authorLukas Reschke <lukas@owncloud.com>2015-08-13 08:36:42 +0300
committerLukas Reschke <lukas@owncloud.com>2015-08-14 02:31:32 +0300
commit8313a3fcb3b24bf9e36f48581f64336623ae1ead (patch)
tree5f5f665dca0cd395a6706389c5e2e1f11b95380d /tests/lib/appframework/http/RequestTest.php
parent1f96fb3352ad43155586d6deae95bf889768ba05 (diff)
Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable, we should add another mitigation: 1. The application must support HTTP compression. 2. The response must reflect user-controlled input. 3. The response should contain sensitive data. Part 2 in particular does not really apply to ownCloud, since user input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is, however, sensible to encrypt the CSRF token with a shared secret. Since the encrypted token will change on every request, an attack such as BREACH is no longer feasible, at least against the CSRF token.
Diffstat (limited to 'tests/lib/appframework/http/RequestTest.php')
-rw-r--r--tests/lib/appframework/http/RequestTest.php117
1 files changed, 102 insertions, 15 deletions
diff --git a/tests/lib/appframework/http/RequestTest.php b/tests/lib/appframework/http/RequestTest.php
index 10a9e486c97..deb28909869 100644
--- a/tests/lib/appframework/http/RequestTest.php
+++ b/tests/lib/appframework/http/RequestTest.php
@@ -10,6 +10,7 @@
namespace OC\AppFramework\Http;
+use OC\Security\Crypto;
use OCP\Security\ISecureRandom;
use OCP\IConfig;
@@ -53,6 +54,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -85,6 +87,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -96,8 +99,8 @@ class RequestTest extends \Test\TestCase {
/**
- * @expectedException \RuntimeException
- */
+ * @expectedException \RuntimeException
+ */
public function testImmutableArrayAccess() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -107,6 +110,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -115,8 +119,8 @@ class RequestTest extends \Test\TestCase {
}
/**
- * @expectedException \RuntimeException
- */
+ * @expectedException \RuntimeException
+ */
public function testImmutableMagicAccess() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -126,6 +130,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -134,8 +139,8 @@ class RequestTest extends \Test\TestCase {
}
/**
- * @expectedException \LogicException
- */
+ * @expectedException \LogicException
+ */
public function testGetTheMethodRight() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -145,6 +150,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -161,6 +167,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -182,6 +189,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -206,6 +214,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -230,6 +239,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -250,6 +260,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -274,6 +285,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -303,6 +315,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -324,6 +337,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -347,6 +361,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -358,6 +373,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
\OC::$server->getSecureRandom(),
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -382,6 +398,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -410,6 +427,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -438,6 +456,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -470,6 +489,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -497,6 +517,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -506,10 +527,10 @@ class RequestTest extends \Test\TestCase {
public function testGetServerProtocolWithProtoValid() {
$this->config
- ->expects($this->exactly(2))
- ->method('getSystemValue')
- ->with('overwriteprotocol')
- ->will($this->returnValue(''));
+ ->expects($this->exactly(2))
+ ->method('getSystemValue')
+ ->with('overwriteprotocol')
+ ->will($this->returnValue(''));
$requestHttps = new Request(
[
@@ -518,6 +539,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -528,6 +550,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -551,6 +574,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -571,6 +595,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -587,6 +612,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -607,6 +633,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -628,6 +655,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -716,6 +744,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -732,6 +761,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -749,6 +779,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -766,6 +797,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -793,6 +825,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -814,6 +847,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -840,6 +874,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -866,6 +901,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -882,6 +918,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -909,6 +946,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -924,6 +962,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -944,6 +983,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -964,6 +1004,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -986,6 +1027,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1008,6 +1050,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1030,6 +1073,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1052,6 +1096,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1105,6 +1150,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1144,6 +1190,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
])
@@ -1157,17 +1204,25 @@ class RequestTest extends \Test\TestCase {
}
public function testPassesCSRFCheckWithGet() {
+ $crypto = $this->getMock('\OCP\Security\ICrypto');
+ $crypto
+ ->expects($this->once())
+ ->method('decrypt')
+ ->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
+ ->will($this->returnValue('MyStoredRequestToken'));
+
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'get' => [
- 'requesttoken' => 'MyStoredRequestToken',
+ 'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
+ $crypto,
$this->config,
$this->stream
])
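Review bot: The eight-line `decrypt` mock expectation and the long ciphertext fixture added at the top of this hunk are repeated verbatim in testPassesCSRFCheckWithPost and testPassesCSRFCheckWithHeader (the hunks ending at L489 and L514), so any later change to the token format has to be made three times; a private helper returning the configured ICrypto stub plus a class constant for the ciphertext would leave one copy. The pairing of `->with('<ciphertext>', 'secret')` with a sent token ending in `:secret` is what actually pins the new behaviour — the sent token is split into ciphertext and shared secret before decryption — and deserves a one-line comment such as `// sent token is "<ciphertext>:<shared secret>"; decrypt() must receive the two halves` so the fixture's shape is not mistaken for noise. The enclosing test method continues past the end of the hunk.
```php
/** Ciphertext half of the fixture token; the token sent in the request is this value followed by ':secret'. */
const CSRF_FIXTURE_CIPHERTEXT = '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4';

/**
 * ICrypto stub that expects exactly one decrypt() of the fixture ciphertext
 * with the shared secret and yields the stored request token.
 */
private function getCryptoMockForStoredToken() {
	$crypto = $this->getMock('\OCP\Security\ICrypto');
	$crypto
		->expects($this->once())
		->method('decrypt')
		->with(self::CSRF_FIXTURE_CIPHERTEXT, 'secret')
		->will($this->returnValue('MyStoredRequestToken'));
	return $crypto;
}

public function testPassesCSRFCheckWithGet() {
	$crypto = $this->getCryptoMockForStoredToken();
	// … unchanged: mock builder and constructor args …
```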
@@ -1177,17 +1232,25 @@ class RequestTest extends \Test\TestCase {
}
public function testPassesCSRFCheckWithPost() {
+ $crypto = $this->getMock('\OCP\Security\ICrypto');
+ $crypto
+ ->expects($this->once())
+ ->method('decrypt')
+ ->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
+ ->will($this->returnValue('MyStoredRequestToken'));
+
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'post' => [
- 'requesttoken' => 'MyStoredRequestToken',
+ 'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
+ $crypto,
$this->config,
$this->stream
])
@@ -1197,17 +1260,24 @@ class RequestTest extends \Test\TestCase {
}
public function testPassesCSRFCheckWithHeader() {
+ $crypto = $this->getMock('\OCP\Security\ICrypto');
+ $crypto
+ ->expects($this->once())
+ ->method('decrypt')
+ ->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
+ ->will($this->returnValue('MyStoredRequestToken'));
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
- 'HTTP_REQUESTTOKEN' => 'MyStoredRequestToken',
+ 'HTTP_REQUESTTOKEN' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
+ $crypto,
$this->config,
$this->stream
])
@@ -1216,18 +1286,34 @@ class RequestTest extends \Test\TestCase {
$this->assertTrue($request->passesCSRFCheck());
}
- public function testPassesCSRFCheckWithInvalidToken() {
+ public function invalidTokenDataProvider() {
+ return [
+ ['InvalidSentToken'],
+ ['InvalidSentToken:InvalidSecret'],
+ [null],
+ [''],
+ ];
+ }
+
+ /**
+ * @dataProvider invalidTokenDataProvider
+ * @param string $invalidToken
+ */
+ public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
+ $crypto = new Crypto($this->config, $this->secureRandom);
+
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
- 'HTTP_REQUESTTOKEN' => 'MyInvalidSentToken',
+ 'HTTP_REQUESTTOKEN' => $invalidToken,
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
+ $crypto,
$this->config,
$this->stream
])
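Review bot: The data provider at the top of the hunk yields `null` and `''`, but the docblock on testPassesCSRFCheckWithInvalidToken declares `@param string $invalidToken`; change it to `@param string|null $invalidToken` so the provider rows and the annotation agree. Unlike the three passing-token tests, this one builds a real `Crypto` from `$this->config` and `$this->secureRandom`, so its outcome depends on what the `$this->config` stub returns for the secret and on Crypto rejecting malformed ciphertext rather than on an explicit expectation — a comment such as `// real Crypto: a malformed or foreign ciphertext must never decrypt to the stored token` would make that dependency visible to the next reader. None of the provider rows is a well-formed ciphertext whose decrypted value differs from the stored token, which is the row that would exercise the final token comparison rather than the decrypt path; consider adding one produced with the same Crypto instance (for example `$crypto->encrypt('SomeOtherToken', 'secret')` — confirm the ICrypto encrypt signature against the interface) followed by `:secret`. The method's body continues past the end of the hunk.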
@@ -1243,6 +1329,7 @@ class RequestTest extends \Test\TestCase {
->setConstructorArgs([
[],
$this->secureRandom,
+ $this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
])