From 2e83742ecf9bb1744a13ecb321ee4e7383ae2153 Mon Sep 17 00:00:00 2001
From: Thomas Druez <tdruez@nexb.com>
Date: Wed, 9 Aug 2023 10:52:05 +0200
Subject: [PATCH] Fix and add unit tests for license views #847

Signed-off-by: Thomas Druez <tdruez@nexb.com>
---
 scanpipe/tests/test_auth.py     |  6 ++---
 scanpipe/tests/test_licenses.py | 41 ---------------------------------
 scanpipe/tests/test_views.py    | 26 +++++++++++++++++++++
 scanpipe/urls.py                |  2 +-
 4 files changed, 30 insertions(+), 45 deletions(-)
 delete mode 100644 scanpipe/tests/test_licenses.py

diff --git a/scanpipe/tests/test_auth.py b/scanpipe/tests/test_auth.py
index 100325698..7f42c8bee 100644
--- a/scanpipe/tests/test_auth.py
+++ b/scanpipe/tests/test_auth.py
@@ -116,7 +116,7 @@ def test_scancodeio_account_profile_view(self):
     def test_scancodeio_auth_views_are_protected(self):
         a_uuid = uuid.uuid4()
         a_int = 1
-        a_path = "path"
+        a_string = "string"
 
         views = [
             ("account_profile", None),
@@ -129,7 +129,7 @@ def test_scancodeio_auth_views_are_protected(self):
             ("project_delete", [a_uuid]),
             ("project_reset", [a_uuid]),
             ("project_detail", [a_uuid]),
-            ("project_results", [a_uuid, a_path]),
+            ("project_results", [a_uuid, a_string]),
             ("resource_raw", [a_uuid, a_int]),
             ("resource_detail", [a_uuid, a_int]),
             ("project_execute_pipeline", [a_uuid, a_uuid]),
@@ -138,7 +138,7 @@ def test_scancodeio_auth_views_are_protected(self):
             ("run_detail", [a_uuid]),
             ("run_status", [a_uuid]),
             ("license_list", None),
-            ("license_details", [a_path]),
+            ("license_detail", [a_string]),
         ]
 
         for viewname, args in views:
diff --git a/scanpipe/tests/test_licenses.py b/scanpipe/tests/test_licenses.py
deleted file mode 100644
index a3906cda2..000000000
--- a/scanpipe/tests/test_licenses.py
+++ /dev/null
@@ -1,41 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-#
-# http://nexb.com and https://github.com/nexB/scancode.io
-# The ScanCode.io software is licensed under the Apache License version 2.0.
-# Data generated with ScanCode.io is provided as-is without warranties.
-# ScanCode is a trademark of nexB Inc.
-#
-# You may not use this software except in compliance with the License.
-# You may obtain a copy of the License at: http://apache.org/licenses/LICENSE-2.0
-# Unless required by applicable law or agreed to in writing, software distributed
-# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-# CONDITIONS OF ANY KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations under the License.
-#
-# Data Generated with ScanCode.io is provided on an "AS IS" BASIS, WITHOUT WARRANTIES
-# OR CONDITIONS OF ANY KIND, either express or implied. No content created from
-# ScanCode.io should be considered or used as legal advice. Consult an Attorney
-# for any legal advice.
-#
-# ScanCode.io is a free software code scanning tool from nexB Inc. and others.
-# Visit https://github.com/nexB/scancode.io for support and download.
-
-from django.test import TestCase
-from django.test import override_settings
-from django.urls import reverse
-
-
-@override_settings(SCANCODEIO_REQUIRE_AUTHENTICATION=False)
-class LicensesTest(TestCase):
-    def test_license_list_view(self):
-        url = reverse("license_list")
-        response = self.client.get(url)
-        self.assertEqual(response.status_code, 200)
-
-    def test_license_details_view(self):
-        keys = ["apache-2.0", "abcdefg"]
-        license_url = reverse("license_details", args=(keys[0],))
-        dummy_license_url = reverse("license_details", args=(keys[1],))
-        response = [self.client.get(license_url), self.client.get(dummy_license_url)]
-        self.assertEqual(response[0].status_code, 200)
-        self.assertEqual(response[1].status_code, 404)
diff --git a/scanpipe/tests/test_views.py b/scanpipe/tests/test_views.py
index 1985dca08..76322d65c 100644
--- a/scanpipe/tests/test_views.py
+++ b/scanpipe/tests/test_views.py
@@ -30,6 +30,7 @@
 from django.test import TestCase
 from django.test import override_settings
 from django.urls import reverse
+from django.urls.exceptions import NoReverseMatch
 
 from scanpipe.models import CodebaseResource
 from scanpipe.models import DiscoveredPackage
@@ -796,3 +797,28 @@ def test_scanpipe_views_discovered_package_details_view_tab_vulnerabilities(self
         self.assertContains(response, "tab-vulnerabilities")
         self.assertContains(response, '<section id="tab-vulnerabilities"')
         self.assertContains(response, "VCID-cah8-awtr-aaad")
+
+    def test_license_list_view(self):
+        url = reverse("license_list")
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        expected = '<a href="/license/apache-2.0/">apache-2.0</a>'
+        self.assertContains(response, expected)
+
+    def test_license_details_view(self):
+        license_url = reverse("license_detail", args=["apache-2.0"])
+        response = self.client.get(license_url)
+        self.assertEqual(response.status_code, 200)
+
+        dummy_license_url = reverse("license_detail", args=["abcdefg"])
+        response = self.client.get(dummy_license_url)
+        self.assertEqual(response.status_code, 404)
+
+        xss = "%3Cscript%3Ealert(document.cookie);%3C/script%3E/"
+        with self.assertRaises(NoReverseMatch):
+            reverse("license_detail", args=[xss])
+
+        xss = "%3Cscript%3Ealert(document.cookie);%3C"
+        xss_url = reverse("license_detail", args=[xss])
+        response = self.client.get(xss_url)
+        self.assertEqual(response.status_code, 404)
diff --git a/scanpipe/urls.py b/scanpipe/urls.py
index 43d286d58..004d9caf4 100644
--- a/scanpipe/urls.py
+++ b/scanpipe/urls.py
@@ -162,7 +162,7 @@
         name="project_list",
     ),
     path(
-        "license/<path:key>/",
+        "license/<str:key>/",
         views.LicenseDetailsView.as_view(),
         name="license_detail",
     ),