From a0d05b26d189307230ef395609b42b4d71bce20e Mon Sep 17 00:00:00 2001
From: Maikel Linke
Date: Wed, 17 May 2023 15:09:01 +1000
Subject: [PATCH] Spec current product import vulnerabilities

I didn't use pending specs but deliberately passing specs on wrong behaviour. This is not how it should be but how it is at the moment.
---
 spec/requests/admin/product_import_spec.rb | 59 ++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 spec/requests/admin/product_import_spec.rb

diff --git a/spec/requests/admin/product_import_spec.rb b/spec/requests/admin/product_import_spec.rb
new file mode 100644
index 0000000000..810c604627
--- /dev/null
+++ b/spec/requests/admin/product_import_spec.rb
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe "Product Import", type: :request do
+  include AuthenticationHelper
+
+  describe "validate_data" do
+    it "requires a login" do
+      post admin_product_import_process_async_path
+
+      expect(response).to redirect_to %r|#/login$|
+    end
+
+    it "rejects non-csv files" do
+      login_as_admin
+
+      post admin_product_import_process_async_path, params: {
+        filepath: "/etc/passwd",
+      }, as: :json
+
+      expect(response).to have_http_status :ok
+      expect(response.body).to eq "undefined method `validate_all' for nil:NilClass"
+    end
+
+    it "raises an error when csv file doesn't exist" do
+      login_as_admin
+
+      expect do
+        post admin_product_import_process_async_path, params: {
+          filepath: "/file/does/not/exist.csv",
+        }, as: :json
+      end
+      # This would result in server error and we know the file doesn't exist.
+      .to raise_error(
+        Errno::ENOENT,
+        "No such file or directory @ rb_sysopen - /file/does/not/exist.csv"
+      )
+    end
+
+    it "tries to read any csv file" do
+      login_as_admin
+
+      # This could point to a secret file in the file system:
+      existing_file = Rails.public_path.join('inventory_template.csv').to_s
+
+      post admin_product_import_process_async_path, params: {
+        filepath: existing_file,
+        start: 1,
+        end: 5,
+      }, as: :json
+
+      # No error, the file exists:
+      expect(response).to have_http_status :ok
+      # But it doesn't contain product data:
+      expect(response.body).to eq '{"entries":"{}","reset_counts":{}}'
+    end
+  end
+end
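Review bot: The examples "rejects non-csv files" and "raises an error when csv file doesn't exist" pin exact interpreter-generated message strings (the `` `validate_all' for nil:NilClass `` text and the `rb_sysopen` text), and NoMethodError/Errno wording has changed across recent Ruby releases, so these specs will fail on an interpreter upgrade rather than when the controller behaviour they are meant to track changes; matching the stable part is enough, e.g. `expect(response.body).to match(/undefined method .validate_all. for nil/)` and `raise_error(Errno::ENOENT, %r{/file/does/not/exist\.csv})`. The name "rejects non-csv files" also states the intended behaviour, not the asserted one — the request is not rejected, it answers 200 with a raw exception message in the body — so someone skimming the example names would read the controller as safe; name it for what it asserts and mark the intended outcome, e.g. `it "currently answers a non-csv filepath with an internal error message" do` with `# TODO: should reject the path with a 4xx once filepath is validated`. The same marker on "tries to read any csv file" would make explicit that the 200 with empty entries documents the unvalidated `filepath` parameter as a known defect, not the desired contract, and that the existing `# This could point to a secret file` comment is the reason the spec exists.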