113 lines
3.5 KiB
Python
113 lines
3.5 KiB
Python
import re
|
|
from urllib.parse import urlparse, urlunparse
|
|
|
|
from CTFd.utils import set_config
|
|
from tests.helpers import (
|
|
create_ctfd,
|
|
destroy_ctfd,
|
|
gen_challenge,
|
|
gen_solve,
|
|
login_as_user,
|
|
register_user,
|
|
)
|
|
|
|
|
|
def test_share_endpoints():
|
|
"""Test that social share endpoints and disabling are working"""
|
|
app = create_ctfd(ctf_theme="core")
|
|
with app.app_context():
|
|
chal_id = gen_challenge(app.db).id
|
|
register_user(app)
|
|
gen_solve(app.db, user_id=2, challenge_id=chal_id)
|
|
|
|
# social_shares are enabled by default now
|
|
set_config("social_shares", False)
|
|
|
|
# Test disabled shares dont work
|
|
with login_as_user(app) as client:
|
|
r = client.post(
|
|
"/api/v1/shares",
|
|
json={"type": "solve", "user_id": 2, "challenge_id": 1},
|
|
)
|
|
assert r.status_code == 403
|
|
|
|
set_config("social_shares", True)
|
|
|
|
# Test working share
|
|
with login_as_user(app) as client:
|
|
r = client.post(
|
|
"/api/v1/shares",
|
|
json={"type": "solve", "user_id": 2, "challenge_id": 1},
|
|
)
|
|
resp = r.get_json()
|
|
url = resp["data"]["url"]
|
|
|
|
# Test loadding share page
|
|
with app.test_client() as client:
|
|
r = client.get(url)
|
|
resp = r.get_data(as_text=True)
|
|
assert r.status_code == 200
|
|
assert "user has solved" in resp
|
|
assert "+100 points" in resp
|
|
|
|
# Test downloading asset image
|
|
m = re.search(r"og:image(.*)", resp)
|
|
# Remove extra text
|
|
asset_url = m.group()[19:-4].replace("&", "&")
|
|
r = client.get(asset_url)
|
|
assert r.status_code == 200
|
|
|
|
# Test disabled social shares
|
|
set_config("social_shares", False)
|
|
with app.test_client() as client:
|
|
r = client.get(url)
|
|
assert r.status_code == 403
|
|
destroy_ctfd(app)
|
|
|
|
|
|
def test_share_security():
|
|
"""Test that shares and their assets do not load without a valid mac"""
|
|
app = create_ctfd(ctf_theme="core")
|
|
with app.app_context():
|
|
chal_id = gen_challenge(app.db).id
|
|
register_user(app)
|
|
gen_solve(app.db, user_id=2, challenge_id=chal_id)
|
|
|
|
set_config("social_shares", True)
|
|
|
|
# Test working share
|
|
with login_as_user(app) as client:
|
|
r = client.post(
|
|
"/api/v1/shares",
|
|
json={"type": "solve", "user_id": 2, "challenge_id": 1},
|
|
)
|
|
resp = r.get_json()
|
|
url = resp["data"]["url"]
|
|
|
|
with app.test_client() as client:
|
|
r = client.get(url)
|
|
resp = r.get_data(as_text=True)
|
|
assert r.status_code == 200
|
|
|
|
# Test downloading asset image
|
|
m = re.search(r"og:image(.*)", resp)
|
|
# Remove extra text
|
|
asset_url = m.group()[19:-4].replace("&", "&")
|
|
r = client.get(asset_url)
|
|
assert r.status_code == 200
|
|
|
|
parsed_asset_url = urlparse(asset_url)
|
|
parsed_asset_url = parsed_asset_url._replace(
|
|
path=(parsed_asset_url.path[:-5]) + "abc.png"
|
|
)
|
|
|
|
asset_url = urlunparse(parsed_asset_url)
|
|
r = client.get(asset_url)
|
|
assert r.status_code == 404
|
|
|
|
# Test modified mac
|
|
url = url[:-3] + "abc"
|
|
r = client.get(url)
|
|
assert r.status_code == 404
|
|
destroy_ctfd(app)
|