Add unit tests for Security and URL classes

common/framework/url.php

@@ -44,7 +44,7 @@ class URL
 	 */
 	public static function getCanonicalURL($url)
 	{
-		if (preg_match('#^\.?/([^/]|$)#', $url))
+		if (preg_match('#^\.?/([^/]|$)#', $url) || !preg_match('#^(https?:|/)#', $url))
 		{
 			$proto = \RX_SSL ? 'https://' : 'http://';
 			$host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost';
@@ -89,7 +89,7 @@ class URL
 			return true;
 		}
 		
-		if ($domain === self::getDomainFromURL($_SERVER['HTTP_HOST']))
+		if ($domain === self::getDomainFromURL('http://' . $_SERVER['HTTP_HOST']))
 		{
 			return true;
 		}

tests/unit/framework/SecurityTest.php

@@ -0,0 +1,60 @@
+<?php
+
+class SecurityTest extends \Codeception\TestCase\Test
+{
+	public function testSanitize()
+	{
+		// Escape
+		$this->assertEquals('foo&lt;bar&gt;', Rhymix\Framework\Security::sanitize('foo<bar>', 'escape'));
+		
+		// Strip
+		$this->assertEquals('foobar', Rhymix\Framework\Security::sanitize('foo<p>bar</p>', 'strip'));
+		
+		// HTML (more thorough tests in HTMLFilterTest)
+		$this->assertEquals('<p>safe</p>', Rhymix\Framework\Security::sanitize('<p>safe<script>unsafe();</script></p>', 'html'));
+		
+		// Filename (more thorough tests in FilenameFilterTest)
+		$this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename'));
+	}
+	
+	public function testCheckCSRF()
+	{
+		$_SERVER['REQUEST_METHOD'] = 'GET';
+		$_SERVER['HTTP_REFERER'] = '';
+		$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
+		
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
+		
+		$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
+		$_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/';
+		$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
+		
+		$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
+		$this->assertTrue(Rhymix\Framework\Security::checkCSRF('http://www.rhymix.org/'));
+	}
+	
+	public function testCheckXEE()
+	{
+		$xml = '<methodCall></methodCall>';
+		$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><methodCall></methodCall>';
+		$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo><methodCall attr="value"></methodCall>';
+		$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo><whatever></whatever>';
+		$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo>';
+		$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt"><methodCall></methodCall>';
+		$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
+		
+		$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><fault></fault>';
+		$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
+	}
+}

tests/unit/framework/URLTest.php

@@ -0,0 +1,72 @@
+<?php
+
+class URLTest extends \Codeception\TestCase\Test
+{
+	public function testGetCurrentURL()
+	{
+		$protocol = \RX_SSL ? 'https://' : 'http://';
+		$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
+		$_SERVER['REQUEST_URI'] = '/index.php?foo=bar&xe=sucks';
+		$full_url = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+		
+		// Getting the current URL
+		$this->assertEquals($full_url, Rhymix\Framework\URL::getCurrentURL());
+		
+		// Adding items to the query string
+		$this->assertEquals($full_url . '&var=1&arr%5B0%5D=2&arr%5B1%5D=3', Rhymix\Framework\URL::getCurrentURL(array('var' => '1', 'arr' => array(2, 3))));
+		
+		// Removing item from the query string
+		$this->assertEquals($protocol . $_SERVER['HTTP_HOST'] . '/index.php?xe=sucks', Rhymix\Framework\URL::getCurrentURL(array('foo' => null)));
+		
+		// Adding and removing parameters at the same time
+		$this->assertEquals($protocol . $_SERVER['HTTP_HOST'] . '/index.php?xe=sucks&l=ko', Rhymix\Framework\URL::getCurrentURL(array('l' => 'ko', 'foo' => null)));
+	}
+	
+	public function testGetCanonicalURL()
+	{
+		$protocol = \RX_SSL ? 'https://' : 'http://';
+		$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
+		
+        $tests = array(
+        	'foo/bar' => $protocol . $_SERVER['HTTP_HOST'] . \RX_BASEURL . 'foo/bar',
+        	'./foo/bar' => $protocol . $_SERVER['HTTP_HOST'] . \RX_BASEURL . 'foo/bar',
+        	'/foo/bar' => $protocol . $_SERVER['HTTP_HOST'] . \RX_BASEURL . 'foo/bar',
+        	'//www.example.com/foo' => $protocol . 'www.example.com/foo',
+        	'http://xn--cg4bkiv2oina.com/' => 'http://삼성전자.com/',
+		);
+		
+		foreach ($tests as $from => $to)
+		{
+			$this->assertEquals($to, Rhymix\Framework\URL::getCanonicalURL($from));
+		}
+	}
+	
+	public function testGetDomainFromURL()
+	{
+        $tests = array(
+        	'https://www.rhymix.org/foo/bar' => 'www.rhymix.org',
+        	'https://www.rhymix.org:8080/foo/bar' => 'www.rhymix.org',
+        	'http://xn--cg4bkiv2oina.com/' => '삼성전자.com',
+		);
+		
+		foreach ($tests as $from => $to)
+		{
+			$this->assertEquals($to, Rhymix\Framework\URL::getDomainFromURL($from));
+		}
+	}
+	
+	public function testIsInternalURL()
+	{
+		// This function is checked in Security::checkCSRF()
+	}
+	
+	public function testEncodeIdna()
+	{
+		$this->assertEquals('xn--9i1bl3b186bf9e.xn--3e0b707e', Rhymix\Framework\URL::encodeIdna('퓨니코드.한국'));
+	}
+	
+	public function testDecodeIdna()
+	{
+		$this->assertEquals('퓨니코드.한국', Rhymix\Framework\URL::decodeIdna('xn--9i1bl3b186bf9e.xn--3e0b707e'));
+	}
+}