fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-04-02 01:52:10 +09:00
Code Issues Projects Releases Packages Wiki Activity

Add unit tests for Security and URL classes

Browse source
This commit is contained in:
Kijin Sung 2016-03-12 19:44:05 +09:00
parent 6d13142f30
commit b693c8cdad
3 changed files with 134 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

60
tests/unit/framework/SecurityTest.php
View file

@ -0,0 +1,60 @@
<?php
class SecurityTest extends \Codeception\TestCase\Test
{
public function testSanitize()
{
// Escape
$this->assertEquals('foo&lt;bar&gt;', Rhymix\Framework\Security::sanitize('foo<bar>', 'escape'));
// Strip
$this->assertEquals('foobar', Rhymix\Framework\Security::sanitize('foo<p>bar</p>', 'strip'));
// HTML (more thorough tests in HTMLFilterTest)
$this->assertEquals('<p>safe</p>', Rhymix\Framework\Security::sanitize('<p>safe<script>unsafe();</script></p>', 'html'));
// Filename (more thorough tests in FilenameFilterTest)
$this->assertEquals('foo(bar).xls', Rhymix\Framework\Security::sanitize('foo<bar>.xls', 'filename'));
}
public function testCheckCSRF()
{
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_REFERER'] = '';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['REQUEST_METHOD'] = 'POST';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
$_SERVER['HTTP_REFERER'] = 'http://www.foobar.com/';
$this->assertFalse(Rhymix\Framework\Security::checkCSRF());
$_SERVER['HTTP_HOST'] = 'www.rhymix.org';
$this->assertTrue(Rhymix\Framework\Security::checkCSRF('http://www.rhymix.org/'));
}
public function testCheckXEE()
{
$xml = '<methodCall></methodCall>';
$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><methodCall></methodCall>';
$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo><methodCall attr="value"></methodCall>';
$this->assertTrue(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo><whatever></whatever>';
$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo>';
$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><!ENTITY xxe SYSTEM "http://www.attacker.com/text.txt"><methodCall></methodCall>';
$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
$xml = '<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/passwd" >]><fault></fault>';
$this->assertFalse(Rhymix\Framework\Security::checkXEE($xml));
}
}