From b65e2d2d41404d2b87674902fb0a830453fb32c1 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Thu, 24 Feb 2022 12:32:35 +0900
Subject: [PATCH 1/3] =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=94=BB=E9=9D=A2>?=
 =?UTF-8?q?=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC=E3=83=89=E5=A4=89=E6=9B=B4?=
 =?UTF-8?q?=E3=81=AE=E3=83=86=E3=82=B9=E3=83=88=E3=82=92=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

パスワードを変更してしまうと、 OWASP ZAP の自動ログインが無効になり、
アクティブスキャンが継続できなくなってしまうため、パスワードの変更を抑
制するパッチを当てる必要がある

---
 .../ci/TypeScript/patches/0001-Member.patch | 47 ++++++++++++
 .../test/admin/change_password.test.ts | 74 +++++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 zap/selenium/ci/TypeScript/patches/0001-Member.patch
 create mode 100644 zap/selenium/ci/TypeScript/test/admin/change_password.test.ts

diff --git a/zap/selenium/ci/TypeScript/patches/0001-Member.patch b/zap/selenium/ci/TypeScript/patches/0001-Member.patch
new file mode 100644
index 00000000000..8ace77b816e
--- /dev/null
+++ b/zap/selenium/ci/TypeScript/patches/0001-Member.patch
@@ -0,0 +1,47 @@
+From 63c5f589b6cc19e875fd1d6d5742ac497732223c Mon Sep 17 00:00:00 2001
+From: Kentaro Ohkouchi
+Date: Thu, 24 Feb 2022 11:58:18 +0900
+Subject: [PATCH] =?UTF-8?q?Member=20=E3=81=AE=E5=A4=89=E6=9B=B4=E3=82=92?=
+ =?UTF-8?q?=E9=98=B2=E6=AD=A2=E3=81=99=E3=82=8B=E3=83=91=E3=83=83=E3=83=81?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ src/Eccube/Controller/Admin/AdminController.php | 6 +++---
+ src/Eccube/Repository/MemberRepository.php | 2 +-
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/Eccube/Controller/Admin/AdminController.php b/src/Eccube/Controller/Admin/AdminController.php
+index 2591f0623d..12ac73235b 100644
+--- a/src/Eccube/Controller/Admin/AdminController.php
++++ b/src/Eccube/Controller/Admin/AdminController.php
+@@ -352,9 +352,9 @@ class AdminController extends AbstractController
+ 
+ $password = $encoder->encodePassword($password, $salt);
+ 
+- $Member
+- ->setPassword($password)
+- ->setSalt($salt);
++ // $Member
++ // ->setPassword($password)
++ // ->setSalt($salt);
+ 
+ $this->memberRepository->save($Member);
+ 
+diff --git a/src/Eccube/Repository/MemberRepository.php b/src/Eccube/Repository/MemberRepository.php
+index 2f372b4f57..bc588be409 100644
+--- a/src/Eccube/Repository/MemberRepository.php
++++ b/src/Eccube/Repository/MemberRepository.php
+@@ -99,7 +99,7 @@ class MemberRepository extends AbstractRepository
+ 
+ $em = $this->getEntityManager();
+ $em->persist($Member);
+- $em->flush();
++ // $em->flush();
+ }
+ 
+ /**
+-- 
+2.34.1
+
diff --git a/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts
new file mode 100644
index 00000000000..e0b27f6e5e0
--- /dev/null
+++ b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts
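Review bot: Commenting out `$em->flush()` in `MemberRepository::save()` (second hunk of the embedded patch) disables persistence for any other caller of `save()`, not just the password change, and it looks redundant: once the `setPassword`/`setSalt` calls in `AdminController` are skipped, `$Member` carries no pending change and the flush would be a no-op, assuming nothing else on `$Member` is modified earlier in that action (the start of the action is outside the hunk). Dropping the `MemberRepository.php` hunk keeps the fixture minimal and leaves the repository's real write path under scan. The embedded patch has an empty commit body; since it deliberately neuters a write path, a one-line warning such as `CI-only fixture for the ZAP change_password scan: keeps the forced-user login valid by not persisting the new password. Never apply to a deployable build.` would make the intent visible to whoever next reads `patches/`. The `$password = $encoder->encodePassword($password, $salt);` line now appears unused within the hunk; commenting it out alongside the setters would make the no-op explicit.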
@@ -0,0 +1,74 @@
+import { test, expect, chromium, Page } from '@playwright/test';
+import { intervalRepeater } from '../../utils/Progress';
+import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../utils/ZapClient';
+const zapClient = new ZapClient('http://127.0.0.1:8090');
+
+const baseURL = 'https://ec-cube/admin';
+const url = baseURL + '/change_password';
+
+// path/to/ec-cube/zap/selenium/ci/TypeScript/patches/0001-Member.patch を当てる必要がある
+test.describe.serial('パスワード変更のテストをします', () => {
+ let page: Page;
+ test.beforeAll(async () => {
+ await zapClient.setMode(Mode.Protect);
+ await zapClient.newSession('/zap/wrk/sessions/admin_change_password', true);
+ await zapClient.importContext(ContextType.Admin);
+
+ if (!await zapClient.isForcedUserModeEnabled()) {
+ await zapClient.setForcedUserModeEnabled();
+ expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy();
+ }
+ const browser = await chromium.launch();
+ page = await browser.newPage();
+ await page.goto(url);
+ });
+
+ test('パスワード変更ページを表示します', async () => {
+ await expect(page).toHaveTitle(/パスワード変更/);
+ });
+
+ test.describe('テストを実行します[GET] @attack', () => {
+ let scanId: number;
+ test.skip('アクティブスキャンを実行します', async () => {
+ scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET');
+ await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+ });
+
+ test.skip('結果を確認します', async () => {
+ await zapClient.getAlerts(url, 0, 1, Risk.High)
+ .then(alerts => expect(alerts).toEqual([]));
+ });
+ });
+
+ const changedPassword = 'zHXFl*85.jFib';
+ test('パスワードを変更します', async () => {
+ await page.reload();
+ await page.fill('input[name="admin_change_password[current_password]"]', 'password');
+ await page.fill('input[name="admin_change_password[change_password][first]"]', changedPassword);
+ await page.fill('input[name="admin_change_password[change_password][second]"]', changedPassword);
+ await page.click('#ex-conversion-action >> button >> 
text=登録');
+
+ await expect(page.locator('.alert-success')).toContainText('パスワードを更新しました');
+ });
+
+ test.describe('テストを実行します[POST] @attack', () => {
+ let message: HttpMessage;
+ test('HttpMessage を取得します', async () => {
+ const messages = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1);
+ message = messages.pop();
+ expect(message.requestHeader).toContain('POST https://ec-cube/admin/change_password');
+ expect(message.responseHeader).toContain('HTTP/1.1 302 Found');
+ });
+
+ let scanId: number;
+ test('アクティブスキャンを実行します', async () => {
+ scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody);
+ await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+ });
+
+ test('結果を確認します', async () => {
+ await zapClient.getAlerts(url, 0, 1, Risk.High)
+ .then(alerts => expect(alerts).toEqual([]));
+ });
+ });
+});

From 0352e993d5115a526edd9c12664e8a9e0bda87e7 Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Thu, 24 Feb 2022 12:45:32 +0900
Subject: [PATCH 2/3] =?UTF-8?q?=E3=83=91=E3=82=B9=E3=83=AF=E3=83=BC?=
 =?UTF-8?q?=E3=83=89=E5=A4=89=E6=9B=B4=E3=81=AE=E3=83=86=E3=82=B9=E3=83=88?=
 =?UTF-8?q?=E3=82=92=20workflow=20=E3=81=AB=E8=BF=BD=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/penetration-test.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml
index 018d107aef3..961ce2559d0 100644
--- a/.github/workflows/penetration-test.yml
+++ b/.github/workflows/penetration-test.yml
@@ -15,6 +15,7 @@ jobs:
 - 'test/front_login/contact.test.ts'
 - 'test/front_guest/contact.test.ts'
 - 'test/admin/order_mail.test.ts'
+ - 'test/admin/change_password.test.ts'
 steps:
 - name: Checkout
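Review bot: In the `[POST] @attack` block, `結果を確認します` passes vacuously if the forced-user session has stopped being valid: `getAlerts(url, 0, 1, Risk.High)` returns `[]` just as happily when ZAP was scanning login redirects, and nothing in the file checks that the scan actually reached the authenticated page (the whole file depends on `0001-Member.patch` having been applied, as the comment at the top says). A cheap guard after the scan is `await page.reload(); await expect(page).toHaveTitle(/パスワード変更/);`, which fails loudly when the admin session is gone instead of reporting zero findings. `messages.pop()` can also yield `undefined` if the `getNumberOfMessages(url) - 1` lookup is off by one; `expect(messages).toHaveLength(1);` before the `pop()` turns that into a clear assertion failure rather than a TypeError on `message.requestHeader`. Finally, the browser from `chromium.launch()` in `beforeAll` is never closed — hoist `browser` to describe scope and add `test.afterAll(async () => browser.close());`.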
@@ -38,6 +39,14 @@ jobs:
 yarn install
 yarn run playwright install --with-deps chromium
 yarn playwright install-deps chromium
+ - run: |
+ git config --global user.name "$(git --no-pager log --format=format:'%an' -n 1)"
+ git config --global user.email "$(git --no-pager log --format=format:'%ae' -n 1)"
+ - name: Apply patch to change_password
+ if: matrix.group == 'test/admin/change_password.test.ts'
+ working-directory: zap/selenium/ci/TypeScript
+ run: git am patches/0001-Member.patch
+
 - name: Penetration testing
 working-directory: zap/selenium/ci/TypeScript
 env:

From 6c01ec33984a2e32269222df3358175fa07d4c8d Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Thu, 24 Feb 2022 13:52:12 +0900
Subject: [PATCH 3/3] =?UTF-8?q?skip=20=E5=89=8A=E9=99=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 zap/selenium/ci/TypeScript/test/admin/change_password.test.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts
index e0b27f6e5e0..0f74cfedd74 100644
--- a/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts
+++ b/zap/selenium/ci/TypeScript/test/admin/change_password.test.ts
@@ -29,12 +29,12 @@ test.describe.serial('パスワード変更のテストをします', () => {
 test.describe('テストを実行します[GET] @attack', () => {
 let scanId: number;
- test.skip('アクティブスキャンを実行します', async () => {
+ test('アクティブスキャンを実行します', async () => {
 scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET');
 await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
 });
- test.skip('結果を確認します', async () => {
+ test('結果を確認します', async () => {
 await zapClient.getAlerts(url, 0, 1, Risk.High)
 .then(alerts => expect(alerts).toEqual([]));
 });
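Review bot: The new `- run: |` step that sets `git config --global user.name`/`user.email` has no `name:` and no `if:`, so it runs for every matrix group although only `test/admin/change_password.test.ts` needs a committer identity for `git am`. Folding it into the conditional step — `run: git -c user.name="$(git --no-pager log --format=format:'%an' -n 1)" -c user.email="$(git --no-pager log --format=format:'%ae' -n 1)" am patches/0001-Member.patch` — leaves the other groups' git state untouched and removes the anonymous step. Also worth stating on the `Apply patch to change_password` step is that `git am` only rewrites the checked-out `src/Eccube` files, so the patched controller reaches the scan target only if the application under test is built or bind-mounted from this working tree after this step; the startup steps are outside the hunk, so a comment such as `# Must run before the application under test is built/started: the patch stops Member persistence so ZAP's forced-user login survives the password-change test` would make that ordering dependency explicit.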