<?php
/**
 * Piwik - Open source web analytics
 *
 * @link    http://piwik.org
 * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later
 */
use Piwik\Common;
use Piwik\FrontController;
use Piwik\Plugins\Annotations\API as AnnotationsAPI;
use Piwik\Plugins\Goals\API as GoalsAPI;
use Piwik\Plugins\SegmentEditor\API as SegmentEditorAPI;
use Piwik\WidgetsList;

require_once PIWIK_INCLUDE_PATH . '/tests/PHPUnit/Fixtures/ManySitesImportedLogs.php';

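/**
 * Imports visits from several log files using the python log importer &
 * adds goals/sites/etc. whose user-controlled text fields carry XSS probe markup.
 *
 * Every probe comes from makeXssContent(). It is seeded into the site name,
 * a goal name, the dashboard names, a segment name and one annotation, so
 * that tests rendering this data exercise output escaping for each of those
 * fields. Only the site name is sanitized before storage; the other values
 * are handed to the API/controller exactly as generated.
 */
class Test_Piwik_Fixture_ManySitesImportedLogsWithXssAttempts extends Test_Piwik_Fixture_ManySitesImportedLogs
{
    /**
     * Runs the parent fixture setup, then adds the dashboards, the segment
     * and the annotations that carry the probe markup.
     */
    public function setUp()
    {
        parent::setUp();

        $this->setupDashboards();
        $this->setupXssSegment();
        $this->addAnnotations();
    }

    /**
     * Creates the two test websites and one goal.
     *
     * The first site's name is the probe markup, sanitized by hand because
     * the API is called directly here (see makeXssContent()). The goal name
     * is the probe markup passed through unsanitized.
     * NOTE(review): presumably this overrides a hook invoked by the parent's
     * setUp(); the parent class is not visible here, so confirm.
     */
    public function setUpWebsitesAndGoals()
    {
        // for conversion testing
        $siteName = self::makeXssContent("site name", $sanitize = true);
        self::createWebsite($this->dateTime, $ecommerce = 1, $siteName);
        GoalsAPI::getInstance()->addGoal(
            $this->idSite, self::makeXssContent("goal name"), 'url', 'http', 'contains', false, 5);

        self::createWebsite($this->dateTime, $ecommerce = 0, $siteName = 'Piwik test two',
            $siteUrl = 'http://example-site-two.com');
    }

    /**
     * Creates three dashboards that split the widgets up into different groups.
     *
     * Each dashboard is saved through the Dashboard controller's saveLayout
     * action with a probe-markup name. The request is simulated by writing to
     * $_GET, which is restored afterwards even when saving throws, so a
     * failure here does not leak request parameters into later tests.
     */
    public function setupDashboards()
    {
        $dashboardColumnCount = 3;
        $dashboardCount = 3;

        // one empty layout per dashboard, each holding $dashboardColumnCount empty columns
        $dashboards = array_fill(0, $dashboardCount, array_fill(0, $dashboardColumnCount, array()));

        $oldGet = $_GET;
        try {
            // set before WidgetsList::get() is called, as in the original ordering
            $_GET['idSite'] = $this->idSite;

            // collect widgets to add to the layout
            $groupedWidgets = array();
            $dashboard = 0;
            foreach (WidgetsList::get() as $category => $widgets) {
                foreach ($widgets as $widget) {
                    // these widgets are deliberately left out of every dashboard
                    if ($widget['uniqueId'] == 'widgetSEOgetRank'
                        || $widget['uniqueId'] == 'widgetReferersgetKeywordsForPage'
                        || strpos($widget['uniqueId'], 'widgetExample') === 0
                    ) {
                        continue;
                    }

                    // round-robin over the dashboards
                    $dashboard = ($dashboard + 1) % $dashboardCount;
                    $groupedWidgets[$dashboard][] = array(
                        'uniqueId' => $widget['uniqueId'],
                        'parameters' => $widget['parameters']
                    );
                }
            }

            // distribute widgets in each dashboard, round-robin over the columns
            $column = 0;
            foreach ($groupedWidgets as $dashboardIndex => $dashboardWidgets) {
                foreach ($dashboardWidgets as $widget) {
                    $column = ($column + 1) % $dashboardColumnCount;

                    $dashboards[$dashboardIndex][$column][] = $widget;
                }
            }

            foreach ($dashboards as $id => $layout) {
                $_GET['name'] = self::makeXssContent('dashboard name' . $id);
                $_GET['layout'] = Common::json_encode($layout);
                $_GET['idDashboard'] = $id + 1; // layouts are 0-indexed, dashboard ids start at 1
                FrontController::getInstance()->fetchDispatch('Dashboard', 'saveLayout');
            }
        } catch (Exception $e) {
            // catch + rethrow instead of `finally`, so no newer PHP syntax is
            // required than the rest of the file uses
            $_GET = $oldGet;
            throw $e;
        }

        $_GET = $oldGet;
    }

    /**
     * Adds a segment whose name is the unsanitized probe markup. It is created
     * with auto-archiving on and enabled for all users.
     */
    public function setupXssSegment()
    {
        $segmentName = self::makeXssContent('segment');
        $segmentDefinition = "browserCode==FF";
        SegmentEditorAPI::getInstance()->add(
            $segmentName, $segmentDefinition, $this->idSite, $autoArchive = true, $enabledAllUsers = true);
    }

    /**
     * Adds three annotations; the middle one (2012-08-08) has the unsanitized
     * probe markup as its note text, the other two are plain notes.
     */
    public function addAnnotations()
    {
        AnnotationsAPI::getInstance()->add($this->idSite, '2012-08-09', "Note 1", $starred = 1);
        AnnotationsAPI::getInstance()->add(
            $this->idSite, '2012-08-08', self::makeXssContent("annotation"), $starred = 0);
        AnnotationsAPI::getInstance()->add($this->idSite, '2012-08-10', "Note 3", $starred = 1);
    }

    /**
     * Builds the probe markup used by this fixture.
     *
     * The result is a script element that, if a view ever emits the stored
     * value without escaping, replaces the page body with "<type> XSS!", so
     * the missed escaping is visible and names the field it came from.
     * (The script relies on `$` being defined on the rendering page.)
     *
     * NOTE: since API_Request does sanitization, API methods do not. When calling them, we must
     * sometimes do sanitization ourselves. Pass $sanitize = true to get the value run through
     * Common::sanitizeInputValue(); the default returns the raw markup.
     * NOTE(review): in this fixture only the site name is sanitized. Whether the raw values
     * match what the request path would store is not visible here; confirm when relying
     * on them as stored-data test cases.
     *
     * @param string $type     label embedded in the probe, identifying the field under test
     * @param bool   $sanitize whether to sanitize the markup before returning it
     * @return string
     */
    public static function makeXssContent($type, $sanitize = false)
    {
        $result = "<script>$('body').html('$type XSS!');</script>";
        if ($sanitize) {
            $result = Common::sanitizeInputValue($result);
        }
        return $result;
    }
}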