
Commit 1f9ae9e

committed
tidying up tests and fixtures
1 parent 75f95ea commit 1f9ae9e


10 files changed

+47
-46
lines changed


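--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,6 @@ coverage
 yarn.lock
 _emulator/pubsub-debug.log
 firestore-debug.log
-pubsub-debug.log
+pubsub-debug.log
+tmp/
+fixtures/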
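Review bot: The added `fixtures/` pattern is unanchored, so it matches a directory named `fixtures` at any depth, including the `__tests__/fixtures/` directory the test file now reads from (`__dirname + "/fixtures/config.json"`), which appears to be where this commit's new fixture files live. The fixtures added in this commit stay tracked, but any fixture added later under that path would be silently skipped by `git add` unless forced. If the intent is only to ignore the old `storage-resize-images/functions/fixtures/` directory that this commit deletes, anchor the pattern: `/storage-resize-images/functions/fixtures/`. If something else is meant, a short comment above the line saying what is being ignored and why would help.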
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
{ "some": "secret" }
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
data:text/plain;,'Hello from hacker'
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
{ "status": "active" }
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
rules_version = '2';
2+
service firebase.storage {
3+
match /b/{bucket}/o {
4+
5+
match /users/{userId}/images/{documents=**} {
6+
allow read, write;
7+
}
8+
9+
match /users/{userId}/images/thumbs/{image} {
10+
allow read: if image.matches('.*\\.png');
11+
}
12+
13+
match /config.json {
14+
allow read, write;
15+
}
16+
}
17+
}
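Review bot: Every rule in this file grants access with no condition on `request.auth`, so wherever these rules are deployed, `/config.json` and everything under `/users/{userId}/images/` is readable and writable by unauthenticated callers (lines 5–7 and 13–15). That may be deliberate for reproducing the vulnerability against the `extensions-testing` bucket, but nothing in the file says so; add a header comment such as `// TEST-ONLY rules: intentionally unauthenticated so the e2e suite can seed and read back files. Never deploy to a real project.` The `thumbs` rule on lines 9–11 is also ineffective: Storage grants access when any matching rule allows it, and the `{documents=**}` rule above already allows read and write on that path, so the `.png` restriction never constrains anything. The file's path is not shown on this page; the test's doc comment refers to it as `__tests__/fixtures/storage.rules`.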

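--- a/storage-resize-images/functions/__tests__/vulnerability.test.ts
+++ b/storage-resize-images/functions/__tests__/vulnerability.test.ts
@@ -8,6 +8,7 @@ const exec = util.promisify(require("child_process").exec);
 
 /**
 * e2e testing for discovered storage vulnerability
+* Ensure the following rules from __tests__/fixtures/storage.rules are in place:
 */
 
 // Initialize Firebase app first
@@ -29,33 +30,31 @@ const storage = firebaseStorage.getStorage();
 /** basic configuration */
 const username = "[email protected]";
 const password = "L33tH4cker";
+const userId = "RiosyEksHRYop824nECwfBIuJmn1";
+const secondaryUserId = "UuAG5c2Iyqec9fKlNo4dJYsp5B23";
+const filePath = "/fixtures/config_hack.txt";
+const project_id = "extensions-testing";
 
 describe("failed resize vulnerability", () => {
-let userId;
-let filePath;
 let dest;
-let project_id;
 let bucketName;
 
 beforeAll(async () => {
 /** config */
-userId = "RiosyEksHRYop824nECwfBIuJmn1";
-filePath = "/../fixtures/config_hack.txt";
 dest = `users/${userId}/images/../../../config.json`;
-project_id = "extensions-testing";
 bucketName = `gs://${project_id}.appspot.com`;
 });
 test("should not write a file to a storage subdirectory", async () => {
 /** Upload the original file */
-// const configRef = firebaseStorage.ref(storage, "config.json");
+const configRef = firebaseStorage.ref(storage, "config.json");
 
 /** Get the file buffer */
-// const buffer = fs.readFileSync(__dirname + "/../fixtures/config.json");
+const buffer = fs.readFileSync(__dirname + "/fixtures/config.json");
 
 /** Upload the original file */
-// await firebaseStorage.uploadBytes(configRef, buffer).then(() => {
-// console.log("File upload succeed");
-// });
+await firebaseStorage.uploadBytes(configRef, buffer).then(() => {
+console.log("File upload succeed");
+});
 
 /** Wait for 5 seconds to propegate */
 await new Promise((resolve) => setTimeout(resolve, 5000));
@@ -69,7 +68,7 @@ describe("failed resize vulnerability", () => {
 
 /** Confirm correct files are in place */
 await exec(`echo 'Step 2:' && cat ./tmp/config.json`).then(({ stdout }) => {
-expect(stdout.trim()).toEqual('Step 2:\n{\n "some" : "secret"\n}');
+expect(stdout.trim()).toEqual('Step 2:\n{"some":"secret"}');
 });
 
 /** Add logging */
@@ -109,51 +108,38 @@ describe("failed resize vulnerability", () => {
 /** Check file */
 await exec(`echo 'Step 4:' && cat ./tmp/config.json`).then(({ stdout }) => {
 /** Check file */
-expect(stdout.trim()).toEqual('Step 4:\n{\n "some" : "secret"\n}');
+expect(stdout.trim()).toEqual('Step 4:\n{"some":"secret"}');
 });
 
-/** Clear file */
-// await exec(`echo 'Step 5:' && rm -f ./tmp/config.json`).then(
-// ({ stdout }) => {
-// /** Check file */
-// expect(stdout.trim()).toEqual("Step 5:");
-// }
-// );
-
 /** Check results */
 expect(true).toBe(true);
 }, 60000);
 });
 
 describe("allowed paths vulnerability", () => {
-let userId;
-let secondaryUserId;
-let filePath;
 let dest;
-let project_id;
 let bucketName;
 
 beforeAll(async () => {
 /** config */
-userId = "RiosyEksHRYop824nECwfBIuJmn1";
-secondaryUserId = "UuAG5c2Iyqec9fKlNo4dJYsp5B23";
-filePath = "/../fixtures/config_hack.txt";
-dest = `users/${userId}/images/../../${secondaryUserId}/config.json`;
-project_id = "extensions-testing";
+dest = `users/${userId}/images/../../${secondaryUserId}/settings.json`;
 bucketName = `gs://${project_id}.appspot.com`;
 });
 
 test("should not write a file to a storage subdirectory", async () => {
 /** Upload the original file */
-// const configRef = firebaseStorage.ref(storage, "config.json");
+const settingsRef = firebaseStorage.ref(
+storage,
+`users/${secondaryUserId}/settings.json`
+);
 
 /** Get the file buffer */
-// const buffer = fs.readFileSync(__dirname + "/../fixtures/config.json");
+const buffer = fs.readFileSync(__dirname + "/fixtures/settings.json");
 
 /** Upload the original file */
-// await firebaseStorage.uploadBytes(configRef, buffer).then(() => {
-// console.log("File upload succeed");
-// });
+await firebaseStorage.uploadBytes(settingsRef, buffer).then(() => {
+console.log("File upload succeed");
+});
 
 /** Wait for 5 seconds to propegate */
 await new Promise((resolve) => setTimeout(resolve, 5000));
@@ -173,7 +159,7 @@ describe("allowed paths vulnerability", () => {
 /** Confirm correct files are in place */
 await exec(`echo 'Step 2:' && cat ./tmp/settings.json`).then(
 ({ stdout }) => {
-expect(stdout.trim()).toEqual('Step 2:\n{\n "status" : "active"\n}');
+expect(stdout.trim()).toEqual('Step 2:\n{"status":"active"}');
 }
 );
 
@@ -221,7 +207,7 @@ describe("allowed paths vulnerability", () => {
 await exec(`echo 'Step 4:' && cat ./tmp/settings.json`).then(
 ({ stdout }) => {
 /** Check file */
-expect(stdout.trim()).toEqual('Step 4:\n{\n "status" : "active"\n}');
+expect(stdout.trim()).toEqual('Step 4:\n{"status":"active"}');
 }
 );
 }, 60000);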
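Review bot: The new expectations `'Step 2:\n{"some":"secret"}'` and `'Step 4:\n{"some":"secret"}'` (and the `{"status":"active"}` pair) hard-code a minified form of the fixture, yet the uploaded bytes are exactly what `fs.readFileSync(__dirname + "/fixtures/config.json")` returns and are read back verbatim with `cat`; the one-line fixture as rendered on this page is `{ "some": "secret" }` with spaces, and if that is what is on disk `toEqual` will fail. Comparing against the buffer that was actually uploaded removes both the duplication and the whitespace coupling: `expect(stdout.trim()).toEqual("Step 2:\n" + buffer.toString().trim());`, and likewise for the Step 4 and settings checks, since `buffer` is declared in the same test callback. The doc comment added at the top (`* Ensure the following rules from __tests__/fixtures/storage.rules are in place:`) ends in a colon with nothing after it; either list the rules or drop the colon. Both `describe` blocks continue outside the hunks shown here.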

storage-resize-images/functions/fixtures/config.json

-3
This file was deleted.

storage-resize-images/functions/fixtures/config_hack.txt

-1
This file was deleted.

storage-resize-images/functions/fixtures/settings.json

-3
This file was deleted.

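--- a/storage-resize-images/functions/jest.config.js
+++ b/storage-resize-images/functions/jest.config.js
@@ -11,7 +11,7 @@ module.exports = {
 },
 preset: "ts-jest",
 setupFiles: ["<rootDir>/__tests__/jest.setup.ts"],
-testMatch: ["**/__tests__/*.test.ts"],
+testMatch: ["**/__tests__/vulnerability.test.ts"],
 moduleNameMapper: {
 "firebase-admin/eventarc":
 "<rootDir>/node_modules/firebase-admin/lib/eventarc",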
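Review bot: Narrowing `testMatch` to `**/__tests__/vulnerability.test.ts` means jest no longer discovers any other `*.test.ts` under `__tests__/`, so every other test in this package is silently dropped from the run rather than merely deprioritized. If the goal was to iterate on the vulnerability suite alone, keep `testMatch: ["**/__tests__/*.test.ts"],` and select the file on the command line (`jest vulnerability`) or through a separate config passed with `--config`. If the narrowing is intentional, a comment on the line stating why and when it should be reverted would keep it from going unnoticed in CI.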
