From 892bd22c22ffe65e9d3f8b90747aa93e690dffda Mon Sep 17 00:00:00 2001
From: Kazuaki Yabu
Date: Wed, 23 Mar 2022 16:09:35 +0900
Subject: [PATCH 1/5] =?UTF-8?q?[OWASP=20ZAP]=20=E4=BC=9A=E5=93=A1=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=20=E4=BC=9A=E5=93=A1=E6=83=85=E5=A0=B1=E7=B7=A8?=
 =?UTF-8?q?=E9=9B=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/penetration-test.yml | 1 +
 .../test/admin/customer_edit.test.ts | 91 +++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml
index cbdfe3c6fc7..131decf6922 100644
--- a/.github/workflows/penetration-test.yml
+++ b/.github/workflows/penetration-test.yml
@@ -16,6 +16,7 @@ jobs:
 - 'test/front_guest/contact.test.ts'
 - 'test/admin/content_layout.test.ts'
 - 'test/admin/content_layout_delete.test.ts'
+ - 'test/admin/customer_edit.test.ts'
 - 'test/admin/order_mail.test.ts'
 steps:
diff --git a/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts b/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
new file mode 100644
index 00000000000..3d4a8286b43
--- /dev/null
+++ b/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
@@ -0,0 +1,91 @@
+import { test, expect, chromium, Page } from '@playwright/test';
+import PlaywrightConfig from '../../playwright.config';
+import { intervalRepeater } from '../../utils/Progress';
+import { ZapClient, Mode, ContextType, Risk, HttpMessage } from '../../utils/ZapClient';
+import { ECCUBE_ADMIN_ROUTE } from '../../config/default.config';
+
+const zapClient = new ZapClient();
+
+const url = `${PlaywrightConfig.use.baseURL}/${ECCUBE_ADMIN_ROUTE}/customer/1/edit`;
+
+test.describe.serial('会員登録 会員管理->編集のテストをします', () => {
+ let page: Page;
+ test.beforeAll(async () => {
+ await zapClient.setMode(Mode.Protect);
+ await zapClient.newSession('/zap/wrk/sessions/admin_customer_edit', true);
+ await zapClient.importContext(ContextType.Admin);
+
+ if (!await zapClient.isForcedUserModeEnabled()) {
+ await zapClient.setForcedUserModeEnabled();
+ expect(await zapClient.isForcedUserModeEnabled()).toBeTruthy();
+ }
+ const browser = await chromium.launch();
+ page = await browser.newPage();
+ await page.goto(url);
+ });
+
+ test('会員管理ページを表示します', async () => {
+ await expect(page).toHaveTitle(/会員管理/);
+ });
+
+ test('タイトルを確認します', async () => {
+ await page.textContent('.c-pageTitle__subTitle')
+ .then(title => expect(title).toContain('会員管理'));
+ });
+
+ test.describe('テストを実行します[GET] @attack', () => {
+ let scanId: number;
+ test('アクティブスキャンを実行します[GET]', async () => {
+ scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'GET');
+ await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+ });
+
+ test('結果を確認します[GET]', async () => {
+ await zapClient.getAlerts(url, 0, 1, Risk.High)
+ .then(alerts => expect(alerts).toEqual([]));
+ });
+ });
+
+ test('会員情報を更新します', async () => {
+ await page.fill('[placeholder="姓"]', '山田');
+ await page.fill('[placeholder="名"]', '太郎');
+ await page.fill('[placeholder="セイ"]', 'ヤマダ');
+ await page.fill('[placeholder="メイ"]', 'タロウ');
+ await page.fill('input[name="admin_customer\\[company_name\\]"]', 'イーシーキューブ');
+ await page.fill('[placeholder="例:5300001"]', '5300001');
+ await page.click('select[name="admin_customer\\[address\\]\\[pref\\]"]');
+ await page.selectOption('select[name="admin_customer\\[address\\]\\[pref\\]"]', '1');
+ await page.fill('[placeholder="市区町村名\\(例:大阪市北区\\)"]', '大阪市北区梅田');
+ await page.fill('[placeholder="番地・ビル名\\(例:西梅田1丁目6-8\\)"]', '2-4-9');
+ await page.fill('[placeholder="例:ec-cube\\@example\\.com"]', 'test12345@test.local');
+ await page.fill('[placeholder="例:11122223333"]', '0001112222');
+ await page.fill('input[name="admin_customer\\[password\\]\\[first\\]"]', 'password123');
+ await page.fill('input[name="admin_customer\\[password\\]\\[second\\]"]', 'password123');
+ await page.click('input[name="admin_customer\\[sex\\]"]');
+ await page.selectOption('select[name="admin_customer\\[job\\]"]', '3');
+ await page.fill('input[name="admin_customer\\[birth\\]"]', '1980-04-01');
+ await page.fill('input[name="admin_customer\\[point\\]"]', '10');
+ await page.fill('textarea[name="admin_customer\\[note\\]"]', '国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語');
+ await page.click('button:has-text("登録")');
+ await expect(page).toHaveURL(url);
+ });
+
+ let message: HttpMessage;
+ test('HttpMessage を取得します', async () => {
+ const messages = await zapClient.getMessages(url, await zapClient.getNumberOfMessages(url) - 1, 1);
+ message = messages.pop();
+ expect(message.requestHeader).toContain(`POST ${url}`)
+ expect(message.responseHeader).toContain('HTTP/1.1 302 Found');
+ });
+
+ let scanId: number;
+ test('アクティブスキャンを実行します[POST]', async () => {
+ scanId = await zapClient.activeScanAsUser(url, 2, 55, false, null, 'POST', message.requestBody);
+ await intervalRepeater(async () => await zapClient.getActiveScanStatus(scanId), 5000, page);
+ });
+
+ test('結果を確認します[POST]', async () => {
+ await zapClient.getAlerts(url, 0, 1, Risk.High)
+ .then(alerts => expect(alerts).toEqual([]));
+ });
+});
From 729785928163e81613d20b1f0788c68a5a448bee Mon Sep 17 00:00:00 2001
From: Kazuaki Yabu
Date: Wed, 23 Mar 2022 16:18:49 +0900
Subject: [PATCH 2/5] =?UTF-8?q?[OWASP=20ZAP]=20=E4=BC=9A=E5=93=A1=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=20=E4=BC=9A=E5=93=A1=E6=83=85=E5=A0=B1=E7=B7=A8?=
 =?UTF-8?q?=E9=9B=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/penetration-test.yml | 4 +++
 .../patches/0002-EditCustomer.patch | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml
index 131decf6922..ad7391bf369 100644
--- a/.github/workflows/penetration-test.yml
+++ b/.github/workflows/penetration-test.yml
@@ -48,6 +48,10 @@ jobs:
 if: matrix.group == 'test/admin/content_layout_delete.test.ts'
 working-directory: zap/selenium/ci/TypeScript
 run: git am patches/0001-DeleteLayout.patch
+ - name: Apply patch to edit_customer
+ if: matrix.group == 'test/admin/customer_edit.test.ts'
+ working-directory: zap/selenium/ci/TypeScript
+ run: git am patches/0002-EditCustomer.patch
 - name: Penetration testing
 working-directory: zap/selenium/ci/TypeScript
 env:
diff --git a/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch b/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
new file mode 100644
index 00000000000..80c0c867c56
--- /dev/null
+++ b/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
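Review bot: `message = messages.pop();` in the 'HttpMessage を取得します' test stores an `HttpMessage | undefined` and the next line dereferences it, so when ZAP has recorded no message for the URL the test dies with a TypeError on `message.requestHeader` instead of a readable failure, and `strictNullChecks` would reject the assignment; guard it first: `const last = messages.pop();` / `if (last === undefined) throw new Error(\`no HttpMessage recorded for ${url}\`);` / `message = last;`. The `expect(message.requestHeader).toContain(...)` line in the same test is also missing its semicolon. Separately, the Chromium instance started in `beforeAll` is never closed — `browser` is a local there and the describe has no `afterAll` — so every run leaks a browser process; declaring `let browser: Browser;` next to `let page: Page;` and adding `test.afterAll(async () => { await browser.close(); });` fixes it.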
@@ -0,0 +1,32 @@
+From 8ef429a0efe81ef1cebcd778170e14f30d1663eb Mon Sep 17 00:00:00 2001
+From: Kazuaki Yabu
+Date: Wed, 23 Mar 2022 16:10:44 +0900
+Subject: [PATCH] =?UTF-8?q?[OWASP=20ZAP]=20=E4=BC=9A=E5=93=A1=E7=AE=A1?=
+ =?UTF-8?q?=E7=90=86=20=E4=BC=9A=E5=93=A1=E6=83=85=E5=A0=B1=E7=B7=A8?=
+ =?UTF-8?q?=E9=9B=86?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ .../Controller/Admin/Customer/CustomerEditController.php | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/Eccube/Controller/Admin/Customer/CustomerEditController.php b/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
+index f8beac4f6d..ef55c7fca9 100644
+--- a/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
++++ b/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
+@@ -113,8 +113,8 @@ class CustomerEditController extends AbstractController
+ $Customer->setEmail(StringUtil::random(60).'@dummy.dummy');
+ }
+
+- $this->entityManager->persist($Customer);
+- $this->entityManager->flush();
++// $this->entityManager->persist($Customer);
++// $this->entityManager->flush();
+
+ log_info('会員登録完了', [$Customer->getId()]);
+
+--
+2.30.2
+
From 98f806ec912ea6f3a6182782817ab4e4888f482b Mon Sep 17 00:00:00 2001
From: carkn
Date: Fri, 1 Apr 2022 17:05:51 +0900
Subject: [PATCH 3/5] =?UTF-8?q?Deleted=20=E3=83=91=E3=83=83=E3=83=81?=
 =?UTF-8?q?=E9=81=A9=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../patches/0002-EditCustomer.patch | 32 -------------------
 1 file changed, 32 deletions(-)
 delete mode 100644 zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
diff --git a/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch b/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
deleted file mode 100644
index 80c0c867c56..00000000000
--- a/zap/selenium/ci/TypeScript/patches/0002-EditCustomer.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 8ef429a0efe81ef1cebcd778170e14f30d1663eb Mon Sep 17 00:00:00 2001
-From: Kazuaki Yabu
-Date: Wed, 23 Mar 2022 16:10:44 +0900
-Subject: [PATCH] =?UTF-8?q?[OWASP=20ZAP]=20=E4=BC=9A=E5=93=A1=E7=AE=A1?=
- =?UTF-8?q?=E7=90=86=20=E4=BC=9A=E5=93=A1=E6=83=85=E5=A0=B1=E7=B7=A8?=
- =?UTF-8?q?=E9=9B=86?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
----
- .../Controller/Admin/Customer/CustomerEditController.php | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/Eccube/Controller/Admin/Customer/CustomerEditController.php b/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
-index f8beac4f6d..ef55c7fca9 100644
---- a/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
-+++ b/src/Eccube/Controller/Admin/Customer/CustomerEditController.php
-@@ -113,8 +113,8 @@ class CustomerEditController extends AbstractController
- $Customer->setEmail(StringUtil::random(60).'@dummy.dummy');
- }
-
-- $this->entityManager->persist($Customer);
-- $this->entityManager->flush();
-+// $this->entityManager->persist($Customer);
-+// $this->entityManager->flush();
-
- log_info('会員登録完了', [$Customer->getId()]);
-
---
-2.30.2
-
From 49d2f1d58da34bc1764bff799608e534ef48ddcc Mon Sep 17 00:00:00 2001
From: carkn
Date: Fri, 1 Apr 2022 17:06:53 +0900
Subject: [PATCH 4/5] =?UTF-8?q?Modified=20=E3=83=91=E3=83=83=E3=83=81?=
 =?UTF-8?q?=E9=81=A9=E7=94=A8=E7=AE=87=E6=89=80=E3=82=92=E5=89=8A=E9=99=A4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/penetration-test.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/penetration-test.yml b/.github/workflows/penetration-test.yml
index ad7391bf369..131decf6922 100644
--- a/.github/workflows/penetration-test.yml
+++ b/.github/workflows/penetration-test.yml
@@ -48,10 +48,6 @@ jobs:
 if: matrix.group == 'test/admin/content_layout_delete.test.ts'
 working-directory: zap/selenium/ci/TypeScript
 run: git am patches/0001-DeleteLayout.patch
- - name: Apply patch to edit_customer
- if: matrix.group == 'test/admin/customer_edit.test.ts'
- working-directory: zap/selenium/ci/TypeScript
- run: git am patches/0002-EditCustomer.patch
 - name: Penetration testing
 working-directory: zap/selenium/ci/TypeScript
 env:
From f3c5e1835be93e3728aef5b3facea8e91455e33d Mon Sep 17 00:00:00 2001
From: carkn
Date: Fri, 1 Apr 2022 17:14:43 +0900
Subject: [PATCH 5/5] =?UTF-8?q?Modified=20=E4=BC=9A=E5=93=A1=E6=83=85?=
 =?UTF-8?q?=E5=A0=B1=E3=81=AE=E6=9B=B4=E6=96=B0=E3=81=AE=E8=A8=98=E8=BF=B0?=
 =?UTF-8?q?=E3=82=92=E5=A4=89=E6=9B=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../test/admin/customer_edit.test.ts | 40 +++++++++++----------
 1 file changed, 19 insertions(+), 21 deletions(-)
diff --git a/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts b/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
index 3d4a8286b43..40df3748887 100644
--- a/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
+++ b/zap/selenium/ci/TypeScript/test/admin/customer_edit.test.ts
@@ -47,27 +47,25 @@ test.describe.serial('会員登録 会員管理->編集のテストをします'
 });
 test('会員情報を更新します', async () => {
- await page.fill('[placeholder="姓"]', '山田');
- await page.fill('[placeholder="名"]', '太郎');
- await page.fill('[placeholder="セイ"]', 'ヤマダ');
- await page.fill('[placeholder="メイ"]', 'タロウ');
- await page.fill('input[name="admin_customer\\[company_name\\]"]', 'イーシーキューブ');
- await page.fill('[placeholder="例:5300001"]', '5300001');
- await page.click('select[name="admin_customer\\[address\\]\\[pref\\]"]');
- await page.selectOption('select[name="admin_customer\\[address\\]\\[pref\\]"]', '1');
- await page.fill('[placeholder="市区町村名\\(例:大阪市北区\\)"]', '大阪市北区梅田');
- await page.fill('[placeholder="番地・ビル名\\(例:西梅田1丁目6-8\\)"]', '2-4-9');
- await page.fill('[placeholder="例:ec-cube\\@example\\.com"]', 'test12345@test.local');
- await page.fill('[placeholder="例:11122223333"]', '0001112222');
- await page.fill('input[name="admin_customer\\[password\\]\\[first\\]"]', 'password123');
- await page.fill('input[name="admin_customer\\[password\\]\\[second\\]"]', 'password123');
- await page.click('input[name="admin_customer\\[sex\\]"]');
- await page.selectOption('select[name="admin_customer\\[job\\]"]', '3');
- await page.fill('input[name="admin_customer\\[birth\\]"]', '1980-04-01');
- await page.fill('input[name="admin_customer\\[point\\]"]', '10');
- await page.fill('textarea[name="admin_customer\\[note\\]"]', '国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語');
- await page.click('button:has-text("登録")');
- await expect(page).toHaveURL(url);
+ await page.locator('id=admin_customer_name_name01').fill('山田');
+ await page.locator('id=admin_customer_name_name02').fill('太郎');
+ await page.locator('id=admin_customer_kana_kana01').fill('ヤマダ');
+ await page.locator('id=admin_customer_kana_kana02').fill('タロウ');
+ await page.locator('id=admin_customer_company_name').fill('イーシーキューブ');
+ await page.locator('id=admin_customer_postal_code').fill('5300001');
+ await page.locator('id=admin_customer_address_pref').selectOption('1');
+ await page.locator('id=admin_customer_address_addr01').fill('大阪市北区梅田');
+ await page.locator('id=admin_customer_address_addr02').fill('2-4-9');
+ await page.locator('id=admin_customer_email').fill('taro_yamada@test.local');
+ await page.locator('id=admin_customer_phone_number').fill('0001112222');
+ await page.locator('id=admin_customer_password_first').fill('password123');
+ await page.locator('id=admin_customer_password_second').fill('password123');
+ await page.locator('id=admin_customer_sex_1').click();
+ await page.locator('id=admin_customer_job').selectOption('3');
+ await page.locator('id=admin_customer_birth').fill('1980-04-01');
+ await page.locator('id=admin_customer_point').fill('10');
+ await page.locator('id=admin_customer_note').fill('国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語国語');
+ await page.click('button >> text=登録');
 });
 let message: HttpMessage;
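Review bot: With the 0002-EditCustomer.patch workaround (which commented out `persist`/`flush` in CustomerEditController) dropped earlier in this series, the 登録 click at the end of this hunk now really overwrites customer 1's email (`taro_yamada@test.local`) and password (`password123`) in the target database, and the later test outside the hunk hands that captured request body to `activeScanAsUser(..., 'POST', message.requestBody)`, so every run rewrites that record; a header comment on the describe block stating that this suite is destructive and needs a disposable EC-CUBE database would save the next reader from finding out the hard way. The hunk also drops `await expect(page).toHaveURL(url);` after the click, so the redirect is no longer asserted here; the 'HttpMessage を取得します' test below checks for a 302, which makes the removal defensible, but a line such as `// redirect is verified via the captured HttpMessage below` would record that intent. `page.click('button >> text=登録')` is the one remaining selector-string call among the `locator()` chains; `page.locator('button', { hasText: '登録' }).click()` would keep the style uniform. The enclosing describe.serial block begins and ends outside the hunk.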