
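# Scheduled OWASP ZAP penetration test of the EC-CUBE storefront (logged-in
# flows). Each matrix leg drives one Playwright spec through the ZAP proxy;
# the ZAP session is always uploaded, application logs only on failure.
name: Penetration testing for EC-CUBE

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  schedule:
    # Weekly, Monday 15:00 UTC.
    - cron: '0 15 * * 1'

# Least privilege: checkout only needs read access; artifact upload needs no
# additional scope.
permissions:
  contents: read

jobs:
  PenetrationTest:
    name: Penetration testing
    runs-on: ubuntu-24.04
    strategy:
      # Let every spec finish so one failing leg does not hide findings in others.
      fail-fast: false
      matrix:
        group:
          - 'test/front_login/contact.test.ts'
          - 'test/front_login/cart/cart.test.ts'
          - 'test/front_login/cart/cart_delete.test.ts'
          - 'test/front_login/shopping/shopping_deliv.test.ts'
          - 'test/front_login/shopping/shopping_payment.test.ts'
          - 'test/front_login/shopping/shopping_confirm.test.ts'
          - 'test/front_login/shopping/shopping_complete.test.ts'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      # - name: Create ADMIN_DIR
      #   run: |
      #     sudo apt install -y sharutils
      #     echo "ADMIN_DIR=$(head -c 10 < /dev/random | uuencode -m - | tail -n 2 |head -n 1 | sed 's,[/+],_,g' | head -c10)/" >> $GITHUB_ENV

      # git am needs a committer identity; reuse the author of HEAD.
      - name: Apply patches
        run: |
          git config --global user.name "$(git --no-pager log --format=format:'%an' -n 1)"
          git config --global user.email "$(git --no-pager log --format=format:'%ae' -n 1)"
          git am zap/patches/0001-CSRF-OWASP-ZAP.patch

      - name: Apply patch to cart_delete
        if: matrix.group == 'test/front_login/cart/cart_delete.test.ts'
        run: git am zap/patches/0009-cart_delete.patch

      # Compose overlays: pgsql + dev + ZAP (daemon mode) on top of the base file.
      - name: Setup environment
        run: echo "COMPOSE_FILE=docker-compose.yml:docker-compose.pgsql.yml:docker-compose.dev.yml:docker-compose.owaspzap.yml:docker-compose.owaspzap.daemon.yml" >> "$GITHUB_ENV"

      - name: Setup to EC-CUBE
        env:
          # NOTE(review): HTTP_URL also uses the https scheme — confirm intended.
          HTTP_URL: https://127.0.0.1:8085/
          HTTPS_URL: https://127.0.0.1:8085/
        run: |
          # The zap/ directory is written by the ZAP container; match its uid/gid.
          sudo chown -R 1001:1000 zap
          sudo chmod -R g+w zap
          docker compose up -d --wait
          docker compose exec -T ec-cube composer dumpautoload
          docker compose exec -T ec-cube php data/vendor/bin/eccube eccube:fixtures:generate --products=5 --customers=1 --orders=5
          # Give the newest active customer a known address so the specs can log in.
          docker compose exec -T postgres psql --user=eccube_db_user eccube_db -c "UPDATE dtb_customer SET email = 'zap_user@example.com' WHERE customer_id = (SELECT MAX(customer_id) FROM dtb_customer WHERE status = 2 AND del_flg = 0);"

      - name: Cache npm dependencies
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: node_modules
          key: ${{ runner.os }}-node_modules-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node_modules-

      - name: Cache Playwright browsers
        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-playwright-

      # Purpose of this delay is not recorded here — presumably a short settle
      # period after cache restore; confirm it is still needed.
      - run: sleep 1

      - name: Install dependencies
        run: |
          npm ci
          npx playwright install chromium

      - name: Install Playwright system dependencies
        run: npx playwright install-deps chromium

      # Traffic is routed through the ZAP proxy on :8090 so ZAP can record and
      # attack the requests the spec generates.
      - name: Penetration testing
        uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
        with:
          timeout_minutes: 30
          max_attempts: 2
          retry_on: error
          command: npm run test:attack -- e2e-tests/${{ matrix.group }}
        env:
          GROUP: ${{ matrix.group }}
          HTTPS_PROXY: 'localhost:8090'
          HTTP_PROXY: 'localhost:8090'
          CI: 1
          FORCE_COLOR: 1

      # Artifact names may not contain '/'; derive a per-leg name from the spec path.
      - name: Derive artifact name
        env:
          GROUP: ${{ matrix.group }}
        if: always()
        run: echo "ARTIFACT_NAME=$(echo "${GROUP}" | sed 's,/,_,g')" >> "$GITHUB_ENV"

      - name: Upload evidence
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: zap-${{ env.ARTIFACT_NAME }}-session
          path: zap/sessions

      # The matrix has no php/db keys, so a name built from them collapses to the
      # same string for every leg and the second failing leg's upload is rejected
      # as a duplicate. Use the per-leg ARTIFACT_NAME like the evidence upload.
      - name: Upload logs
        if: failure()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: zap-${{ env.ARTIFACT_NAME }}-logs
          path: data/logs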