Add test cases for tampered content length on uploads

bkimminich · bkimminich · commit b386acf52670 · 2025-03-03T21:01:42.000+01:00
diff --git a/test/api/fileUploadSpec.ts b/test/api/fileUploadSpec.ts
@@ -160,4 +160,15 @@ describe('/file-upload', () => {
     return frisby.post(URL + '/file-upload', { headers: { 'Content-Type': form.getHeaders()['content-type'] }, body: form })
       .expect('status', 204)
   })
+
+  it('POST valid file with tampered content length', () => {
+    const file = path.resolve(__dirname, '../files/validSizeAndTypeForClient.pdf')
+    const form = frisby.formData()
+    form.append('file', fs.createReadStream(file))
+
+    // @ts-expect-error FIXME form.getHeaders() is not found
+    return frisby.post(URL + '/file-upload', { headers: { 'Content-Type': form.getHeaders()['content-type'], 'Content-Length': 42 }, body: form })
+      .expect('status', 500)
+      .expect('bodyContains', 'Unexpected end of form')
+  })
 })
diff --git a/test/api/profileImageUploadSpec.ts b/test/api/profileImageUploadSpec.ts
@@ -151,4 +151,33 @@ describe('/profile/image/url', () => {
       .expect('header', 'content-type', /text\/html/)
       .expect('bodyContains', 'Error: Blocked illegal activity')
   })
+
+  it('POST valid image with tampered content length', () => {
+    const file = path.resolve(__dirname, '../files/validProfileImage.jpg')
+    const form = frisby.formData()
+    form.append('file', fs.createReadStream(file))
+
+    return frisby.post(`${REST_URL}/user/login`, {
+      headers: jsonHeader,
+      body: {
+        email: `jim@${config.get<string>('application.domain')}`,
+        password: 'ncc-1701'
+      }
+    })
+      .expect('status', 200)
+      .then(({ json: jsonLogin }) => {
+        return frisby.post(`${URL}/profile/image/file`, {
+          headers: {
+            Cookie: `token=${jsonLogin.authentication.token}`,
+            // @ts-expect-error FIXME form.getHeaders() is not found
+            'Content-Type': form.getHeaders()['content-type'],
+            'Content-Length': 42
+          },
+          body: form,
+          redirect: 'manual'
+        })
+          .expect('status', 500)
+          .expect('bodyContains', 'Unexpected end of form')
+      })
+  })
 })
