Skip to content

tests: Add test for mimetype blocking on share #321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nickvergessen merged 1 commit into from
Jul 17, 2023
Merged

tests: Add test for mimetype blocking on share #321

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions tests/Integration/data/code.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
console.debug('some js script');
Binary file added tests/Integration/data/hello
View file
Open in desktop
Binary file not shown.
Binary file added tests/Integration/data/nc.exe
View file
Open in desktop
Binary file not shown.
Binary file added tests/Integration/data/nextcloud.pdf
View file
Open in desktop
Binary file not shown.
13 changes: 13 additions & 0 deletions tests/Integration/features/bootstrap/WebDav.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1009,4 +1009,17 @@ public function userChecksFileIdForPath($user, $path) {
$currentFileID = $this->getFileIdForPath($user, $path);
Assert::assertEquals($currentFileID, $this->storedFileID);
}

/**
* This function is needed to use a vertical fashion in the gherkin tables.
*
* @param array $arrayOfArrays
* @return array
*/
public function simplifyArray($arrayOfArrays) {
Copy link
Member

@blizzz blizzz Jul 12, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it actually used?

Copy link
Member Author

@juliusknorr juliusknorr Jul 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I added for completeness as there were usages from Joas initial commit:

tests/Integration/features/bootstrap/WebDav.php
579: $elementsSimplified = $this->simplifyArray($elementRows);
930: $elementsSimplified = $this->simplifyArray($elementRows);

$a = array_map(function ($subArray) {
return $subArray[0];
}, $arrayOfArrays);
return $a;
}
}
67 changes: 67 additions & 0 deletions tests/Integration/features/mimetypes.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@

Feature: Mimetype blocking
Background:
Given user "test1" exists
Given as user "test1"
And using new dav path

Scenario: Can properly block path detected mimetypes for application/javscript
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/javascript"} |
Given User "test1" uploads file "data/code.js" to "/code.js"
And The webdav response should have a status code "403"
And Downloading file "/code.js" as "test1"
And The webdav response should have a status code "404"

# https://github.com/nextcloud/server/pull/23096
Scenario: Can properly block path detected mimetypes for text/plain
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "text/plain"} |
Given User "test1" uploads file "data/code.js" to "/code.js"
And The webdav response should have a status code "201"
And Downloading file "/code.js" as "test1"
And The webdav response should have a status code "200"
Given User "test1" uploads file "data/code.js" to "/code.txt"
And The webdav response should have a status code "403"
And Downloading file "/code.txt" as "test1"
And The webdav response should have a status code "404"

Scenario: Can properly block path detected mimetypes for application/octet-stream
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/octet-stream"} |
Given User "test1" uploads file "data/hello" to "/hello"
And The webdav response should have a status code "403"
And Downloading file "/hello" as "test1"
And The webdav response should have a status code "404"
Given User "test1" uploads file "data/nc.exe" to "/nc"
And The webdav response should have a status code "403"
And Downloading file "/nc" as "test1"
And The webdav response should have a status code "404"

Scenario: Can properly block path detected mimetypes for application/x-ms-dos-executable by extension
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/x-ms-dos-executable"} |
Given User "test1" uploads file "data/nc.exe" to "/nc.exe"
And The webdav response should have a status code "403"
And Downloading file "/nc.exe" as "test1"
And The webdav response should have a status code "404"
35 changes: 35 additions & 0 deletions tests/Integration/features/sharing-user.feature
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,3 +83,38 @@ Feature: Sharing user
And as user "test2"
When User "test2" deletes file "/subdir/foobar.txt"
Then The webdav response should have a status code "403"

Scenario: Upload and share a file that is allowed by mimetype exludes
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "httpd/directory"} |
| checks-1 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "application/pdf"} |

Given User "test1" uploads file "data/nextcloud.pdf" to "/nextcloud.pdf"
And The webdav response should have a status code "201"
And user "test1" shares file "/nextcloud.pdf" with user "test2"
And Downloading file "/nextcloud.pdf" as "test1"
And The webdav response should have a status code "200"
And Downloading file "/nextcloud.pdf" as "test2"
And The webdav response should have a status code "200"

Scenario: Share a file that is allowed by mimetype exludes
Given User "test1" uploads file "data/nextcloud.pdf" to "/nextcloud2.pdf"
And The webdav response should have a status code "201"
And user "test1" shares file "/nextcloud2.pdf" with user "test2"
And Downloading file "/nextcloud2.pdf" as "test1"
And The webdav response should have a status code "200"
And user "admin" creates global flow with 200
| name | Admin flow |
| class | OCA\FilesAccessControl\Operation |
| entity | OCA\WorkflowEngine\Entity\File |
| events | [] |
| operation | deny |
| checks-0 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "httpd/directory"} |
| checks-1 | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "application/pdf"} |
And Downloading file "/nextcloud2.pdf" as "test2"
And The webdav response should have a status code "200"