<?php
/**
* @file
* Tests for the RequestSanitizer class.
*/
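/**
 * Tests the DrupalRequestSanitizer class.
 *
 * Every case produced by requestSanitizerTests() is a SanitizerTestRequest
 * that is loaded into the PHP superglobals before
 * DrupalRequestSanitizer::sanitize() runs (followed by cleanDestination()
 * when a 'destination' query parameter survives). The resulting $_GET,
 * $_POST, $_COOKIE and $_REQUEST are then compared with the expected values.
 *
 * Taken together the cases show that:
 * - keys beginning with '#' are removed from GET, POST and COOKIE data,
 *   including nested arrays, unless listed in 'sanitize_input_whitelist';
 * - a 'destination' parameter is dropped when its own query string carries
 *   such a key (directly, as a sub-key, or alongside a NUL byte);
 * - each removal is reported as an E_USER_NOTICE when
 *   'sanitize_input_logging' is enabled, and nothing is reported otherwise.
 *
 * The test rewrites the superglobals and two $conf keys and installs its own
 * error handler; setUp() records the previous state and tearDown() restores
 * it so later tests in the same process are unaffected.
 */
class RequestSanitizerTest extends DrupalUnitTestCase {

  /**
   * Label of the case that must run against an already-sanitized request.
   *
   * requestSanitizationTest() skips resetting the sanitizer's static
   * 'sanitized' flag for this label, so the case exercises the "sanitize()
   * is a no-op the second time" path. It therefore has to be listed after a
   * case that has already run sanitize().
   */
  const ALREADY_SANITIZED_LABEL = 'already sanitized request';

  /**
   * $conf keys read by the sanitizer that this test overrides.
   *
   * @var array
   */
  protected static $confKeys = array('sanitize_input_whitelist', 'sanitize_input_logging');

  /**
   * Log of errors triggered during sanitization.
   *
   * Each entry is an array with 'errno' and 'errstr' keys, appended by
   * sanitizerTestErrorHandler(). Cleared before every case.
   *
   * @var array
   */
  protected $errors;

  /**
   * Request superglobals as they were before the test overwrote them.
   *
   * Keyed by superglobal name ('_GET', '_POST', '_COOKIE', '_REQUEST').
   *
   * @var array
   */
  protected $originalGlobals = array();

  /**
   * Values of self::$confKeys before the test changed them.
   *
   * A key that was not set at all is simply absent here so that tearDown()
   * can unset it again rather than leave a stray value behind.
   *
   * @var array
   */
  protected $originalConf = array();

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'DrupalRequestSanitizer',
      'description' => 'Test the DrupalRequestSanitizer class',
      'group' => 'System',
    );
  }

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
    parent::setUp();
    // Remember everything the test is about to clobber so tearDown() can put
    // it back: the request superglobals and the sanitizer's configuration.
    $this->originalGlobals = array(
      '_GET' => $_GET,
      '_POST' => $_POST,
      '_COOKIE' => $_COOKIE,
      '_REQUEST' => $_REQUEST,
    );
    $this->originalConf = array();
    foreach (self::$confKeys as $key) {
      if (isset($GLOBALS['conf']) && array_key_exists($key, $GLOBALS['conf'])) {
        $this->originalConf[$key] = $GLOBALS['conf'][$key];
      }
    }
    // Capture every error raised while sanitizing so the cases can assert on
    // the exact messages the sanitizer logs (or on their absence).
    set_error_handler(array($this, "sanitizerTestErrorHandler"));
  }

  /**
   * {@inheritdoc}
   */
  protected function tearDown() {
    // Undo setUp() in reverse order: drop our error handler, then restore the
    // superglobals and $conf keys, then let the parent clean up.
    restore_error_handler();
    foreach ($this->originalGlobals as $name => $values) {
      $GLOBALS[$name] = $values;
    }
    foreach (self::$confKeys as $key) {
      if (array_key_exists($key, $this->originalConf)) {
        $GLOBALS['conf'][$key] = $this->originalConf[$key];
      }
      else {
        unset($GLOBALS['conf'][$key]);
      }
    }
    parent::tearDown();
  }

  /**
   * Iterate through all the RequestSanitizerTests.
   */
  public function testRequestSanitization() {
    foreach ($this->requestSanitizerTests() as $label => $data) {
      $this->errors = array();
      // Normalize the test parameters: only the request is mandatory; the
      // expected data, expected errors and whitelist may be omitted.
      $test = array(
        'request' => $data[0],
        'expected' => isset($data[1]) ? $data[1] : array(),
        'expected_errors' => isset($data[2]) ? $data[2] : NULL,
        'whitelist' => isset($data[3]) ? $data[3] : array(),
      );
      $this->requestSanitizationTest($test['request'], $test['expected'], $test['expected_errors'], $test['whitelist'], $label);
    }
  }

  /**
   * Tests RequestSanitizer class.
   *
   * Loads $request into $_GET, $_POST, $_COOKIE and $_REQUEST, configures the
   * sanitizer from $whitelist and $expected_errors, runs it and asserts on the
   * resulting superglobals and on the errors that were logged.
   *
   * @param \SanitizerTestRequest $request
   *   The request to sanitize.
   * @param array $expected
   *   An array of expected request parameters after sanitization, keyed by
   *   'cookies', 'query' and 'request'; missing keys default to empty arrays.
   * @param array|null $expected_errors
   *   An array of expected errors. If set to NULL then error logging is
   *   disabled. An empty array enables logging but expects no errors.
   * @param array $whitelist
   *   An array of keys to whitelist and not sanitize.
   * @param string $label
   *   A descriptive name for each test / group of assertions. The label
   *   self::ALREADY_SANITIZED_LABEL leaves the sanitizer's 'sanitized' flag
   *   untouched so that sanitize() is exercised as a repeat call.
   *
   * @throws \ReflectionException
   */
  public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) {
    // Set up globals.
    $_GET = $request->getQuery();
    $_POST = $request->getRequest();
    $_COOKIE = $request->getCookies();
    $_REQUEST = array_merge($request->getQuery(), $request->getRequest());

    $GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist;
    // Logging is on whenever the caller states an expectation about errors,
    // even an empty one.
    $GLOBALS['conf']['sanitize_input_logging'] = is_null($expected_errors) ? FALSE : TRUE;
    if ($label !== self::ALREADY_SANITIZED_LABEL) {
      $this->resetSanitizedFlag();
    }
    DrupalRequestSanitizer::sanitize();
    if (isset($_GET['destination'])) {
      DrupalRequestSanitizer::cleanDestination();
    }

    // Normalise the expected data.
    $expected += array(
      'cookies' => array(),
      'query' => array(),
      'request' => array(),
    );

    // Test PHP globals.
    $this->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)');
    $this->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)');
    $this->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)');
    // $_REQUEST was built from query + request above, so it must now equal
    // the merge of their sanitized counterparts.
    $expected_request = array_merge($expected['query'], $expected['request']);
    $this->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)');

    // Ensure any expected errors have been triggered, and that nothing was
    // logged when no errors were expected (or logging was disabled).
    if (!empty($expected_errors)) {
      foreach ($expected_errors as $expected_error) {
        $this->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)');
      }
    }
    else {
      $this->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)');
    }
  }

  /**
   * Resets DrupalRequestSanitizer::$sanitized so sanitize() runs again.
   *
   * The flag is private and static, so reflection is the only way to make
   * each case start from an unsanitized state within a single process.
   *
   * @throws \ReflectionException
   */
  protected function resetSanitizedFlag() {
    $reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized');
    $reflection->setAccessible(TRUE);
    $reflection->setValue(NULL, FALSE);
  }

  /**
   * Data provider for testRequestSanitization.
   *
   * Each entry is keyed by its label and holds, in order: the request, the
   * expected superglobal contents, the expected error messages (NULL disables
   * logging) and the whitelist. Trailing elements may be omitted.
   *
   * @return array
   *   A list of tests to carry out.
   */
  public function requestSanitizerTests() {
    $tests = array();

    // Clean input passes through untouched, with logging disabled.
    $request = new SanitizerTestRequest(array('q' => 'index.php'));
    $tests['no sanitization GET'] = array($request, array('query' => array('q' => 'index.php')));

    $request = new SanitizerTestRequest(array(), array('field' => 'value'));
    $tests['no sanitization POST'] = array($request, array('request' => array('field' => 'value')));

    $request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
    $tests['no sanitization COOKIE'] = array($request, array('cookies' => array('key' => 'value')));

    $request = new SanitizerTestRequest(array('q' => 'index.php'), array('field' => 'value'), array(), array('key' => 'value'));
    $tests['no sanitization GET, POST, COOKIE'] = array($request, array('query' => array('q' => 'index.php'), 'request' => array('field' => 'value'), 'cookies' => array('key' => 'value')));

    // Clean input with logging enabled produces no errors.
    $request = new SanitizerTestRequest(array('q' => 'index.php'));
    $tests['no sanitization GET log'] = array($request, array('query' => array('q' => 'index.php')), array());

    $request = new SanitizerTestRequest(array(), array('field' => 'value'));
    $tests['no sanitization POST log'] = array($request, array('request' => array('field' => 'value')), array());

    $request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
    $tests['no sanitization COOKIE log'] = array($request, array('cookies' => array('key' => 'value')), array());

    // Keys beginning with '#' are stripped from every source.
    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests['sanitization GET'] = array($request);

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['sanitization POST'] = array($request);

    $request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
    $tests['sanitization COOKIE'] = array($request);

    $request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
    $tests['sanitization GET, POST, COOKIE'] = array($request);

    // ... and each removal is logged with a source-specific message.
    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests['sanitization GET log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q'));

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['sanitization POST log'] = array($request, array(), array('Potentially unsafe keys removed from request body parameters (POST): #field'));

    $request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
    $tests['sanitization COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));

    $request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
    $tests['sanitization GET, POST, COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q', 'Potentially unsafe keys removed from request body parameters (POST): #field', 'Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));

    // Nested arrays are sanitized too; the parent key is kept, emptied.
    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
    $tests['recursive sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar'));

    // Whitelisted keys survive at any depth and produce no errors.
    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
    $tests['recursive no sanitization whitelist'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))), array(), array('#bar'));

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['no sanitization POST whitelist'] = array($request, array('request' => array('#field' => 'value')), array(), array('#field'));

    // Several removed keys from one source are reported in a single message.
    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo', '#foo' => 'bar')));
    $tests['recursive multiple sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar, #foo'));

    // Order matters here: this case must follow one that has already run
    // sanitize(), because requestSanitizationTest() does not reset the
    // 'sanitized' flag for this label and expects the '#q' key to survive.
    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests[self::ALREADY_SANITIZED_LABEL] = array($request, array('query' => array('#q' => 'index.php')));

    // A 'destination' whose own query string carries a '#' key is dropped.
    $request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
    $tests['destination removal GET'] = array($request);

    $request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
    $tests['destination removal GET log'] = array($request, array(), array('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test'));

    $request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
    $tests['destination removal subkey'] = array($request);

    $request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
    $tests['destination whitelist'] = array($request, array('query' => array('destination' => 'whatever?q[%23test]=value')), array(), array('#test'));

    $request = new SanitizerTestRequest(array('destination' => "whatever?\x00bar=base&%23test=value"));
    $tests['destination removal zero byte'] = array($request);

    // Harmless destinations, with or without a query string, are kept.
    $request = new SanitizerTestRequest(array('destination' => 'whatever?q=value'));
    $tests['destination kept'] = array($request, array('query' => array('destination' => 'whatever?q=value')));

    $request = new SanitizerTestRequest(array('destination' => 'whatever'));
    $tests['destination no query'] = array($request, array('query' => array('destination' => 'whatever')));

    return $tests;
  }

  /**
   * Catches and logs errors to $this->errors.
   *
   * Installed by setUp() via set_error_handler(); records every error raised
   * while a case runs so assertError() can look it up afterwards.
   *
   * @param int $errno
   *   The severity level of the error.
   * @param string $errstr
   *   The error message.
   */
  public function sanitizerTestErrorHandler($errno, $errstr) {
    $this->errors[] = compact('errno', 'errstr');
  }

  /**
   * Asserts that the expected error has been logged.
   *
   * Both the message and the level must match exactly (strict comparison).
   *
   * @param string $errstr
   *   The error message.
   * @param int $errno
   *   The severity level of the error.
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertError($errstr, $errno, $label) {
    $label = (empty($label)) ? '' : $label . ': ';
    foreach ($this->errors as $error) {
      if ($error['errstr'] === $errstr && $error['errno'] === $errno) {
        return $this->pass($label . "Error with level $errno and message '$errstr' found");
      }
    }
    // Dump the whole log in the failure message so a mismatch is diagnosable.
    return $this->fail($label . "Error with level $errno and message '$errstr' not found in " . var_export($this->errors, TRUE));
  }

  /**
   * Asserts two values are equal, includes a label.
   *
   * Uses loose comparison (==), like DrupalTestCase::assertEqual(), so array
   * key order does not matter.
   *
   * @param mixed $first
   *   The first value to check.
   * @param mixed $second
   *   The second value to check.
   * @param string $message
   *   The message to display along with the assertion.
   * @param string $group
   *   The type of assertion - examples are "Browser", "PHP".
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') {
    $label = (empty($label)) ? '' : $label . ': ';
    $message = $message ? $message : t('Value @first is equal to value @second.', array(
      '@first' => var_export($first, TRUE),
      '@second' => var_export($second, TRUE),
    ));
    return $this->assert($first == $second, $label . $message, $group);
  }

}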
/**
 * Basic HTTP Request class.
 *
 * A plain value holder for the four parameter bags the sanitizer tests feed
 * into the PHP superglobals: query (GET), request (POST), attributes and
 * cookies. Instances are read through the getters only.
 */
class SanitizerTestRequest {

  /**
   * The query (GET).
   *
   * @var array
   */
  protected $query;

  /**
   * The request (POST).
   *
   * @var array
   */
  protected $request;

  /**
   * The request attributes.
   *
   * @var array
   */
  protected $attributes;

  /**
   * The request cookies.
   *
   * @var array
   */
  protected $cookies;

  /**
   * Constructor.
   *
   * Every bag defaults to an empty array, so a request may be built from any
   * prefix of the argument list.
   *
   * @param array $query
   *   The GET parameters.
   * @param array $request
   *   The POST parameters.
   * @param array $attributes
   *   The request attributes.
   * @param array $cookies
   *   The COOKIE parameters.
   */
  public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array()) {
    // Each parameter lands on the property of the same name.
    foreach (compact('query', 'request', 'attributes', 'cookies') as $name => $values) {
      $this->{$name} = $values;
    }
  }

  /**
   * Getter for $query.
   *
   * @return array
   *   The GET parameters.
   */
  public function getQuery() {
    return $this->query;
  }

  /**
   * Getter for $request.
   *
   * @return array
   *   The POST parameters.
   */
  public function getRequest() {
    return $this->request;
  }

  /**
   * Getter for $attributes.
   *
   * @return array
   *   The request attributes.
   */
  public function getAttributes() {
    return $this->attributes;
  }

  /**
   * Getter for $cookies.
   *
   * @return array
   *   The COOKIE parameters.
   */
  public function getCookies() {
    return $this->cookies;
  }

}