Merge pull request #647 from secureCodeBox/feature/add-typo3-integration-test

J12934 · web-flow · commit d0e3e03914a0 · 2021-09-17T11:10:41.000+02:00
Add integration tests to Typo3Scan
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -564,8 +564,10 @@ jobs:
           - kubeaudit
           - ncrack
           - nmap
-          - whatweb
           - nikto
+          - typo3scan
+          - whatweb
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -678,7 +680,7 @@ jobs:
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
           repository: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }}
           readme-filepath: ./scanners/${{ matrix.scanner }}/docs/README.DockerHub-Scanner.md
-
+          
     # ---- Integration Tests ----
 
   Integration-tests:
@@ -827,6 +829,8 @@ jobs:
           helm -n demo-targets install petstore ./demo-targets/swagger-petstore/ --set="fullnameOverride=petstore" --wait
           # Install old-wordpress app
           helm -n demo-targets install old-wordpress ./demo-targets/old-wordpress/ --set="fullnameOverride=old-wordpress" --wait
+          # Install old-typo3 app
+          helm -n demo-targets install old-typo3 ./demo-targets/old-typo3/ --set="fullnameOverride=old-typo3" --wait
           # Install juiceshop app
           helm -n demo-targets install juiceshop ./demo-targets/juice-shop/ --set="fullnameOverride=juiceshop" --wait
           # Install plain nginx server
@@ -972,6 +976,19 @@ jobs:
           cd tests/integration/
           npx jest --ci --color scanner/sslyze.test.js
 
+      # ---- Typo3scan Integration Tests ----
+
+      - name: "typo3scan Integration Tests"
+        run: |
+          kubectl -n integration-tests delete scans --all
+          helm -n integration-tests install typo3scan ./scanners/typo3scan/  \
+            --set="parser.image.tag=sha-$(git rev-parse --short HEAD)" \
+            --set="parser.image.repository=docker.io/${{ env.DOCKER_NAMESPACE }}/parser-typo3scan" \
+            --set="parser.env[0].name=CRASH_ON_FAILED_VALIDATION" \
+            --set-string="parser.env[0].value=true"
+          cd tests/integration/
+          npx jest --ci --color scanner/typo3scan.test.js    
+
       # ---- Whatweb Integration Tests ----
 
       - name: "Whatweb Integration Tests"
diff --git a/demo-targets/old-typo3/container/Dockerfile b/demo-targets/old-typo3/container/Dockerfile
@@ -10,9 +10,6 @@ COPY ./typo3conf /var/www/html/typo3conf
 
 RUN chown -R www-data.www-data /var/www/html/typo3conf \
     && chmod +rxw /var/www/html/typo3conf/cms-016d0ef9.sqlite
-# Change to low-privilege user 'www-data'    
-USER 33 
-
 # Login details
   # Username: root
   # Password: supersecret
diff --git a/tests/integration/scanner/typo3scan.test.js b/tests/integration/scanner/typo3scan.test.js
@@ -0,0 +1,42 @@
+// SPDX-FileCopyrightText: 2021 iteratec GmbH
+//
+// SPDX-License-Identifier: Apache-2.0
+
+const { scan } = require("../helpers");
+
+jest.retryTimes(3);
+
+test(
+  "typo3scan scans old-typo3 for vulnerable extensions and core only",
+  async () => {
+    const { categories, severities, count } = await scan(
+      "typo3scan-old-typo3",
+      "typo3scan",
+      ["-d", "http://old-typo3.demo-targets.svc", "--vuln"],
+      90
+    );
+
+    expect(count).toBe(53);
+    expect(categories).toMatchInlineSnapshot(`
+      Object {
+        "Vulnerability": 53,
+      }
+    `);
+    expect(severities).toMatchInlineSnapshot(`
+      Object {
+        "high": 53,
+      }
+    `);
+  },
+  3 * 60 * 1000
+);
+
+test(
+  "Invalid argument should be marked as errored",
+  async () => {
+    await expect(
+      scan("typo3scan-invalidArg", "typo3scan", ["--invalidArg", "example.com"], 90)
+    ).rejects.toThrow("HTTP request failed");
+  },
+  3 * 60 * 1000
+);
