Révision f581c0a8
Ajouté par Assos Assos il y a presque 4 ans
| drupal7/modules/simpletest/tests/request_sanitizer.test | ||
|---|---|---|
| 1 |
<?php |
|
| 2 |
|
|
| 3 |
/** |
|
| 4 |
* @file |
|
| 5 |
* Tests for the RequestSanitizer class. |
|
| 6 |
*/ |
|
| 7 |
|
|
| 8 |
/** |
|
| 9 |
* Tests DrupalRequestSanitizer class. |
|
| 10 |
*/ |
|
| 11 |
class RequestSanitizerTest extends DrupalUnitTestCase {
|
|
| 12 |
|
|
| 13 |
/** |
|
| 14 |
* Log of errors triggered during sanitization. |
|
| 15 |
* |
|
| 16 |
* @var array |
|
| 17 |
*/ |
|
| 18 |
protected $errors; |
|
| 19 |
|
|
| 20 |
/** |
|
| 21 |
* {@inheritdoc}
|
|
| 22 |
*/ |
|
| 23 |
public static function getInfo() {
|
|
| 24 |
return array( |
|
| 25 |
'name' => 'DrupalRequestSanitizer', |
|
| 26 |
'description' => 'Test the DrupalRequestSanitizer class', |
|
| 27 |
'group' => 'System', |
|
| 28 |
); |
|
| 29 |
} |
|
| 30 |
|
|
| 31 |
/** |
|
| 32 |
* {@inheritdoc}
|
|
| 33 |
*/ |
|
| 34 |
protected function setUp() {
|
|
| 35 |
require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; |
|
| 36 |
parent::setUp(); |
|
| 37 |
set_error_handler(array($this, "sanitizerTestErrorHandler")); |
|
| 38 |
} |
|
| 39 |
|
|
| 40 |
/** |
|
| 41 |
* Iterate through all the RequestSanitizerTests. |
|
| 42 |
*/ |
|
| 43 |
public function testRequestSanitization() {
|
|
| 44 |
foreach ($this->requestSanitizerTests() as $label => $data) {
|
|
| 45 |
$this->errors = array(); |
|
| 46 |
// Normalize the test parameters. |
|
| 47 |
$test = array( |
|
| 48 |
'request' => $data[0], |
|
| 49 |
'expected' => isset($data[1]) ? $data[1] : array(), |
|
| 50 |
'expected_errors' => isset($data[2]) ? $data[2] : NULL, |
|
| 51 |
'whitelist' => isset($data[3]) ? $data[3] : array(), |
|
| 52 |
); |
|
| 53 |
$this->requestSanitizationTest($test['request'], $test['expected'], $test['expected_errors'], $test['whitelist'], $label); |
|
| 54 |
} |
|
| 55 |
} |
|
| 56 |
|
|
| 57 |
/** |
|
| 58 |
* Tests RequestSanitizer class. |
|
| 59 |
* |
|
| 60 |
* @param \SanitizerTestRequest $request |
|
| 61 |
* The request to sanitize. |
|
| 62 |
* @param array $expected |
|
| 63 |
* An array of expected request parameters after sanitization. |
|
| 64 |
* @param array|null $expected_errors |
|
| 65 |
* An array of expected errors. If set to NULL then error logging is |
|
| 66 |
* disabled. |
|
| 67 |
* @param array $whitelist |
|
| 68 |
* An array of keys to whitelist and not sanitize. |
|
| 69 |
* @param string $label |
|
| 70 |
* A descriptive name for each test / group of assertions. |
|
| 71 |
* |
|
| 72 |
* @throws \ReflectionException |
|
| 73 |
*/ |
|
| 74 |
public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) {
|
|
| 75 |
// Set up globals. |
|
| 76 |
$_GET = $request->getQuery(); |
|
| 77 |
$_POST = $request->getRequest(); |
|
| 78 |
$_COOKIE = $request->getCookies(); |
|
| 79 |
$_REQUEST = array_merge($request->getQuery(), $request->getRequest()); |
|
| 80 |
|
|
| 81 |
$GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist; |
|
| 82 |
$GLOBALS['conf']['sanitize_input_logging'] = is_null($expected_errors) ? FALSE : TRUE; |
|
| 83 |
if ($label !== 'already sanitized request') {
|
|
| 84 |
$reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized');
|
|
| 85 |
$reflection->setAccessible(TRUE); |
|
| 86 |
$reflection->setValue(NULL, FALSE); |
|
| 87 |
} |
|
| 88 |
DrupalRequestSanitizer::sanitize(); |
|
| 89 |
if (isset($_GET['destination'])) {
|
|
| 90 |
DrupalRequestSanitizer::cleanDestination(); |
|
| 91 |
} |
|
| 92 |
|
|
| 93 |
// Normalise the expected data. |
|
| 94 |
$expected += array( |
|
| 95 |
'cookies' => array(), |
|
| 96 |
'query' => array(), |
|
| 97 |
'request' => array(), |
|
| 98 |
); |
|
| 99 |
|
|
| 100 |
// Test PHP globals. |
|
| 101 |
$this->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)'); |
|
| 102 |
$this->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)'); |
|
| 103 |
$this->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)'); |
|
| 104 |
$expected_request = array_merge($expected['query'], $expected['request']); |
|
| 105 |
$this->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)'); |
|
| 106 |
|
|
| 107 |
// Ensure any expected errors have been triggered. |
|
| 108 |
if (!empty($expected_errors)) {
|
|
| 109 |
foreach ($expected_errors as $expected_error) {
|
|
| 110 |
$this->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)'); |
|
| 111 |
} |
|
| 112 |
} |
|
| 113 |
else {
|
|
| 114 |
$this->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)'); |
|
| 115 |
} |
|
| 116 |
} |
|
| 117 |
|
|
| 118 |
/** |
|
| 119 |
* Data provider for testRequestSanitization. |
|
| 120 |
* |
|
| 121 |
* @return array |
|
| 122 |
* A list of tests to carry out. |
|
| 123 |
*/ |
|
| 124 |
public function requestSanitizerTests() {
|
|
| 125 |
$tests = array(); |
|
| 126 |
|
|
| 127 |
$request = new SanitizerTestRequest(array('q' => 'index.php'));
|
|
| 128 |
$tests['no sanitization GET'] = array($request, array('query' => array('q' => 'index.php')));
|
|
| 129 |
|
|
| 130 |
$request = new SanitizerTestRequest(array(), array('field' => 'value'));
|
|
| 131 |
$tests['no sanitization POST'] = array($request, array('request' => array('field' => 'value')));
|
|
| 132 |
|
|
| 133 |
$request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
|
|
| 134 |
$tests['no sanitization COOKIE'] = array($request, array('cookies' => array('key' => 'value')));
|
|
| 135 |
|
|
| 136 |
$request = new SanitizerTestRequest(array('q' => 'index.php'), array('field' => 'value'), array(), array('key' => 'value'));
|
|
| 137 |
$tests['no sanitization GET, POST, COOKIE'] = array($request, array('query' => array('q' => 'index.php'), 'request' => array('field' => 'value'), 'cookies' => array('key' => 'value')));
|
|
| 138 |
|
|
| 139 |
$request = new SanitizerTestRequest(array('q' => 'index.php'));
|
|
| 140 |
$tests['no sanitization GET log'] = array($request, array('query' => array('q' => 'index.php')), array());
|
|
| 141 |
|
|
| 142 |
$request = new SanitizerTestRequest(array(), array('field' => 'value'));
|
|
| 143 |
$tests['no sanitization POST log'] = array($request, array('request' => array('field' => 'value')), array());
|
|
| 144 |
|
|
| 145 |
$request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
|
|
| 146 |
$tests['no sanitization COOKIE log'] = array($request, array('cookies' => array('key' => 'value')), array());
|
|
| 147 |
|
|
| 148 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'));
|
|
| 149 |
$tests['sanitization GET'] = array($request); |
|
| 150 |
|
|
| 151 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value'));
|
|
| 152 |
$tests['sanitization POST'] = array($request); |
|
| 153 |
|
|
| 154 |
$request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
|
|
| 155 |
$tests['sanitization COOKIE'] = array($request); |
|
| 156 |
|
|
| 157 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
|
|
| 158 |
$tests['sanitization GET, POST, COOKIE'] = array($request); |
|
| 159 |
|
|
| 160 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'));
|
|
| 161 |
$tests['sanitization GET log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q'));
|
|
| 162 |
|
|
| 163 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value'));
|
|
| 164 |
$tests['sanitization POST log'] = array($request, array(), array('Potentially unsafe keys removed from request body parameters (POST): #field'));
|
|
| 165 |
|
|
| 166 |
$request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
|
|
| 167 |
$tests['sanitization COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));
|
|
| 168 |
|
|
| 169 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
|
|
| 170 |
$tests['sanitization GET, POST, COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q', 'Potentially unsafe keys removed from request body parameters (POST): #field', 'Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));
|
|
| 171 |
|
|
| 172 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
|
|
| 173 |
$tests['recursive sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar'));
|
|
| 174 |
|
|
| 175 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
|
|
| 176 |
$tests['recursive no sanitization whitelist'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))), array(), array('#bar'));
|
|
| 177 |
|
|
| 178 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value'));
|
|
| 179 |
$tests['no sanitization POST whitelist'] = array($request, array('request' => array('#field' => 'value')), array(), array('#field'));
|
|
| 180 |
|
|
| 181 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo', '#foo' => 'bar')));
|
|
| 182 |
$tests['recursive multiple sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar, #foo'));
|
|
| 183 |
|
|
| 184 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'));
|
|
| 185 |
$tests['already sanitized request'] = array($request, array('query' => array('#q' => 'index.php')));
|
|
| 186 |
|
|
| 187 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
|
|
| 188 |
$tests['destination removal GET'] = array($request); |
|
| 189 |
|
|
| 190 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
|
|
| 191 |
$tests['destination removal GET log'] = array($request, array(), array('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test'));
|
|
| 192 |
|
|
| 193 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
|
|
| 194 |
$tests['destination removal subkey'] = array($request); |
|
| 195 |
|
|
| 196 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
|
|
| 197 |
$tests['destination whitelist'] = array($request, array('query' => array('destination' => 'whatever?q[%23test]=value')), array(), array('#test'));
|
|
| 198 |
|
|
| 199 |
$request = new SanitizerTestRequest(array('destination' => "whatever?\x00bar=base&%23test=value"));
|
|
| 200 |
$tests['destination removal zero byte'] = array($request); |
|
| 201 |
|
|
| 202 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q=value'));
|
|
| 203 |
$tests['destination kept'] = array($request, array('query' => array('destination' => 'whatever?q=value')));
|
|
| 204 |
|
|
| 205 |
$request = new SanitizerTestRequest(array('destination' => 'whatever'));
|
|
| 206 |
$tests['destination no query'] = array($request, array('query' => array('destination' => 'whatever')));
|
|
| 207 |
|
|
| 208 |
return $tests; |
|
| 209 |
} |
|
| 210 |
|
|
| 211 |
/** |
|
| 212 |
* Catches and logs errors to $this->errors. |
|
| 213 |
* |
|
| 214 |
* @param int $errno |
|
| 215 |
* The severity level of the error. |
|
| 216 |
* @param string $errstr |
|
| 217 |
* The error message. |
|
| 218 |
*/ |
|
| 219 |
public function sanitizerTestErrorHandler($errno, $errstr) {
|
|
| 220 |
$this->errors[] = compact('errno', 'errstr');
|
|
| 221 |
} |
|
| 222 |
|
|
| 223 |
/** |
|
| 224 |
* Asserts that the expected error has been logged. |
|
| 225 |
* |
|
| 226 |
* @param string $errstr |
|
| 227 |
* The error message. |
|
| 228 |
* @param int $errno |
|
| 229 |
* The severity level of the error. |
|
| 230 |
* @param string $label |
|
| 231 |
* The label to include with the message. |
|
| 232 |
* |
|
| 233 |
* @return bool |
|
| 234 |
* TRUE if the assertion succeeded, FALSE otherwise. |
|
| 235 |
*/ |
|
| 236 |
protected function assertError($errstr, $errno, $label) {
|
|
| 237 |
$label = (empty($label)) ? '' : $label . ': '; |
|
| 238 |
foreach ($this->errors as $error) {
|
|
| 239 |
if ($error['errstr'] === $errstr && $error['errno'] === $errno) {
|
|
| 240 |
return $this->pass($label . "Error with level $errno and message '$errstr' found"); |
|
| 241 |
} |
|
| 242 |
} |
|
| 243 |
return $this->fail($label . "Error with level $errno and message '$errstr' not found in " . var_export($this->errors, TRUE)); |
|
| 244 |
} |
|
| 245 |
|
|
| 246 |
/** |
|
| 247 |
* Asserts two values are equal, includes a label. |
|
| 248 |
* |
|
| 249 |
* @param mixed $first |
|
| 250 |
* The first value to check. |
|
| 251 |
* @param mixed $second |
|
| 252 |
* The second value to check. |
|
| 253 |
* @param string $message |
|
| 254 |
* The message to display along with the assertion. |
|
| 255 |
* @param string $group |
|
| 256 |
* The type of assertion - examples are "Browser", "PHP". |
|
| 257 |
* @param string $label |
|
| 258 |
* The label to include with the message. |
|
| 259 |
* |
|
| 260 |
* @return bool |
|
| 261 |
* TRUE if the assertion succeeded, FALSE otherwise. |
|
| 262 |
*/ |
|
| 263 |
protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') {
|
|
| 264 |
$label = (empty($label)) ? '' : $label . ': '; |
|
| 265 |
$message = $message ? $message : t('Value @first is equal to value @second.', array(
|
|
| 266 |
'@first' => var_export($first, TRUE), |
|
| 267 |
'@second' => var_export($second, TRUE), |
|
| 268 |
)); |
|
| 269 |
return $this->assert($first == $second, $label . $message, $group); |
|
| 270 |
} |
|
| 271 |
|
|
| 272 |
} |
|
| 273 |
|
|
| 274 |
/** |
|
| 275 |
* Basic HTTP Request class. |
|
| 276 |
*/ |
|
| 277 |
class SanitizerTestRequest {
|
|
| 278 |
|
|
| 279 |
/** |
|
| 280 |
* The query (GET). |
|
| 281 |
* |
|
| 282 |
* @var array |
|
| 283 |
*/ |
|
| 284 |
protected $query; |
|
| 285 |
|
|
| 286 |
/** |
|
| 287 |
* The request (POST). |
|
| 288 |
* |
|
| 289 |
* @var array |
|
| 290 |
*/ |
|
| 291 |
protected $request; |
|
| 292 |
|
|
| 293 |
/** |
|
| 294 |
* The request attributes. |
|
| 295 |
* |
|
| 296 |
* @var array |
|
| 297 |
*/ |
|
| 298 |
protected $attributes; |
|
| 299 |
|
|
| 300 |
/** |
|
| 301 |
* The request cookies. |
|
| 302 |
* |
|
| 303 |
* @var array |
|
| 304 |
*/ |
|
| 305 |
protected $cookies; |
|
| 306 |
|
|
| 307 |
/** |
|
| 308 |
* Constructor. |
|
| 309 |
* |
|
| 310 |
* @param array $query |
|
| 311 |
* The GET parameters. |
|
| 312 |
* @param array $request |
|
| 313 |
* The POST parameters. |
|
| 314 |
* @param array $attributes |
|
| 315 |
* The request attributes. |
|
| 316 |
* @param array $cookies |
|
| 317 |
* The COOKIE parameters. |
|
| 318 |
*/ |
|
| 319 |
public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array()) {
|
|
| 320 |
$this->query = $query; |
|
| 321 |
$this->request = $request; |
|
| 322 |
$this->attributes = $attributes; |
|
| 323 |
$this->cookies = $cookies; |
|
| 324 |
} |
|
| 325 |
|
|
| 326 |
/** |
|
| 327 |
* Getter for $query. |
|
| 328 |
*/ |
|
| 329 |
public function getQuery() {
|
|
| 330 |
return $this->query; |
|
| 331 |
} |
|
| 332 |
|
|
| 333 |
/** |
|
| 334 |
* Getter for $request. |
|
| 335 |
*/ |
|
| 336 |
public function getRequest() {
|
|
| 337 |
return $this->request; |
|
| 338 |
} |
|
| 339 |
|
|
| 340 |
/** |
|
| 341 |
* Getter for $attributes. |
|
| 342 |
*/ |
|
| 343 |
public function getAttributes() {
|
|
| 344 |
return $this->attributes; |
|
| 345 |
} |
|
| 346 |
|
|
| 347 |
/** |
|
| 348 |
* Getter for $cookies. |
|
| 349 |
*/ |
|
| 350 |
public function getCookies() {
|
|
| 351 |
return $this->cookies; |
|
| 352 |
} |
|
| 353 |
|
|
| 354 |
} |
|
Formats disponibles : Unified diff
Udpate to 7.72