|
1
|
<?php
|
|
2
|
|
|
3
|
/**
|
|
4
|
* @file security_review.test.
|
|
5
|
* Drupal test cases for Security Review.
|
|
6
|
*/
|
|
7
|
|
|
8
|
/**
|
|
9
|
* Tests the functionality of the Security Review module.
|
|
10
|
*/
|
|
11
|
class SecurityReviewTestCase extends DrupalWebTestCase {
|
|
12
|
|
|
13
|
public static function getInfo() {
|
|
14
|
return array(
|
|
15
|
'name' => 'Security Review tests',
|
|
16
|
'description' => 'Test the Security Review module.',
|
|
17
|
'group' => 'Security Review',
|
|
18
|
);
|
|
19
|
}
|
|
20
|
|
|
21
|
public function setUp() {
|
|
22
|
// Enable the Security Review module.
|
|
23
|
parent::setUp('security_review');
|
|
24
|
module_load_include('inc', 'security_review');
|
|
25
|
$this->privileged_user = $this->drupalCreateUser(array(
|
|
26
|
'run security checks',
|
|
27
|
'access security review list',
|
|
28
|
'access administration pages',
|
|
29
|
'administer filters',
|
|
30
|
'administer site configuration',
|
|
31
|
'create article content',
|
|
32
|
'administer nodes',
|
|
33
|
'administer content types',
|
|
34
|
));
|
|
35
|
$this->drupalLogin($this->privileged_user);
|
|
36
|
}
|
|
37
|
|
|
38
|
public function testUI() {
|
|
39
|
$checklist = security_review_get_checklist();
|
|
40
|
$secrev_checks = $checklist['security_review'];
|
|
41
|
|
|
42
|
$this->drupalGet('admin/reports/security-review');
|
|
43
|
$this->assertText('Click the button below to run the security checklist and review the results.');
|
|
44
|
|
|
45
|
$this->assertText('Before running the checklist please review the settings page at', 'First time message appears before checklist has been run.');
|
|
46
|
$settings_path = 'admin/reports/security-review/settings';
|
|
47
|
$this->assertLinkByHref($settings_path, 0, 'Link to settings appears');
|
|
48
|
$this->drupalGet($settings_path);
|
|
49
|
$this->assertText('Untrusted roles', 'Untrusted roles header appears');
|
|
50
|
$this->assertFieldChecked('edit-security-review-untrusted-roles-1', 'Anonymous users are marked as untrusted');
|
|
51
|
$this->assertFieldChecked('edit-security-review-untrusted-roles-2', 'Authenticated users are marked as untrusted');
|
|
52
|
$this->assertNoFieldChecked('edit-security-review-untrusted-roles-3', 'Adminitrator users are not marked as untrusted');
|
|
53
|
$this->assertFieldChecked('edit-security-review-log', 'Log results is checked');
|
|
54
|
$this->assertText('Base URL check method');
|
|
55
|
|
|
56
|
// Confirm checks are available for skipping here.
|
|
57
|
foreach ($secrev_checks as $name => $check) {
|
|
58
|
$this->assertText($check['title'], "Skip option appears for $name check");
|
|
59
|
$field = 'edit-security-review-skip-' . str_replace('_', '-', $name);
|
|
60
|
$this->assertNoFieldChecked($field, 'Adminitrator users are not marked as untrusted');
|
|
61
|
}
|
|
62
|
|
|
63
|
// Confirm check-specific help pages are working.
|
|
64
|
foreach ($secrev_checks as $name => $check) {
|
|
65
|
$path = 'admin/reports/security-review/help/security_review/' . $name;
|
|
66
|
$this->drupalGet($path);
|
|
67
|
$this->assertNoText('Check-specfic help', 'The top-level help text does not appear on check-specific pages');
|
|
68
|
}
|
|
69
|
|
|
70
|
// Run the checklist
|
|
71
|
$this->runChecklist();
|
|
72
|
$this->assertText('Review results from last run');
|
|
73
|
$this->assertText('Details');
|
|
74
|
$this->assertText('Skip');
|
|
75
|
|
|
76
|
// Test status page test.
|
|
77
|
$this->drupalGet('admin/reports/status');
|
|
78
|
$this->assertText('There are failed Security Review checks');
|
|
79
|
$this->assertLinkByHref('admin/reports/security-review', 0, 'Link to checklist appears');
|
|
80
|
}
|
|
81
|
|
|
82
|
/**
|
|
83
|
* Helper function for running the checklist.
|
|
84
|
*
|
|
85
|
*/
|
|
86
|
protected function runChecklist() {
|
|
87
|
$run_path = 'admin/reports/security-review';
|
|
88
|
$edit = array();
|
|
89
|
$this->drupalPost($run_path, $edit, t('Run checklist'));
|
|
90
|
}
|
|
91
|
|
|
92
|
public function testCheckResults() {
|
|
93
|
$checklist = security_review_get_checklist();
|
|
94
|
$secrev_checks = $checklist['security_review'];
|
|
95
|
// Assert that all checks return expected format.
|
|
96
|
foreach ($secrev_checks as $name => $check) {
|
|
97
|
$callback = $check['callback'];
|
|
98
|
$return = $callback();
|
|
99
|
$this->assertTrue(is_array($return), "Check $name returns an array");
|
|
100
|
$this->assertTrue(array_key_exists('result', $return), "Check $name has key 'result'");
|
|
101
|
}
|
|
102
|
// Note, not all checks can be tested (such as file permission checks)
|
|
103
|
// because of the shared dependencies of simpletest with the host.
|
|
104
|
|
|
105
|
// Test text formats check.
|
|
106
|
$check = security_review_check_input_formats();
|
|
107
|
$this->assertTrue($check['result'], 'Text formats check passes');
|
|
108
|
|
|
109
|
// No content yet submitted.
|
|
110
|
$check = security_review_check_field();
|
|
111
|
$this->assertTrue($check['result'], 'Unsafe content in fields check passes');
|
|
112
|
|
|
113
|
// Error reporting defaults to screen.
|
|
114
|
$check = security_review_check_error_reporting();
|
|
115
|
$this->assertFalse($check['result'], 'Error reporting check fails');
|
|
116
|
|
|
117
|
// Failed logins is null.
|
|
118
|
$check = security_review_check_failed_logins();
|
|
119
|
$this->assertTrue(is_null($check['result']), 'Failed logins check is null');
|
|
120
|
|
|
121
|
// Upload extensions passes.
|
|
122
|
$check = security_review_check_upload_extensions();
|
|
123
|
$this->assertTrue($check['result'], 'Upload extensions check passes');
|
|
124
|
|
|
125
|
// No admin permissions granted.
|
|
126
|
$check = security_review_check_admin_permissions();
|
|
127
|
$this->assertTrue($check['result'], 'Admin permission check passes');
|
|
128
|
}
|
|
129
|
|
|
130
|
public function testChecksUI() {
|
|
131
|
$this->runChecklist();
|
|
132
|
$this->assertText('Untrusted users are not allowed to input dangerous HTML tags.');
|
|
133
|
$this->assertText('Errors are written to the screen.');
|
|
134
|
$this->assertText('Dangerous tags were not found in any submitted content (fields).');
|
|
135
|
$this->assertText('Only safe extensions are allowed for uploaded files and images.');
|
|
136
|
// Alter text formats.
|
|
137
|
$edit = array('filters[filter_html][status]' => FALSE);
|
|
138
|
$submit_button = 'Save configuration';
|
|
139
|
$this->drupalPost('admin/config/content/formats/filtered_html', $edit, $submit_button);
|
|
140
|
$this->runChecklist();
|
|
141
|
$this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
|
|
142
|
// Confirm some other checks haven't changed.
|
|
143
|
$this->assertText('Errors are written to the screen.');
|
|
144
|
$this->assertText('Dangerous tags were not found in any submitted content (fields).');
|
|
145
|
$this->assertText('Only safe extensions are allowed for uploaded files and images.');
|
|
146
|
// Alter error reporting.
|
|
147
|
$edit = array('error_level' => 0);
|
|
148
|
$this->drupalPost('admin/config/development/logging', $edit, $submit_button);
|
|
149
|
$this->runChecklist();
|
|
150
|
$this->assertText('Error reporting set to log only.');
|
|
151
|
// Confirm some other checks haven't changed.
|
|
152
|
$this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
|
|
153
|
$this->assertText('Dangerous tags were not found in any submitted content (fields).');
|
|
154
|
$this->assertText('Only safe extensions are allowed for uploaded files and images.');
|
|
155
|
// Create node with JS.
|
|
156
|
$edit = array(
|
|
157
|
'title' => 'test node',
|
|
158
|
'body[und][0][value]' => '<script>alert("testing!");</script>',
|
|
159
|
);
|
|
160
|
$this->drupalPost('node/add/article', $edit, 'Save');
|
|
161
|
$this->runChecklist();
|
|
162
|
$this->assertText('Dangerous tags were found in submitted content (fields).');
|
|
163
|
// Confirm some other checks haven't changed.
|
|
164
|
$this->assertText('Error reporting set to log only.');
|
|
165
|
$this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
|
|
166
|
$this->assertText('Only safe extensions are allowed for uploaded files and images.');
|
|
167
|
// Alter article image upload extensions.
|
|
168
|
$edit = array('instance[settings][file_extensions]' => 'exe, php');
|
|
169
|
$this->drupalPost('admin/structure/types/manage/article/fields/field_image', $edit, 'Save settings');
|
|
170
|
$this->runChecklist();
|
|
171
|
$this->assertText('Unsafe file extensions are allowed in uploads.');
|
|
172
|
// Confirm some other checks haven't changed.
|
|
173
|
$this->assertText('Dangerous tags were found in submitted content (fields).');
|
|
174
|
$this->assertText('Error reporting set to log only.');
|
|
175
|
$this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
|
|
176
|
}
|
|
177
|
|
|
178
|
public function testCheckSkippingUI() {
|
|
179
|
$submit_button = 'Save configuration';
|
|
180
|
// Skip error reporting, change setting and test check result.
|
|
181
|
$edit = array('security_review_skip[error_reporting]' => TRUE);
|
|
182
|
$this->drupalPost('admin/reports/security-review/settings', $edit, $submit_button);
|
|
183
|
$this->runChecklist();
|
|
184
|
$this->assertText('Errors are written to the screen.');
|
|
185
|
// Alter error reporting.
|
|
186
|
$edit = array('error_level' => 0);
|
|
187
|
$this->drupalPost('admin/config/development/logging', $edit, $submit_button);
|
|
188
|
$this->runChecklist();
|
|
189
|
// Result still the same.
|
|
190
|
$this->assertText('Errors are written to the screen.');
|
|
191
|
}
|
|
192
|
|
|
193
|
}
|
