File: RegExErrorMessageSafety.t

znuny 6.5.18-1
# --
# Copyright (C) 2021 Znuny GmbH, https://znuny.org/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (AGPL). If you
# did not receive this file, see http://www.gnu.org/licenses/agpl.txt.
# --

use strict;
use warnings;
use utf8;

use vars (qw($Self));

# Register constructor parameters for the unit test helper before it is first
# fetched from the object manager below.
# NOTE(review): RestoreDatabase presumably rolls back the dynamic fields this
# test creates once the helper goes away - confirm against
# Kernel::System::UnitTest::Helper.
$Kernel::OM->ObjectParamAdd(
    'Kernel::System::UnitTest::Helper' => {
        RestoreDatabase => 1,
    },
);

my $DynamicFieldObject = $Kernel::OM->Get('Kernel::System::DynamicField');
my $HelperObject       = $Kernel::OM->Get('Kernel::System::UnitTest::Helper');

# NOTE(review): $RandomID is never used in this file. The dynamic field names
# in @Tests are fixed strings, so a field of the same name left in the database
# would presumably make DynamicFieldAdd() fail - confirm, and consider folding
# $RandomID into the names.
my $RandomID = $HelperObject->GetRandomNumber();
my $UserID   = 1;    # passed as UserID to DynamicFieldAdd()

# Test cases for the handling of RegExList error messages on text dynamic
# fields. Each case holds the DynamicFieldConfig handed to DynamicFieldAdd()
# and the RegExList expected back from DynamicFieldGet().
# NOTE(review): the error messages are presumably shown in the web interface
# when a value fails validation, which would make unsanitised markup a stored
# XSS risk - confirm where they are rendered and whether the output is also
# escaped there.
# NOTE(review): only <script> elements passed through DynamicFieldAdd() are
# covered; other active markup and the update path are not exercised here.
my @Tests = (
    {
        # Control case: plain text messages must come back unchanged.
        Name               => 'RegEx error message without malicious content.',
        DynamicFieldConfig => {
            Name       => 'RegExErrorMessageSafety1',
            Label      => 'RegExErrorMessageSafety1',
            FieldOrder => 10000,
            FieldType  => 'Text',
            ObjectType => 'Ticket',
            Config     => {
                RegExList => [
                    {
                        Value        => '^\d+$',
                        ErrorMessage => 'Some error message.',
                    },
                    {
                        Value        => '^\d{2}$',
                        ErrorMessage => 'Another error message.',
                    },
                ],
            },
            ValidID => 1,
        },
        ExpectedDynamicFieldConfigRegExList => [
            {
                Value        => '^\d+$',
                ErrorMessage => 'Some error message.',
            },
            {
                Value        => '^\d{2}$',
                ErrorMessage => 'Another error message.',
            },
        ],
    },
    {
        # Sanitising case: both messages carry a <script> element that must not
        # be present in the configuration read back.
        Name               => 'RegEx error message with malicious content.',
        DynamicFieldConfig => {
            Name       => 'RegExErrorMessageSafety2',
            Label      => 'RegExErrorMessageSafety2',
            FieldOrder => 10000,
            FieldType  => 'Text',
            ObjectType => 'Ticket',
            Config     => {
                RegExList => [
                    {
                        Value        => '^\d+$',
                        ErrorMessage => 'Some <script>alert("TEST");</script> error message.',
                    },
                    {
                        Value        => '^\d{2}$',
                        ErrorMessage => 'Another <script>console.log("TEST2");</script>error message.',
                    },
                ],
            },
            ValidID => 1,
        },

        # The element is expected to be removed together with its content; the
        # surrounding spaces stay, hence the double space in the first message.
        # The RegEx values themselves are expected to come back untouched.
        ExpectedDynamicFieldConfigRegExList => [
            {
                Value        => '^\d+$',
                ErrorMessage => 'Some  error message.',
            },
            {
                Value        => '^\d{2}$',
                ErrorMessage => 'Another error message.',
            },
        ],
    },
);

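# For every test case: create the dynamic field, read it back and compare the
# stored RegExList with the expected one.
TEST:
for my $Test (@Tests) {
    my $DynamicFieldID = $DynamicFieldObject->DynamicFieldAdd(
        %{ $Test->{DynamicFieldConfig} },
        UserID => $UserID,
    );

    $Self->True(
        $DynamicFieldID,
        "$Test->{Name} - DynamicFieldAdd() must be successful.",
    );

    # Without an ID there is nothing to read back. The failure is already
    # recorded above, so skip the lookup instead of calling DynamicFieldGet()
    # with an undefined ID and reporting a misleading second failure.
    next TEST if !$DynamicFieldID;

    my $DynamicFieldConfig = $DynamicFieldObject->DynamicFieldGet(
        ID => $DynamicFieldID,
    );

    # The comparison is made on what DynamicFieldGet() returns, i.e. the
    # configuration as later consumers of the field will see it.
    $Self->IsDeeply(
        $DynamicFieldConfig->{Config}->{RegExList},
        $Test->{ExpectedDynamicFieldConfigRegExList},
        "$Test->{Name} - RegEx config must match expected one.",
    );
}

1;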