require 'spec_helper'
require 'ronin/exploits/ssti'

describe Ronin::Exploits::SSTI do
  module TestSSTI
    class TestExploit < Ronin::Exploits::SSTI
      base_path   '/Templatize.asp'
      query_param 'item'
    end

    class TestExploitWithEscapeExpr < Ronin::Exploits::SSTI
      base_path   '/Templatize.asp'
      query_param 'item'
      escape_expr ->(expr) { "${{#{expr}}}" }
    end
  end

  let(:exploit_class) { TestSSTI::TestExploit }
  let(:base_url)      { 'http://testasp.vulnweb.com/' }
  let(:query)         { 'item=html/about.html' }
  let(:query_param)   { 'item' }

  subject do
    exploit_class.new(
      params: {
        base_url: base_url
      }
    )
  end

  describe ".escape_expr" do
    subject { exploit_class }

    context "and when escape_expr is not set in the class" do
      module TestSSTI
        class WithNoEscapeExprSet < Ronin::Exploits::SSTI
        end
      end

      let(:exploit_class) { TestSSTI::WithNoEscapeExprSet }

      it "must default to nil" do
        expect(subject.escape_expr).to be(nil)
      end
    end

    context "and when escape_expr is set in the class" do
      module TestSSTI
        class WithEscapeExprSet < Ronin::Exploits::SSTI
          escape_expr ->(expr) { "{{#{expr}}}" }
        end
      end

      let(:exploit_class) { TestSSTI::WithEscapeExprSet }

      it "must return the set escape_expr" do
        expect(subject.escape_expr).to be_kind_of(Proc)
        expect(subject.escape_expr.call('test')).to eq('{{test}}')
      end
    end

    context "but when the escape_expr was set in the superclass" do
      module TestSSTI
        class InheritsItsEscapeExpr < WithEscapeExprSet
        end
      end

      let(:exploit_class) { TestSSTI::InheritsItsEscapeExpr }

      it "must return the escape_expr set in the superclass" do
        expect(subject.escape_expr).to be_kind_of(Proc)
        expect(subject.escape_expr.call('test')).to eq('{{test}}')
      end

      context "but the escape_expr is overridden in the sub-class" do
        module TestSSTI
          class OverridesItsInheritedEscapeExpr < WithEscapeExprSet
            escape_expr ->(expr) { "${#{expr}}" }
          end
        end

        let(:exploit_class) do
          TestSSTI::OverridesItsInheritedEscapeExpr
        end

        it "must return the escape_expr set in the sub-class" do
          expect(subject.escape_expr).to be_kind_of(Proc)
          expect(subject.escape_expr.call('test')).to eq('${test}')
        end
      end
    end
  end

  describe ".exploit_type" do
    subject { described_class }

    it { expect(subject.exploit_type).to eq(:ssti) }
  end

  describe "#vuln" do
    it "must return a Ronin::Vulns::SSTI object" do
      expect(subject.vuln).to be_kind_of(Ronin::Vulns::SSTI)
    end

    it "must set the #url attribute of the SSTI vuln object" do
      expect(subject.vuln.url).to eq(subject.url)
    end

    it "must defalt the #escape attribute of the SSTI vuln object to nil" do
      expect(subject.vuln.escape).to be(nil)
    end

    context "when the exploit's escape_expr has been set" do
      let(:exploit_class) { TestSSTI::TestExploitWithEscapeExpr }

      it "must set the #escape attribute of the SSTI vuln object" do
        expect(subject.vuln.escape).to be(exploit_class.escape_expr)
      end
    end
  end
end