From 34004612acb0c55f1cf86271d5a62c1b396ee829 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 16 Nov 2014 13:09:03 +0100 Subject: [ticket/security-171] Sanitize data from composer.json SECURITY-171 --- tests/extension/metadata_manager_test.php | 1 + tests/mock/metadata_manager.php | 2 ++ 2 files changed, 3 insertions(+) (limited to 'tests') diff --git a/tests/extension/metadata_manager_test.php b/tests/extension/metadata_manager_test.php index 8e27b39459..fab1d3af3a 100644 --- a/tests/extension/metadata_manager_test.php +++ b/tests/extension/metadata_manager_test.php @@ -123,6 +123,7 @@ class phpbb_extension_metadata_manager_test extends phpbb_database_test_case } $json = json_decode(file_get_contents($this->phpbb_root_path . 'ext/vendor2/foo/composer.json'), true); + array_walk_recursive($json, array($manager, 'sanitize_json')); $this->assertEquals($metadata, $json); } diff --git a/tests/mock/metadata_manager.php b/tests/mock/metadata_manager.php index 16900a0fc1..2443fad560 100644 --- a/tests/mock/metadata_manager.php +++ b/tests/mock/metadata_manager.php @@ -15,11 +15,13 @@ class phpbb_mock_metadata_manager extends \phpbb\extension\metadata_manager { public function set_metadata($metadata) { + array_walk_recursive($metadata, array($this, 'sanitize_json')); $this->metadata = $metadata; } public function merge_metadata($metadata) { + array_walk_recursive($metadata, array($this, 'sanitize_json')); $this->metadata = array_merge($this->metadata, $metadata); } } -- cgit v1.2.1 From 4ee05b1c17fa1be0c911c9d37e106f19b23ebac2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 17 Nov 2014 00:33:51 +0100 Subject: [ticket/security-171] Add tests for retrieved remote data in version_helper SECURITY-171 --- tests/version/version_helper_remote_test.php | 181 +++++++++++++++++++++++++++ 1 file changed, 181 insertions(+) create mode 100644 tests/version/version_helper_remote_test.php (limited to 'tests') diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php new file mode 100644 index 0000000000..8eff1dd520 --- /dev/null +++ b/tests/version/version_helper_remote_test.php @@ -0,0 +1,181 @@ + + * @license GNU General Public License, version 2 (GPL-2.0) + * + * For full copyright and license information, please see + * the docs/CREDITS.txt file. + * + */ + +namespace phpbb; + +class version_helper_remote_test extends \phpbb_test_case +{ + static $remote_data = ''; + protected $cache; + protected $version_helper; + + public function setUp() + { + parent::setUp(); + + global $phpbb_root_path, $phpEx; + + include_once($phpbb_root_path . 'includes/functions.' . $phpEx); + + $config = new \phpbb\config\config(array( + 'version' => '3.1.0', + )); + $container = new \phpbb_mock_container_builder(); + $db = new \phpbb\db\driver\factory($container); + $this->cache = $this->getMock('\phpbb\cache\service', array('get'), array(new \phpbb\cache\driver\null(), $config, $db, '../../', 'php')); + $this->cache->expects($this->any()) + ->method('get') + ->with($this->anything()) + ->will($this->returnValue(false)); + + $this->version_helper = new \phpbb\version_helper( + $this->cache, + $config, + new \phpbb\user('\phpbb\datetime') + ); + $this->user = new \phpbb\user('\phpbb\datetime'); + $this->user->add_lang('acp/common'); + } + + public function provider_get_versions() + { + return array( + array('', false), + array('foobar', false), + array('{ + "stable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": null, + "security": false + } + } +}', true, array ( + 'stable' => array ( + '1.0' => array ( + 'current' => '1.0.1', + 'download' => 'https://www.phpbb.com/customise/db/download/104136', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/', + 'eol' => NULL, + 'security' => false, + ), + ), + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1', + 'download' => 'https://www.phpbb.com/customise/db/download/104136', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/', + 'eol' => NULL, + 'security' => false, + ), + ), + )), + array('{ + "foobar": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": null, + "security": false + } + } +}', false), + array('{ + "stable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": "", + "security": "" + } + } +}', true, array ( + 'stable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + )), + array('{ + "unstable": { + "1.0": { + "current": "1.0.1", + "download": "https://www.phpbb.com/customise/db/download/104136", + "announcement": "https://www.phpbb.com/customise/db/extension/boardrules/", + "eol": "", + "security": "" + } + } +}', true, array ( + 'unstable' => array ( + '1.0' => array ( + 'current' => '1.0.1<script>alert(\'foo\');</script>', + 'download' => 'https://www.phpbb.com/customise/db/download/104136<script>alert(\'foo\');</script>', + 'announcement' => 'https://www.phpbb.com/customise/db/extension/boardrules/<script>alert(\'foo\');</script>', + 'eol' => '<script>alert(\'foo\');</script>', + 'security' => '<script>alert(\'foo\');</script>', + ), + ), + 'stable' => array(), + )), + ); + } + + /** + * @dataProvider provider_get_versions + */ + public function test_get_versions($input, $valid_data, $expected_return = '') + { + self::$remote_data = $input; + + if (!$valid_data) + { + try { + $return = $this->version_helper->get_versions(); + } catch (\RuntimeException $e) { + $this->assertEquals((string)$e->getMessage(), $this->user->lang('VERSIONCHECK_FAIL')); + } + } + else + { + $return = $this->version_helper->get_versions(); + } + + $this->assertEquals($expected_return, $return); + } +} + +/** + * Mock function for get_remote_file() + */ +function get_remote_file($host, $path, $file, $errstr, $errno) +{ + return \phpbb\version_helper_remote_test::$remote_data; +} -- cgit v1.2.1 From f648fe88d5bb2a6661d008724f255bb6df2799ca Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 21 Nov 2014 23:49:54 +0100 Subject: [ticket/security-171] Modify tests for new file_downloader class SECURITY-171 --- tests/mock/file_downloader.php | 27 +++++++++++++++++++++++++++ tests/version/version_helper_remote_test.php | 16 ++++------------ 2 files changed, 31 insertions(+), 12 deletions(-) create mode 100644 tests/mock/file_downloader.php (limited to 'tests') diff --git a/tests/mock/file_downloader.php b/tests/mock/file_downloader.php new file mode 100644 index 0000000000..d8951cebf6 --- /dev/null +++ b/tests/mock/file_downloader.php @@ -0,0 +1,27 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +class phpbb_mock_file_downloader extends \phpbb\file_downloader +{ + public $data; + + public function set($data) + { + $this->data = $data; + } + + public function get($host, $directory, $filename, $port = 80, $timeout = 6) + { + return $this->data; + } +} diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php index 8eff1dd520..23634cdf0a 100644 --- a/tests/version/version_helper_remote_test.php +++ b/tests/version/version_helper_remote_test.php @@ -11,11 +11,9 @@ * */ -namespace phpbb; - class version_helper_remote_test extends \phpbb_test_case { - static $remote_data = ''; + protected $file_downloader; protected $cache; protected $version_helper; @@ -37,10 +35,12 @@ class version_helper_remote_test extends \phpbb_test_case ->method('get') ->with($this->anything()) ->will($this->returnValue(false)); + $this->file_downloader = new phpbb_mock_file_downloader(); $this->version_helper = new \phpbb\version_helper( $this->cache, $config, + $this->file_downloader, new \phpbb\user('\phpbb\datetime') ); $this->user = new \phpbb\user('\phpbb\datetime'); @@ -153,7 +153,7 @@ class version_helper_remote_test extends \phpbb_test_case */ public function test_get_versions($input, $valid_data, $expected_return = '') { - self::$remote_data = $input; + $this->file_downloader->set($input);; if (!$valid_data) { @@ -171,11 +171,3 @@ class version_helper_remote_test extends \phpbb_test_case $this->assertEquals($expected_return, $return); } } - -/** - * Mock function for get_remote_file() - */ -function get_remote_file($host, $path, $file, $errstr, $errno) -{ - return \phpbb\version_helper_remote_test::$remote_data; -} -- cgit v1.2.1 From 0f06b88ee7aa508ea44704f2973ce1e57f9accf2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 22 Nov 2014 15:48:09 +0100 Subject: [ticket/security-171] Remove duplicate semicolon from tests SECURITY-171 --- tests/version/version_helper_remote_test.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tests') diff --git a/tests/version/version_helper_remote_test.php b/tests/version/version_helper_remote_test.php index 23634cdf0a..65ae7646b9 100644 --- a/tests/version/version_helper_remote_test.php +++ b/tests/version/version_helper_remote_test.php @@ -153,7 +153,7 @@ class version_helper_remote_test extends \phpbb_test_case */ public function test_get_versions($input, $valid_data, $expected_return = '') { - $this->file_downloader->set($input);; + $this->file_downloader->set($input); if (!$valid_data) { -- cgit v1.2.1