author | ArthurHoaro <arthur@hoa.ro> | 2017-05-31 17:52:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-05-31 17:52:19 +0200 |
commit | ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch) | |
tree | b235a4ed0e5291d7ad2f008df5bbed4d43200cbe /tests | |
parent | 268309df5d8110f516940be06e9481d66f3fb5d6 (diff) | |
parent | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff) | |
download | Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.gz Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.zst Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.zip |
Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols
Add a whitelist of protocols for URLs
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Url/WhitelistProtocolsTest.php | 63 | ||||
-rw-r--r-- | tests/plugins/PluginMarkdownTest.php | 11 | ||||
-rw-r--r-- | tests/plugins/resources/markdown.html | 11 | ||||
-rw-r--r-- | tests/plugins/resources/markdown.md | 12 |
4 files changed, 92 insertions, 5 deletions
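--- /dev/null
+++ b/tests/Url/WhitelistProtocolsTest.php
@@ -0,0 +1,63 @@
+<?php
+
+require_once 'application/Url.php';
+
+use Shaarli\Config\ConfigManager;
+
+/**
+* Class WhitelistProtocolsTest
+*
+* Test whitelist_protocols() function of Url.
+*/
+class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
+{
+/**
+* Test whitelist_protocols() on a note (relative URL).
+*/
+public function testWhitelistProtocolsRelative()
+{
+$whitelist = ['ftp', 'magnet'];
+$url = '?12443564';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+$url = '/path.jpg';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+}
+
+/**
+* Test whitelist_protocols() on a note (relative URL).
+*/
+public function testWhitelistProtocolMissing()
+{
+$whitelist = ['ftp', 'magnet'];
+$url = 'test.tld/path/?query=value#hash';
+$this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
+}
+
+/**
+* Test whitelist_protocols() with allowed protocols.
+*/
+public function testWhitelistAllowedProtocol()
+{
+$whitelist = ['ftp', 'magnet'];
+$url = 'http://test.tld/path/?query=value#hash';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+$url = 'https://test.tld/path/?query=value#hash';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+$url = 'ftp://test.tld/path/?query=value#hash';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+$url = 'magnet:test.tld/path/?query=value#hash';
+$this->assertEquals($url, whitelist_protocols($url, $whitelist));
+}
+
+/**
+* Test whitelist_protocols() with allowed protocols.
+*/
+public function testWhitelistDisallowedProtocol()
+{
+$whitelist = ['ftp', 'magnet'];
+$url = 'javascript:alert("xss");';
+$this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
+$url = 'other://test.tld/path/?query=value#hash';
+$this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
+}
+}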
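Review bot: The docblocks on the second and fourth test methods are copied from their neighbours and misdescribe them: testWhitelistProtocolMissing is documented as "on a note (relative URL)" and testWhitelistDisallowedProtocol as "with allowed protocols"; suggested replacements are `* Test whitelist_protocols() on a URL without a scheme: http:// is prepended.` and `* Test whitelist_protocols() with a disallowed scheme: it is replaced by http://.`. The `use Shaarli\Config\ConfigManager;` import is never referenced in this file and can be dropped. The assertions also show http and https passing with a whitelist of only ftp and magnet, so the class docblock could say that those two appear to be allowed regardless of the list. Since URL schemes are case-insensitive, a further case such as `'JavaScript:alert("xss");'` expecting the same rewrite would pin that the check does not depend on letter case; the implementation is not in this diff, so whether that already holds cannot be seen here.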
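--- a/tests/plugins/PluginMarkdownTest.php
+++ b/tests/plugins/PluginMarkdownTest.php
@@ -26,6 +26,7 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 {
 PluginManager::$PLUGINS_PATH = 'plugins';
 $this->conf = new ConfigManager('tests/utils/config/configJson');
+$this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
 }
 
 /**
@@ -183,15 +184,19 @@ class PluginMarkdownTest extends PHPUnit_Framework_TestCase
 }
 
 /**
-* Test hashtag links processed with markdown.
+* Make sure that the generated HTML match the reference HTML file.
 */
-public function testMarkdownHashtagLinks()
+public function testMarkdownGlobalProcessDescription()
 {
 $md = file_get_contents('tests/plugins/resources/markdown.md');
 $md = format_description($md);
 $html = file_get_contents('tests/plugins/resources/markdown.html');
 
-$data = process_markdown($md);
+$data = process_markdown(
+$md,
+$this->conf->get('security.markdown_escape', true),
+$this->conf->get('security.allowed_protocols')
+);
 $this->assertEquals($html, $data);
 }
 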
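Review bot: The two `$this->conf->get()` arguments on the new process_markdown() call are inconsistent: `security.markdown_escape` is read with an explicit default of true while `security.allowed_protocols` has none, so any test that copies this call without the setUp() assignment would hand process_markdown() whatever ConfigManager::get returns for a missing key. Because the expected HTML fixture only holds for exactly that whitelist, a comment on the setUp() line in the first hunk would make the coupling explicit: `// markdown.md / markdown.html fixtures assume exactly this whitelist`. The `['ftp', 'magnet']` list here duplicates the one in tests/Url/WhitelistProtocolsTest.php; a shared constant would keep the two from drifting apart. setUp() begins before the first hunk; the renamed testMarkdownGlobalProcessDescription() lies entirely inside the second.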
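--- a/tests/plugins/resources/markdown.html
+++ b/tests/plugins/resources/markdown.html
@@ -21,4 +21,13 @@
 next #foo</code></pre>
 <p>Block:</p>
 <pre><code>lorem ipsum #foobar http://link.tld
-#foobar http://link.tld</code></pre></div>
\ No newline at end of file
+#foobar http://link.tld</code></pre>
+<p><a href="?123456">link</a><br />
+<img src="/img/train.png" alt="link" /><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="https://test.tld/path/?query=value#hash">link</a><br />
+<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
+<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
+<a href="http://alert('xss')">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a></p></div>
\ No newline at end of file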
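--- a/tests/plugins/resources/markdown.md
+++ b/tests/plugins/resources/markdown.md
@@ -21,4 +21,14 @@ Block:
 ```
 lorem ipsum #foobar http://link.tld
 #foobar http://link.tld
-```
\ No newline at end of file
+```
+
+[link](?123456)
+![link](/img/train.png)
+[link](test.tld/path/?query=value#hash)
+[link](http://test.tld/path/?query=value#hash)
+[link](https://test.tld/path/?query=value#hash)
+[link](ftp://test.tld/path/?query=value#hash)
+[link](magnet:test.tld/path/?query=value#hash)
+[link](javascript:alert('xss'))
+[link](other://test.tld/path/?query=value#hash)
\ No newline at end of file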