ||
if ($this->cartSession[$productTypeId][$i]['cart_no'] == $cart_no) { | ||
- unset($this->cartSession[$productTypeId][$i]); | ||
+ // unset($this->cartSession[$productTypeId][$i]); | ||
} | ||
} | ||
} | ||
-- | ||
2.34.1 | ||
|