
Commit 83b47af

committed
Improve tests
1 parent a2aabc0 commit 83b47af


1 file changed

+26
-5
lines changed


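--- a/cloudinary-test-common/src/main/java/com/cloudinary/test/AbstractApiTest.java
+++ b/cloudinary-test-common/src/main/java/com/cloudinary/test/AbstractApiTest.java
@@ -1371,10 +1371,31 @@ public void testAllowDerivedNextCursor() throws Exception {
 
 @Test
 public void testSignatureWithEscapingCharacters() {
-String signatureWithEscapingCharacters = "579369d56eea031dd7a8d3573551f9e68f05b005";
-Map<String, Object> to_sign = new HashMap<String, Object>();
-to_sign.put("public_id", "publicid&tags=blabla");
-String expected_signature = cloudinary.apiSignRequest(to_sign, cloudinary.config.apiSecret);
-assertNotEquals(expected_signature, signatureWithEscapingCharacters);
+String API_SIGN_REQUEST_CLOUD_NAME = "dn6ot3ged";
+String API_SIGN_REQUEST_TEST_SECRET = "hdcixPpR2iKERPwqvH6sHdK9cyac";
+
+Map<String, Object> paramsWithAmpersand = new HashMap<>();
+paramsWithAmpersand.put("cloud_name", API_SIGN_REQUEST_CLOUD_NAME);
+paramsWithAmpersand.put("timestamp", 1568810420);
+paramsWithAmpersand.put("notification_url", "https://fake.com/callback?a=1&tags=hello,world");
+
+String signatureWithAmpersand = Util.produceSignature(paramsWithAmpersand, API_SIGN_REQUEST_TEST_SECRET);
+
+Map<String, Object> paramsSmuggled = new HashMap<>();
+paramsSmuggled.put("cloud_name", API_SIGN_REQUEST_CLOUD_NAME);
+paramsSmuggled.put("timestamp", 1568810420);
+paramsSmuggled.put("notification_url", "https://fake.com/callback?a=1");
+paramsSmuggled.put("tags", "hello,world");
+
+String signatureSmuggled = Util.produceSignature(paramsSmuggled, API_SIGN_REQUEST_TEST_SECRET);
+
+assertNotEquals(signatureWithAmpersand, signatureSmuggled,
+"Signatures should be different to prevent parameter smuggling");
+
+String expectedSignature = "4fdf465dd89451cc1ed8ec5b3e314e8a51695704";
+assertEquals(expectedSignature, signatureWithAmpersand);
+
+String expectedSmuggledSignature = "7b4e3a539ff1fa6e6700c41b3a2ee77586a025f9";
+assertEquals(expectedSmuggledSignature, signatureSmuggled);
 }
 }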
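Review bot: The new `assertNotEquals(signatureWithAmpersand, signatureSmuggled, "Signatures should be different to prevent parameter smuggling")` call puts the message last, which is only correct for JUnit 5. The imports are outside this hunk, but if the file statically imports `org.junit.Assert` (JUnit 4), this binds to the `(String message, Object unexpected, Object actual)` overload, so `signatureSmuggled` is compared with the message literal and the assertion can never fail. In that case write it message-first: `assertNotEquals("Signatures should be different to prevent parameter smuggling", signatureWithAmpersand, signatureSmuggled);`. The two pinned `assertEquals` digests below still cover the smuggling property indirectly, but the assertion that names it should hold on its own. Separately, `API_SIGN_REQUEST_TEST_SECRET` holds a secret-shaped literal in a local named like a constant; a comment such as `// dummy fixture secret, not a live credential` would let secret scanners and later reviewers allowlist it with confidence.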
