Merge pull request #321 from nextcloud/tests/36830

tests: Add test for mimetype blocking on share
nextcloud · Jul 17, 2023 · 8dc3e99 · 8dc3e99
2 parents dbc39c8 + 68e8c25
commit 8dc3e99
Show file tree

Hide file tree

Showing 7 changed files with 116 additions and 0 deletions.
diff --git a/tests/Integration/data/code.js b/tests/Integration/data/code.js
@@ -0,0 +1 @@
+console.debug('some js script');
diff --git a/tests/Integration/data/hello b/tests/Integration/data/hello
diff --git a/tests/Integration/data/nc.exe b/tests/Integration/data/nc.exe
diff --git a/tests/Integration/data/nextcloud.pdf b/tests/Integration/data/nextcloud.pdf
diff --git a/tests/Integration/features/bootstrap/WebDav.php b/tests/Integration/features/bootstrap/WebDav.php
@@ -1009,4 +1009,17 @@ public function userChecksFileIdForPath($user, $path) {
 		$currentFileID = $this->getFileIdForPath($user, $path);
 		Assert::assertEquals($currentFileID, $this->storedFileID);
 	}
+
+	/**
+	 * This function is needed to use a vertical fashion in the gherkin tables.
+	 *
+	 * @param array $arrayOfArrays
+	 * @return array
+	 */
+	public function simplifyArray($arrayOfArrays) {
+		$a = array_map(function ($subArray) {
+			return $subArray[0];
+		}, $arrayOfArrays);
+		return $a;
+	}
 }
diff --git a/tests/Integration/features/mimetypes.feature b/tests/Integration/features/mimetypes.feature
@@ -0,0 +1,67 @@
+
+  Feature: Mimetype blocking
+  Background:
+    Given user "test1" exists
+    Given as user "test1"
+    And using new dav path
+
+   Scenario: Can properly block path detected mimetypes for application/javscript
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/javascript"} |
+    Given User "test1" uploads file "data/code.js" to "/code.js"
+    And The webdav response should have a status code "403"
+    And Downloading file "/code.js" as "test1"
+    And The webdav response should have a status code "404"
+
+   # https://github.com/nextcloud/server/pull/23096
+   Scenario: Can properly block path detected mimetypes for text/plain
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "text/plain"} |
+    Given User "test1" uploads file "data/code.js" to "/code.js"
+    And The webdav response should have a status code "201"
+    And Downloading file "/code.js" as "test1"
+    And The webdav response should have a status code "200"
+    Given User "test1" uploads file "data/code.js" to "/code.txt"
+    And The webdav response should have a status code "403"
+    And Downloading file "/code.txt" as "test1"
+    And The webdav response should have a status code "404"
+
+  Scenario: Can properly block path detected mimetypes for application/octet-stream
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/octet-stream"} |
+    Given User "test1" uploads file "data/hello" to "/hello"
+    And The webdav response should have a status code "403"
+    And Downloading file "/hello" as "test1"
+    And The webdav response should have a status code "404"
+    Given User "test1" uploads file "data/nc.exe" to "/nc"
+    And The webdav response should have a status code "403"
+    And Downloading file "/nc" as "test1"
+    And The webdav response should have a status code "404"
+
+  Scenario: Can properly block path detected mimetypes for application/x-ms-dos-executable by extension
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "is", "value": "application/x-ms-dos-executable"} |
+    Given User "test1" uploads file "data/nc.exe" to "/nc.exe"
+    And The webdav response should have a status code "403"
+    And Downloading file "/nc.exe" as "test1"
+    And The webdav response should have a status code "404"
diff --git a/tests/Integration/features/sharing-user.feature b/tests/Integration/features/sharing-user.feature
@@ -83,3 +83,38 @@ Feature: Sharing user
     And as user "test2"
     When User "test2" deletes file "/subdir/foobar.txt"
     Then The webdav response should have a status code "403"
+
+  Scenario: Upload and share a file that is allowed by mimetype exludes
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "httpd/directory"} |
+    | checks-1  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "application/pdf"} |
+
+    Given User "test1" uploads file "data/nextcloud.pdf" to "/nextcloud.pdf"
+    And The webdav response should have a status code "201"
+    And user "test1" shares file "/nextcloud.pdf" with user "test2"
+    And Downloading file "/nextcloud.pdf" as "test1"
+    And The webdav response should have a status code "200"
+    And Downloading file "/nextcloud.pdf" as "test2"
+    And The webdav response should have a status code "200"
+
+  Scenario: Share a file that is allowed by mimetype exludes
+    Given User "test1" uploads file "data/nextcloud.pdf" to "/nextcloud2.pdf"
+    And The webdav response should have a status code "201"
+    And user "test1" shares file "/nextcloud2.pdf" with user "test2"
+    And Downloading file "/nextcloud2.pdf" as "test1"
+    And The webdav response should have a status code "200"
+    And user "admin" creates global flow with 200
+    | name      | Admin flow                       |
+    | class     | OCA\FilesAccessControl\Operation |
+    | entity    | OCA\WorkflowEngine\Entity\File   |
+    | events    | []                               |
+    | operation | deny                             |
+    | checks-0  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "httpd/directory"} |
+    | checks-1  | {"class":"OCA\\WorkflowEngine\\Check\\FileMimeType", "operator": "!is", "value": "application/pdf"} |
+    And Downloading file "/nextcloud2.pdf" as "test2"
+    And The webdav response should have a status code "200"