authorArthurHoaro <arthur@hoa.ro>2017-05-31 17:52:19 +0200
committerGitHub <noreply@github.com>2017-05-31 17:52:19 +0200
commitac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch)
treeb235a4ed0e5291d7ad2f008df5bbed4d43200cbe /tests
parent268309df5d8110f516940be06e9481d66f3fb5d6 (diff)
parent86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff)
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'tests')
-rw-r--r--tests/Url/WhitelistProtocolsTest.php63
-rw-r--r--tests/plugins/PluginMarkdownTest.php11
-rw-r--r--tests/plugins/resources/markdown.html11
-rw-r--r--tests/plugins/resources/markdown.md12
4 files changed, 92 insertions, 5 deletions
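--- /dev/null
+++ b/tests/Url/WhitelistProtocolsTest.php
@@ -0,0 +1,63 @@
+<?php
+
+require_once 'application/Url.php';
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * Class WhitelistProtocolsTest
+ *
+ * Test whitelist_protocols() function of Url.
+ */
+class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
+{
+ /**
+ * Test whitelist_protocols() on a note (relative URL).
+ */
+ public function testWhitelistProtocolsRelative()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = '?12443564';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = '/path.jpg';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() on a note (relative URL).
+ */
+ public function testWhitelistProtocolMissing()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'test.tld/path/?query=value#hash';
+ $this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() with allowed protocols.
+ */
+ public function testWhitelistAllowedProtocol()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'http://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'https://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'ftp://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'magnet:test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() with allowed protocols.
+ */
+ public function testWhitelistDisallowedProtocol()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'javascript:alert("xss");';
+ $this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
+ $url = 'other://test.tld/path/?query=value#hash';
+ $this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
+ }
+}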
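Review bot: The docblocks on testWhitelistProtocolMissing and testWhitelistDisallowedProtocol were copy-pasted and describe the wrong case — `* Test whitelist_protocols() on a note (relative URL).` sits above the missing-protocol test and `* Test whitelist_protocols() with allowed protocols.` above the disallowed one; suggest `* Test whitelist_protocols() on a URL without a scheme: the default http:// is prepended.` and `* Test whitelist_protocols() with disallowed protocols: the scheme is replaced by http://.` respectively. `use Shaarli\Config\ConfigManager;` is not referenced anywhere in this file and can be dropped. The disallowed-protocol cases only pin lowercase schemes; whether whitelist_protocols() compares schemes case-insensitively is not visible here, so a mixed-case variant of the existing `javascript:` case would pin that part of the contract too.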
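--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -26,6 +26,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  {
  PluginManager::$PLUGINS_PATH = 'plugins';
  $this->conf = new ConfigManager('tests/utils/config/configJson');
+ $this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
  }
 
  /**
@@ -183,15 +184,19 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
  }
 
  /**
- * Test hashtag links processed with markdown.
+ * Make sure that the generated HTML match the reference HTML file.
  */
- public function testMarkdownHashtagLinks()
+ public function testMarkdownGlobalProcessDescription()
  {
  $md = file_get_contents('tests/plugins/resources/markdown.md');
  $md = format_description($md);
  $html = file_get_contents('tests/plugins/resources/markdown.html');
 
- $data = process_markdown($md);
+ $data = process_markdown(
+ $md,
+ $this->conf->get('security.markdown_escape', true),
+ $this->conf->get('security.allowed_protocols')
+ );
  $this->assertEquals($html, $data);
  }
 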
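Review bot: The docblock added at new line 187 reads `* Make sure that the generated HTML match the reference HTML file.`; it should read `* Make sure that the generated HTML matches the reference HTML file.` In the process_markdown() call, the markdown_escape argument carries a fallback (`true`) while `$this->conf->get('security.allowed_protocols')` does not, so the test only works because setUp() sets that key in the first hunk of this file; making that explicit, e.g. `$this->conf->get('security.allowed_protocols', ['ftp', 'magnet'])`, or naming the dependency in the docblock, would keep the test self-describing. The class continues past the end of this hunk.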
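--- a/tests/plugins/resources/markdown.html
+++ b/tests/plugins/resources/markdown.html
@@ -21,4 +21,13 @@
 next #foo</code></pre>
 <p>Block:</p>
 <pre><code>lorem ipsum #foobar http://link.tld
-#foobar http://link.tld</code></pre></div>
\ No newline at end of file
+#foobar http://link.tld</code></pre>
+<p><a href="?123456">link</a><br />
+<img src="/img/train.png" alt="link" /><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="https://test.tld/path/?query=value#hash">link</a><br />
+<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
+<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
+<a href="http://alert('xss')">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a></p></div>
\ No newline at end of file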
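--- a/tests/plugins/resources/markdown.md
+++ b/tests/plugins/resources/markdown.md
@@ -21,4 +21,14 @@ Block:
 ```
 lorem ipsum #foobar http://link.tld
 #foobar http://link.tld
-```
\ No newline at end of file
+```
+
+[link](?123456)
+![link](/img/train.png)
+[link](test.tld/path/?query=value#hash)
+[link](http://test.tld/path/?query=value#hash)
+[link](https://test.tld/path/?query=value#hash)
+[link](ftp://test.tld/path/?query=value#hash)
+[link](magnet:test.tld/path/?query=value#hash)
+[link](javascript:alert('xss'))
+[link](other://test.tld/path/?query=value#hash)
\ No newline at end of file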