package com.atlassian.crowd.acceptance.tests.applications.crowdid.client;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.hamcrest.Matchers;
import org.junit.Assert;

/* loaded from: input_file:com/atlassian/crowd/acceptance/tests/applications/crowdid/client/OpenIDClientOGNLInjectionTest.class */
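/**
 * Regression tests checking that the CrowdID client's {@code /login.action} endpoint does not act
 * on a {@code redirect:} request-parameter prefix.
 *
 * <p>Two outcomes are checked: an OGNL expression placed after the prefix must not be evaluated,
 * and a URL placed after the prefix must not turn the response into a redirect to that URL.
 * NOTE(review): the prefix handling presumably lives in the web framework underneath the action,
 * not in CrowdID code; confirm which layer these tests are guarding.
 */
public class OpenIDClientOGNLInjectionTest extends CrowdIDClientAcceptanceTestCase {
    /**
     * Sends an OGNL expression behind the {@code redirect:} prefix and verifies the application
     * is still serving the login page afterwards.
     *
     * <p>The expression calls {@code System.exit(0)}, so evaluation would be visible as the
     * second request failing (assuming the application under test runs in a JVM that the call
     * can terminate). The check is therefore indirect: it shows the application survived, not
     * that the expression was rejected before reaching an evaluator.
     */
    public void testOGNLCodeInjection() {
        gotoPage("/login.action?redirect:${@java.lang.System@exit(0)}");
        // A follow-up request only succeeds if the server process is still alive.
        gotoPage("/login.action");
        assertKeyPresent("login.title");
    }

    /**
     * Verifies that a URL behind the {@code redirect:} prefix does not produce an open redirect:
     * the response must be a 2xx and must not carry a {@code Location} header.
     *
     * @throws Exception if the request cannot be executed or a resource cannot be closed
     */
    public void testOGNLArbitraryRedirect() throws Exception {
        HttpGet httpGet = new HttpGet(getBaseUrl() + "/login.action?redirect:http://example.test/");
        // Redirect handling is disabled so a 3xx is observed here instead of being followed.
        CloseableHttpClient client = HttpClientBuilder.create().disableRedirectHandling().build();
        try {
            CloseableHttpResponse response = client.execute(httpGet);
            try {
                assertEquals("HTTP status code should be a 2xx, not a 3xx", 2, response.getStatusLine().getStatusCode() / 100);
                // The Location header must be read from the response; the request object never
                // carries one, so asserting on httpGet would pass even if the server redirected.
                Assert.assertThat("Should not have a Location header", response.getHeaders("Location"), Matchers.emptyArray());
            } finally {
                response.close();
            }
        } finally {
            client.close();
        }
    }
}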
