From c4c602ee80b3bd6a158274df12019ba4e41e31d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Calvi=C3=B1o=20S=C3=A1nchez?= <danxuliu@gmail.com>
Date: Fri, 18 Sep 2020 18:32:59 +0200
Subject: [PATCH] Add integration tests for transferring files of a user with a
 risky name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The files:transfer-ownership performs a sanitization of users with
"risky" display names (including characters like "\" or "/").

In order to allow (escaped) double quotes in the display name the
regular expression used in the "user XXX with displayname YYY exists"
step had to be adjusted.

Signed-off-by: Daniel CalviÃ±o SÃ¡nchez <danxuliu@gmail.com>
---
 .../features/bootstrap/CommandLineContext.php |  8 +++++
 .../features/bootstrap/Provisioning.php       |  2 +-
 .../features/transfer-ownership.feature       | 32 +++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/build/integration/features/bootstrap/CommandLineContext.php b/build/integration/features/bootstrap/CommandLineContext.php
index 3acb59ec404..6db8de6b485 100644
--- a/build/integration/features/bootstrap/CommandLineContext.php
+++ b/build/integration/features/bootstrap/CommandLineContext.php
@@ -27,6 +27,7 @@
 require __DIR__ . '/../../vendor/autoload.php';
 
 use Behat\Behat\Hook\Scope\BeforeScenarioScope;
+use PHPUnit\Framework\Assert;
 
 class CommandLineContext implements \Behat\Behat\Context\Context {
 	use CommandLine;
@@ -129,4 +130,11 @@ class CommandLineContext implements \Behat\Behat\Context\Context {
 		$davPath = rtrim($davPath, '/') . $this->lastTransferPath;
 		$this->featureContext->usingDavPath($davPath);
 	}
+
+	/**
+	 * @Then /^transfer folder name contains "([^"]+)"$/
+	 */
+	public function transferFolderNameContains($text) {
+		Assert::assertContains($text, $this->lastTransferPath);
+	}
 }
diff --git a/build/integration/features/bootstrap/Provisioning.php b/build/integration/features/bootstrap/Provisioning.php
index daf5b11569c..31331092ae7 100644
--- a/build/integration/features/bootstrap/Provisioning.php
+++ b/build/integration/features/bootstrap/Provisioning.php
@@ -70,7 +70,7 @@ trait Provisioning {
 	}
 
 	/**
-	 * @Given /^user "([^"]*)" with displayname "([^"]*)" exists$/
+	 * @Given /^user "([^"]*)" with displayname "((?:[^"]|\\")*)" exists$/
 	 * @param string $user
 	 */
 	public function assureUserWithDisplaynameExists($user, $displayname) {
diff --git a/build/integration/features/transfer-ownership.feature b/build/integration/features/transfer-ownership.feature
index 7afaf1f3e59..46aeabb3aa7 100644
--- a/build/integration/features/transfer-ownership.feature
+++ b/build/integration/features/transfer-ownership.feature
@@ -29,6 +29,22 @@ Feature: transfer-ownership
 		And using received transfer folder of "user1" as dav path
 		And as "user1" the folder "/test" exists
 
+	Scenario: transferring ownership from user with risky display name
+		Given user "user0" with displayname "user0 \"risky\"? ãƒ‚spá¸·ay 'na|\/|e':.#" exists
+		And user "user1" exists
+		And User "user0" created a folder "/test"
+		And User "user0" uploads file "data/textfile.txt" to "/test/somefile.txt"
+		When transferring ownership from "user0" to "user1"
+		And the command was successful
+		And As an "user1"
+		And using received transfer folder of "user1" as dav path
+		Then Downloaded content when downloading file "/test/somefile.txt" with range "bytes=0-6" should be "This is"
+		And transfer folder name contains "transferred from user0 -risky- ãƒ‚spá¸·ay -na|-|e- on"
+		And using old dav path
+		And as "user0" the folder "/test" does not exist
+		And using received transfer folder of "user1" as dav path
+		And as "user1" the folder "/test" exists
+
 	Scenario: transferring ownership of file shares
 		Given user "user0" exists
 		And user "user1" exists
@@ -319,6 +335,22 @@ Feature: transfer-ownership
 		And using received transfer folder of "user1" as dav path
 		And as "user1" the folder "/test" exists
 
+	Scenario: transferring ownership from user with risky display name
+		Given user "user0" with displayname "user0 \"risky\"? ãƒ‚spá¸·ay 'na|\/|e':.#" exists
+		And user "user1" exists
+		And User "user0" created a folder "/test"
+		And User "user0" uploads file "data/textfile.txt" to "/test/somefile.txt"
+		When transferring ownership of path "test" from "user0" to "user1"
+		And the command was successful
+		And As an "user1"
+		And using received transfer folder of "user1" as dav path
+		Then Downloaded content when downloading file "/test/somefile.txt" with range "bytes=0-6" should be "This is"
+		And transfer folder name contains "transferred from user0 -risky- ãƒ‚spá¸·ay -na|-|e- on"
+		And using old dav path
+		And as "user0" the folder "/test" does not exist
+		And using received transfer folder of "user1" as dav path
+		And as "user1" the folder "/test" exists
+
 	Scenario: transferring ownership of file shares
 		Given user "user0" exists
 		And user "user1" exists
-- 
GitLab