From 971a3ca6927c7e9ffa9ee6d1aa0a25a7f40bcb1b Mon Sep 17 00:00:00 2001
From: Dom Sekotill
Date: Fri, 5 Nov 2021 01:19:37 +0000
Subject: [PATCH 1/2] Add tests checking top level scripts (#17)

---
 tests/script-access.feature | 17 ++++++++++++++-
 tests/steps/request_steps.py | 40 ++++++++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/tests/script-access.feature b/tests/script-access.feature
index 4e3a3b3..f2aad15 100644
--- a/tests/script-access.feature
+++ b/tests/script-access.feature
@@ -29,7 +29,6 @@ Feature: Script Access and Restrictions
  | path | result |
  | /wp-activate.php | Not Found |
  | /wp-blog-header.php | Not Found |
- | /wp-comments-post.php | Not Found |
  | /wp-config.php | Not Found |
  | /wp-cron.php | Not Found |
  | /wp-load.php | Not Found |
@@ -47,8 +46,24 @@ Feature: Script Access and Restrictions
  | /wp-login.php | OK |
  | /wp-admin/ | 302 |
  | /wp-admin/index.php | 302 |
+ | /wp-comments-post.php | 405 |
 
  Scenario: Check the JSON API is accessible
  When /wp-json/wp/v2/ is requested
  Then OK is returned
  And the response body is JSON
+
+ Scenario: "GET /wp-comments-post.php" is not allowed
+ When /wp-comments-post.php is requested
+ Then 405 is returned
+ And the "Allow" header's value is "POST"
+
+ Scenario: "POST /wp-contents-post.php" accepts content
+ Given a blank post exists
+ When data is sent with POST to /wp-comments-post.php
+ """
+ comment_post_id={context.post[ID]}&author=John+Smith&email=j.smith@example.com&comment=First+%F0%9F%8D%86
+ """
+ Then OK is returned
+ # (Why 200 instead of 201? Probably the same reason 200 is returned when
+ # there are missing values?! It's WordPress.)
diff --git a/tests/steps/request_steps.py b/tests/steps/request_steps.py
index cd4c1f5..6af8d98 100644
--- a/tests/steps/request_steps.py
+++ b/tests/steps/request_steps.py
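Review bot: The title of the last added scenario names a path that appears nowhere else in the feature — `Scenario: "POST /wp-contents-post.php" accepts content` — while the step under it posts to /wp-comments-post.php; it should read `Scenario: "POST /wp-comments-post.php" accepts content`. The two comment lines after `Then OK is returned` leave an open question in the test rather than documenting what is being pinned: the comment itself says 200 is also what WordPress returns when values are missing, so `Then OK is returned` on its own cannot tell a stored comment from a rejected one. If 200 really is the success status, say so in the comment and consider adding an assertion on the response body or a follow-up check that the comment exists; otherwise this scenario can pass on an error page.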
@@ -20,6 +20,17 @@ from utils import URL
 from utils import PatternEnum
 
 
+class Method(PatternEnum):
+ """
+ HTTP methods
+ """
+
+ GET = "GET"
+ POST = "POST"
+ PUT = "PUT"
+ # add more methods as needed…
+
+
 class ResponseCode(int, PatternEnum):
  """
  HTTP response codes
@@ -32,11 +43,13 @@ class ResponseCode(int, PatternEnum):
  temporary_redirect = 307
  permanent_redirect = 308
  not_found = 404
+ method_not_allowed = 405
 
  # Aliases for the above codes, for mapping natural language in feature files to enums
  ALIASES = {
  "OK": 200,
  "Not Found": 404,
+ "Method Not Allowed": 405,
  }
 
  @staticmethod
@@ -67,6 +80,21 @@ def get_request(context: Context, url: URL) -> None:
  context.response = context.session.get(context.site.url / url, allow_redirects=False)
 
 
+@when("data is sent with {method:Method} to {url:URL}")
+def post_request(context: Context, method: Method, url: URL) -> None:
+ """
+ Send context text to a URL endpoint and assign the response to the context
+ """
+ if context.text is None:
+ raise ValueError("Missing data, please add as text to step definition")
+ context.response = context.session.request(
+ method.value,
+ context.site.url / url,
+ data=context.text.strip().format(context=context).encode("utf-8"),
+ allow_redirects=False,
+ )
+
+
 @when("the homepage is requested")
 def get_homepage(context: Context) -> None:
  """
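Review bot: post_request sends the step text as a raw byte body and sets no Content-Type; assuming `context.session` is a requests.Session (its `.get(..., allow_redirects=False)` and `.request(method, url, data=..., allow_redirects=...)` calls match that API), passing `data=` as bytes does not add the `application/x-www-form-urlencoded` header that a dict would, so the server is never told the body is a form. The feature's comment-post scenario relies on WordPress decoding `comment_post_id`, `author`, `email` and `comment` from that form, and its own comment notes that missing values also come back as 200, so the scenario could pass on the error path without anyone noticing. Adding `headers={"Content-Type": "application/x-www-form-urlencoded"},` to the `context.session.request(` call sends the body as the feature intends; if some step later needs another encoding, the header can become a parameter. The name `post_request` is now misleading since `{method:Method}` selects the verb; either rename it or add a docstring line such as `The HTTP method comes from the step text; the body is context.text formatted against the context.`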
@@ -87,6 +115,18 @@ def assert_response(context: Context, response: ResponseCode) -> None:
  f"Expected response {response}: got {context.response.status_code}"
 
 
+@then('''the "{header_name}" header's value is "{header_value}"''')
+def assert_header(context: Context, header_name: str, header_value: str) -> None:
+ """
+ Assert that an expected header was received during a previous step
+ """
+ headers = context.response.headers
+ assert header_name in headers, \
+ f"Expected header not found in response: {header_name!r}"
+ assert headers[header_name] == header_value, \
+ f"Expected header value not found: got {headers[header_name]!r}"
+
+
 @then("the response body is JSON")
 def assert_is_json(context: Context) -> None:
  """
-- GitLab

From c69ebd850af69660b22826af4dda1d41061abd52 Mon Sep 17 00:00:00 2001
From: Dom Sekotill
Date: Fri, 5 Nov 2021 01:22:16 +0000
Subject: [PATCH 2/2] Allow access to WP comments POST endpoint

---
 data/nginx/server.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/data/nginx/server.conf b/data/nginx/server.conf
index 4bd4056..afc7723 100644
--- a/data/nginx/server.conf
+++ b/data/nginx/server.conf
@@ -78,6 +78,20 @@ server {
  include cache-bust.conf;
  }
 
+ location = /wp-comments-post.php {
+ error_page 403 = @post-only;
+ limit_except POST {
+ deny all;
+ }
+ include fastcgi-script.conf;
+ include cache-bust.conf;
+ }
+
+ location @post-only {
+ add_header Allow "POST" always;
+ return 405;
+ }
+
  location /wp-admin/ {
  try_files $uri $uri/index.php;
 
-- GitLab
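Review bot: The second assertion in assert_header reports only the value that was received, so a failing `the "Allow" header's value is "POST"` step does not say what was expected; `f"Expected header {header_name!r} to be {header_value!r}: got {headers[header_name]!r}"` gives both sides. The comparison is a verbatim string match, which is fine for the single-token `Allow: POST` this feature checks but will break if a server ever lists several methods or changes spacing; a docstring line `Values are compared verbatim: no list splitting or case folding` makes that limit explicit for the next step author. Whether `header_name in headers` is case-insensitive depends on the type of `context.response.headers`, which the hunk does not show.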
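Review bot: `error_page 403 = @post-only;` turns every 403 raised inside `location = /wp-comments-post.php` into a 405 with `Allow: POST`, not just the one produced by `limit_except POST { deny all; }`; should fastcgi-script.conf, cache-bust.conf or a later access rule ever deny a request here for another reason, the client will be told the method is wrong instead of that access is forbidden. Since limit_except cannot emit a status other than 403 itself, the indirection through a named location is a reasonable way to get the correct 405, but it deserves a comment above the block, e.g. `# limit_except can only answer 403; map it to 405 + Allow so non-POST clients see the right status`, plus a check that the two included files carry no deny rules of their own. Note also that HEAD is refused along with GET, which matches the feature's expectation for GET but may surprise anything that probes this URL with HEAD.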