
<?php
/**
 * @file
 * Tests for the RequestSanitizer class.
 */
/**
 * Tests DrupalRequestSanitizer class.
 */
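class RequestSanitizerTest extends DrupalUnitTestCase {

  /**
   * Log of errors triggered during sanitization.
   *
   * Each entry is an array with the keys 'errno' and 'errstr', appended by
   * sanitizerTestErrorHandler(). It is emptied before every provider case.
   *
   * @var array
   */
  protected $errors = array();

  /**
   * Copies of $_GET, $_POST, $_COOKIE and $_REQUEST taken in setUp().
   *
   * requestSanitizationTest() overwrites these superglobals; tearDown() puts
   * the originals back so the overrides do not outlive the test.
   *
   * @var array
   */
  protected $originalGlobals = array();

  /**
   * Copies of the $conf entries overridden by requestSanitizationTest().
   *
   * Keyed by variable name. A variable that was not set before the test is
   * absent from this array and is unset again in tearDown().
   *
   * @var array
   */
  protected $originalConf = array();

  /**
   * Names of the $conf variables requestSanitizationTest() overrides.
   *
   * @var array
   */
  protected static $confOverrides = array('sanitize_input_whitelist', 'sanitize_input_logging');

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'DrupalRequestSanitizer',
      'description' => 'Test the DrupalRequestSanitizer class',
      'group' => 'System',
    );
  }

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
    parent::setUp();
    $this->errors = array();
    // Snapshot everything requestSanitizationTest() is about to overwrite so
    // tearDown() can restore it.
    $this->originalGlobals = array(
      '_GET' => $_GET,
      '_POST' => $_POST,
      '_COOKIE' => $_COOKIE,
      '_REQUEST' => $_REQUEST,
    );
    $this->originalConf = array();
    foreach (self::$confOverrides as $name) {
      if (isset($GLOBALS['conf']) && array_key_exists($name, $GLOBALS['conf'])) {
        $this->originalConf[$name] = $GLOBALS['conf'][$name];
      }
    }
    // The sanitizer reports removed keys as E_USER_NOTICE; capture those
    // notices here so assertError() can inspect them instead of letting the
    // test runner's own handler (presumably installed around each test
    // method) see them.
    set_error_handler(array($this, "sanitizerTestErrorHandler"));
  }

  /**
   * {@inheritdoc}
   */
  protected function tearDown() {
    // Pop the handler pushed in setUp(); without this it would stay active
    // after the test finished and whatever handler was installed underneath
    // would never be restored by the runner's own restore_error_handler().
    restore_error_handler();
    // Put back the superglobals and $conf entries the test overwrote.
    foreach ($this->originalGlobals as $name => $value) {
      $GLOBALS[$name] = $value;
    }
    foreach (self::$confOverrides as $name) {
      if (array_key_exists($name, $this->originalConf)) {
        $GLOBALS['conf'][$name] = $this->originalConf[$name];
      }
      else {
        unset($GLOBALS['conf'][$name]);
      }
    }
    parent::tearDown();
  }

  /**
   * Runs every case returned by requestSanitizerTests().
   *
   * Each provider entry is a list: the SanitizerTestRequest, then optionally
   * the expected globals, the expected errors (NULL disables logging) and
   * the whitelist. Missing positions take their defaults here so that
   * requestSanitizationTest() always receives all four values.
   */
  public function testRequestSanitization() {
    foreach ($this->requestSanitizerTests() as $label => $data) {
      $this->errors = array();
      // Fill in the optional positions of the provider entry.
      $request = $data[0];
      $expected = isset($data[1]) ? $data[1] : array();
      $expected_errors = isset($data[2]) ? $data[2] : NULL;
      $whitelist = isset($data[3]) ? $data[3] : array();
      $this->requestSanitizationTest($request, $expected, $expected_errors, $whitelist, $label);
    }
  }

  /**
   * Tests RequestSanitizer class.
   *
   * Loads the request into the PHP superglobals, runs the sanitizer (and the
   * destination cleaner when a 'destination' query key survives), then
   * compares the superglobals and the captured errors with the expectations.
   *
   * @param \SanitizerTestRequest $request
   *   The request to sanitize.
   * @param array $expected
   *   An array of expected request parameters after sanitization, keyed by
   *   'cookies', 'query' and 'request'. Missing keys default to an empty
   *   array.
   * @param array|null $expected_errors
   *   An array of expected errors. If set to NULL then error logging is
   *   disabled; an empty array enables logging and asserts nothing was
   *   logged.
   * @param array $whitelist
   *   An array of keys to whitelist and not sanitize.
   * @param string $label
   *   A descriptive name for each test / group of assertions. The label
   *   'already sanitized request' skips the reset of the sanitizer's static
   *   'sanitized' flag, so that case depends on a previous case in the same
   *   run having called DrupalRequestSanitizer::sanitize().
   *
   * @throws \ReflectionException
   */
  public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) {
    // Set up globals.
    $_GET = $request->getQuery();
    $_POST = $request->getRequest();
    $_COOKIE = $request->getCookies();
    $_REQUEST = array_merge($request->getQuery(), $request->getRequest());

    $GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist;
    // Logging is on exactly when the caller supplied an errors array.
    $GLOBALS['conf']['sanitize_input_logging'] = !is_null($expected_errors);
    if ($label !== 'already sanitized request') {
      // The sanitizer runs only once per process; clear its private static
      // flag so every case really sanitizes.
      $reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized');
      $reflection->setAccessible(TRUE);
      $reflection->setValue(NULL, FALSE);
    }
    DrupalRequestSanitizer::sanitize();
    if (isset($_GET['destination'])) {
      DrupalRequestSanitizer::cleanDestination();
    }

    // Normalise the expected data.
    $expected += array(
      'cookies' => array(),
      'query' => array(),
      'request' => array(),
    );

    // Test PHP globals.
    $this->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)');
    $this->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)');
    $this->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)');
    // $_REQUEST was built from GET then POST above, so merge in that order.
    $expected_request = array_merge($expected['query'], $expected['request']);
    $this->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)');

    // Ensure any expected errors have been triggered.
    if (!empty($expected_errors)) {
      foreach ($expected_errors as $expected_error) {
        $this->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)');
      }
    }
    else {
      $this->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)');
    }
  }

  /**
   * Data provider for testRequestSanitization.
   *
   * Each value is a list of one to four elements: the request, the expected
   * globals, the expected errors and the whitelist. Cases are ordered; the
   * 'already sanitized request' case relies on an earlier case having run
   * the sanitizer.
   *
   * @return array
   *   A list of tests to carry out, keyed by label.
   */
  public function requestSanitizerTests() {
    $tests = array();

    $request = new SanitizerTestRequest(array('q' => 'index.php'));
    $tests['no sanitization GET'] = array($request, array('query' => array('q' => 'index.php')));

    $request = new SanitizerTestRequest(array(), array('field' => 'value'));
    $tests['no sanitization POST'] = array($request, array('request' => array('field' => 'value')));

    $request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
    $tests['no sanitization COOKIE'] = array($request, array('cookies' => array('key' => 'value')));

    $request = new SanitizerTestRequest(array('q' => 'index.php'), array('field' => 'value'), array(), array('key' => 'value'));
    $tests['no sanitization GET, POST, COOKIE'] = array($request, array('query' => array('q' => 'index.php'), 'request' => array('field' => 'value'), 'cookies' => array('key' => 'value')));

    $request = new SanitizerTestRequest(array('q' => 'index.php'));
    $tests['no sanitization GET log'] = array($request, array('query' => array('q' => 'index.php')), array());

    $request = new SanitizerTestRequest(array(), array('field' => 'value'));
    $tests['no sanitization POST log'] = array($request, array('request' => array('field' => 'value')), array());

    $request = new SanitizerTestRequest(array(), array(), array(), array('key' => 'value'));
    $tests['no sanitization COOKIE log'] = array($request, array('cookies' => array('key' => 'value')), array());

    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests['sanitization GET'] = array($request);

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['sanitization POST'] = array($request);

    $request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
    $tests['sanitization COOKIE'] = array($request);

    $request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
    $tests['sanitization GET, POST, COOKIE'] = array($request);

    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests['sanitization GET log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q'));

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['sanitization POST log'] = array($request, array(), array('Potentially unsafe keys removed from request body parameters (POST): #field'));

    $request = new SanitizerTestRequest(array(), array(), array(), array('#key' => 'value'));
    $tests['sanitization COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));

    $request = new SanitizerTestRequest(array('#q' => 'index.php'), array('#field' => 'value'), array(), array('#key' => 'value'));
    $tests['sanitization GET, POST, COOKIE log'] = array($request, array(), array('Potentially unsafe keys removed from query string parameters (GET): #q', 'Potentially unsafe keys removed from request body parameters (POST): #field', 'Potentially unsafe keys removed from cookie parameters (COOKIE): #key'));

    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
    $tests['recursive sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar'));

    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo')));
    $tests['recursive no sanitization whitelist'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array('#bar' => 'foo'))), array(), array('#bar'));

    $request = new SanitizerTestRequest(array(), array('#field' => 'value'));
    $tests['no sanitization POST whitelist'] = array($request, array('request' => array('#field' => 'value')), array(), array('#field'));

    $request = new SanitizerTestRequest(array('q' => 'index.php', 'foo' => array('#bar' => 'foo', '#foo' => 'bar')));
    $tests['recursive multiple sanitization log'] = array($request, array('query' => array('q' => 'index.php', 'foo' => array())), array('Potentially unsafe keys removed from query string parameters (GET): #bar, #foo'));

    // Must come after a case that ran the sanitizer: the static flag is left
    // set, so the '#q' key is expected to survive untouched.
    $request = new SanitizerTestRequest(array('#q' => 'index.php'));
    $tests['already sanitized request'] = array($request, array('query' => array('#q' => 'index.php')));

    $request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
    $tests['destination removal GET'] = array($request);

    $request = new SanitizerTestRequest(array('destination' => 'whatever?%23test=value'));
    $tests['destination removal GET log'] = array($request, array(), array('Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test'));

    $request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
    $tests['destination removal subkey'] = array($request);

    $request = new SanitizerTestRequest(array('destination' => 'whatever?q[%23test]=value'));
    $tests['destination whitelist'] = array($request, array('query' => array('destination' => 'whatever?q[%23test]=value')), array(), array('#test'));

    $request = new SanitizerTestRequest(array('destination' => "whatever?\x00bar=base&%23test=value"));
    $tests['destination removal zero byte'] = array($request);

    $request = new SanitizerTestRequest(array('destination' => 'whatever?q=value'));
    $tests['destination kept'] = array($request, array('query' => array('destination' => 'whatever?q=value')));

    $request = new SanitizerTestRequest(array('destination' => 'whatever'));
    $tests['destination no query'] = array($request, array('query' => array('destination' => 'whatever')));

    return $tests;
  }

  /**
   * Catches and logs errors to $this->errors.
   *
   * @param int $errno
   *   The severity level of the error.
   * @param string $errstr
   *   The error message.
   *
   * @return bool
   *   TRUE, so PHP treats the error as handled and does not report it again.
   */
  public function sanitizerTestErrorHandler($errno, $errstr) {
    $this->errors[] = compact('errno', 'errstr');
    return TRUE;
  }

  /**
   * Asserts that the expected error has been logged.
   *
   * Both the message and the level must match an entry in $this->errors
   * exactly.
   *
   * @param string $errstr
   *   The error message.
   * @param int $errno
   *   The severity level of the error.
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertError($errstr, $errno, $label) {
    $label = (empty($label)) ? '' : $label . ': ';
    foreach ($this->errors as $error) {
      if ($error['errstr'] === $errstr && $error['errno'] === $errno) {
        return $this->pass($label . "Error with level $errno and message '$errstr' found");
      }
    }
    return $this->fail($label . "Error with level $errno and message '$errstr' not found in " . var_export($this->errors, TRUE));
  }

  /**
   * Asserts two values are equal, includes a label.
   *
   * Uses loose (==) comparison, so arrays match regardless of key order.
   *
   * @param mixed $first
   *   The first value to check.
   * @param mixed $second
   *   The second value to check.
   * @param string $message
   *   The message to display along with the assertion.
   * @param string $group
   *   The type of assertion - examples are "Browser", "PHP".
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') {
    $label = (empty($label)) ? '' : $label . ': ';
    $message = $message ? $message : t('Value @first is equal to value @second.', array(
      '@first' => var_export($first, TRUE),
      '@second' => var_export($second, TRUE),
    ));
    return $this->assert($first == $second, $label . $message, $group);
  }

}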
/**
 * Basic HTTP Request class.
 */
class SanitizerTestRequest {

  /**
   * Query string (GET) parameters.
   *
   * @var array
   */
  protected $query;

  /**
   * Request body (POST) parameters.
   *
   * @var array
   */
  protected $request;

  /**
   * Arbitrary request attributes.
   *
   * @var array
   */
  protected $attributes;

  /**
   * Cookie parameters.
   *
   * @var array
   */
  protected $cookies;

  /**
   * Stores the four input bags of a request.
   *
   * The class has no setters, so the values are fixed at construction time
   * and only exposed through the getters below.
   *
   * @param array $query
   *   The GET parameters.
   * @param array $request
   *   The POST parameters.
   * @param array $attributes
   *   The request attributes.
   * @param array $cookies
   *   The COOKIE parameters.
   */
  public function __construct(array $query = array(), array $request = array(), array $attributes = array(), array $cookies = array()) {
    // Every argument maps onto the property of the same name.
    foreach (compact('query', 'request', 'attributes', 'cookies') as $property => $values) {
      $this->$property = $values;
    }
  }

  /**
   * Returns the GET parameters given to the constructor.
   *
   * @return array
   *   The query parameters.
   */
  public function getQuery() {
    return $this->query;
  }

  /**
   * Returns the POST parameters given to the constructor.
   *
   * @return array
   *   The request body parameters.
   */
  public function getRequest() {
    return $this->request;
  }

  /**
   * Returns the attributes given to the constructor.
   *
   * @return array
   *   The request attributes.
   */
  public function getAttributes() {
    return $this->attributes;
  }

  /**
   * Returns the COOKIE parameters given to the constructor.
   *
   * @return array
   *   The cookie parameters.
   */
  public function getCookies() {
    return $this->cookies;
  }

}