Révision f581c0a8
Ajouté par Assos Assos il y a presque 4 ans
drupal7/modules/simpletest/tests/request_sanitizer.test | ||
---|---|---|
1 |
<?php |
|
2 |
|
|
3 |
/** |
|
4 |
* @file |
|
5 |
* Tests for the RequestSanitizer class. |
|
6 |
*/ |
|
7 |
|
|
8 |
/** |
|
9 |
* Tests DrupalRequestSanitizer class. |
|
10 |
*/ |
|
11 |
class RequestSanitizerTest extends DrupalUnitTestCase { |
|
12 |
|
|
13 |
/** |
|
14 |
* Log of errors triggered during sanitization. |
|
15 |
* |
|
16 |
* @var array |
|
17 |
*/ |
|
18 |
protected $errors; |
|
19 |
|
|
20 |
/** |
|
21 |
* {@inheritdoc} |
|
22 |
*/ |
|
23 |
public static function getInfo() { |
|
24 |
return array( |
|
25 |
'name' => 'DrupalRequestSanitizer', |
|
26 |
'description' => 'Test the DrupalRequestSanitizer class', |
|
27 |
'group' => 'System', |
|
28 |
); |
|
29 |
} |
|
30 |
|
|
31 |
/** |
|
32 |
* {@inheritdoc} |
|
33 |
*/ |
|
34 |
protected function setUp() { |
|
35 |
require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc'; |
|
36 |
parent::setUp(); |
|
37 |
set_error_handler(array($this, "sanitizerTestErrorHandler")); |
|
38 |
} |
|
39 |
|
|
40 |
/** |
|
41 |
* Iterate through all the RequestSanitizerTests. |
|
42 |
*/ |
|
43 |
public function testRequestSanitization() { |
|
44 |
foreach ($this->requestSanitizerTests() as $label => $data) { |
|
45 |
$this->errors = array(); |
|
46 |
// Normalize the test parameters. |
|
47 |
$test = array( |
|
48 |
'request' => $data[0], |
|
49 |
'expected' => isset($data[1]) ? $data[1] : array(), |
|
50 |
'expected_errors' => isset($data[2]) ? $data[2] : NULL, |
|
51 |
'whitelist' => isset($data[3]) ? $data[3] : array(), |
|
52 |
); |
|
53 |
$this->requestSanitizationTest($test['request'], $test['expected'], $test['expected_errors'], $test['whitelist'], $label); |
|
54 |
} |
|
55 |
} |
|
56 |
|
|
57 |
/** |
|
58 |
* Tests RequestSanitizer class. |
|
59 |
* |
|
60 |
* @param \SanitizerTestRequest $request |
|
61 |
* The request to sanitize. |
|
62 |
* @param array $expected |
|
63 |
* An array of expected request parameters after sanitization. |
|
64 |
* @param array|null $expected_errors |
|
65 |
* An array of expected errors. If set to NULL then error logging is |
|
66 |
* disabled. |
|
67 |
* @param array $whitelist |
|
68 |
* An array of keys to whitelist and not sanitize. |
|
69 |
* @param string $label |
|
70 |
* A descriptive name for each test / group of assertions. |
|
71 |
* |
|
72 |
* @throws \ReflectionException |
|
73 |
*/ |
|
74 |
public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) { |
|
75 |
// Set up globals. |
|
76 |
$_GET = $request->getQuery(); |
|
77 |
$_POST = $request->getRequest(); |
|
78 |
$_COOKIE = $request->getCookies(); |
|
79 |
$_REQUEST = array_merge($request->getQuery(), $request->getRequest()); |
|
80 |
|
|
81 |
$GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist; |
|
82 |
$GLOBALS['conf']['sanitize_input_logging'] = is_null($expected_errors) ? FALSE : TRUE; |
|
83 |
if ($label !== 'already sanitized request') { |
|
84 |
$reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized'); |
|
85 |
$reflection->setAccessible(TRUE); |
|
86 |
$reflection->setValue(NULL, FALSE); |
|
87 |
} |
|
88 |
DrupalRequestSanitizer::sanitize(); |
|
89 |
if (isset($_GET['destination'])) { |
|
90 |
DrupalRequestSanitizer::cleanDestination(); |
|
91 |
} |
|
92 |
|
|
93 |
// Normalise the expected data. |
|
94 |
$expected += array( |
|
95 |
'cookies' => array(), |
|
96 |
'query' => array(), |
|
97 |
'request' => array(), |
|
98 |
); |
|
99 |
|
|
100 |
// Test PHP globals. |
|
101 |
$this->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)'); |
|
102 |
$this->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)'); |
|
103 |
$this->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)'); |
|
104 |
$expected_request = array_merge($expected['query'], $expected['request']); |
|
105 |
$this->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)'); |
|
106 |
|
|
107 |
// Ensure any expected errors have been triggered. |
|
108 |
if (!empty($expected_errors)) { |
|
109 |
foreach ($expected_errors as $expected_error) { |
|
110 |
$this->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)'); |
|
111 |
} |
|
112 |
} |
|
113 |
else { |
|
114 |
$this->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)'); |
|
115 |
} |
|
116 |
} |
|
117 |
|
|
118 |
/** |
|
119 |
* Data provider for testRequestSanitization. |
|
120 |
* |
|
121 |
* @return array |
|
122 |
* A list of tests to carry out. |
|
123 |
*/ |
|
124 |
public function requestSanitizerTests() { |
|
125 |
$tests = array(); |
|
126 |
|
|
127 |
$request = new SanitizerTestRequest(array('q' => 'index.php')); |
|
128 |
$tests['no sanitization GET'] = array($request, array('query' => array('q' => 'index.php'))); |
|
129 |
|
|
130 |
$request = new SanitizerTestRequest(array(), array('field' => 'value')); |
|
131 |
$tests['no sanitization POST'] = array($request, array('request' => array('field' => 'value'))); |
|
132 |
|
|
133 |
$request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value')); |
|
134 |
$tests['no sanitization COOKIE'] = array($request, array('cookies' => array('key' => 'value'))); |
|
135 |
|
|
136 |
$request = new SanitizerTestRequest(array('q' => 'index.php'), array('field' => 'value'), array(), array('key' => 'value')); |
|
137 |
$tests['no sanitization GET, POST, COOKIE'] = array($request, array('query' => array('q' => 'index.php'), 'request' => array('field' => 'value'), 'cookies' => array('key' => 'value'))); |
|
138 |
|
|
139 |
$request = new SanitizerTestRequest(array('q' => 'index.php')); |
|
140 |
$tests['no sanitization GET log'] = array($request, array('query' => array('q' => 'index.php')), array()); |
|
141 |
|
|
142 |
$request = new SanitizerTestRequest(array(), array('field' => 'value')); |
|
143 |
$tests['no sanitization POST log'] = array($request, array('request' => array('field' => 'value')), array()); |
|
144 |
|
|
145 |
$request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value')); |
|
146 |
$tests['no sanitization COOKIE log'] = array($request, array('cookies' => array('key' => 'value')), array()); |
|
147 |
|
|
148 |
$request = new SanitizerTestRequest(array('#q' => 'index.php')); |
|
149 |
$tests['sanitization GET'] = array($request); |
|
150 |
|
|
151 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value')); |
|
152 |
$tests['sanitization POST'] = array($request); |
|
153 |
|
|
154 |
$request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value')); |
|
155 |
$tests['sanitization COOKIE'] = array($request); |
|
156 |
|
|
157 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value')); |
|
158 |
$tests['sanitization GET, POST, COOKIE'] = array($request); |
|
159 |
|
|
160 |
$request = new SanitizerTestRequest(array('#q' => 'index.php')); |
|
161 |
$tests['sanitization GET log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q')); |
|
162 |
|
|
163 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value')); |
|
164 |
$tests['sanitization POST log'] = array($request, array(), array('Potentially unsafe keys removed from request body parameters (POST): #field')); |
|
165 |
|
|
166 |
$request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value')); |
|
167 |
$tests['sanitization COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from cookie parameters (COOKIE): #key')); |
|
168 |
|
|
169 |
$request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value')); |
|
170 |
$tests['sanitization GET, POST, COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q', 'Potentially unsafe keys removed from request body parameters (POST): #field', 'Potentially unsafe keys removed from cookie parameters (COOKIE): #key')); |
|
171 |
|
|
172 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))); |
|
173 |
$tests['recursive sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar')); |
|
174 |
|
|
175 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))); |
|
176 |
$tests['recursive no sanitization whitelist'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))), array(), array('#bar')); |
|
177 |
|
|
178 |
$request = new SanitizerTestRequest(array(), array('#field' => 'value')); |
|
179 |
$tests['no sanitization POST whitelist'] = array($request, array('request' => array('#field' => 'value')), array(), array('#field')); |
|
180 |
|
|
181 |
$request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo', '#foo' => 'bar'))); |
|
182 |
$tests['recursive multiple sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar, #foo')); |
|
183 |
|
|
184 |
$request = new SanitizerTestRequest(array('#q' => 'index.php')); |
|
185 |
$tests['already sanitized request'] = array($request, array('query' => array('#q' => 'index.php'))); |
|
186 |
|
|
187 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value')); |
|
188 |
$tests['destination removal GET'] = array($request); |
|
189 |
|
|
190 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value')); |
|
191 |
$tests['destination removal GET log'] = array($request, array(), array('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test')); |
|
192 |
|
|
193 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value')); |
|
194 |
$tests['destination removal subkey'] = array($request); |
|
195 |
|
|
196 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value')); |
|
197 |
$tests['destination whitelist'] = array($request, array('query' => array('destination' => 'whatever?q[%23test]=value')), array(), array('#test')); |
|
198 |
|
|
199 |
$request = new SanitizerTestRequest(array('destination' => "whatever?\x00bar=base&%23test=value")); |
|
200 |
$tests['destination removal zero byte'] = array($request); |
|
201 |
|
|
202 |
$request = new SanitizerTestRequest(array('destination' => 'whatever?q=value')); |
|
203 |
$tests['destination kept'] = array($request, array('query' => array('destination' => 'whatever?q=value'))); |
|
204 |
|
|
205 |
$request = new SanitizerTestRequest(array('destination' => 'whatever')); |
|
206 |
$tests['destination no query'] = array($request, array('query' => array('destination' => 'whatever'))); |
|
207 |
|
|
208 |
return $tests; |
|
209 |
} |
|
210 |
|
|
211 |
/** |
|
212 |
* Catches and logs errors to $this->errors. |
|
213 |
* |
|
214 |
* @param int $errno |
|
215 |
* The severity level of the error. |
|
216 |
* @param string $errstr |
|
217 |
* The error message. |
|
218 |
*/ |
|
219 |
public function sanitizerTestErrorHandler($errno, $errstr) { |
|
220 |
$this->errors[] = compact('errno', 'errstr'); |
|
221 |
} |
|
222 |
|
|
223 |
/** |
|
224 |
* Asserts that the expected error has been logged. |
|
225 |
* |
|
226 |
* @param string $errstr |
|
227 |
* The error message. |
|
228 |
* @param int $errno |
|
229 |
* The severity level of the error. |
|
230 |
* @param string $label |
|
231 |
* The label to include with the message. |
|
232 |
* |
|
233 |
* @return bool |
|
234 |
* TRUE if the assertion succeeded, FALSE otherwise. |
|
235 |
*/ |
|
236 |
protected function assertError($errstr, $errno, $label) { |
|
237 |
$label = (empty($label)) ? '' : $label . ': '; |
|
238 |
foreach ($this->errors as $error) { |
|
239 |
if ($error['errstr'] === $errstr && $error['errno'] === $errno) { |
|
240 |
return $this->pass($label . "Error with level $errno and message '$errstr' found"); |
|
241 |
} |
|
242 |
} |
|
243 |
return $this->fail($label . "Error with level $errno and message '$errstr' not found in " . var_export($this->errors, TRUE)); |
|
244 |
} |
|
245 |
|
|
246 |
/** |
|
247 |
* Asserts two values are equal, includes a label. |
|
248 |
* |
|
249 |
* @param mixed $first |
|
250 |
* The first value to check. |
|
251 |
* @param mixed $second |
|
252 |
* The second value to check. |
|
253 |
* @param string $message |
|
254 |
* The message to display along with the assertion. |
|
255 |
* @param string $group |
|
256 |
* The type of assertion - examples are "Browser", "PHP". |
|
257 |
* @param string $label |
|
258 |
* The label to include with the message. |
|
259 |
* |
|
260 |
* @return bool |
|
261 |
* TRUE if the assertion succeeded, FALSE otherwise. |
|
262 |
*/ |
|
263 |
protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') { |
|
264 |
$label = (empty($label)) ? '' : $label . ': '; |
|
265 |
$message = $message ? $message : t('Value @first is equal to value @second.', array( |
|
266 |
'@first' => var_export($first, TRUE), |
|
267 |
'@second' => var_export($second, TRUE), |
|
268 |
)); |
|
269 |
return $this->assert($first == $second, $label . $message, $group); |
|
270 |
} |
|
271 |
|
|
272 |
} |
|
273 |
|
|
274 |
/** |
|
275 |
* Basic HTTP Request class. |
|
276 |
*/ |
|
277 |
class SanitizerTestRequest { |
|
278 |
|
|
279 |
/** |
|
280 |
* The query (GET). |
|
281 |
* |
|
282 |
* @var array |
|
283 |
*/ |
|
284 |
protected $query; |
|
285 |
|
|
286 |
/** |
|
287 |
* The request (POST). |
|
288 |
* |
|
289 |
* @var array |
|
290 |
*/ |
|
291 |
protected $request; |
|
292 |
|
|
293 |
/** |
|
294 |
* The request attributes. |
|
295 |
* |
|
296 |
* @var array |
|
297 |
*/ |
|
298 |
protected $attributes; |
|
299 |
|
|
300 |
/** |
|
301 |
* The request cookies. |
|
302 |
* |
|
303 |
* @var array |
|
304 |
*/ |
|
305 |
protected $cookies; |
|
306 |
|
|
307 |
/** |
|
308 |
* Constructor. |
|
309 |
* |
|
310 |
* @param array $query |
|
311 |
* The GET parameters. |
|
312 |
* @param array $request |
|
313 |
* The POST parameters. |
|
314 |
* @param array $attributes |
|
315 |
* The request attributes. |
|
316 |
* @param array $cookies |
|
317 |
* The COOKIE parameters. |
|
318 |
*/ |
|
319 |
public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array()) { |
|
320 |
$this->query = $query; |
|
321 |
$this->request = $request; |
|
322 |
$this->attributes = $attributes; |
|
323 |
$this->cookies = $cookies; |
|
324 |
} |
|
325 |
|
|
326 |
/** |
|
327 |
* Getter for $query. |
|
328 |
*/ |
|
329 |
public function getQuery() { |
|
330 |
return $this->query; |
|
331 |
} |
|
332 |
|
|
333 |
/** |
|
334 |
* Getter for $request. |
|
335 |
*/ |
|
336 |
public function getRequest() { |
|
337 |
return $this->request; |
|
338 |
} |
|
339 |
|
|
340 |
/** |
|
341 |
* Getter for $attributes. |
|
342 |
*/ |
|
343 |
public function getAttributes() { |
|
344 |
return $this->attributes; |
|
345 |
} |
|
346 |
|
|
347 |
/** |
|
348 |
* Getter for $cookies. |
|
349 |
*/ |
|
350 |
public function getCookies() { |
|
351 |
return $this->cookies; |
|
352 |
} |
|
353 |
|
|
354 |
} |
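Review bot: setUp() installs sanitizerTestErrorHandler with set_error_handler(), but no tearDown() in this file calls restore_error_handler(), so the collecting handler stays installed after the test class finishes; because the handler returns nothing (not FALSE), any later warning or notice raised in the same PHP process is appended to $this->errors instead of reaching the runner. Adding `protected function tearDown() { restore_error_handler(); parent::tearDown(); }` bounds the handler to this test. For the same reason, requestSanitizationTest() overwrites $_GET, $_POST, $_COOKIE, $_REQUEST and $GLOBALS['conf'] without saving the previous values; if simpletest runs several classes in one process, the last case's state leaks into whatever follows, so snapshot them in setUp() and restore them in tearDown(). A lesser point: assertEqualLabelled() compares with `==`, which ignores key order and coerces scalars, so a "sanitized" value that merely type-juggles equal to the expectation would pass — `===` is the safer check for a sanitizer test.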
Update to 7.72