. * * @author TechFuze * @copyright Copyright (c) 2013 - 2016, Techfuze. (http://techfuze.net) * @copyright Copyright (c) 1996 - 2015, Free Software Foundation, Inc. (http://www.fsf.org/) * @license http://opensource.org/licenses/GPL-3.0 GPLv3 License * * @link http://fuzeworks.techfuze.net * @since Version 0.0.1 * * @version Version 0.0.1 */ use FuzeWorks\Factory; /** * Class SecurityTest. * * Core testing suite, will test security class functionality */ class securityTest extends CoreTestAbstract { public function setUp() { // Set cookie for security test $_COOKIE['fw_csrf_cookie'] = md5(uniqid(mt_rand(), TRUE)); // Set config for Security class $config = Factory::getInstance()->config->getConfig('security'); $config->csrf_protection = true; $config->csrf_token_name = 'fw_csrf_token'; $config->csrf_cookie_name = 'fw_csrf_cookie'; $this->security = new Mock_Core_Security(); } // -------------------------------------------------------------------- public function test_csrf_verify() { $_SERVER['REQUEST_METHOD'] = 'GET'; $this->assertInstanceOf('FuzeWorks\Security', $this->security->csrf_verify()); } // -------------------------------------------------------------------- /** * @expectedException FuzeWorks\SecurityException */ public function test_csrf_verify_invalid() { // Without issuing $_POST[csrf_token_name], this request will triggering CSRF error $_SERVER['REQUEST_METHOD'] = 'POST'; $this->security->csrf_verify(); } // -------------------------------------------------------------------- public function test_csrf_verify_valid() { $_SERVER['REQUEST_METHOD'] = 'POST'; $_POST[$this->security->csrf_token_name] = $this->security->csrf_hash; $this->assertInstanceOf('FuzeWorks\Security', $this->security->csrf_verify()); } // -------------------------------------------------------------------- public function test_get_csrf_hash() { $this->assertEquals($this->security->csrf_hash, $this->security->get_csrf_hash()); } // -------------------------------------------------------------------- public function test_get_csrf_token_name() { $this->assertEquals('fw_csrf_token', $this->security->get_csrf_token_name()); } // -------------------------------------------------------------------- public function test_xss_clean() { $harm_string = "Hello, i try to your site"; $harmless_string = $this->security->xss_clean($harm_string); $this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_string); } // -------------------------------------------------------------------- public function test_xss_clean_string_array() { $harm_strings = array( "Hello, i try to your site", "Simple clean string", "Hello, i try to your site" ); $harmless_strings = $this->security->xss_clean($harm_strings); $this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[0]); $this->assertEquals("Simple clean string", $harmless_strings[1]); $this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[2]); } // -------------------------------------------------------------------- public function test_xss_clean_image_valid() { $harm_string = '

'; $xss_clean_return = $this->security->xss_clean($harm_string, TRUE); // $this->assertTrue($xss_clean_return); } // -------------------------------------------------------------------- public function test_xss_clean_image_invalid() { $harm_string = '

'; $xss_clean_return = $this->security->xss_clean($harm_string, TRUE); $this->assertFalse($xss_clean_return); } // -------------------------------------------------------------------- public function test_xss_clean_entity_double_encoded() { $input = 'Clickhere'; $this->assertEquals('Clickhere', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- public function text_xss_clean_js_link_removal() { // This one is to prevent a false positive $this->assertEquals( "", $this->security->xss_clean("") ); } // -------------------------------------------------------------------- public function test_xss_clean_js_img_removal() { $input = '

Clickhere'; $this->assertEquals('', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- public function test_xss_clean_sanitize_naughty_html_tags() { $this->assertEquals('<unclosedTag', $this->security->xss_clean('assertEquals('<blink>', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( ' src="x">', $this->security->xss_clean(' src="x">') ); $this->assertEquals( '

on=">"x onerror="alert(1)">', $this->security->xss_clean('

on=">"x onerror="alert(1)">') ); } // -------------------------------------------------------------------- public function test_xss_clean_sanitize_naughty_html_attributes() { $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('onOutsideOfTag=test', $this->security->xss_clean('onOutsideOfTag=test')); $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan="quotes">') ); $this->assertEquals( '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan=noQuotes>') ); $this->assertEquals( '

on=<svg> onerror=alert(1)>', $this->security->xss_clean('

on=

"<svg> onerror=alert(1) onmouseover=alert(1)>', $this->security->xss_clean('

on=\'x\' onerror=``,alert(1)>', $this->security->xss_clean('

on=\'x\' onerror=``,alert(1)>') ); $this->assertEquals( '', $this->security->xss_clean('') ); $this->assertEquals( '

on=\'x\' onerror=,xssm()>', $this->security->xss_clean('

on=\'x\' onerror=,xssm()>') ); $this->assertEquals( '

', $this->security->xss_clean('