init CTFd source

tests/test_share.py

@@ -0,0 +1,112 @@
+import re
+from urllib.parse import urlparse, urlunparse
+
+from CTFd.utils import set_config
+from tests.helpers import (
+    create_ctfd,
+    destroy_ctfd,
+    gen_challenge,
+    gen_solve,
+    login_as_user,
+    register_user,
+)
+
+
+def test_share_endpoints():
+    """Test that social share endpoints and disabling are working"""
+    app = create_ctfd(ctf_theme="core")
+    with app.app_context():
+        chal_id = gen_challenge(app.db).id
+        register_user(app)
+        gen_solve(app.db, user_id=2, challenge_id=chal_id)
+
+        # social_shares are enabled by default now
+        set_config("social_shares", False)
+
+        # Test disabled shares dont work
+        with login_as_user(app) as client:
+            r = client.post(
+                "/api/v1/shares",
+                json={"type": "solve", "user_id": 2, "challenge_id": 1},
+            )
+            assert r.status_code == 403
+
+        set_config("social_shares", True)
+
+        # Test working share
+        with login_as_user(app) as client:
+            r = client.post(
+                "/api/v1/shares",
+                json={"type": "solve", "user_id": 2, "challenge_id": 1},
+            )
+            resp = r.get_json()
+            url = resp["data"]["url"]
+
+        # Test loadding share page
+        with app.test_client() as client:
+            r = client.get(url)
+            resp = r.get_data(as_text=True)
+            assert r.status_code == 200
+            assert "user has solved" in resp
+            assert "+100 points" in resp
+
+            # Test downloading asset image
+            m = re.search(r"og:image(.*)", resp)
+            # Remove extra text
+            asset_url = m.group()[19:-4].replace("&", "&")
+            r = client.get(asset_url)
+            assert r.status_code == 200
+
+        # Test disabled social shares
+        set_config("social_shares", False)
+        with app.test_client() as client:
+            r = client.get(url)
+            assert r.status_code == 403
+    destroy_ctfd(app)
+
+
+def test_share_security():
+    """Test that shares and their assets do not load without a valid mac"""
+    app = create_ctfd(ctf_theme="core")
+    with app.app_context():
+        chal_id = gen_challenge(app.db).id
+        register_user(app)
+        gen_solve(app.db, user_id=2, challenge_id=chal_id)
+
+        set_config("social_shares", True)
+
+        # Test working share
+        with login_as_user(app) as client:
+            r = client.post(
+                "/api/v1/shares",
+                json={"type": "solve", "user_id": 2, "challenge_id": 1},
+            )
+            resp = r.get_json()
+            url = resp["data"]["url"]
+
+        with app.test_client() as client:
+            r = client.get(url)
+            resp = r.get_data(as_text=True)
+            assert r.status_code == 200
+
+            # Test downloading asset image
+            m = re.search(r"og:image(.*)", resp)
+            # Remove extra text
+            asset_url = m.group()[19:-4].replace("&", "&")
+            r = client.get(asset_url)
+            assert r.status_code == 200
+
+            parsed_asset_url = urlparse(asset_url)
+            parsed_asset_url = parsed_asset_url._replace(
+                path=(parsed_asset_url.path[:-5]) + "abc.png"
+            )
+
+            asset_url = urlunparse(parsed_asset_url)
+            r = client.get(asset_url)
+            assert r.status_code == 404
+
+            # Test modified mac
+            url = url[:-3] + "abc"
+            r = client.get(url)
+            assert r.status_code == 404
+    destroy_ctfd(app)