RequestTest.php 56 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432
  1. <?php
  2. /**
  3. * @copyright 2013 Thomas Tanghus (thomas@tanghus.net)
  4. * @copyright 2016 Lukas Reschke lukas@owncloud.com
  5. * @copyright 2022 Stanimir Bozhilov (stanimir@audriga.com)
  6. *
  7. * This file is licensed under the Affero General Public License version 3 or
  8. * later.
  9. * See the COPYING-README file.
  10. */
  11. namespace Test\AppFramework\Http;
  12. use OC\AppFramework\Http\Request;
  13. use OC\Security\CSRF\CsrfToken;
  14. use OC\Security\CSRF\CsrfTokenManager;
  15. use OCP\IConfig;
  16. use OCP\IRequestId;
  17. /**
  18. * Class RequestTest
  19. *
  20. * @package OC\AppFramework\Http
  21. */
  22. class RequestTest extends \Test\TestCase {
  23. /** @var string */
  24. protected $stream = 'fakeinput://data';
  25. /** @var IRequestId */
  26. protected $requestId;
  27. /** @var IConfig */
  28. protected $config;
  29. /** @var CsrfTokenManager */
  30. protected $csrfTokenManager;
  31. protected function setUp(): void {
  32. parent::setUp();
  33. if (in_array('fakeinput', stream_get_wrappers())) {
  34. stream_wrapper_unregister('fakeinput');
  35. }
  36. stream_wrapper_register('fakeinput', 'Test\AppFramework\Http\RequestStream');
  37. $this->requestId = $this->createMock(IRequestId::class);
  38. $this->config = $this->createMock(IConfig::class);
  39. $this->csrfTokenManager = $this->getMockBuilder(CsrfTokenManager::class)
  40. ->disableOriginalConstructor()
  41. ->getMock();
  42. }
  43. protected function tearDown(): void {
  44. stream_wrapper_unregister('fakeinput');
  45. parent::tearDown();
  46. }
  47. public function testRequestAccessors() {
  48. $vars = [
  49. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  50. 'method' => 'GET',
  51. ];
  52. $request = new Request(
  53. $vars,
  54. $this->requestId,
  55. $this->config,
  56. $this->csrfTokenManager,
  57. $this->stream
  58. );
  59. // Countable
  60. $this->assertSame(2, count($request));
  61. // Array access
  62. $this->assertSame('Joey', $request['nickname']);
  63. // "Magic" accessors
  64. $this->assertSame('Joey', $request->{'nickname'});
  65. $this->assertTrue(isset($request['nickname']));
  66. $this->assertTrue(isset($request->{'nickname'}));
  67. $this->assertFalse(isset($request->{'flickname'}));
  68. // Only testing 'get', but same approach for post, files etc.
  69. $this->assertSame('Joey', $request->get['nickname']);
  70. // Always returns null if variable not set.
  71. $this->assertSame(null, $request->{'flickname'});
  72. }
  73. // urlParams has precedence over POST which has precedence over GET
  74. public function testPrecedence() {
  75. $vars = [
  76. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  77. 'post' => ['name' => 'Jane Doe', 'nickname' => 'Janey'],
  78. 'urlParams' => ['user' => 'jw', 'name' => 'Johnny Weissmüller'],
  79. 'method' => 'GET'
  80. ];
  81. $request = new Request(
  82. $vars,
  83. $this->requestId,
  84. $this->config,
  85. $this->csrfTokenManager,
  86. $this->stream
  87. );
  88. $this->assertSame(3, count($request));
  89. $this->assertSame('Janey', $request->{'nickname'});
  90. $this->assertSame('Johnny Weissmüller', $request->{'name'});
  91. }
  92. public function testImmutableArrayAccess() {
  93. $this->expectException(\RuntimeException::class);
  94. $vars = [
  95. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  96. 'method' => 'GET'
  97. ];
  98. $request = new Request(
  99. $vars,
  100. $this->requestId,
  101. $this->config,
  102. $this->csrfTokenManager,
  103. $this->stream
  104. );
  105. $request['nickname'] = 'Janey';
  106. }
  107. public function testImmutableMagicAccess() {
  108. $this->expectException(\RuntimeException::class);
  109. $vars = [
  110. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  111. 'method' => 'GET'
  112. ];
  113. $request = new Request(
  114. $vars,
  115. $this->requestId,
  116. $this->config,
  117. $this->csrfTokenManager,
  118. $this->stream
  119. );
  120. $request->{'nickname'} = 'Janey';
  121. }
  122. public function testGetTheMethodRight() {
  123. $this->expectException(\LogicException::class);
  124. $vars = [
  125. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  126. 'method' => 'GET',
  127. ];
  128. $request = new Request(
  129. $vars,
  130. $this->requestId,
  131. $this->config,
  132. $this->csrfTokenManager,
  133. $this->stream
  134. );
  135. $request->post;
  136. }
  137. public function testTheMethodIsRight() {
  138. $vars = [
  139. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  140. 'method' => 'GET',
  141. ];
  142. $request = new Request(
  143. $vars,
  144. $this->requestId,
  145. $this->config,
  146. $this->csrfTokenManager,
  147. $this->stream
  148. );
  149. $this->assertSame('GET', $request->method);
  150. $result = $request->get;
  151. $this->assertSame('John Q. Public', $result['name']);
  152. $this->assertSame('Joey', $result['nickname']);
  153. }
  154. public function testJsonPost() {
  155. global $data;
  156. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  157. $vars = [
  158. 'method' => 'POST',
  159. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  160. ];
  161. $request = new Request(
  162. $vars,
  163. $this->requestId,
  164. $this->config,
  165. $this->csrfTokenManager,
  166. $this->stream
  167. );
  168. $this->assertSame('POST', $request->method);
  169. $result = $request->post;
  170. $this->assertSame('John Q. Public', $result['name']);
  171. $this->assertSame('Joey', $result['nickname']);
  172. $this->assertSame('Joey', $request->params['nickname']);
  173. $this->assertSame('Joey', $request['nickname']);
  174. }
  175. public function testScimJsonPost() {
  176. global $data;
  177. $data = '{"userName":"testusername", "displayName":"Example User"}';
  178. $vars = [
  179. 'method' => 'POST',
  180. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  181. ];
  182. $request = new Request(
  183. $vars,
  184. $this->requestId,
  185. $this->config,
  186. $this->csrfTokenManager,
  187. $this->stream
  188. );
  189. $this->assertSame('POST', $request->method);
  190. $result = $request->post;
  191. $this->assertSame('testusername', $result['userName']);
  192. $this->assertSame('Example User', $result['displayName']);
  193. $this->assertSame('Example User', $request->params['displayName']);
  194. $this->assertSame('Example User', $request['displayName']);
  195. }
  196. public function testCustomJsonPost() {
  197. global $data;
  198. $data = '{"propertyA":"sometestvalue", "propertyB":"someothertestvalue"}';
  199. // Note: the content type used here is fictional and intended to check if the regex for JSON content types works fine
  200. $vars = [
  201. 'method' => 'POST',
  202. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  203. ];
  204. $request = new Request(
  205. $vars,
  206. $this->requestId,
  207. $this->config,
  208. $this->csrfTokenManager,
  209. $this->stream
  210. );
  211. $this->assertSame('POST', $request->method);
  212. $result = $request->post;
  213. $this->assertSame('sometestvalue', $result['propertyA']);
  214. $this->assertSame('someothertestvalue', $result['propertyB']);
  215. }
  216. public function notJsonDataProvider() {
  217. return [
  218. ['this is not valid json'],
  219. ['"just a string"'],
  220. ['{"just a string"}'],
  221. ];
  222. }
  223. /**
  224. * @dataProvider notJsonDataProvider
  225. */
  226. public function testNotJsonPost($testData) {
  227. global $data;
  228. $data = $testData;
  229. $vars = [
  230. 'method' => 'POST',
  231. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  232. ];
  233. $request = new Request(
  234. $vars,
  235. $this->requestId,
  236. $this->config,
  237. $this->csrfTokenManager,
  238. $this->stream
  239. );
  240. $this->assertEquals('POST', $request->method);
  241. $result = $request->post;
  242. // ensure there's no error attempting to decode the content
  243. }
  244. public function testNotScimJsonPost() {
  245. global $data;
  246. $data = 'this is not valid scim json';
  247. $vars = [
  248. 'method' => 'POST',
  249. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  250. ];
  251. $request = new Request(
  252. $vars,
  253. $this->requestId,
  254. $this->config,
  255. $this->csrfTokenManager,
  256. $this->stream
  257. );
  258. $this->assertEquals('POST', $request->method);
  259. $result = $request->post;
  260. // ensure there's no error attempting to decode the content
  261. }
  262. public function testNotCustomJsonPost() {
  263. global $data;
  264. $data = 'this is not valid json';
  265. $vars = [
  266. 'method' => 'POST',
  267. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  268. ];
  269. $request = new Request(
  270. $vars,
  271. $this->requestId,
  272. $this->config,
  273. $this->csrfTokenManager,
  274. $this->stream
  275. );
  276. $this->assertEquals('POST', $request->method);
  277. $result = $request->post;
  278. // ensure there's no error attempting to decode the content
  279. }
  280. public function testPatch() {
  281. global $data;
  282. $data = http_build_query(['name' => 'John Q. Public', 'nickname' => 'Joey'], '', '&');
  283. $vars = [
  284. 'method' => 'PATCH',
  285. 'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
  286. ];
  287. $request = new Request(
  288. $vars,
  289. $this->requestId,
  290. $this->config,
  291. $this->csrfTokenManager,
  292. $this->stream
  293. );
  294. $this->assertSame('PATCH', $request->method);
  295. $result = $request->patch;
  296. $this->assertSame('John Q. Public', $result['name']);
  297. $this->assertSame('Joey', $result['nickname']);
  298. }
  299. public function testJsonPatchAndPut() {
  300. global $data;
  301. // PUT content
  302. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  303. $vars = [
  304. 'method' => 'PUT',
  305. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  306. ];
  307. $request = new Request(
  308. $vars,
  309. $this->requestId,
  310. $this->config,
  311. $this->csrfTokenManager,
  312. $this->stream
  313. );
  314. $this->assertSame('PUT', $request->method);
  315. $result = $request->put;
  316. $this->assertSame('John Q. Public', $result['name']);
  317. $this->assertSame('Joey', $result['nickname']);
  318. // PATCH content
  319. $data = '{"name": "John Q. Public", "nickname": null}';
  320. $vars = [
  321. 'method' => 'PATCH',
  322. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  323. ];
  324. $request = new Request(
  325. $vars,
  326. $this->requestId,
  327. $this->config,
  328. $this->csrfTokenManager,
  329. $this->stream
  330. );
  331. $this->assertSame('PATCH', $request->method);
  332. $result = $request->patch;
  333. $this->assertSame('John Q. Public', $result['name']);
  334. $this->assertSame(null, $result['nickname']);
  335. }
  336. public function testScimJsonPatchAndPut() {
  337. global $data;
  338. // PUT content
  339. $data = '{"userName": "sometestusername", "displayName": "Example User"}';
  340. $vars = [
  341. 'method' => 'PUT',
  342. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  343. ];
  344. $request = new Request(
  345. $vars,
  346. $this->requestId,
  347. $this->config,
  348. $this->csrfTokenManager,
  349. $this->stream
  350. );
  351. $this->assertSame('PUT', $request->method);
  352. $result = $request->put;
  353. $this->assertSame('sometestusername', $result['userName']);
  354. $this->assertSame('Example User', $result['displayName']);
  355. // PATCH content
  356. $data = '{"userName": "sometestusername", "displayName": null}';
  357. $vars = [
  358. 'method' => 'PATCH',
  359. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  360. ];
  361. $request = new Request(
  362. $vars,
  363. $this->requestId,
  364. $this->config,
  365. $this->csrfTokenManager,
  366. $this->stream
  367. );
  368. $this->assertSame('PATCH', $request->method);
  369. $result = $request->patch;
  370. $this->assertSame('sometestusername', $result['userName']);
  371. $this->assertSame(null, $result['displayName']);
  372. }
  373. public function testCustomJsonPatchAndPut() {
  374. global $data;
  375. // PUT content
  376. $data = '{"propertyA": "sometestvalue", "propertyB": "someothertestvalue"}';
  377. $vars = [
  378. 'method' => 'PUT',
  379. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  380. ];
  381. $request = new Request(
  382. $vars,
  383. $this->requestId,
  384. $this->config,
  385. $this->csrfTokenManager,
  386. $this->stream
  387. );
  388. $this->assertSame('PUT', $request->method);
  389. $result = $request->put;
  390. $this->assertSame('sometestvalue', $result['propertyA']);
  391. $this->assertSame('someothertestvalue', $result['propertyB']);
  392. // PATCH content
  393. $data = '{"propertyA": "sometestvalue", "propertyB": null}';
  394. $vars = [
  395. 'method' => 'PATCH',
  396. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  397. ];
  398. $request = new Request(
  399. $vars,
  400. $this->requestId,
  401. $this->config,
  402. $this->csrfTokenManager,
  403. $this->stream
  404. );
  405. $this->assertSame('PATCH', $request->method);
  406. $result = $request->patch;
  407. $this->assertSame('sometestvalue', $result['propertyA']);
  408. $this->assertSame(null, $result['propertyB']);
  409. }
  410. public function testPutStream() {
  411. global $data;
  412. $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');
  413. $vars = [
  414. 'put' => $data,
  415. 'method' => 'PUT',
  416. 'server' => [
  417. 'CONTENT_TYPE' => 'image/png',
  418. 'CONTENT_LENGTH' => (string)strlen($data)
  419. ],
  420. ];
  421. $request = new Request(
  422. $vars,
  423. $this->requestId,
  424. $this->config,
  425. $this->csrfTokenManager,
  426. $this->stream
  427. );
  428. $this->assertSame('PUT', $request->method);
  429. $resource = $request->put;
  430. $contents = stream_get_contents($resource);
  431. $this->assertSame($data, $contents);
  432. try {
  433. $resource = $request->put;
  434. } catch (\LogicException $e) {
  435. return;
  436. }
  437. $this->fail('Expected LogicException.');
  438. }
  439. public function testSetUrlParameters() {
  440. $vars = [
  441. 'post' => [],
  442. 'method' => 'POST',
  443. 'urlParams' => ['id' => '2'],
  444. ];
  445. $request = new Request(
  446. $vars,
  447. $this->requestId,
  448. $this->config,
  449. $this->csrfTokenManager,
  450. $this->stream
  451. );
  452. $newParams = ['id' => '3', 'test' => 'test2'];
  453. $request->setUrlParameters($newParams);
  454. $this->assertSame('test2', $request->getParam('test'));
  455. $this->assertEquals('3', $request->getParam('id'));
  456. $this->assertEquals('3', $request->getParams()['id']);
  457. }
  458. public function testGetRemoteAddressWithoutTrustedRemote() {
  459. $this->config
  460. ->expects($this->once())
  461. ->method('getSystemValue')
  462. ->with('trusted_proxies')
  463. ->willReturn([]);
  464. $request = new Request(
  465. [
  466. 'server' => [
  467. 'REMOTE_ADDR' => '10.0.0.2',
  468. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  469. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  470. ],
  471. ],
  472. $this->requestId,
  473. $this->config,
  474. $this->csrfTokenManager,
  475. $this->stream
  476. );
  477. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  478. }
  479. public function testGetRemoteAddressWithNoTrustedHeader() {
  480. $this->config
  481. ->expects($this->exactly(2))
  482. ->method('getSystemValue')
  483. ->withConsecutive(
  484. ['trusted_proxies'],
  485. ['forwarded_for_headers'],
  486. )->willReturnOnConsecutiveCalls(
  487. ['10.0.0.2'],
  488. []
  489. );
  490. $request = new Request(
  491. [
  492. 'server' => [
  493. 'REMOTE_ADDR' => '10.0.0.2',
  494. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  495. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  496. ],
  497. ],
  498. $this->requestId,
  499. $this->config,
  500. $this->csrfTokenManager,
  501. $this->stream
  502. );
  503. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  504. }
  505. public function testGetRemoteAddressWithSingleTrustedRemote() {
  506. $this->config
  507. ->expects($this->exactly(2))
  508. ->method('getSystemValue')
  509. ->withConsecutive(
  510. ['trusted_proxies'],
  511. ['forwarded_for_headers'],
  512. )-> willReturnOnConsecutiveCalls(
  513. ['10.0.0.2'],
  514. ['HTTP_X_FORWARDED'],
  515. );
  516. $request = new Request(
  517. [
  518. 'server' => [
  519. 'REMOTE_ADDR' => '10.0.0.2',
  520. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  521. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  522. ],
  523. ],
  524. $this->requestId,
  525. $this->config,
  526. $this->csrfTokenManager,
  527. $this->stream
  528. );
  529. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  530. }
  531. public function testGetRemoteAddressWithMultipleTrustedRemotes() {
  532. $this->config
  533. ->expects($this->exactly(2))
  534. ->method('getSystemValue')
  535. ->willReturnMap([
  536. ['trusted_proxies', [], ['10.0.0.2', '::1']],
  537. ['forwarded_for_headers', ['HTTP_X_FORWARDED_FOR'], ['HTTP_X_FORWARDED']],
  538. ]);
  539. $request = new Request(
  540. [
  541. 'server' => [
  542. 'REMOTE_ADDR' => '10.0.0.2',
  543. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4, ::1',
  544. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  545. ],
  546. ],
  547. $this->requestId,
  548. $this->config,
  549. $this->csrfTokenManager,
  550. $this->stream
  551. );
  552. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  553. }
  554. public function testGetRemoteAddressIPv6WithSingleTrustedRemote() {
  555. $this->config
  556. ->expects($this->exactly(2))
  557. ->method('getSystemValue')
  558. ->withConsecutive(
  559. ['trusted_proxies'],
  560. ['forwarded_for_headers'],
  561. )-> willReturnOnConsecutiveCalls(
  562. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  563. ['HTTP_X_FORWARDED'],
  564. );
  565. $request = new Request(
  566. [
  567. 'server' => [
  568. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  569. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  570. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  571. ],
  572. ],
  573. $this->requestId,
  574. $this->config,
  575. $this->csrfTokenManager,
  576. $this->stream
  577. );
  578. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  579. }
  580. public function testGetRemoteAddressVerifyPriorityHeader() {
  581. $this->config
  582. ->expects($this->exactly(2))
  583. ->method('getSystemValue')
  584. ->withConsecutive(
  585. ['trusted_proxies'],
  586. ['forwarded_for_headers'],
  587. )-> willReturnOnConsecutiveCalls(
  588. ['10.0.0.2'],
  589. [
  590. 'HTTP_X_FORWARDED',
  591. 'HTTP_X_FORWARDED_FOR',
  592. 'HTTP_CLIENT_IP',
  593. ],
  594. );
  595. $request = new Request(
  596. [
  597. 'server' => [
  598. 'REMOTE_ADDR' => '10.0.0.2',
  599. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  600. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  601. ],
  602. ],
  603. $this->requestId,
  604. $this->config,
  605. $this->csrfTokenManager,
  606. $this->stream
  607. );
  608. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  609. }
  610. public function testGetRemoteAddressIPv6VerifyPriorityHeader() {
  611. $this->config
  612. ->expects($this->exactly(2))
  613. ->method('getSystemValue')
  614. ->withConsecutive(
  615. ['trusted_proxies'],
  616. ['forwarded_for_headers'],
  617. )-> willReturnOnConsecutiveCalls(
  618. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  619. [
  620. 'HTTP_X_FORWARDED',
  621. 'HTTP_X_FORWARDED_FOR',
  622. 'HTTP_CLIENT_IP',
  623. ],
  624. );
  625. $request = new Request(
  626. [
  627. 'server' => [
  628. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  629. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  630. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  631. ],
  632. ],
  633. $this->requestId,
  634. $this->config,
  635. $this->csrfTokenManager,
  636. $this->stream
  637. );
  638. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  639. }
  640. public function testGetRemoteAddressWithMatchingCidrTrustedRemote() {
  641. $this->config
  642. ->expects($this->exactly(2))
  643. ->method('getSystemValue')
  644. ->withConsecutive(
  645. ['trusted_proxies'],
  646. ['forwarded_for_headers'],
  647. )-> willReturnOnConsecutiveCalls(
  648. ['192.168.2.0/24'],
  649. ['HTTP_X_FORWARDED_FOR'],
  650. );
  651. $request = new Request(
  652. [
  653. 'server' => [
  654. 'REMOTE_ADDR' => '192.168.2.99',
  655. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  656. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  657. ],
  658. ],
  659. $this->requestId,
  660. $this->config,
  661. $this->csrfTokenManager,
  662. $this->stream
  663. );
  664. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  665. }
  666. public function testGetRemoteAddressWithNotMatchingCidrTrustedRemote() {
  667. $this->config
  668. ->expects($this->once())
  669. ->method('getSystemValue')
  670. ->with('trusted_proxies')
  671. ->willReturn(['192.168.2.0/24']);
  672. $request = new Request(
  673. [
  674. 'server' => [
  675. 'REMOTE_ADDR' => '192.168.3.99',
  676. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  677. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  678. ],
  679. ],
  680. $this->requestId,
  681. $this->config,
  682. $this->csrfTokenManager,
  683. $this->stream
  684. );
  685. $this->assertSame('192.168.3.99', $request->getRemoteAddress());
  686. }
  687. public function testGetRemoteIpv6AddressWithMatchingIpv6CidrTrustedRemote() {
  688. $this->config
  689. ->expects($this->exactly(2))
  690. ->method('getSystemValue')
  691. ->withConsecutive(
  692. ['trusted_proxies'],
  693. ['forwarded_for_headers']
  694. )->willReturnOnConsecutiveCalls(
  695. ['2001:db8:85a3:8d3:1319:8a20::/95'],
  696. ['HTTP_X_FORWARDED_FOR']
  697. );
  698. $request = new Request(
  699. [
  700. 'server' => [
  701. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a21:370:7348',
  702. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  703. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  704. ],
  705. ],
  706. $this->requestId,
  707. $this->config,
  708. $this->csrfTokenManager,
  709. $this->stream
  710. );
  711. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  712. }
  713. public function testGetRemoteAddressIpv6WithNotMatchingCidrTrustedRemote() {
  714. $this->config
  715. ->expects($this->once())
  716. ->method('getSystemValue')
  717. ->with('trusted_proxies')
  718. ->willReturn(['fd::/8']);
  719. $request = new Request(
  720. [
  721. 'server' => [
  722. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  723. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  724. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  725. ],
  726. ],
  727. $this->requestId,
  728. $this->config,
  729. $this->csrfTokenManager,
  730. $this->stream
  731. );
  732. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  733. }
  734. public function testGetRemoteAddressIpv6WithInvalidTrustedProxy() {
  735. $this->config
  736. ->expects($this->once())
  737. ->method('getSystemValue')
  738. ->with('trusted_proxies')
  739. ->willReturn(['fx::/8']);
  740. $request = new Request(
  741. [
  742. 'server' => [
  743. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  744. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  745. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  746. ],
  747. ],
  748. $this->requestId,
  749. $this->config,
  750. $this->csrfTokenManager,
  751. $this->stream
  752. );
  753. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  754. }
  755. public function testGetRemoteAddressWithXForwardedForIPv6() {
  756. $this->config
  757. ->expects($this->exactly(2))
  758. ->method('getSystemValue')
  759. ->withConsecutive(
  760. ['trusted_proxies'],
  761. ['forwarded_for_headers'],
  762. )-> willReturnOnConsecutiveCalls(
  763. ['192.168.2.0/24'],
  764. ['HTTP_X_FORWARDED_FOR'],
  765. );
  766. $request = new Request(
  767. [
  768. 'server' => [
  769. 'REMOTE_ADDR' => '192.168.2.99',
  770. 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
  771. ],
  772. ],
  773. $this->requestId,
  774. $this->config,
  775. $this->csrfTokenManager,
  776. $this->stream
  777. );
  778. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  779. }
  780. /**
  781. * @return array
  782. */
  783. public function httpProtocolProvider() {
  784. return [
  785. // Valid HTTP 1.0
  786. ['HTTP/1.0', 'HTTP/1.0'],
  787. ['http/1.0', 'HTTP/1.0'],
  788. ['HTTp/1.0', 'HTTP/1.0'],
  789. // Valid HTTP 1.1
  790. ['HTTP/1.1', 'HTTP/1.1'],
  791. ['http/1.1', 'HTTP/1.1'],
  792. ['HTTp/1.1', 'HTTP/1.1'],
  793. // Valid HTTP 2.0
  794. ['HTTP/2', 'HTTP/2'],
  795. ['http/2', 'HTTP/2'],
  796. ['HTTp/2', 'HTTP/2'],
  797. // Invalid
  798. ['HTTp/394', 'HTTP/1.1'],
  799. ['InvalidProvider/1.1', 'HTTP/1.1'],
  800. [null, 'HTTP/1.1'],
  801. ['', 'HTTP/1.1'],
  802. ];
  803. }
  804. /**
  805. * @dataProvider httpProtocolProvider
  806. *
  807. * @param mixed $input
  808. * @param string $expected
  809. */
  810. public function testGetHttpProtocol($input, $expected) {
  811. $request = new Request(
  812. [
  813. 'server' => [
  814. 'SERVER_PROTOCOL' => $input,
  815. ],
  816. ],
  817. $this->requestId,
  818. $this->config,
  819. $this->csrfTokenManager,
  820. $this->stream
  821. );
  822. $this->assertSame($expected, $request->getHttpProtocol());
  823. }
  824. public function testGetServerProtocolWithOverride() {
  825. $this->config
  826. ->expects($this->exactly(3))
  827. ->method('getSystemValueString')
  828. ->willReturnMap([
  829. ['overwriteprotocol', '', 'customProtocol'],
  830. ['overwritecondaddr', '', ''],
  831. ]);
  832. $request = new Request(
  833. [],
  834. $this->requestId,
  835. $this->config,
  836. $this->csrfTokenManager,
  837. $this->stream
  838. );
  839. $this->assertSame('customProtocol', $request->getServerProtocol());
  840. }
  841. public function testGetServerProtocolWithProtoValid() {
  842. $this->config
  843. ->method('getSystemValue')
  844. ->willReturnCallback(function ($key, $default) {
  845. if ($key === 'trusted_proxies') {
  846. return ['1.2.3.4'];
  847. }
  848. return $default;
  849. });
  850. $requestHttps = new Request(
  851. [
  852. 'server' => [
  853. 'HTTP_X_FORWARDED_PROTO' => 'HtTpS',
  854. 'REMOTE_ADDR' => '1.2.3.4',
  855. ],
  856. ],
  857. $this->requestId,
  858. $this->config,
  859. $this->csrfTokenManager,
  860. $this->stream
  861. );
  862. $requestHttp = new Request(
  863. [
  864. 'server' => [
  865. 'HTTP_X_FORWARDED_PROTO' => 'HTTp',
  866. 'REMOTE_ADDR' => '1.2.3.4',
  867. ],
  868. ],
  869. $this->requestId,
  870. $this->config,
  871. $this->csrfTokenManager,
  872. $this->stream
  873. );
  874. $this->assertSame('https', $requestHttps->getServerProtocol());
  875. $this->assertSame('http', $requestHttp->getServerProtocol());
  876. }
  877. public function testGetServerProtocolWithHttpsServerValueOn() {
  878. $this->config
  879. ->method('getSystemValue')
  880. ->willReturnCallback(function ($key, $default) {
  881. return $default;
  882. });
  883. $request = new Request(
  884. [
  885. 'server' => [
  886. 'HTTPS' => 'on'
  887. ],
  888. ],
  889. $this->requestId,
  890. $this->config,
  891. $this->csrfTokenManager,
  892. $this->stream
  893. );
  894. $this->assertSame('https', $request->getServerProtocol());
  895. }
  896. public function testGetServerProtocolWithHttpsServerValueOff() {
  897. $this->config
  898. ->method('getSystemValue')
  899. ->willReturnCallback(function ($key, $default) {
  900. return $default;
  901. });
  902. $request = new Request(
  903. [
  904. 'server' => [
  905. 'HTTPS' => 'off'
  906. ],
  907. ],
  908. $this->requestId,
  909. $this->config,
  910. $this->csrfTokenManager,
  911. $this->stream
  912. );
  913. $this->assertSame('http', $request->getServerProtocol());
  914. }
  915. public function testGetServerProtocolWithHttpsServerValueEmpty() {
  916. $this->config
  917. ->method('getSystemValue')
  918. ->willReturnCallback(function ($key, $default) {
  919. return $default;
  920. });
  921. $request = new Request(
  922. [
  923. 'server' => [
  924. 'HTTPS' => ''
  925. ],
  926. ],
  927. $this->requestId,
  928. $this->config,
  929. $this->csrfTokenManager,
  930. $this->stream
  931. );
  932. $this->assertSame('http', $request->getServerProtocol());
  933. }
  934. public function testGetServerProtocolDefault() {
  935. $this->config
  936. ->method('getSystemValue')
  937. ->willReturnCallback(function ($key, $default) {
  938. return $default;
  939. });
  940. $request = new Request(
  941. [],
  942. $this->requestId,
  943. $this->config,
  944. $this->csrfTokenManager,
  945. $this->stream
  946. );
  947. $this->assertSame('http', $request->getServerProtocol());
  948. }
  949. public function testGetServerProtocolBehindLoadBalancers() {
  950. $this->config
  951. ->method('getSystemValue')
  952. ->willReturnCallback(function ($key, $default) {
  953. if ($key === 'trusted_proxies') {
  954. return ['1.2.3.4'];
  955. }
  956. return $default;
  957. });
  958. $request = new Request(
  959. [
  960. 'server' => [
  961. 'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
  962. 'REMOTE_ADDR' => '1.2.3.4',
  963. ],
  964. ],
  965. $this->requestId,
  966. $this->config,
  967. $this->csrfTokenManager,
  968. $this->stream
  969. );
  970. $this->assertSame('https', $request->getServerProtocol());
  971. }
  972. /**
  973. * @dataProvider userAgentProvider
  974. * @param string $testAgent
  975. * @param array $userAgent
  976. * @param bool $matches
  977. */
  978. public function testUserAgent($testAgent, $userAgent, $matches) {
  979. $request = new Request(
  980. [
  981. 'server' => [
  982. 'HTTP_USER_AGENT' => $testAgent,
  983. ]
  984. ],
  985. $this->requestId,
  986. $this->config,
  987. $this->csrfTokenManager,
  988. $this->stream
  989. );
  990. $this->assertSame($matches, $request->isUserAgent($userAgent));
  991. }
  992. /**
  993. * @dataProvider userAgentProvider
  994. * @param string $testAgent
  995. * @param array $userAgent
  996. * @param bool $matches
  997. */
  998. public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
  999. $request = new Request(
  1000. [],
  1001. $this->requestId,
  1002. $this->config,
  1003. $this->csrfTokenManager,
  1004. $this->stream
  1005. );
  1006. $this->assertFalse($request->isUserAgent($userAgent));
  1007. }
  1008. /**
  1009. * @return array
  1010. */
  1011. public function userAgentProvider() {
  1012. return [
  1013. [
  1014. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1015. [
  1016. Request::USER_AGENT_IE
  1017. ],
  1018. true,
  1019. ],
  1020. [
  1021. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  1022. [
  1023. Request::USER_AGENT_IE
  1024. ],
  1025. false,
  1026. ],
  1027. [
  1028. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
  1029. [
  1030. Request::USER_AGENT_CHROME
  1031. ],
  1032. true,
  1033. ],
  1034. [
  1035. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
  1036. [
  1037. Request::USER_AGENT_CHROME
  1038. ],
  1039. true,
  1040. ],
  1041. [
  1042. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  1043. [
  1044. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  1045. ],
  1046. true,
  1047. ],
  1048. [
  1049. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1050. [
  1051. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  1052. ],
  1053. false,
  1054. ],
  1055. [
  1056. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1057. [
  1058. Request::USER_AGENT_IE,
  1059. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  1060. ],
  1061. true,
  1062. ],
  1063. [
  1064. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  1065. [
  1066. Request::USER_AGENT_IE,
  1067. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  1068. ],
  1069. true,
  1070. ],
  1071. [
  1072. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  1073. [
  1074. Request::USER_AGENT_FREEBOX
  1075. ],
  1076. false,
  1077. ],
  1078. [
  1079. 'Mozilla/5.0',
  1080. [
  1081. Request::USER_AGENT_FREEBOX
  1082. ],
  1083. true,
  1084. ],
  1085. [
  1086. 'Fake Mozilla/5.0',
  1087. [
  1088. Request::USER_AGENT_FREEBOX
  1089. ],
  1090. false,
  1091. ],
  1092. [
  1093. 'Mozilla/5.0 (Android) ownCloud-android/2.0.0',
  1094. [
  1095. Request::USER_AGENT_CLIENT_ANDROID
  1096. ],
  1097. true,
  1098. ],
  1099. [
  1100. 'Mozilla/5.0 (Android) Nextcloud-android/2.0.0',
  1101. [
  1102. Request::USER_AGENT_CLIENT_ANDROID
  1103. ],
  1104. true,
  1105. ],
  1106. [
  1107. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41',
  1108. [
  1109. Request::USER_AGENT_CHROME
  1110. ],
  1111. true
  1112. ],
  1113. [
  1114. 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75',
  1115. [
  1116. Request::USER_AGENT_CHROME
  1117. ],
  1118. true
  1119. ],
  1120. [
  1121. 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67',
  1122. [
  1123. Request::USER_AGENT_CHROME
  1124. ],
  1125. true
  1126. ]
  1127. ];
  1128. }
  1129. public function dataMatchClientVersion(): array {
  1130. return [
  1131. [
  1132. 'Mozilla/5.0 (Android) Nextcloud-android/3.24.1',
  1133. Request::USER_AGENT_CLIENT_ANDROID,
  1134. '3.24.1',
  1135. ],
  1136. [
  1137. 'Mozilla/5.0 (iOS) Nextcloud-iOS/4.8.2',
  1138. Request::USER_AGENT_CLIENT_IOS,
  1139. '4.8.2',
  1140. ],
  1141. [
  1142. 'Mozilla/5.0 (Windows) mirall/3.8.1',
  1143. Request::USER_AGENT_CLIENT_DESKTOP,
  1144. '3.8.1',
  1145. ],
  1146. [
  1147. 'Mozilla/5.0 (Android) Nextcloud-Talk v17.10.0',
  1148. Request::USER_AGENT_TALK_ANDROID,
  1149. '17.10.0',
  1150. ],
  1151. [
  1152. 'Mozilla/5.0 (iOS) Nextcloud-Talk v17.0.1',
  1153. Request::USER_AGENT_TALK_IOS,
  1154. '17.0.1',
  1155. ],
  1156. [
  1157. 'Mozilla/5.0 (Windows) Nextcloud-Talk v0.6.0',
  1158. Request::USER_AGENT_TALK_DESKTOP,
  1159. '0.6.0',
  1160. ],
  1161. [
  1162. 'Mozilla/5.0 (Windows) Nextcloud-Outlook v1.0.0',
  1163. Request::USER_AGENT_OUTLOOK_ADDON,
  1164. '1.0.0',
  1165. ],
  1166. [
  1167. 'Mozilla/5.0 (Linux) Nextcloud-Thunderbird v1.0.0',
  1168. Request::USER_AGENT_THUNDERBIRD_ADDON,
  1169. '1.0.0',
  1170. ],
  1171. ];
  1172. }
  1173. /**
  1174. * @dataProvider dataMatchClientVersion
  1175. * @param string $testAgent
  1176. * @param string $userAgent
  1177. * @param string $version
  1178. */
  1179. public function testMatchClientVersion(string $testAgent, string $userAgent, string $version): void {
  1180. preg_match($userAgent, $testAgent, $matches);
  1181. $this->assertSame($version, $matches[1]);
  1182. }
  1183. public function testInsecureServerHostServerNameHeader() {
  1184. $request = new Request(
  1185. [
  1186. 'server' => [
  1187. 'SERVER_NAME' => 'from.server.name:8080',
  1188. ]
  1189. ],
  1190. $this->requestId,
  1191. $this->config,
  1192. $this->csrfTokenManager,
  1193. $this->stream
  1194. );
  1195. $this->assertSame('from.server.name:8080', $request->getInsecureServerHost());
  1196. }
  1197. public function testInsecureServerHostHttpHostHeader() {
  1198. $request = new Request(
  1199. [
  1200. 'server' => [
  1201. 'SERVER_NAME' => 'from.server.name:8080',
  1202. 'HTTP_HOST' => 'from.host.header:8080',
  1203. ]
  1204. ],
  1205. $this->requestId,
  1206. $this->config,
  1207. $this->csrfTokenManager,
  1208. $this->stream
  1209. );
  1210. $this->assertSame('from.host.header:8080', $request->getInsecureServerHost());
  1211. }
  1212. public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
  1213. $this->config
  1214. ->method('getSystemValue')
  1215. ->willReturnCallback(function ($key, $default) {
  1216. if ($key === 'trusted_proxies') {
  1217. return ['1.2.3.4'];
  1218. }
  1219. return $default;
  1220. });
  1221. $request = new Request(
  1222. [
  1223. 'server' => [
  1224. 'SERVER_NAME' => 'from.server.name:8080',
  1225. 'HTTP_HOST' => 'from.host.header:8080',
  1226. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
  1227. 'REMOTE_ADDR' => '1.2.3.4',
  1228. ]
  1229. ],
  1230. $this->requestId,
  1231. $this->config,
  1232. $this->csrfTokenManager,
  1233. $this->stream
  1234. );
  1235. $this->assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  1236. }
  1237. public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
  1238. $this->config
  1239. ->method('getSystemValue')
  1240. ->willReturnCallback(function ($key, $default) {
  1241. if ($key === 'trusted_proxies') {
  1242. return ['1.2.3.4'];
  1243. }
  1244. return $default;
  1245. });
  1246. $request = new Request(
  1247. [
  1248. 'server' => [
  1249. 'SERVER_NAME' => 'from.server.name:8080',
  1250. 'HTTP_HOST' => 'from.host.header:8080',
  1251. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
  1252. 'REMOTE_ADDR' => '1.2.3.4',
  1253. ]
  1254. ],
  1255. $this->requestId,
  1256. $this->config,
  1257. $this->csrfTokenManager,
  1258. $this->stream
  1259. );
  1260. $this->assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  1261. }
  1262. public function testGetServerHostWithOverwriteHost() {
  1263. $this->config
  1264. ->method('getSystemValueString')
  1265. ->willReturnCallback(function ($key, $default) {
  1266. if ($key === 'overwritecondaddr') {
  1267. return '';
  1268. } elseif ($key === 'overwritehost') {
  1269. return 'my.overwritten.host';
  1270. }
  1271. return $default;
  1272. });
  1273. $request = new Request(
  1274. [],
  1275. $this->requestId,
  1276. $this->config,
  1277. $this->csrfTokenManager,
  1278. $this->stream
  1279. );
  1280. $this->assertSame('my.overwritten.host', $request->getServerHost());
  1281. }
  1282. public function testGetServerHostWithTrustedDomain() {
  1283. $this->config
  1284. ->method('getSystemValue')
  1285. ->willReturnCallback(function ($key, $default) {
  1286. if ($key === 'trusted_proxies') {
  1287. return ['1.2.3.4'];
  1288. } elseif ($key === 'trusted_domains') {
  1289. return ['my.trusted.host'];
  1290. }
  1291. return $default;
  1292. });
  1293. $request = new Request(
  1294. [
  1295. 'server' => [
  1296. 'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
  1297. 'REMOTE_ADDR' => '1.2.3.4',
  1298. ],
  1299. ],
  1300. $this->requestId,
  1301. $this->config,
  1302. $this->csrfTokenManager,
  1303. $this->stream
  1304. );
  1305. $this->assertSame('my.trusted.host', $request->getServerHost());
  1306. }
  1307. public function testGetServerHostWithUntrustedDomain() {
  1308. $this->config
  1309. ->method('getSystemValue')
  1310. ->willReturnCallback(function ($key, $default) {
  1311. if ($key === 'trusted_proxies') {
  1312. return ['1.2.3.4'];
  1313. } elseif ($key === 'trusted_domains') {
  1314. return ['my.trusted.host'];
  1315. }
  1316. return $default;
  1317. });
  1318. $request = new Request(
  1319. [
  1320. 'server' => [
  1321. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1322. 'REMOTE_ADDR' => '1.2.3.4',
  1323. ],
  1324. ],
  1325. $this->requestId,
  1326. $this->config,
  1327. $this->csrfTokenManager,
  1328. $this->stream
  1329. );
  1330. $this->assertSame('my.trusted.host', $request->getServerHost());
  1331. }
  1332. public function testGetServerHostWithNoTrustedDomain() {
  1333. $this->config
  1334. ->method('getSystemValue')
  1335. ->willReturnCallback(function ($key, $default) {
  1336. if ($key === 'trusted_proxies') {
  1337. return ['1.2.3.4'];
  1338. }
  1339. return $default;
  1340. });
  1341. $request = new Request(
  1342. [
  1343. 'server' => [
  1344. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1345. 'REMOTE_ADDR' => '1.2.3.4',
  1346. ],
  1347. ],
  1348. $this->requestId,
  1349. $this->config,
  1350. $this->csrfTokenManager,
  1351. $this->stream
  1352. );
  1353. $this->assertSame('', $request->getServerHost());
  1354. }
  1355. /**
  1356. * @return array
  1357. */
  1358. public function dataGetServerHostTrustedDomain() {
  1359. return [
  1360. 'is array' => ['my.trusted.host', ['my.trusted.host']],
  1361. 'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']],
  1362. 'is string' => ['my.trusted.host', 'my.trusted.host'],
  1363. 'is null' => ['', null],
  1364. ];
  1365. }
  1366. /**
  1367. * @dataProvider dataGetServerHostTrustedDomain
  1368. * @param $expected
  1369. * @param $trustedDomain
  1370. */
  1371. public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
  1372. $this->config
  1373. ->method('getSystemValue')
  1374. ->willReturnCallback(function ($key, $default) use ($trustedDomain) {
  1375. if ($key === 'trusted_proxies') {
  1376. return ['1.2.3.4'];
  1377. }
  1378. if ($key === 'trusted_domains') {
  1379. return $trustedDomain;
  1380. }
  1381. return $default;
  1382. });
  1383. $request = new Request(
  1384. [
  1385. 'server' => [
  1386. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1387. 'REMOTE_ADDR' => '1.2.3.4',
  1388. ],
  1389. ],
  1390. $this->requestId,
  1391. $this->config,
  1392. $this->csrfTokenManager,
  1393. $this->stream
  1394. );
  1395. $this->assertSame($expected, $request->getServerHost());
  1396. }
  1397. public function testGetOverwriteHostDefaultNull() {
  1398. $this->config
  1399. ->expects($this->once())
  1400. ->method('getSystemValueString')
  1401. ->with('overwritehost')
  1402. ->willReturn('');
  1403. $request = new Request(
  1404. [],
  1405. $this->requestId,
  1406. $this->config,
  1407. $this->csrfTokenManager,
  1408. $this->stream
  1409. );
  1410. $this->assertNull(self::invokePrivate($request, 'getOverwriteHost'));
  1411. }
  1412. public function testGetOverwriteHostWithOverwrite() {
  1413. $this->config
  1414. ->expects($this->exactly(3))
  1415. ->method('getSystemValueString')
  1416. ->willReturnMap([
  1417. ['overwritehost', '', 'www.owncloud.org'],
  1418. ['overwritecondaddr', '', ''],
  1419. ]);
  1420. $request = new Request(
  1421. [],
  1422. $this->requestId,
  1423. $this->config,
  1424. $this->csrfTokenManager,
  1425. $this->stream
  1426. );
  1427. $this->assertSame('www.owncloud.org', self::invokePrivate($request, 'getOverwriteHost'));
  1428. }
  1429. public function testGetPathInfoNotProcessible() {
  1430. $this->expectException(\Exception::class);
  1431. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1432. $request = new Request(
  1433. [
  1434. 'server' => [
  1435. 'REQUEST_URI' => '/foo.php',
  1436. 'SCRIPT_NAME' => '/var/www/index.php',
  1437. ]
  1438. ],
  1439. $this->requestId,
  1440. $this->config,
  1441. $this->csrfTokenManager,
  1442. $this->stream
  1443. );
  1444. $request->getPathInfo();
  1445. }
  1446. public function testGetRawPathInfoNotProcessible() {
  1447. $this->expectException(\Exception::class);
  1448. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1449. $request = new Request(
  1450. [
  1451. 'server' => [
  1452. 'REQUEST_URI' => '/foo.php',
  1453. 'SCRIPT_NAME' => '/var/www/index.php',
  1454. ]
  1455. ],
  1456. $this->requestId,
  1457. $this->config,
  1458. $this->csrfTokenManager,
  1459. $this->stream
  1460. );
  1461. $request->getRawPathInfo();
  1462. }
  1463. /**
  1464. * @dataProvider genericPathInfoProvider
  1465. * @param string $requestUri
  1466. * @param string $scriptName
  1467. * @param string $expected
  1468. */
  1469. public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1470. $request = new Request(
  1471. [
  1472. 'server' => [
  1473. 'REQUEST_URI' => $requestUri,
  1474. 'SCRIPT_NAME' => $scriptName,
  1475. ]
  1476. ],
  1477. $this->requestId,
  1478. $this->config,
  1479. $this->csrfTokenManager,
  1480. $this->stream
  1481. );
  1482. $this->assertSame($expected, $request->getPathInfo());
  1483. }
  1484. /**
  1485. * @dataProvider genericPathInfoProvider
  1486. * @param string $requestUri
  1487. * @param string $scriptName
  1488. * @param string $expected
  1489. */
  1490. public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1491. $request = new Request(
  1492. [
  1493. 'server' => [
  1494. 'REQUEST_URI' => $requestUri,
  1495. 'SCRIPT_NAME' => $scriptName,
  1496. ]
  1497. ],
  1498. $this->requestId,
  1499. $this->config,
  1500. $this->csrfTokenManager,
  1501. $this->stream
  1502. );
  1503. $this->assertSame($expected, $request->getRawPathInfo());
  1504. }
  1505. /**
  1506. * @dataProvider rawPathInfoProvider
  1507. * @param string $requestUri
  1508. * @param string $scriptName
  1509. * @param string $expected
  1510. */
  1511. public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1512. $request = new Request(
  1513. [
  1514. 'server' => [
  1515. 'REQUEST_URI' => $requestUri,
  1516. 'SCRIPT_NAME' => $scriptName,
  1517. ]
  1518. ],
  1519. $this->requestId,
  1520. $this->config,
  1521. $this->csrfTokenManager,
  1522. $this->stream
  1523. );
  1524. $this->assertSame($expected, $request->getRawPathInfo());
  1525. }
  1526. /**
  1527. * @dataProvider pathInfoProvider
  1528. * @param string $requestUri
  1529. * @param string $scriptName
  1530. * @param string $expected
  1531. */
  1532. public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1533. $request = new Request(
  1534. [
  1535. 'server' => [
  1536. 'REQUEST_URI' => $requestUri,
  1537. 'SCRIPT_NAME' => $scriptName,
  1538. ]
  1539. ],
  1540. $this->requestId,
  1541. $this->config,
  1542. $this->csrfTokenManager,
  1543. $this->stream
  1544. );
  1545. $this->assertSame($expected, $request->getPathInfo());
  1546. }
  1547. /**
  1548. * @return array
  1549. */
  1550. public function genericPathInfoProvider() {
  1551. return [
  1552. ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''],
  1553. ['/index.php/apps/files/', 'index.php', '/apps/files/'],
  1554. ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'],
  1555. ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'],
  1556. ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'],
  1557. ['/', '/', ''],
  1558. ['', '', ''],
  1559. ];
  1560. }
  1561. /**
  1562. * @return array
  1563. */
  1564. public function rawPathInfoProvider() {
  1565. return [
  1566. ['/foo%2Fbar/subfolder', '', 'foo%2Fbar/subfolder'],
  1567. ];
  1568. }
  1569. /**
  1570. * @return array
  1571. */
  1572. public function pathInfoProvider() {
  1573. return [
  1574. ['/foo%2Fbar/subfolder', '', 'foo/bar/subfolder'],
  1575. ];
  1576. }
  1577. public function testGetRequestUriWithoutOverwrite() {
  1578. $this->config
  1579. ->expects($this->once())
  1580. ->method('getSystemValueString')
  1581. ->with('overwritewebroot')
  1582. ->willReturn('');
  1583. $request = new Request(
  1584. [
  1585. 'server' => [
  1586. 'REQUEST_URI' => '/test.php'
  1587. ]
  1588. ],
  1589. $this->requestId,
  1590. $this->config,
  1591. $this->csrfTokenManager,
  1592. $this->stream
  1593. );
  1594. $this->assertSame('/test.php', $request->getRequestUri());
  1595. }
  1596. public function providesGetRequestUriWithOverwriteData() {
  1597. return [
  1598. ['/scriptname.php/some/PathInfo', '/owncloud/', ''],
  1599. ['/scriptname.php/some/PathInfo', '/owncloud/', '123'],
  1600. ];
  1601. }
  1602. /**
  1603. * @dataProvider providesGetRequestUriWithOverwriteData
  1604. */
  1605. public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr) {
  1606. $this->config
  1607. ->expects($this->exactly(2))
  1608. ->method('getSystemValueString')
  1609. ->willReturnMap([
  1610. ['overwritewebroot', '', $overwriteWebRoot],
  1611. ['overwritecondaddr', '', $overwriteCondAddr],
  1612. ]);
  1613. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1614. ->setMethods(['getScriptName'])
  1615. ->setConstructorArgs([
  1616. [
  1617. 'server' => [
  1618. 'REQUEST_URI' => '/test.php/some/PathInfo',
  1619. 'SCRIPT_NAME' => '/test.php',
  1620. ]
  1621. ],
  1622. $this->requestId,
  1623. $this->config,
  1624. $this->csrfTokenManager,
  1625. $this->stream
  1626. ])
  1627. ->getMock();
  1628. $request
  1629. ->expects($this->once())
  1630. ->method('getScriptName')
  1631. ->willReturn('/scriptname.php');
  1632. $this->assertSame($expectedUri, $request->getRequestUri());
  1633. }
  1634. public function testPassesCSRFCheckWithGet() {
  1635. /** @var Request $request */
  1636. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1637. ->setMethods(['getScriptName'])
  1638. ->setConstructorArgs([
  1639. [
  1640. 'get' => [
  1641. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1642. ],
  1643. 'cookies' => [
  1644. 'nc_sameSiteCookiestrict' => 'true',
  1645. 'nc_sameSiteCookielax' => 'true',
  1646. ],
  1647. ],
  1648. $this->requestId,
  1649. $this->config,
  1650. $this->csrfTokenManager,
  1651. $this->stream
  1652. ])
  1653. ->getMock();
  1654. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1655. $this->csrfTokenManager
  1656. ->expects($this->once())
  1657. ->method('isTokenValid')
  1658. ->with($token)
  1659. ->willReturn(true);
  1660. $this->assertTrue($request->passesCSRFCheck());
  1661. }
  1662. public function testPassesCSRFCheckWithPost() {
  1663. /** @var Request $request */
  1664. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1665. ->setMethods(['getScriptName'])
  1666. ->setConstructorArgs([
  1667. [
  1668. 'post' => [
  1669. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1670. ],
  1671. 'cookies' => [
  1672. 'nc_sameSiteCookiestrict' => 'true',
  1673. 'nc_sameSiteCookielax' => 'true',
  1674. ],
  1675. ],
  1676. $this->requestId,
  1677. $this->config,
  1678. $this->csrfTokenManager,
  1679. $this->stream
  1680. ])
  1681. ->getMock();
  1682. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1683. $this->csrfTokenManager
  1684. ->expects($this->once())
  1685. ->method('isTokenValid')
  1686. ->with($token)
  1687. ->willReturn(true);
  1688. $this->assertTrue($request->passesCSRFCheck());
  1689. }
  1690. public function testPassesCSRFCheckWithHeader() {
  1691. /** @var Request $request */
  1692. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1693. ->setMethods(['getScriptName'])
  1694. ->setConstructorArgs([
  1695. [
  1696. 'server' => [
  1697. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1698. ],
  1699. 'cookies' => [
  1700. 'nc_sameSiteCookiestrict' => 'true',
  1701. 'nc_sameSiteCookielax' => 'true',
  1702. ],
  1703. ],
  1704. $this->requestId,
  1705. $this->config,
  1706. $this->csrfTokenManager,
  1707. $this->stream
  1708. ])
  1709. ->getMock();
  1710. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1711. $this->csrfTokenManager
  1712. ->expects($this->once())
  1713. ->method('isTokenValid')
  1714. ->with($token)
  1715. ->willReturn(true);
  1716. $this->assertTrue($request->passesCSRFCheck());
  1717. }
  1718. public function testPassesCSRFCheckWithGetAndWithoutCookies() {
  1719. /** @var Request $request */
  1720. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1721. ->setMethods(['getScriptName'])
  1722. ->setConstructorArgs([
  1723. [
  1724. 'get' => [
  1725. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1726. ],
  1727. ],
  1728. $this->requestId,
  1729. $this->config,
  1730. $this->csrfTokenManager,
  1731. $this->stream
  1732. ])
  1733. ->getMock();
  1734. $this->csrfTokenManager
  1735. ->expects($this->once())
  1736. ->method('isTokenValid')
  1737. ->willReturn(true);
  1738. $this->assertTrue($request->passesCSRFCheck());
  1739. }
  1740. public function testPassesCSRFCheckWithPostAndWithoutCookies() {
  1741. /** @var Request $request */
  1742. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1743. ->setMethods(['getScriptName'])
  1744. ->setConstructorArgs([
  1745. [
  1746. 'post' => [
  1747. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1748. ],
  1749. ],
  1750. $this->requestId,
  1751. $this->config,
  1752. $this->csrfTokenManager,
  1753. $this->stream
  1754. ])
  1755. ->getMock();
  1756. $this->csrfTokenManager
  1757. ->expects($this->once())
  1758. ->method('isTokenValid')
  1759. ->willReturn(true);
  1760. $this->assertTrue($request->passesCSRFCheck());
  1761. }
  1762. public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
  1763. /** @var Request $request */
  1764. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1765. ->setMethods(['getScriptName'])
  1766. ->setConstructorArgs([
  1767. [
  1768. 'server' => [
  1769. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1770. ],
  1771. ],
  1772. $this->requestId,
  1773. $this->config,
  1774. $this->csrfTokenManager,
  1775. $this->stream
  1776. ])
  1777. ->getMock();
  1778. $this->csrfTokenManager
  1779. ->expects($this->once())
  1780. ->method('isTokenValid')
  1781. ->willReturn(true);
  1782. $this->assertTrue($request->passesCSRFCheck());
  1783. }
  1784. public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
  1785. /** @var Request $request */
  1786. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1787. ->setMethods(['getScriptName'])
  1788. ->setConstructorArgs([
  1789. [
  1790. 'server' => [
  1791. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1792. ],
  1793. 'cookies' => [
  1794. session_name() => 'asdf',
  1795. 'nc_sameSiteCookiestrict' => 'true',
  1796. ],
  1797. ],
  1798. $this->requestId,
  1799. $this->config,
  1800. $this->csrfTokenManager,
  1801. $this->stream
  1802. ])
  1803. ->getMock();
  1804. $this->csrfTokenManager
  1805. ->expects($this->never())
  1806. ->method('isTokenValid');
  1807. $this->assertFalse($request->passesCSRFCheck());
  1808. }
  1809. public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
  1810. /** @var Request $request */
  1811. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1812. ->setMethods(['getScriptName', 'getCookieParams'])
  1813. ->setConstructorArgs([
  1814. [
  1815. 'server' => [
  1816. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1817. ],
  1818. 'cookies' => [
  1819. session_name() => 'asdf',
  1820. '__Host-nc_sameSiteCookiestrict' => 'true',
  1821. '__Host-nc_sameSiteCookielax' => 'true',
  1822. ],
  1823. ],
  1824. $this->requestId,
  1825. $this->config,
  1826. $this->csrfTokenManager,
  1827. $this->stream
  1828. ])
  1829. ->getMock();
  1830. $request
  1831. ->expects($this->any())
  1832. ->method('getCookieParams')
  1833. ->willReturn([
  1834. 'secure' => true,
  1835. 'path' => '/',
  1836. ]);
  1837. $this->assertTrue($request->passesStrictCookieCheck());
  1838. }
  1839. public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
  1840. /** @var Request $request */
  1841. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1842. ->setMethods(['getScriptName', 'getCookieParams'])
  1843. ->setConstructorArgs([
  1844. [
  1845. 'server' => [
  1846. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1847. ],
  1848. 'cookies' => [
  1849. session_name() => 'asdf',
  1850. 'nc_sameSiteCookiestrict' => 'true',
  1851. 'nc_sameSiteCookielax' => 'true',
  1852. ],
  1853. ],
  1854. $this->requestId,
  1855. $this->config,
  1856. $this->csrfTokenManager,
  1857. $this->stream
  1858. ])
  1859. ->getMock();
  1860. $request
  1861. ->expects($this->any())
  1862. ->method('getCookieParams')
  1863. ->willReturn([
  1864. 'secure' => true,
  1865. 'path' => '/',
  1866. ]);
  1867. $this->assertFalse($request->passesStrictCookieCheck());
  1868. }
  1869. public function testGetCookieParams() {
  1870. /** @var Request $request */
  1871. $request = $this->getMockBuilder(Request::class)
  1872. ->setMethods(['getScriptName'])
  1873. ->setConstructorArgs([
  1874. [],
  1875. $this->requestId,
  1876. $this->config,
  1877. $this->csrfTokenManager,
  1878. $this->stream
  1879. ])
  1880. ->getMock();
  1881. $actual = $request->getCookieParams();
  1882. $this->assertSame(session_get_cookie_params(), $actual);
  1883. }
  1884. public function testPassesStrictCookieCheckWithAllCookies() {
  1885. /** @var Request $request */
  1886. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1887. ->setMethods(['getScriptName'])
  1888. ->setConstructorArgs([
  1889. [
  1890. 'server' => [
  1891. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1892. ],
  1893. 'cookies' => [
  1894. session_name() => 'asdf',
  1895. 'nc_sameSiteCookiestrict' => 'true',
  1896. 'nc_sameSiteCookielax' => 'true',
  1897. ],
  1898. ],
  1899. $this->requestId,
  1900. $this->config,
  1901. $this->csrfTokenManager,
  1902. $this->stream
  1903. ])
  1904. ->getMock();
  1905. $this->assertTrue($request->passesStrictCookieCheck());
  1906. }
  1907. public function testPassesStrictCookieCheckWithRandomCookies() {
  1908. /** @var Request $request */
  1909. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1910. ->setMethods(['getScriptName'])
  1911. ->setConstructorArgs([
  1912. [
  1913. 'server' => [
  1914. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1915. ],
  1916. 'cookies' => [
  1917. 'RandomCookie' => 'asdf',
  1918. ],
  1919. ],
  1920. $this->requestId,
  1921. $this->config,
  1922. $this->csrfTokenManager,
  1923. $this->stream
  1924. ])
  1925. ->getMock();
  1926. $this->assertTrue($request->passesStrictCookieCheck());
  1927. }
  1928. public function testFailsStrictCookieCheckWithSessionCookie() {
  1929. /** @var Request $request */
  1930. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1931. ->setMethods(['getScriptName'])
  1932. ->setConstructorArgs([
  1933. [
  1934. 'server' => [
  1935. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1936. ],
  1937. 'cookies' => [
  1938. session_name() => 'asdf',
  1939. ],
  1940. ],
  1941. $this->requestId,
  1942. $this->config,
  1943. $this->csrfTokenManager,
  1944. $this->stream
  1945. ])
  1946. ->getMock();
  1947. $this->assertFalse($request->passesStrictCookieCheck());
  1948. }
  1949. public function testFailsStrictCookieCheckWithRememberMeCookie() {
  1950. /** @var Request $request */
  1951. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1952. ->setMethods(['getScriptName'])
  1953. ->setConstructorArgs([
  1954. [
  1955. 'server' => [
  1956. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1957. ],
  1958. 'cookies' => [
  1959. 'nc_token' => 'asdf',
  1960. ],
  1961. ],
  1962. $this->requestId,
  1963. $this->config,
  1964. $this->csrfTokenManager,
  1965. $this->stream
  1966. ])
  1967. ->getMock();
  1968. $this->assertFalse($request->passesStrictCookieCheck());
  1969. }
  1970. public function testFailsCSRFCheckWithPostAndWithCookies() {
  1971. /** @var Request $request */
  1972. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1973. ->setMethods(['getScriptName'])
  1974. ->setConstructorArgs([
  1975. [
  1976. 'post' => [
  1977. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1978. ],
  1979. 'cookies' => [
  1980. session_name() => 'asdf',
  1981. 'foo' => 'bar',
  1982. ],
  1983. ],
  1984. $this->requestId,
  1985. $this->config,
  1986. $this->csrfTokenManager,
  1987. $this->stream
  1988. ])
  1989. ->getMock();
  1990. $this->csrfTokenManager
  1991. ->expects($this->never())
  1992. ->method('isTokenValid');
  1993. $this->assertFalse($request->passesCSRFCheck());
  1994. }
  1995. public function testFailStrictCookieCheckWithOnlyLaxCookie() {
  1996. /** @var Request $request */
  1997. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1998. ->setMethods(['getScriptName'])
  1999. ->setConstructorArgs([
  2000. [
  2001. 'server' => [
  2002. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2003. ],
  2004. 'cookies' => [
  2005. session_name() => 'asdf',
  2006. 'nc_sameSiteCookielax' => 'true',
  2007. ],
  2008. ],
  2009. $this->requestId,
  2010. $this->config,
  2011. $this->csrfTokenManager,
  2012. $this->stream
  2013. ])
  2014. ->getMock();
  2015. $this->assertFalse($request->passesStrictCookieCheck());
  2016. }
  2017. public function testFailStrictCookieCheckWithOnlyStrictCookie() {
  2018. /** @var Request $request */
  2019. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2020. ->setMethods(['getScriptName'])
  2021. ->setConstructorArgs([
  2022. [
  2023. 'server' => [
  2024. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2025. ],
  2026. 'cookies' => [
  2027. session_name() => 'asdf',
  2028. 'nc_sameSiteCookiestrict' => 'true',
  2029. ],
  2030. ],
  2031. $this->requestId,
  2032. $this->config,
  2033. $this->csrfTokenManager,
  2034. $this->stream
  2035. ])
  2036. ->getMock();
  2037. $this->assertFalse($request->passesStrictCookieCheck());
  2038. }
  2039. public function testPassesLaxCookieCheck() {
  2040. /** @var Request $request */
  2041. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2042. ->setMethods(['getScriptName'])
  2043. ->setConstructorArgs([
  2044. [
  2045. 'server' => [
  2046. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2047. ],
  2048. 'cookies' => [
  2049. session_name() => 'asdf',
  2050. 'nc_sameSiteCookielax' => 'true',
  2051. ],
  2052. ],
  2053. $this->requestId,
  2054. $this->config,
  2055. $this->csrfTokenManager,
  2056. $this->stream
  2057. ])
  2058. ->getMock();
  2059. $this->assertTrue($request->passesLaxCookieCheck());
  2060. }
  2061. public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
  2062. /** @var Request $request */
  2063. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2064. ->setMethods(['getScriptName'])
  2065. ->setConstructorArgs([
  2066. [
  2067. 'server' => [
  2068. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2069. ],
  2070. 'cookies' => [
  2071. session_name() => 'asdf',
  2072. 'nc_sameSiteCookiestrict' => 'true',
  2073. ],
  2074. ],
  2075. $this->requestId,
  2076. $this->config,
  2077. $this->csrfTokenManager,
  2078. $this->stream
  2079. ])
  2080. ->getMock();
  2081. $this->assertFalse($request->passesLaxCookieCheck());
  2082. }
  2083. public function testSkipCookieCheckForOCSRequests() {
  2084. /** @var Request $request */
  2085. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2086. ->setMethods(['getScriptName'])
  2087. ->setConstructorArgs([
  2088. [
  2089. 'server' => [
  2090. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2091. 'HTTP_OCS_APIREQUEST' => 'true',
  2092. ],
  2093. 'cookies' => [
  2094. session_name() => 'asdf',
  2095. 'nc_sameSiteCookiestrict' => 'false',
  2096. ],
  2097. ],
  2098. $this->requestId,
  2099. $this->config,
  2100. $this->csrfTokenManager,
  2101. $this->stream
  2102. ])
  2103. ->getMock();
  2104. $this->assertTrue($request->passesStrictCookieCheck());
  2105. }
  2106. /**
  2107. * @return array
  2108. */
  2109. public function invalidTokenDataProvider() {
  2110. return [
  2111. ['InvalidSentToken'],
  2112. ['InvalidSentToken:InvalidSecret'],
  2113. [''],
  2114. ];
  2115. }
  2116. /**
  2117. * @dataProvider invalidTokenDataProvider
  2118. * @param string $invalidToken
  2119. */
  2120. public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
  2121. /** @var Request $request */
  2122. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2123. ->setMethods(['getScriptName'])
  2124. ->setConstructorArgs([
  2125. [
  2126. 'server' => [
  2127. 'HTTP_REQUESTTOKEN' => $invalidToken,
  2128. ],
  2129. ],
  2130. $this->requestId,
  2131. $this->config,
  2132. $this->csrfTokenManager,
  2133. $this->stream
  2134. ])
  2135. ->getMock();
  2136. $token = new CsrfToken($invalidToken);
  2137. $this->csrfTokenManager
  2138. ->expects($this->any())
  2139. ->method('isTokenValid')
  2140. ->with($token)
  2141. ->willReturn(false);
  2142. $this->assertFalse($request->passesCSRFCheck());
  2143. }
  2144. public function testPassesCSRFCheckWithoutTokenFail() {
  2145. /** @var Request $request */
  2146. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2147. ->setMethods(['getScriptName'])
  2148. ->setConstructorArgs([
  2149. [],
  2150. $this->requestId,
  2151. $this->config,
  2152. $this->csrfTokenManager,
  2153. $this->stream
  2154. ])
  2155. ->getMock();
  2156. $this->assertFalse($request->passesCSRFCheck());
  2157. }
  2158. }