<?php
/**
* @file security_review.test.
* Drupal test cases for Security Review.
*/
/**
* Tests the functionality of the Security Review module.
*/
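class SecurityReviewTestCase extends DrupalWebTestCase {

  /**
   * Account used to drive the Security Review UI and change site settings.
   *
   * Declared explicitly instead of being created on the fly in setUp(), so
   * the test does not depend on dynamic properties (deprecated in PHP 8.2).
   *
   * @var object
   */
  protected $privileged_user;

  /**
   * Describes this test case to the SimpleTest runner.
   *
   * @return array
   *   Associative array with the 'name', 'description' and 'group' keys that
   *   SimpleTest displays in its test listing.
   */
  public static function getInfo() {
    return array(
      'name' => 'Security Review tests',
      'description' => 'Test the Security Review module.',
      'group' => 'Security Review',
    );
  }

  /**
   * Enables Security Review and logs in a user who can run and configure it.
   *
   * The extra permissions (filters, site configuration, article creation,
   * content types) are what the test methods below need in order to move the
   * site into the insecure configurations each check is designed to detect.
   */
  public function setUp() {
    // Enable the Security Review module.
    parent::setUp('security_review');
    // Load the module's .inc file; the security_review_check_*() functions
    // called directly in testCheckResults() are presumably defined there.
    module_load_include('inc', 'security_review');
    $this->privileged_user = $this->drupalCreateUser(array(
      'run security checks',
      'access security review list',
      'access administration pages',
      'administer filters',
      'administer site configuration',
      'create article content',
      'administer nodes',
      'administer content types',
    ));
    $this->drupalLogin($this->privileged_user);
  }

  /**
   * Exercises the report page, the settings page and the per-check help pages.
   *
   * Covers the first-run message, the default untrusted-role selection, the
   * skip checkbox for every check, the check-specific help pages, and the
   * status report entry that appears once checks have failed.
   */
  public function testUI() {
    $checklist = security_review_get_checklist();
    $secrev_checks = $checklist['security_review'];

    $this->drupalGet('admin/reports/security-review');
    $this->assertText('Click the button below to run the security checklist and review the results.');

    $this->assertText('Before running the checklist please review the settings page at', 'First time message appears before checklist has been run.');
    $settings_path = 'admin/reports/security-review/settings';
    $this->assertLinkByHref($settings_path, 0, 'Link to settings appears');
    $this->drupalGet($settings_path);
    $this->assertText('Untrusted roles', 'Untrusted roles header appears');
    // Role IDs 1 and 2 are Drupal's built-in anonymous and authenticated
    // roles. Role 3 is presumably the role drupalCreateUser() made for the
    // privileged user in setUp() -- verify that if this assertion gets flaky.
    $this->assertFieldChecked('edit-security-review-untrusted-roles-1', 'Anonymous users are marked as untrusted');
    $this->assertFieldChecked('edit-security-review-untrusted-roles-2', 'Authenticated users are marked as untrusted');
    $this->assertNoFieldChecked('edit-security-review-untrusted-roles-3', 'Administrator users are not marked as untrusted');
    $this->assertFieldChecked('edit-security-review-log', 'Log results is checked');
    $this->assertText('Base URL check method');

    // Confirm checks are available for skipping here, and that no check is
    // skipped out of the box (a skipped check silently disappears from the
    // report, so the default must be "not skipped").
    foreach ($secrev_checks as $name => $check) {
      $this->assertText($check['title'], "Skip option appears for $name check");
      // Form element IDs use dashes where check names use underscores.
      $field = 'edit-security-review-skip-' . str_replace('_', '-', $name);
      $this->assertNoFieldChecked($field, "Skip option for $name check is not enabled by default");
    }

    // Confirm check-specific help pages are working.
    foreach ($secrev_checks as $name => $check) {
      $path = 'admin/reports/security-review/help/security_review/' . $name;
      $this->drupalGet($path);
      // NOTE(review): 'Check-specfic' is spelled as in the original test.
      // Confirm it matches the module's top-level help heading; if the module
      // spells it 'Check-specific', this assertNoText() passes vacuously.
      $this->assertNoText('Check-specfic help', 'The top-level help text does not appear on check-specific pages');
    }

    // Run the checklist.
    $this->runChecklist();
    $this->assertText('Review results from last run');
    $this->assertText('Details');
    $this->assertText('Skip');

    // Test status page test: a default SimpleTest site fails at least one
    // check (error reporting goes to the screen), so a warning is expected.
    $this->drupalGet('admin/reports/status');
    $this->assertText('There are failed Security Review checks');
    $this->assertLinkByHref('admin/reports/security-review', 0, 'Link to checklist appears');
  }

  /**
   * Helper function for running the checklist.
   *
   * Submits the "Run checklist" form on the report page and leaves the test
   * browser on the resulting page, so callers can assert on the report text
   * straight afterwards.
   */
  protected function runChecklist() {
    $run_path = 'admin/reports/security-review';
    $edit = array();
    $this->drupalPost($run_path, $edit, t('Run checklist'));
  }

  /**
   * Calls each check callback directly and verifies its result.
   *
   * The expected results describe a freshly installed SimpleTest site with no
   * content: every check passes except error reporting (which defaults to the
   * screen) and failed logins (which has nothing to report yet).
   */
  public function testCheckResults() {
    $checklist = security_review_get_checklist();
    $secrev_checks = $checklist['security_review'];
    // Assert that all checks return expected format.
    foreach ($secrev_checks as $name => $check) {
      $callback = $check['callback'];
      // Report a missing callback as a failed assertion rather than letting
      // the call below abort the whole test run with a fatal error.
      if (!$this->assertTrue(is_callable($callback), "Check $name has a callable callback")) {
        continue;
      }
      $return = $callback();
      $this->assertTrue(is_array($return), "Check $name returns an array");
      $this->assertTrue(array_key_exists('result', $return), "Check $name has key 'result'");
    }
    // Note, not all checks can be tested (such as file permission checks)
    // because of the shared dependencies of simpletest with the host.

    // Test text formats check.
    $check = security_review_check_input_formats();
    $this->assertTrue($check['result'], 'Text formats check passes');

    // No content yet submitted.
    $check = security_review_check_field();
    $this->assertTrue($check['result'], 'Unsafe content in fields check passes');

    // Error reporting defaults to screen.
    $check = security_review_check_error_reporting();
    $this->assertFalse($check['result'], 'Error reporting check fails');

    // Failed logins is null.
    $check = security_review_check_failed_logins();
    $this->assertTrue(is_null($check['result']), 'Failed logins check is null');

    // Upload extensions passes.
    $check = security_review_check_upload_extensions();
    $this->assertTrue($check['result'], 'Upload extensions check passes');

    // No admin permissions granted.
    $check = security_review_check_admin_permissions();
    $this->assertTrue($check['result'], 'Admin permission check passes');
  }

  /**
   * Moves the site into insecure states one at a time and checks the report.
   *
   * After each change the checklist is re-run and the report is expected to
   * flag only the check that was deliberately broken, while the previously
   * observed results for the other checks stay the same. The script tag and
   * the 'exe, php' extension list are the fixtures the field and upload
   * extension checks must detect.
   */
  public function testChecksUI() {
    $this->runChecklist();
    $this->assertText('Untrusted users are not allowed to input dangerous HTML tags.');
    $this->assertText('Errors are written to the screen.');
    $this->assertText('Dangerous tags were not found in any submitted content (fields).');
    $this->assertText('Only safe extensions are allowed for uploaded files and images.');

    // Alter text formats: disabling the HTML filter lets untrusted roles
    // submit arbitrary tags, which the text formats check must report.
    $edit = array('filters[filter_html][status]' => FALSE);
    $submit_button = 'Save configuration';
    $this->drupalPost('admin/config/content/formats/filtered_html', $edit, $submit_button);
    $this->runChecklist();
    $this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
    // Confirm some other checks haven't changed.
    $this->assertText('Errors are written to the screen.');
    $this->assertText('Dangerous tags were not found in any submitted content (fields).');
    $this->assertText('Only safe extensions are allowed for uploaded files and images.');

    // Alter error reporting.
    $edit = array('error_level' => 0);
    $this->drupalPost('admin/config/development/logging', $edit, $submit_button);
    $this->runChecklist();
    $this->assertText('Error reporting set to log only.');
    // Confirm some other checks haven't changed.
    $this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
    $this->assertText('Dangerous tags were not found in any submitted content (fields).');
    $this->assertText('Only safe extensions are allowed for uploaded files and images.');

    // Create node with JS in the body; the field check must flag it.
    $edit = array(
      'title' => 'test node',
      'body[und][0][value]' => '<script>alert("testing!");</script>',
    );
    $this->drupalPost('node/add/article', $edit, 'Save');
    $this->runChecklist();
    $this->assertText('Dangerous tags were found in submitted content (fields).');
    // Confirm some other checks haven't changed.
    $this->assertText('Error reporting set to log only.');
    $this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
    $this->assertText('Only safe extensions are allowed for uploaded files and images.');

    // Alter article image upload extensions to ones the check treats as
    // unsafe.
    $edit = array('instance[settings][file_extensions]' => 'exe, php');
    $this->drupalPost('admin/structure/types/manage/article/fields/field_image', $edit, 'Save settings');
    $this->runChecklist();
    $this->assertText('Unsafe file extensions are allowed in uploads.');
    // Confirm some other checks haven't changed.
    $this->assertText('Dangerous tags were found in submitted content (fields).');
    $this->assertText('Error reporting set to log only.');
    $this->assertText('Untrusted users are allowed to input dangerous HTML tags.');
  }

  /**
   * Verifies that a skipped check keeps its last result when the site changes.
   *
   * Error reporting is marked as skipped, then the logging setting is fixed;
   * the report must still show the stale "written to the screen" result
   * because skipped checks are not re-evaluated.
   */
  public function testCheckSkippingUI() {
    $submit_button = 'Save configuration';
    // Skip error reporting, change setting and test check result.
    $edit = array('security_review_skip[error_reporting]' => TRUE);
    $this->drupalPost('admin/reports/security-review/settings', $edit, $submit_button);
    $this->runChecklist();
    $this->assertText('Errors are written to the screen.');
    // Alter error reporting.
    $edit = array('error_level' => 0);
    $this->drupalPost('admin/config/development/logging', $edit, $submit_button);
    $this->runChecklist();
    // Result still the same.
    $this->assertText('Errors are written to the screen.');
  }

}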