From 7c498c032d3aaa601c4a43405f1d3a78ac043016 Mon Sep 17 00:00:00 2001
From: sunnavy <sunnavy@bestpractical.com>
Date: Thu, 12 Oct 2023 09:56:49 +1300
Subject: Patches to tests for CVE-2023-41259, CVE-2023-41260, and CVE-45024

Patch-Name: upstream_5.0.x_cve:_patchset_2023-09-26-tests.diff
Author: sunnavy <sunnavy@bestpractical.com>
Forwarded: not-needed
Applied: 5.0.5
---
 t/mail/gateway.t            |  2 +-
 t/mail/han-encodings.t      |  2 +-
 t/mail/sendmail-plaintext.t |  2 +-
 t/mail/sendmail.t           |  2 +-
 t/rest2/articles.t          |  2 +-
 t/rest2/assets.t            |  2 +-
 t/rest2/attachments.t       |  4 ++--
 t/rest2/cf-image.t          |  2 +-
 t/rest2/customfields.t      |  2 +-
 t/rest2/group-members.t     | 24 +++++-------------------
 t/rest2/searches.t          |  2 +-
 t/rest2/tickets.t           |  4 +---
 t/rest2/transactions.t      |  4 ++--
 t/ticket/interface.t        |  2 +-
 14 files changed, 20 insertions(+), 36 deletions(-)

diff --git a/t/mail/gateway.t b/t/mail/gateway.t
index c51daa90..8f9e941c 100644
--- a/t/mail/gateway.t
+++ b/t/mail/gateway.t
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 
 
-use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve");', tests => undef, actual_server => 1;
+use RT::Test config => 'Set( @MailPlugins, "Action::Take", "Action::Resolve"); Set($DevelMode, 1);', tests => undef, actual_server => 1;
 my ($baseurl, $m) = RT::Test->started_ok;
 
 use RT::Tickets;
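Review bot: The new `config` string switches `$DevelMode` on for this test without saying why, and the same unexplained switch is added in t/mail/han-encodings.t and t/ticket/interface.t. DevelMode changes how the started server behaves, so a reader cannot tell whether these tests now depend on it or whether it is only needed to surface a warning or error that the default configuration hides. I would put one line above `use RT::Test` in all three files, for example `# DevelMode is needed here because <reason - TODO fill in>`, or state the reason once in the patch description. If the assertions do not actually depend on DevelMode, keeping one of the three files on the default configuration would also keep the non-development code path covered.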
diff --git a/t/mail/han-encodings.t b/t/mail/han-encodings.t
index ba1acc0c..d2dc5238 100644
--- a/t/mail/han-encodings.t
+++ b/t/mail/han-encodings.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 # we can't simply call Encode::HanExtra->require here because we are testing
 # if Encode::HanExtra could be automatically loaded.
diff --git a/t/mail/sendmail-plaintext.t b/t/mail/sendmail-plaintext.t
index b9eb7195..14103924 100644
--- a/t/mail/sendmail-plaintext.t
+++ b/t/mail/sendmail-plaintext.t
@@ -132,7 +132,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {
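Review bot: `ok (!$cc, "No RT-Send-Cc")` on the new line also passes when the header is present but empty, and on failure it reports nothing about the value that was found; `is($cc, undef, 'RT-Send-Cc from incoming mail is stripped');` pins the header to absent and prints what was actually returned. The same line is added in t/mail/sendmail.t and deserves the same treatment. Judging from the patch subject this header being cleared is the security-relevant behaviour under test, so a description that says so is worth more than the generic "No RT-Send-Cc". If the server change also discards sibling pseudo-headers such as RT-Send-Bcc, a matching check here would keep that covered too.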
diff --git a/t/mail/sendmail.t b/t/mail/sendmail.t
index 4ef32061..d6ead4d8 100644
--- a/t/mail/sendmail.t
+++ b/t/mail/sendmail.t
@@ -157,7 +157,7 @@ for my $encoding ('ISO-8859-1', 'UTF-8') {
 {
     my ($ticket) = mail_in_ticket('rt-send-cc');
     my $cc = first_attach($ticket)->GetHeader('RT-Send-Cc');
-    like ($cc, qr/test$_/, "Found test $_") for 1..5;
+    ok (!$cc, "No RT-Send-Cc"); # RT-Send-Cc is supposed to be cleared
 }
 
 {
diff --git a/t/rest2/articles.t b/t/rest2/articles.t
index db6ccd85..0bf5514c 100644
--- a/t/rest2/articles.t
+++ b/t/rest2/articles.t
@@ -172,7 +172,7 @@ TODO: {
     is( $content->{count},             2 );
     is( $content->{page},              1 );
     is( $content->{per_page},          20 );
-    is( $content->{total},             2 );
+    is( $content->{total},             undef, 'No total count');
     is( scalar @{ $content->{items} }, 2 );
 
     for my $txn ( @{ $content->{items} } ) {
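Review bot: `is( $content->{total}, undef, 'No total count' )` passes both when the response carries `total` as null and when the key is missing altogether, so it does not pin which of the two the server now does; the same check is added in t/rest2/assets.t, t/rest2/customfields.t, t/rest2/searches.t, t/rest2/tickets.t and t/rest2/transactions.t, while t/rest2/attachments.t's `cmp_deeply` with `total => undef` requires the key to be present. If the contract is "key present, value null", `ok( exists $content->{total} && !defined $content->{total}, 'total is null' )` says so; if the key is meant to disappear, `ok( !exists $content->{total}, 'no total key' )` does. In either case a one-line comment on why the total is no longer reported (presumably because a count over records the caller is not allowed to see would reveal their existence, to be confirmed against the server change) would stop the next maintainer from restoring the old assertion.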
diff --git a/t/rest2/assets.t b/t/rest2/assets.t
index 4c1984f3..aba50a29 100644
--- a/t/rest2/assets.t
+++ b/t/rest2/assets.t
@@ -256,7 +256,7 @@ my ($asset_url, $asset_id);
     is($content->{count}, 3);
     is($content->{page}, 1);
     is($content->{per_page}, 20);
-    is($content->{total}, 3);
+    is($content->{total}, undef, 'No total');
     is(scalar @{$content->{items}}, 3);
 
     for my $txn (@{ $content->{items} }) {
diff --git a/t/rest2/attachments.t b/t/rest2/attachments.t
index 416ea504..f76baf12 100644
--- a/t/rest2/attachments.t
+++ b/t/rest2/attachments.t
@@ -109,8 +109,8 @@ $image_content = MIME::Base64::encode_base64($image_content);
     cmp_deeply(
         $mech->json_response,
         {   per_page => 20,
-            pages    => 1,
-            total    => 4,
+            pages    => undef,
+            total    => undef,
             page     => 1,
             count    => 4,
             items    => [
diff --git a/t/rest2/cf-image.t b/t/rest2/cf-image.t
index f311c7ab..5025ddf2 100644
--- a/t/rest2/cf-image.t
+++ b/t/rest2/cf-image.t
@@ -47,7 +47,7 @@ $user->PrincipalObj->GrantRight( Right => 'SeeCustomField' );
     my $res = $mech->get("$rest_base_path/download/cf/666",
         'Authorization' => $auth,
     );
-    is($res->code, 404);
+    is($res->code, 403);
 }
 
 # Download cf text
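Review bot: The changed assertion `is($res->code, 403);` has no description, so a failure would show only the two numbers and not that 403 rather than 404 is now the expected answer for `cf/666`. I would write `is($res->code, 403, 'download of custom field 666 is refused with 403 rather than 404');`, and if 666 is chosen because no such custom field exists (the hunk does not show that), saying so in the name records that the endpoint no longer reveals whether the object exists. The block this assertion belongs to opens above the hunk.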
diff --git a/t/rest2/customfields.t b/t/rest2/customfields.t
index 26cb5c1d..e09daa21 100644
--- a/t/rest2/customfields.t
+++ b/t/rest2/customfields.t
@@ -82,7 +82,7 @@ my $freeform_cf_id;
     is($res->code, 200);
 
     my $content = $mech->json_response;
-    is($content->{total}, 3);
+    is($content->{total}, undef, 'No total');
     is($content->{count}, 0);
     is_deeply($content->{items}, []);
 }
diff --git a/t/rest2/group-members.t b/t/rest2/group-members.t
index 842d595b..fc0dc9e0 100644
--- a/t/rest2/group-members.t
+++ b/t/rest2/group-members.t
@@ -59,19 +59,12 @@ $group2->Load($group2_id);
     );
     is($res->code, 403, 'Cannot disable group without AdminGroup right');
 
-    # Rights Test - With AdminGroup, no SeeGroup
+    # Rights Test - With AdminGroup
     $user->PrincipalObj->GrantRight(Right => 'AdminGroup', Object => $group2);
     $res = $mech->delete($group2_url,
         'Authorization' => $auth,
     );
-    is($res->code, 403, 'Cannot disable group without SeeGroup right');
-
-    # Rights Test - With AdminGroup, no SeeGroup
-    $user->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $group2);
-    $res = $mech->delete($group2_url,
-        'Authorization' => $auth,
-    );
-    is($res->code, 204, 'Disable group with AdminGroup & SeeGroup rights');
+    is($res->code, 204, 'Disable group with AdminGroup rights');
 
     is($group2->Disabled, 1, "Group disabled");
 }
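Review bot: The rewritten comment `# Rights Test - With AdminGroup` no longer records that SeeGroup is deliberately not granted at this point, although that is exactly what the following 204 assertion now proves; the same applies to the enable case in the second hunk of this file. I would make it `# Rights Test - With AdminGroup only (no SeeGroup); AdminGroup alone is sufficient to disable` so a future reader does not re-add the SeeGroup step this patch removes. The third hunk then grants SeeGroup on both groups before the member tests, which looks like the replacement for the grant removed here; a short comment there saying why the member endpoints still need SeeGroup would tie the two together (inferred from the test order, not shown in the hunk). The block containing this test opens above the hunk.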
@@ -91,19 +84,12 @@ $group2->Load($group2_id);
         'Authorization' => $auth);
     is($res->code, 403, 'Cannot enable group without AdminGroup right');
 
-    # Rights Test - With AdminGroup, no SeeGroup
+    # Rights Test - With AdminGroup
     $user->PrincipalObj->GrantRight(Right => 'AdminGroup', Object => $group2);
     $res = $mech->put_json($group2_url,
         $payload,
         'Authorization' => $auth);
-    is($res->code, 403, 'Cannot enable group without SeeGroup right');
-
-    # Rights Test - With AdminGroup, no SeeGroup
-    $user->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $group2);
-    $res = $mech->put_json($group2_url,
-        $payload,
-        'Authorization' => $auth);
-    is($res->code, 200, 'Enable group with AdminGroup & SeeGroup rights');
+    is($res->code, 200, 'Enable group with AdminGroup rights');
     is_deeply($mech->json_response, ['Group enabled']);
 
     is($group2->Disabled, 0, "Group enabled");
@@ -111,7 +97,7 @@ $group2->Load($group2_id);
 
 my $group1_id = $group1->id;
 (my $group1_url = $group2_url) =~ s/$group2_id/$group1_id/;
-$user->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $group1);
+$user->PrincipalObj->GrantRight(Right => 'SeeGroup', Object => $_) for $group1, $group2;
 
 # Members addition
 {
diff --git a/t/rest2/searches.t b/t/rest2/searches.t
index 067ba1fd..bfae6fde 100644
--- a/t/rest2/searches.t
+++ b/t/rest2/searches.t
@@ -65,7 +65,7 @@ ok( $ret, "created $msg" );
     is( $content->{count},             4,  '4 searches' );
     is( $content->{page},              1,  '1 page' );
     is( $content->{per_page},          20, '20 per_page' );
-    is( $content->{total},             4,  '4 total' );
+    is( $content->{total},             undef, 'No total' );
     is( scalar @{ $content->{items} }, 4,  'items count' );
 
     for my $item ( @{ $content->{items} } ) {
diff --git a/t/rest2/tickets.t b/t/rest2/tickets.t
index 7c6a378b..fd563c82 100644
--- a/t/rest2/tickets.t
+++ b/t/rest2/tickets.t
@@ -396,9 +396,7 @@ my ($ticket_url, $ticket_id);
     is($content->{page}, 1);
     is($content->{per_page}, 20);
 
-    # TODO This 14 VS 15 inconsitency is because user lacks ShowOutgoingEmail.
-    # It'll be perfect if we can keep them in sync
-    is($content->{total}, 15);
+    is($content->{total}, undef, 'No total');
     is(scalar @{$content->{items}}, 14);
 
     for my $txn (@{ $content->{items} }) {
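Review bot: Dropping the TODO lines also drops the only explanation of why `items` holds 14 entries here, and the `is(scalar @{$content->{items}}, 14);` assertion on the next line still depends on that reason. Only the second half of the old comment, about keeping the two numbers in sync, is made obsolete by `total` becoming undef; I would keep the first half as a plain comment above the assertion, for example `# 14 rather than 15 transactions: this user lacks ShowOutgoingEmail, so one is filtered out`. The block containing these assertions opens above the hunk.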
diff --git a/t/rest2/transactions.t b/t/rest2/transactions.t
index 6096b54c..918b19a1 100644
--- a/t/rest2/transactions.t
+++ b/t/rest2/transactions.t
@@ -41,7 +41,7 @@ my ($comment_txn_url, $comment_txn_id);
     is($content->{count}, 5);
     is($content->{page}, 1);
     is($content->{per_page}, 20);
-    is($content->{total}, 5);
+    is($content->{total}, undef, 'No total');
     is(scalar @{$content->{items}}, 5);
 
     my ($create, $priority1, $subject, $priority2, $comment) = @{ $content->{items} };
@@ -70,7 +70,7 @@ my ($comment_txn_url, $comment_txn_id);
     is($content->{count}, 5);
     is($content->{page}, 1);
     is($content->{per_page}, 20);
-    is($content->{total}, 5);
+    is($content->{total}, undef, 'No total');
     is(scalar @{$content->{items}}, 5);
 
     my ($create, $priority1, $subject, $priority2, $comment) = @{ $content->{items} };
diff --git a/t/ticket/interface.t b/t/ticket/interface.t
index c43e1341..9067f869 100644
--- a/t/ticket/interface.t
+++ b/t/ticket/interface.t
@@ -1,7 +1,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => undef, actual_server => 1;
+use RT::Test tests => undef, config => 'Set($DevelMode, 1);', actual_server => 1;
 
 my ( $baseurl, $m ) = RT::Test->started_ok;
 
