X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/cf24a5a3ee68905c5f55cf6f17c5d2ea983cb34f..9705105681afef0482763d830096c52b430fe943:/test/functional/node_controller_test.rb diff --git a/test/functional/node_controller_test.rb b/test/functional/node_controller_test.rb index 085cd3078..9e5621f8b 100644 --- a/test/functional/node_controller_test.rb +++ b/test/functional/node_controller_test.rb @@ -1,18 +1,9 @@ require File.dirname(__FILE__) + '/../test_helper' require 'node_controller' -# Re-raise errors caught by the controller. -class NodeController; def rescue_action(e) raise e end; end - -class NodeControllerTest < Test::Unit::TestCase +class NodeControllerTest < ActionController::TestCase api_fixtures - def setup - @controller = NodeController.new - @request = ActionController::TestRequest.new - @response = ActionController::TestResponse.new - end - def test_create # cannot read password from fixture as it is stored as MD5 digest basic_authorization(users(:normal_user).email, "test"); @@ -79,6 +70,11 @@ class NodeControllerTest < Test::Unit::TestCase delete :delete, :id => current_nodes(:visible_node).id assert_response :success + # valid delete should return the new version number, which should + # be greater than the old version number + assert @response.body.to_i > current_nodes(:visible_node).version, + "delete request should return a new version number for node" + # this won't work since the node is already deleted content(nodes(:invisible_node).to_xml) delete :delete, :id => current_nodes(:invisible_node).id @@ -92,12 +88,14 @@ class NodeControllerTest < Test::Unit::TestCase # in a way... content(nodes(:used_node_1).to_xml) delete :delete, :id => current_nodes(:used_node_1).id - assert_response :precondition_failed + assert_response :precondition_failed, + "shouldn't be able to delete a node used in a way (#{@response.body})" # in a relation... content(nodes(:node_used_by_relationship).to_xml) delete :delete, :id => current_nodes(:node_used_by_relationship).id - assert_response :precondition_failed + assert_response :precondition_failed, + "shouldn't be able to delete a node used in a relation (#{@response.body})" end ## @@ -197,7 +195,36 @@ class NodeControllerTest < Test::Unit::TestCase put :update, :id => current_nodes(:visible_node).id assert_response :bad_request, "adding duplicate tags to a node should fail with 'bad request'" - end + end + + # test whether string injection is possible + def test_string_injection + basic_authorization(users(:normal_user).email, "test") + changeset_id = changesets(:normal_user_first_change).id + + # try and put something into a string that the API might + # use unquoted and therefore allow code injection... + content "" + + '' + + '' + put :create + assert_response :success + nodeid = @response.body + + # find the node in the database + checknode = Node.find(nodeid) + assert_not_nil checknode, "node not found in data base after upload" + + # and grab it using the api + get :read, :id => nodeid + assert_response :success + apinode = Node.from_xml(@response.body) + assert_not_nil apinode, "downloaded node is nil, but shouldn't be" + + # check the tags are not corrupted + assert_equal checknode.tags, apinode.tags + assert apinode.tags.include?('#{@user.inspect}') + end def basic_authorization(user, pass) @request.env["HTTP_AUTHORIZATION"] = "Basic %s" % Base64.encode64("#{user}:#{pass}")