require 'test_helper'

# Regression tests for stored XSS in ticket article bodies.
#
# Both tests pin the EXACT body that gets persisted, rather than only
# asserting that a tag is absent, so any drift in the sanitizer's output
# (tags retained, text dropped, attributes rewritten) fails the test.
#
# NOTE(review): the `body:` / `title:` / `data` literals below appear to have
# lost their HTML tags during extraction -- article1 is created with
# `body: ''` yet is expected to persist as `alert("XSS!");`, which only makes
# sense if the input carried a script element around that text. Compare
# against the upstream file before relying on the inputs shown here.
class TicketXssTest < ActiveSupport::TestCase

  # Model layer: Ticket::Article.create with content_type 'text/html' must
  # strip active content on write. A 'text/plain' body is stored verbatim
  # (article5), so escaping plain-text bodies is the renderer's job, not
  # this layer's -- this test does not cover rendering at all.
  test 'xss via model' do
    ticket = Ticket.create(
      title: 'test 123 ',
      group: Group.lookup(name: 'Users'),
      customer_id: 2,
      state: Ticket::State.lookup(name: 'new'),
      priority: Ticket::Priority.lookup(name: '2 normal'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert(ticket, 'ticket created')
    # Title is expected back unchanged (trailing space included).
    assert_equal('test 123 ', ticket.title, 'ticket.title verify')
    assert_equal('Users', ticket.group.name, 'ticket.group verify')
    assert_equal('new', ticket.state.name, 'ticket.state verify')

    # Bare payload: expected outcome is that the script text survives as
    # inert text while whatever wrapped it is gone.
    article1 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: '',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('alert("XSS!");', article1.body, 'article1.body verify - inbound')

    # Payload embedded after legitimate text.
    article2 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'please tell me this doesn\'t work: ',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('please tell me this doesn\'t work: alert("XSS!");', article2.body, 'article2.body verify - inbound')

    # Link text inside an HTML body. The expected value carries a trailing
    # newline the input does not -- presumably sanitizer formatting; confirm
    # before changing either literal.
    article3 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'please tell me this doesn\'t work: ada
LINKaaABC',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal("please tell me this doesn't work: ada
LINKaaABC
", article3.body, 'article3.body verify - inbound')

    # Expected body is the input with nothing but the two text fragments
    # left; whatever sat between 'al' and 'al' in the original input is
    # not visible here.
    article4 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'please tell me this doesn\'t work: alal',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal("please tell me this doesn't work: alal", article4.body, 'article4.body verify - inbound')

    # Same content as article3 but declared 'text/plain': stored byte-for-byte.
    # Security-relevant consequence: plain-text bodies are NOT sanitized here,
    # so every place that renders them must HTML-escape.
    article5 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/plain',
      body: 'please tell me this doesn\'t work: ada
LINKaaABC',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('please tell me this doesn\'t work: ada
LINKaaABC', article5.body, 'article5.body verify - inbound')

    # article6 and article7 are identical as shown; upstream they likely
    # differed in markup that extraction removed. Both expect the multi-line
    # text back unchanged.
    article6 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'some message article helper test1
asdasd
',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('some message article helper test1
asdasd
', article6.body, 'article6.body verify - inbound')

    article7 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'some message article helper test1
asdasd
',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('some message article helper test1
asdasd
', article7.body, 'article7.body verify - inbound')

    # Single-line HTML body with no active content: must pass through intact,
    # guarding against an over-eager sanitizer that mangles benign text.
    article8 = Ticket::Article.create(
      ticket_id: ticket.id,
      from: 'some_sender@example.com',
      to: 'some_recipient@example.com',
      subject: 'some subject ',
      message_id: 'some@id',
      content_type: 'text/html',
      body: 'some message article helper test1 abc 123123',
      internal: false,
      sender: Ticket::Article::Sender.find_by(name: 'Customer'),
      type: Ticket::Article::Type.find_by(name: 'email'),
      updated_by_id: 1,
      created_by_id: 1,
    )
    assert_equal('some message article helper test1 abc 123123', article8.body, 'article8.body verify - inbound')
  end

  # Inbound channel: a raw message fed through Channel::EmailParser must end
  # up with the same sanitization as the model path (text/html stripped,
  # text/plain verbatim).
  #
  # NOTE(review): `data` here is a single line; a raw RFC 822 message needs
  # header lines and a blank line before the body, so upstream this was almost
  # certainly a multi-line string flattened by extraction. The sender field
  # `ME Bob` also looks truncated. Verify against upstream before reusing.
  test 'xss via mail' do
    data = 'From: ME Bob To: customer@example.com Subject: some subject Content-Type: text/html MIME-Version: 1.0 no HTML '
    parser = Channel::EmailParser.new
    ticket, article, user = parser.process({}, data)
    assert_equal('text/html', ticket.articles.first.content_type)
    # As with article1 above, the inert script text is expected to remain
    # while the surrounding markup is removed.
    assert_equal('no HTML alert(\'XSS\')', ticket.articles.first.body)

    # Same message declared text/plain: the body is kept as sent (here the
    # expectation shows only the text, with whatever markup followed it
    # already absent from the input as extracted).
    data = 'From: ME Bob To: customer@example.com Subject: some subject Content-Type: text/plain MIME-Version: 1.0 no HTML '
    parser = Channel::EmailParser.new
    ticket, article, user = parser.process({}, data)
    assert_equal('text/plain', ticket.articles.first.content_type)
    assert_equal('no HTML ', ticket.articles.first.body)
  end
end