1
0

RequestTest.php 52 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264
  1. <?php
  2. /**
  3. * @copyright 2013 Thomas Tanghus (thomas@tanghus.net)
  4. * @copyright 2016 Lukas Reschke lukas@owncloud.com
  5. * @copyright 2022 Stanimir Bozhilov (stanimir@audriga.com)
  6. *
  7. * This file is licensed under the Affero General Public License version 3 or
  8. * later.
  9. * See the COPYING-README file.
  10. */
  11. namespace Test\AppFramework\Http;
  12. use OC\AppFramework\Http\Request;
  13. use OC\Security\CSRF\CsrfToken;
  14. use OC\Security\CSRF\CsrfTokenManager;
  15. use OCP\IConfig;
  16. use OCP\IRequestId;
  17. /**
  18. * Class RequestTest
  19. *
  20. * @package OC\AppFramework\Http
  21. */
  22. class RequestTest extends \Test\TestCase {
  23. /** @var string */
  24. protected $stream = 'fakeinput://data';
  25. /** @var IRequestId */
  26. protected $requestId;
  27. /** @var IConfig */
  28. protected $config;
  29. /** @var CsrfTokenManager */
  30. protected $csrfTokenManager;
  31. protected function setUp(): void {
  32. parent::setUp();
  33. if (in_array('fakeinput', stream_get_wrappers())) {
  34. stream_wrapper_unregister('fakeinput');
  35. }
  36. stream_wrapper_register('fakeinput', 'Test\AppFramework\Http\RequestStream');
  37. $this->requestId = $this->createMock(IRequestId::class);
  38. $this->config = $this->createMock(IConfig::class);
  39. $this->csrfTokenManager = $this->getMockBuilder(CsrfTokenManager::class)
  40. ->disableOriginalConstructor()
  41. ->getMock();
  42. }
  43. protected function tearDown(): void {
  44. stream_wrapper_unregister('fakeinput');
  45. parent::tearDown();
  46. }
  47. public function testRequestAccessors() {
  48. $vars = [
  49. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  50. 'method' => 'GET',
  51. ];
  52. $request = new Request(
  53. $vars,
  54. $this->requestId,
  55. $this->config,
  56. $this->csrfTokenManager,
  57. $this->stream
  58. );
  59. // Countable
  60. $this->assertSame(2, count($request));
  61. // Array access
  62. $this->assertSame('Joey', $request['nickname']);
  63. // "Magic" accessors
  64. $this->assertSame('Joey', $request->{'nickname'});
  65. $this->assertTrue(isset($request['nickname']));
  66. $this->assertTrue(isset($request->{'nickname'}));
  67. $this->assertFalse(isset($request->{'flickname'}));
  68. // Only testing 'get', but same approach for post, files etc.
  69. $this->assertSame('Joey', $request->get['nickname']);
  70. // Always returns null if variable not set.
  71. $this->assertSame(null, $request->{'flickname'});
  72. }
  73. // urlParams has precedence over POST which has precedence over GET
  74. public function testPrecedence() {
  75. $vars = [
  76. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  77. 'post' => ['name' => 'Jane Doe', 'nickname' => 'Janey'],
  78. 'urlParams' => ['user' => 'jw', 'name' => 'Johnny Weissmüller'],
  79. 'method' => 'GET'
  80. ];
  81. $request = new Request(
  82. $vars,
  83. $this->requestId,
  84. $this->config,
  85. $this->csrfTokenManager,
  86. $this->stream
  87. );
  88. $this->assertSame(3, count($request));
  89. $this->assertSame('Janey', $request->{'nickname'});
  90. $this->assertSame('Johnny Weissmüller', $request->{'name'});
  91. }
  92. public function testImmutableArrayAccess() {
  93. $this->expectException(\RuntimeException::class);
  94. $vars = [
  95. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  96. 'method' => 'GET'
  97. ];
  98. $request = new Request(
  99. $vars,
  100. $this->requestId,
  101. $this->config,
  102. $this->csrfTokenManager,
  103. $this->stream
  104. );
  105. $request['nickname'] = 'Janey';
  106. }
  107. public function testImmutableMagicAccess() {
  108. $this->expectException(\RuntimeException::class);
  109. $vars = [
  110. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  111. 'method' => 'GET'
  112. ];
  113. $request = new Request(
  114. $vars,
  115. $this->requestId,
  116. $this->config,
  117. $this->csrfTokenManager,
  118. $this->stream
  119. );
  120. $request->{'nickname'} = 'Janey';
  121. }
  122. public function testGetTheMethodRight() {
  123. $this->expectException(\LogicException::class);
  124. $vars = [
  125. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  126. 'method' => 'GET',
  127. ];
  128. $request = new Request(
  129. $vars,
  130. $this->requestId,
  131. $this->config,
  132. $this->csrfTokenManager,
  133. $this->stream
  134. );
  135. $request->post;
  136. }
  137. public function testTheMethodIsRight() {
  138. $vars = [
  139. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  140. 'method' => 'GET',
  141. ];
  142. $request = new Request(
  143. $vars,
  144. $this->requestId,
  145. $this->config,
  146. $this->csrfTokenManager,
  147. $this->stream
  148. );
  149. $this->assertSame('GET', $request->method);
  150. $result = $request->get;
  151. $this->assertSame('John Q. Public', $result['name']);
  152. $this->assertSame('Joey', $result['nickname']);
  153. }
  154. public function testJsonPost() {
  155. global $data;
  156. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  157. $vars = [
  158. 'method' => 'POST',
  159. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  160. ];
  161. $request = new Request(
  162. $vars,
  163. $this->requestId,
  164. $this->config,
  165. $this->csrfTokenManager,
  166. $this->stream
  167. );
  168. $this->assertSame('POST', $request->method);
  169. $result = $request->post;
  170. $this->assertSame('John Q. Public', $result['name']);
  171. $this->assertSame('Joey', $result['nickname']);
  172. $this->assertSame('Joey', $request->params['nickname']);
  173. $this->assertSame('Joey', $request['nickname']);
  174. }
  175. public function testScimJsonPost() {
  176. global $data;
  177. $data = '{"userName":"testusername", "displayName":"Example User"}';
  178. $vars = [
  179. 'method' => 'POST',
  180. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  181. ];
  182. $request = new Request(
  183. $vars,
  184. $this->requestId,
  185. $this->config,
  186. $this->csrfTokenManager,
  187. $this->stream
  188. );
  189. $this->assertSame('POST', $request->method);
  190. $result = $request->post;
  191. $this->assertSame('testusername', $result['userName']);
  192. $this->assertSame('Example User', $result['displayName']);
  193. $this->assertSame('Example User', $request->params['displayName']);
  194. $this->assertSame('Example User', $request['displayName']);
  195. }
  196. public function testCustomJsonPost() {
  197. global $data;
  198. $data = '{"propertyA":"sometestvalue", "propertyB":"someothertestvalue"}';
  199. // Note: the content type used here is fictional and intended to check if the regex for JSON content types works fine
  200. $vars = [
  201. 'method' => 'POST',
  202. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  203. ];
  204. $request = new Request(
  205. $vars,
  206. $this->requestId,
  207. $this->config,
  208. $this->csrfTokenManager,
  209. $this->stream
  210. );
  211. $this->assertSame('POST', $request->method);
  212. $result = $request->post;
  213. $this->assertSame('sometestvalue', $result['propertyA']);
  214. $this->assertSame('someothertestvalue', $result['propertyB']);
  215. }
  216. public function notJsonDataProvider() {
  217. return [
  218. ['this is not valid json'],
  219. ['"just a string"'],
  220. ['{"just a string"}'],
  221. ];
  222. }
  223. /**
  224. * @dataProvider notJsonDataProvider
  225. */
  226. public function testNotJsonPost($testData) {
  227. global $data;
  228. $data = $testData;
  229. $vars = [
  230. 'method' => 'POST',
  231. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  232. ];
  233. $request = new Request(
  234. $vars,
  235. $this->requestId,
  236. $this->config,
  237. $this->csrfTokenManager,
  238. $this->stream
  239. );
  240. $this->assertEquals('POST', $request->method);
  241. $result = $request->post;
  242. // ensure there's no error attempting to decode the content
  243. }
  244. public function testNotScimJsonPost() {
  245. global $data;
  246. $data = 'this is not valid scim json';
  247. $vars = [
  248. 'method' => 'POST',
  249. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  250. ];
  251. $request = new Request(
  252. $vars,
  253. $this->requestId,
  254. $this->config,
  255. $this->csrfTokenManager,
  256. $this->stream
  257. );
  258. $this->assertEquals('POST', $request->method);
  259. $result = $request->post;
  260. // ensure there's no error attempting to decode the content
  261. }
  262. public function testNotCustomJsonPost() {
  263. global $data;
  264. $data = 'this is not valid json';
  265. $vars = [
  266. 'method' => 'POST',
  267. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  268. ];
  269. $request = new Request(
  270. $vars,
  271. $this->requestId,
  272. $this->config,
  273. $this->csrfTokenManager,
  274. $this->stream
  275. );
  276. $this->assertEquals('POST', $request->method);
  277. $result = $request->post;
  278. // ensure there's no error attempting to decode the content
  279. }
  280. public function testPatch() {
  281. global $data;
  282. $data = http_build_query(['name' => 'John Q. Public', 'nickname' => 'Joey'], '', '&');
  283. $vars = [
  284. 'method' => 'PATCH',
  285. 'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
  286. ];
  287. $request = new Request(
  288. $vars,
  289. $this->requestId,
  290. $this->config,
  291. $this->csrfTokenManager,
  292. $this->stream
  293. );
  294. $this->assertSame('PATCH', $request->method);
  295. $result = $request->patch;
  296. $this->assertSame('John Q. Public', $result['name']);
  297. $this->assertSame('Joey', $result['nickname']);
  298. }
  299. public function testJsonPatchAndPut() {
  300. global $data;
  301. // PUT content
  302. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  303. $vars = [
  304. 'method' => 'PUT',
  305. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  306. ];
  307. $request = new Request(
  308. $vars,
  309. $this->requestId,
  310. $this->config,
  311. $this->csrfTokenManager,
  312. $this->stream
  313. );
  314. $this->assertSame('PUT', $request->method);
  315. $result = $request->put;
  316. $this->assertSame('John Q. Public', $result['name']);
  317. $this->assertSame('Joey', $result['nickname']);
  318. // PATCH content
  319. $data = '{"name": "John Q. Public", "nickname": null}';
  320. $vars = [
  321. 'method' => 'PATCH',
  322. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  323. ];
  324. $request = new Request(
  325. $vars,
  326. $this->requestId,
  327. $this->config,
  328. $this->csrfTokenManager,
  329. $this->stream
  330. );
  331. $this->assertSame('PATCH', $request->method);
  332. $result = $request->patch;
  333. $this->assertSame('John Q. Public', $result['name']);
  334. $this->assertSame(null, $result['nickname']);
  335. }
  336. public function testScimJsonPatchAndPut() {
  337. global $data;
  338. // PUT content
  339. $data = '{"userName": "sometestusername", "displayName": "Example User"}';
  340. $vars = [
  341. 'method' => 'PUT',
  342. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  343. ];
  344. $request = new Request(
  345. $vars,
  346. $this->requestId,
  347. $this->config,
  348. $this->csrfTokenManager,
  349. $this->stream
  350. );
  351. $this->assertSame('PUT', $request->method);
  352. $result = $request->put;
  353. $this->assertSame('sometestusername', $result['userName']);
  354. $this->assertSame('Example User', $result['displayName']);
  355. // PATCH content
  356. $data = '{"userName": "sometestusername", "displayName": null}';
  357. $vars = [
  358. 'method' => 'PATCH',
  359. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  360. ];
  361. $request = new Request(
  362. $vars,
  363. $this->requestId,
  364. $this->config,
  365. $this->csrfTokenManager,
  366. $this->stream
  367. );
  368. $this->assertSame('PATCH', $request->method);
  369. $result = $request->patch;
  370. $this->assertSame('sometestusername', $result['userName']);
  371. $this->assertSame(null, $result['displayName']);
  372. }
  373. public function testCustomJsonPatchAndPut() {
  374. global $data;
  375. // PUT content
  376. $data = '{"propertyA": "sometestvalue", "propertyB": "someothertestvalue"}';
  377. $vars = [
  378. 'method' => 'PUT',
  379. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  380. ];
  381. $request = new Request(
  382. $vars,
  383. $this->requestId,
  384. $this->config,
  385. $this->csrfTokenManager,
  386. $this->stream
  387. );
  388. $this->assertSame('PUT', $request->method);
  389. $result = $request->put;
  390. $this->assertSame('sometestvalue', $result['propertyA']);
  391. $this->assertSame('someothertestvalue', $result['propertyB']);
  392. // PATCH content
  393. $data = '{"propertyA": "sometestvalue", "propertyB": null}';
  394. $vars = [
  395. 'method' => 'PATCH',
  396. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  397. ];
  398. $request = new Request(
  399. $vars,
  400. $this->requestId,
  401. $this->config,
  402. $this->csrfTokenManager,
  403. $this->stream
  404. );
  405. $this->assertSame('PATCH', $request->method);
  406. $result = $request->patch;
  407. $this->assertSame('sometestvalue', $result['propertyA']);
  408. $this->assertSame(null, $result['propertyB']);
  409. }
  410. public function testPutStream() {
  411. global $data;
  412. $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');
  413. $vars = [
  414. 'put' => $data,
  415. 'method' => 'PUT',
  416. 'server' => [
  417. 'CONTENT_TYPE' => 'image/png',
  418. 'CONTENT_LENGTH' => (string)strlen($data)
  419. ],
  420. ];
  421. $request = new Request(
  422. $vars,
  423. $this->requestId,
  424. $this->config,
  425. $this->csrfTokenManager,
  426. $this->stream
  427. );
  428. $this->assertSame('PUT', $request->method);
  429. $resource = $request->put;
  430. $contents = stream_get_contents($resource);
  431. $this->assertSame($data, $contents);
  432. try {
  433. $resource = $request->put;
  434. } catch (\LogicException $e) {
  435. return;
  436. }
  437. $this->fail('Expected LogicException.');
  438. }
  439. public function testSetUrlParameters() {
  440. $vars = [
  441. 'post' => [],
  442. 'method' => 'POST',
  443. 'urlParams' => ['id' => '2'],
  444. ];
  445. $request = new Request(
  446. $vars,
  447. $this->requestId,
  448. $this->config,
  449. $this->csrfTokenManager,
  450. $this->stream
  451. );
  452. $newParams = ['id' => '3', 'test' => 'test2'];
  453. $request->setUrlParameters($newParams);
  454. $this->assertSame('test2', $request->getParam('test'));
  455. $this->assertEquals('3', $request->getParam('id'));
  456. $this->assertEquals('3', $request->getParams()['id']);
  457. }
  458. public function dataGetRemoteAddress(): array {
  459. return [
  460. 'IPv4 without trusted remote' => [
  461. [
  462. 'REMOTE_ADDR' => '10.0.0.2',
  463. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  464. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  465. ],
  466. [],
  467. [],
  468. '10.0.0.2',
  469. ],
  470. 'IPv4 without trusted headers' => [
  471. [
  472. 'REMOTE_ADDR' => '10.0.0.2',
  473. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  474. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  475. ],
  476. ['10.0.0.2'],
  477. [],
  478. '10.0.0.2',
  479. ],
  480. 'IPv4 with single trusted remote' => [
  481. [
  482. 'REMOTE_ADDR' => '10.0.0.2',
  483. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  484. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  485. ],
  486. ['10.0.0.2'],
  487. ['HTTP_X_FORWARDED'],
  488. '10.4.0.4',
  489. ],
  490. 'IPv6 with single trusted remote' => [
  491. [
  492. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  493. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  494. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  495. ],
  496. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  497. ['HTTP_X_FORWARDED'],
  498. '10.4.0.4',
  499. ],
  500. 'IPv4 with multiple trusted remotes' => [
  501. [
  502. 'REMOTE_ADDR' => '10.0.0.2',
  503. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4, ::1',
  504. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  505. ],
  506. ['10.0.0.2', '::1'],
  507. ['HTTP_X_FORWARDED'],
  508. '10.4.0.4',
  509. ],
  510. 'IPv4 order of forwarded-for headers' => [
  511. [
  512. 'REMOTE_ADDR' => '10.0.0.2',
  513. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  514. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  515. ],
  516. ['10.0.0.2'],
  517. [
  518. 'HTTP_X_FORWARDED',
  519. 'HTTP_X_FORWARDED_FOR',
  520. 'HTTP_CLIENT_IP',
  521. ],
  522. '192.168.0.233',
  523. ],
  524. 'IPv4 order of forwarded-for headers (reversed)' => [
  525. [
  526. 'REMOTE_ADDR' => '10.0.0.2',
  527. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  528. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  529. ],
  530. ['10.0.0.2'],
  531. [
  532. 'HTTP_CLIENT_IP',
  533. 'HTTP_X_FORWARDED_FOR',
  534. 'HTTP_X_FORWARDED',
  535. ],
  536. '10.4.0.4',
  537. ],
  538. 'IPv6 order of forwarded-for headers' => [
  539. [
  540. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  541. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  542. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  543. ],
  544. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  545. [
  546. 'HTTP_X_FORWARDED',
  547. 'HTTP_X_FORWARDED_FOR',
  548. 'HTTP_CLIENT_IP',
  549. ],
  550. '192.168.0.233',
  551. ],
  552. 'IPv4 matching CIDR of trusted proxy' => [
  553. [
  554. 'REMOTE_ADDR' => '192.168.3.99',
  555. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  556. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  557. ],
  558. ['192.168.2.0/24'],
  559. ['HTTP_X_FORWARDED_FOR'],
  560. '192.168.3.99',
  561. ],
  562. 'IPv6 matching CIDR of trusted proxy' => [
  563. [
  564. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a21:370:7348',
  565. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  566. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  567. ],
  568. ['2001:db8:85a3:8d3:1319:8a20::/95'],
  569. ['HTTP_X_FORWARDED_FOR'],
  570. '192.168.0.233',
  571. ],
  572. 'IPv6 not matching CIDR of trusted proxy' => [
  573. [
  574. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  575. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  576. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  577. ],
  578. ['fd::/8'],
  579. [],
  580. '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  581. ],
  582. 'IPv6 with invalid trusted proxy' => [
  583. [
  584. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  585. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  586. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
  587. ],
  588. ['fx::/8'],
  589. [],
  590. '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  591. ],
  592. 'IPv4 forwarded for IPv6' => [
  593. [
  594. 'REMOTE_ADDR' => '192.168.2.99',
  595. 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
  596. ],
  597. ['192.168.2.0/24'],
  598. ['HTTP_X_FORWARDED_FOR'],
  599. '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  600. ],
  601. 'IPv4 with port' => [
  602. [
  603. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  604. 'HTTP_X_FORWARDED_FOR' => '192.168.2.99:8080',
  605. ],
  606. ['2001:db8::/8'],
  607. ['HTTP_X_FORWARDED_FOR'],
  608. '192.168.2.99',
  609. ],
  610. 'IPv6 with port' => [
  611. [
  612. 'REMOTE_ADDR' => '192.168.2.99',
  613. 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]:8080',
  614. ],
  615. ['192.168.2.0/24'],
  616. ['HTTP_X_FORWARDED_FOR'],
  617. '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  618. ],
  619. ];
  620. }
  621. /**
  622. * @dataProvider dataGetRemoteAddress
  623. */
  624. public function testGetRemoteAddress(array $headers, array $trustedProxies, array $forwardedForHeaders, string $expected): void {
  625. $this->config
  626. ->method('getSystemValue')
  627. ->withConsecutive(
  628. ['trusted_proxies'],
  629. ['forwarded_for_headers'],
  630. )
  631. ->willReturnOnConsecutiveCalls(
  632. $trustedProxies,
  633. $forwardedForHeaders,
  634. );
  635. $request = new Request(
  636. [
  637. 'server' => $headers,
  638. ],
  639. $this->requestId,
  640. $this->config,
  641. $this->csrfTokenManager,
  642. $this->stream
  643. );
  644. $this->assertSame($expected, $request->getRemoteAddress());
  645. }
  646. /**
  647. * @return array
  648. */
  649. public function httpProtocolProvider() {
  650. return [
  651. // Valid HTTP 1.0
  652. ['HTTP/1.0', 'HTTP/1.0'],
  653. ['http/1.0', 'HTTP/1.0'],
  654. ['HTTp/1.0', 'HTTP/1.0'],
  655. // Valid HTTP 1.1
  656. ['HTTP/1.1', 'HTTP/1.1'],
  657. ['http/1.1', 'HTTP/1.1'],
  658. ['HTTp/1.1', 'HTTP/1.1'],
  659. // Valid HTTP 2.0
  660. ['HTTP/2', 'HTTP/2'],
  661. ['http/2', 'HTTP/2'],
  662. ['HTTp/2', 'HTTP/2'],
  663. // Invalid
  664. ['HTTp/394', 'HTTP/1.1'],
  665. ['InvalidProvider/1.1', 'HTTP/1.1'],
  666. [null, 'HTTP/1.1'],
  667. ['', 'HTTP/1.1'],
  668. ];
  669. }
  670. /**
  671. * @dataProvider httpProtocolProvider
  672. *
  673. * @param mixed $input
  674. * @param string $expected
  675. */
  676. public function testGetHttpProtocol($input, $expected) {
  677. $request = new Request(
  678. [
  679. 'server' => [
  680. 'SERVER_PROTOCOL' => $input,
  681. ],
  682. ],
  683. $this->requestId,
  684. $this->config,
  685. $this->csrfTokenManager,
  686. $this->stream
  687. );
  688. $this->assertSame($expected, $request->getHttpProtocol());
  689. }
  690. public function testGetServerProtocolWithOverride() {
  691. $this->config
  692. ->expects($this->exactly(3))
  693. ->method('getSystemValueString')
  694. ->willReturnMap([
  695. ['overwriteprotocol', '', 'customProtocol'],
  696. ['overwritecondaddr', '', ''],
  697. ]);
  698. $request = new Request(
  699. [],
  700. $this->requestId,
  701. $this->config,
  702. $this->csrfTokenManager,
  703. $this->stream
  704. );
  705. $this->assertSame('customProtocol', $request->getServerProtocol());
  706. }
  707. public function testGetServerProtocolWithProtoValid() {
  708. $this->config
  709. ->method('getSystemValue')
  710. ->willReturnCallback(function ($key, $default) {
  711. if ($key === 'trusted_proxies') {
  712. return ['1.2.3.4'];
  713. }
  714. return $default;
  715. });
  716. $requestHttps = new Request(
  717. [
  718. 'server' => [
  719. 'HTTP_X_FORWARDED_PROTO' => 'HtTpS',
  720. 'REMOTE_ADDR' => '1.2.3.4',
  721. ],
  722. ],
  723. $this->requestId,
  724. $this->config,
  725. $this->csrfTokenManager,
  726. $this->stream
  727. );
  728. $requestHttp = new Request(
  729. [
  730. 'server' => [
  731. 'HTTP_X_FORWARDED_PROTO' => 'HTTp',
  732. 'REMOTE_ADDR' => '1.2.3.4',
  733. ],
  734. ],
  735. $this->requestId,
  736. $this->config,
  737. $this->csrfTokenManager,
  738. $this->stream
  739. );
  740. $this->assertSame('https', $requestHttps->getServerProtocol());
  741. $this->assertSame('http', $requestHttp->getServerProtocol());
  742. }
  743. public function testGetServerProtocolWithHttpsServerValueOn() {
  744. $this->config
  745. ->method('getSystemValue')
  746. ->willReturnCallback(function ($key, $default) {
  747. return $default;
  748. });
  749. $request = new Request(
  750. [
  751. 'server' => [
  752. 'HTTPS' => 'on'
  753. ],
  754. ],
  755. $this->requestId,
  756. $this->config,
  757. $this->csrfTokenManager,
  758. $this->stream
  759. );
  760. $this->assertSame('https', $request->getServerProtocol());
  761. }
  762. public function testGetServerProtocolWithHttpsServerValueOff() {
  763. $this->config
  764. ->method('getSystemValue')
  765. ->willReturnCallback(function ($key, $default) {
  766. return $default;
  767. });
  768. $request = new Request(
  769. [
  770. 'server' => [
  771. 'HTTPS' => 'off'
  772. ],
  773. ],
  774. $this->requestId,
  775. $this->config,
  776. $this->csrfTokenManager,
  777. $this->stream
  778. );
  779. $this->assertSame('http', $request->getServerProtocol());
  780. }
  781. public function testGetServerProtocolWithHttpsServerValueEmpty() {
  782. $this->config
  783. ->method('getSystemValue')
  784. ->willReturnCallback(function ($key, $default) {
  785. return $default;
  786. });
  787. $request = new Request(
  788. [
  789. 'server' => [
  790. 'HTTPS' => ''
  791. ],
  792. ],
  793. $this->requestId,
  794. $this->config,
  795. $this->csrfTokenManager,
  796. $this->stream
  797. );
  798. $this->assertSame('http', $request->getServerProtocol());
  799. }
  800. public function testGetServerProtocolDefault() {
  801. $this->config
  802. ->method('getSystemValue')
  803. ->willReturnCallback(function ($key, $default) {
  804. return $default;
  805. });
  806. $request = new Request(
  807. [],
  808. $this->requestId,
  809. $this->config,
  810. $this->csrfTokenManager,
  811. $this->stream
  812. );
  813. $this->assertSame('http', $request->getServerProtocol());
  814. }
  815. public function testGetServerProtocolBehindLoadBalancers() {
  816. $this->config
  817. ->method('getSystemValue')
  818. ->willReturnCallback(function ($key, $default) {
  819. if ($key === 'trusted_proxies') {
  820. return ['1.2.3.4'];
  821. }
  822. return $default;
  823. });
  824. $request = new Request(
  825. [
  826. 'server' => [
  827. 'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
  828. 'REMOTE_ADDR' => '1.2.3.4',
  829. ],
  830. ],
  831. $this->requestId,
  832. $this->config,
  833. $this->csrfTokenManager,
  834. $this->stream
  835. );
  836. $this->assertSame('https', $request->getServerProtocol());
  837. }
  838. /**
  839. * @dataProvider userAgentProvider
  840. * @param string $testAgent
  841. * @param array $userAgent
  842. * @param bool $matches
  843. */
  844. public function testUserAgent($testAgent, $userAgent, $matches) {
  845. $request = new Request(
  846. [
  847. 'server' => [
  848. 'HTTP_USER_AGENT' => $testAgent,
  849. ]
  850. ],
  851. $this->requestId,
  852. $this->config,
  853. $this->csrfTokenManager,
  854. $this->stream
  855. );
  856. $this->assertSame($matches, $request->isUserAgent($userAgent));
  857. }
  858. /**
  859. * @dataProvider userAgentProvider
  860. * @param string $testAgent
  861. * @param array $userAgent
  862. * @param bool $matches
  863. */
  864. public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
  865. $request = new Request(
  866. [],
  867. $this->requestId,
  868. $this->config,
  869. $this->csrfTokenManager,
  870. $this->stream
  871. );
  872. $this->assertFalse($request->isUserAgent($userAgent));
  873. }
  874. /**
  875. * @return array
  876. */
  877. public function userAgentProvider() {
  878. return [
  879. [
  880. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  881. [
  882. Request::USER_AGENT_IE
  883. ],
  884. true,
  885. ],
  886. [
  887. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  888. [
  889. Request::USER_AGENT_IE
  890. ],
  891. false,
  892. ],
  893. [
  894. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
  895. [
  896. Request::USER_AGENT_CHROME
  897. ],
  898. true,
  899. ],
  900. [
  901. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
  902. [
  903. Request::USER_AGENT_CHROME
  904. ],
  905. true,
  906. ],
  907. [
  908. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  909. [
  910. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  911. ],
  912. true,
  913. ],
  914. [
  915. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  916. [
  917. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  918. ],
  919. false,
  920. ],
  921. [
  922. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  923. [
  924. Request::USER_AGENT_IE,
  925. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  926. ],
  927. true,
  928. ],
  929. [
  930. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  931. [
  932. Request::USER_AGENT_IE,
  933. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  934. ],
  935. true,
  936. ],
  937. [
  938. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  939. [
  940. Request::USER_AGENT_FREEBOX
  941. ],
  942. false,
  943. ],
  944. [
  945. 'Mozilla/5.0',
  946. [
  947. Request::USER_AGENT_FREEBOX
  948. ],
  949. true,
  950. ],
  951. [
  952. 'Fake Mozilla/5.0',
  953. [
  954. Request::USER_AGENT_FREEBOX
  955. ],
  956. false,
  957. ],
  958. [
  959. 'Mozilla/5.0 (Android) ownCloud-android/2.0.0',
  960. [
  961. Request::USER_AGENT_CLIENT_ANDROID
  962. ],
  963. true,
  964. ],
  965. [
  966. 'Mozilla/5.0 (Android) Nextcloud-android/2.0.0',
  967. [
  968. Request::USER_AGENT_CLIENT_ANDROID
  969. ],
  970. true,
  971. ],
  972. [
  973. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41',
  974. [
  975. Request::USER_AGENT_CHROME
  976. ],
  977. true
  978. ],
  979. [
  980. 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75',
  981. [
  982. Request::USER_AGENT_CHROME
  983. ],
  984. true
  985. ],
  986. [
  987. 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67',
  988. [
  989. Request::USER_AGENT_CHROME
  990. ],
  991. true
  992. ]
  993. ];
  994. }
  995. public function dataMatchClientVersion(): array {
  996. return [
  997. [
  998. 'Mozilla/5.0 (Android) Nextcloud-android/3.24.1',
  999. Request::USER_AGENT_CLIENT_ANDROID,
  1000. '3.24.1',
  1001. ],
  1002. [
  1003. 'Mozilla/5.0 (iOS) Nextcloud-iOS/4.8.2',
  1004. Request::USER_AGENT_CLIENT_IOS,
  1005. '4.8.2',
  1006. ],
  1007. [
  1008. 'Mozilla/5.0 (Windows) mirall/3.8.1',
  1009. Request::USER_AGENT_CLIENT_DESKTOP,
  1010. '3.8.1',
  1011. ],
  1012. [
  1013. 'Mozilla/5.0 (Android) Nextcloud-Talk v17.10.0',
  1014. Request::USER_AGENT_TALK_ANDROID,
  1015. '17.10.0',
  1016. ],
  1017. [
  1018. 'Mozilla/5.0 (iOS) Nextcloud-Talk v17.0.1',
  1019. Request::USER_AGENT_TALK_IOS,
  1020. '17.0.1',
  1021. ],
  1022. [
  1023. 'Mozilla/5.0 (Windows) Nextcloud-Talk v0.6.0',
  1024. Request::USER_AGENT_TALK_DESKTOP,
  1025. '0.6.0',
  1026. ],
  1027. [
  1028. 'Mozilla/5.0 (Windows) Nextcloud-Outlook v1.0.0',
  1029. Request::USER_AGENT_OUTLOOK_ADDON,
  1030. '1.0.0',
  1031. ],
  1032. [
  1033. 'Mozilla/5.0 (Linux) Nextcloud-Thunderbird v1.0.0',
  1034. Request::USER_AGENT_THUNDERBIRD_ADDON,
  1035. '1.0.0',
  1036. ],
  1037. ];
  1038. }
  1039. /**
  1040. * @dataProvider dataMatchClientVersion
  1041. * @param string $testAgent
  1042. * @param string $userAgent
  1043. * @param string $version
  1044. */
  1045. public function testMatchClientVersion(string $testAgent, string $userAgent, string $version): void {
  1046. preg_match($userAgent, $testAgent, $matches);
  1047. $this->assertSame($version, $matches[1]);
  1048. }
  1049. public function testInsecureServerHostServerNameHeader() {
  1050. $request = new Request(
  1051. [
  1052. 'server' => [
  1053. 'SERVER_NAME' => 'from.server.name:8080',
  1054. ]
  1055. ],
  1056. $this->requestId,
  1057. $this->config,
  1058. $this->csrfTokenManager,
  1059. $this->stream
  1060. );
  1061. $this->assertSame('from.server.name:8080', $request->getInsecureServerHost());
  1062. }
  1063. public function testInsecureServerHostHttpHostHeader() {
  1064. $request = new Request(
  1065. [
  1066. 'server' => [
  1067. 'SERVER_NAME' => 'from.server.name:8080',
  1068. 'HTTP_HOST' => 'from.host.header:8080',
  1069. ]
  1070. ],
  1071. $this->requestId,
  1072. $this->config,
  1073. $this->csrfTokenManager,
  1074. $this->stream
  1075. );
  1076. $this->assertSame('from.host.header:8080', $request->getInsecureServerHost());
  1077. }
  1078. public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
  1079. $this->config
  1080. ->method('getSystemValue')
  1081. ->willReturnCallback(function ($key, $default) {
  1082. if ($key === 'trusted_proxies') {
  1083. return ['1.2.3.4'];
  1084. }
  1085. return $default;
  1086. });
  1087. $request = new Request(
  1088. [
  1089. 'server' => [
  1090. 'SERVER_NAME' => 'from.server.name:8080',
  1091. 'HTTP_HOST' => 'from.host.header:8080',
  1092. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
  1093. 'REMOTE_ADDR' => '1.2.3.4',
  1094. ]
  1095. ],
  1096. $this->requestId,
  1097. $this->config,
  1098. $this->csrfTokenManager,
  1099. $this->stream
  1100. );
  1101. $this->assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  1102. }
  1103. public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
  1104. $this->config
  1105. ->method('getSystemValue')
  1106. ->willReturnCallback(function ($key, $default) {
  1107. if ($key === 'trusted_proxies') {
  1108. return ['1.2.3.4'];
  1109. }
  1110. return $default;
  1111. });
  1112. $request = new Request(
  1113. [
  1114. 'server' => [
  1115. 'SERVER_NAME' => 'from.server.name:8080',
  1116. 'HTTP_HOST' => 'from.host.header:8080',
  1117. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
  1118. 'REMOTE_ADDR' => '1.2.3.4',
  1119. ]
  1120. ],
  1121. $this->requestId,
  1122. $this->config,
  1123. $this->csrfTokenManager,
  1124. $this->stream
  1125. );
  1126. $this->assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  1127. }
  1128. public function testGetServerHostWithOverwriteHost() {
  1129. $this->config
  1130. ->method('getSystemValueString')
  1131. ->willReturnCallback(function ($key, $default) {
  1132. if ($key === 'overwritecondaddr') {
  1133. return '';
  1134. } elseif ($key === 'overwritehost') {
  1135. return 'my.overwritten.host';
  1136. }
  1137. return $default;
  1138. });
  1139. $request = new Request(
  1140. [],
  1141. $this->requestId,
  1142. $this->config,
  1143. $this->csrfTokenManager,
  1144. $this->stream
  1145. );
  1146. $this->assertSame('my.overwritten.host', $request->getServerHost());
  1147. }
  1148. public function testGetServerHostWithTrustedDomain() {
  1149. $this->config
  1150. ->method('getSystemValue')
  1151. ->willReturnCallback(function ($key, $default) {
  1152. if ($key === 'trusted_proxies') {
  1153. return ['1.2.3.4'];
  1154. } elseif ($key === 'trusted_domains') {
  1155. return ['my.trusted.host'];
  1156. }
  1157. return $default;
  1158. });
  1159. $request = new Request(
  1160. [
  1161. 'server' => [
  1162. 'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
  1163. 'REMOTE_ADDR' => '1.2.3.4',
  1164. ],
  1165. ],
  1166. $this->requestId,
  1167. $this->config,
  1168. $this->csrfTokenManager,
  1169. $this->stream
  1170. );
  1171. $this->assertSame('my.trusted.host', $request->getServerHost());
  1172. }
  1173. public function testGetServerHostWithUntrustedDomain() {
  1174. $this->config
  1175. ->method('getSystemValue')
  1176. ->willReturnCallback(function ($key, $default) {
  1177. if ($key === 'trusted_proxies') {
  1178. return ['1.2.3.4'];
  1179. } elseif ($key === 'trusted_domains') {
  1180. return ['my.trusted.host'];
  1181. }
  1182. return $default;
  1183. });
  1184. $request = new Request(
  1185. [
  1186. 'server' => [
  1187. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1188. 'REMOTE_ADDR' => '1.2.3.4',
  1189. ],
  1190. ],
  1191. $this->requestId,
  1192. $this->config,
  1193. $this->csrfTokenManager,
  1194. $this->stream
  1195. );
  1196. $this->assertSame('my.trusted.host', $request->getServerHost());
  1197. }
  1198. public function testGetServerHostWithNoTrustedDomain() {
  1199. $this->config
  1200. ->method('getSystemValue')
  1201. ->willReturnCallback(function ($key, $default) {
  1202. if ($key === 'trusted_proxies') {
  1203. return ['1.2.3.4'];
  1204. }
  1205. return $default;
  1206. });
  1207. $request = new Request(
  1208. [
  1209. 'server' => [
  1210. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1211. 'REMOTE_ADDR' => '1.2.3.4',
  1212. ],
  1213. ],
  1214. $this->requestId,
  1215. $this->config,
  1216. $this->csrfTokenManager,
  1217. $this->stream
  1218. );
  1219. $this->assertSame('', $request->getServerHost());
  1220. }
  1221. /**
  1222. * @return array
  1223. */
  1224. public function dataGetServerHostTrustedDomain() {
  1225. return [
  1226. 'is array' => ['my.trusted.host', ['my.trusted.host']],
  1227. 'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']],
  1228. 'is string' => ['my.trusted.host', 'my.trusted.host'],
  1229. 'is null' => ['', null],
  1230. ];
  1231. }
  1232. /**
  1233. * @dataProvider dataGetServerHostTrustedDomain
  1234. * @param $expected
  1235. * @param $trustedDomain
  1236. */
  1237. public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
  1238. $this->config
  1239. ->method('getSystemValue')
  1240. ->willReturnCallback(function ($key, $default) use ($trustedDomain) {
  1241. if ($key === 'trusted_proxies') {
  1242. return ['1.2.3.4'];
  1243. }
  1244. if ($key === 'trusted_domains') {
  1245. return $trustedDomain;
  1246. }
  1247. return $default;
  1248. });
  1249. $request = new Request(
  1250. [
  1251. 'server' => [
  1252. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1253. 'REMOTE_ADDR' => '1.2.3.4',
  1254. ],
  1255. ],
  1256. $this->requestId,
  1257. $this->config,
  1258. $this->csrfTokenManager,
  1259. $this->stream
  1260. );
  1261. $this->assertSame($expected, $request->getServerHost());
  1262. }
  1263. public function testGetOverwriteHostDefaultNull() {
  1264. $this->config
  1265. ->expects($this->once())
  1266. ->method('getSystemValueString')
  1267. ->with('overwritehost')
  1268. ->willReturn('');
  1269. $request = new Request(
  1270. [],
  1271. $this->requestId,
  1272. $this->config,
  1273. $this->csrfTokenManager,
  1274. $this->stream
  1275. );
  1276. $this->assertNull(self::invokePrivate($request, 'getOverwriteHost'));
  1277. }
  1278. public function testGetOverwriteHostWithOverwrite() {
  1279. $this->config
  1280. ->expects($this->exactly(3))
  1281. ->method('getSystemValueString')
  1282. ->willReturnMap([
  1283. ['overwritehost', '', 'www.owncloud.org'],
  1284. ['overwritecondaddr', '', ''],
  1285. ]);
  1286. $request = new Request(
  1287. [],
  1288. $this->requestId,
  1289. $this->config,
  1290. $this->csrfTokenManager,
  1291. $this->stream
  1292. );
  1293. $this->assertSame('www.owncloud.org', self::invokePrivate($request, 'getOverwriteHost'));
  1294. }
  1295. public function testGetPathInfoNotProcessible() {
  1296. $this->expectException(\Exception::class);
  1297. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1298. $request = new Request(
  1299. [
  1300. 'server' => [
  1301. 'REQUEST_URI' => '/foo.php',
  1302. 'SCRIPT_NAME' => '/var/www/index.php',
  1303. ]
  1304. ],
  1305. $this->requestId,
  1306. $this->config,
  1307. $this->csrfTokenManager,
  1308. $this->stream
  1309. );
  1310. $request->getPathInfo();
  1311. }
  1312. public function testGetRawPathInfoNotProcessible() {
  1313. $this->expectException(\Exception::class);
  1314. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1315. $request = new Request(
  1316. [
  1317. 'server' => [
  1318. 'REQUEST_URI' => '/foo.php',
  1319. 'SCRIPT_NAME' => '/var/www/index.php',
  1320. ]
  1321. ],
  1322. $this->requestId,
  1323. $this->config,
  1324. $this->csrfTokenManager,
  1325. $this->stream
  1326. );
  1327. $request->getRawPathInfo();
  1328. }
  1329. /**
  1330. * @dataProvider genericPathInfoProvider
  1331. * @param string $requestUri
  1332. * @param string $scriptName
  1333. * @param string $expected
  1334. */
  1335. public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1336. $request = new Request(
  1337. [
  1338. 'server' => [
  1339. 'REQUEST_URI' => $requestUri,
  1340. 'SCRIPT_NAME' => $scriptName,
  1341. ]
  1342. ],
  1343. $this->requestId,
  1344. $this->config,
  1345. $this->csrfTokenManager,
  1346. $this->stream
  1347. );
  1348. $this->assertSame($expected, $request->getPathInfo());
  1349. }
  1350. /**
  1351. * @dataProvider genericPathInfoProvider
  1352. * @param string $requestUri
  1353. * @param string $scriptName
  1354. * @param string $expected
  1355. */
  1356. public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1357. $request = new Request(
  1358. [
  1359. 'server' => [
  1360. 'REQUEST_URI' => $requestUri,
  1361. 'SCRIPT_NAME' => $scriptName,
  1362. ]
  1363. ],
  1364. $this->requestId,
  1365. $this->config,
  1366. $this->csrfTokenManager,
  1367. $this->stream
  1368. );
  1369. $this->assertSame($expected, $request->getRawPathInfo());
  1370. }
  1371. /**
  1372. * @dataProvider rawPathInfoProvider
  1373. * @param string $requestUri
  1374. * @param string $scriptName
  1375. * @param string $expected
  1376. */
  1377. public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1378. $request = new Request(
  1379. [
  1380. 'server' => [
  1381. 'REQUEST_URI' => $requestUri,
  1382. 'SCRIPT_NAME' => $scriptName,
  1383. ]
  1384. ],
  1385. $this->requestId,
  1386. $this->config,
  1387. $this->csrfTokenManager,
  1388. $this->stream
  1389. );
  1390. $this->assertSame($expected, $request->getRawPathInfo());
  1391. }
  1392. /**
  1393. * @dataProvider pathInfoProvider
  1394. * @param string $requestUri
  1395. * @param string $scriptName
  1396. * @param string $expected
  1397. */
  1398. public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1399. $request = new Request(
  1400. [
  1401. 'server' => [
  1402. 'REQUEST_URI' => $requestUri,
  1403. 'SCRIPT_NAME' => $scriptName,
  1404. ]
  1405. ],
  1406. $this->requestId,
  1407. $this->config,
  1408. $this->csrfTokenManager,
  1409. $this->stream
  1410. );
  1411. $this->assertSame($expected, $request->getPathInfo());
  1412. }
  1413. /**
  1414. * @return array
  1415. */
  1416. public function genericPathInfoProvider() {
  1417. return [
  1418. ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''],
  1419. ['/index.php/apps/files/', 'index.php', '/apps/files/'],
  1420. ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'],
  1421. ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'],
  1422. ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'],
  1423. ['/', '/', ''],
  1424. ['', '', ''],
  1425. ];
  1426. }
  1427. /**
  1428. * @return array
  1429. */
  1430. public function rawPathInfoProvider() {
  1431. return [
  1432. ['/foo%2Fbar/subfolder', '', 'foo%2Fbar/subfolder'],
  1433. ];
  1434. }
  1435. /**
  1436. * @return array
  1437. */
  1438. public function pathInfoProvider() {
  1439. return [
  1440. ['/foo%2Fbar/subfolder', '', 'foo/bar/subfolder'],
  1441. ];
  1442. }
  1443. public function testGetRequestUriWithoutOverwrite() {
  1444. $this->config
  1445. ->expects($this->once())
  1446. ->method('getSystemValueString')
  1447. ->with('overwritewebroot')
  1448. ->willReturn('');
  1449. $request = new Request(
  1450. [
  1451. 'server' => [
  1452. 'REQUEST_URI' => '/test.php'
  1453. ]
  1454. ],
  1455. $this->requestId,
  1456. $this->config,
  1457. $this->csrfTokenManager,
  1458. $this->stream
  1459. );
  1460. $this->assertSame('/test.php', $request->getRequestUri());
  1461. }
  1462. public function providesGetRequestUriWithOverwriteData() {
  1463. return [
  1464. ['/scriptname.php/some/PathInfo', '/owncloud/', ''],
  1465. ['/scriptname.php/some/PathInfo', '/owncloud/', '123', '123.123.123.123'],
  1466. ];
  1467. }
  1468. /**
  1469. * @dataProvider providesGetRequestUriWithOverwriteData
  1470. */
  1471. public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr, $remoteAddr = '') {
  1472. $this->config
  1473. ->expects($this->exactly(2))
  1474. ->method('getSystemValueString')
  1475. ->willReturnMap([
  1476. ['overwritewebroot', '', $overwriteWebRoot],
  1477. ['overwritecondaddr', '', $overwriteCondAddr],
  1478. ]);
  1479. $request = $this->getMockBuilder(Request::class)
  1480. ->setMethods(['getScriptName'])
  1481. ->setConstructorArgs([
  1482. [
  1483. 'server' => [
  1484. 'REQUEST_URI' => '/test.php/some/PathInfo',
  1485. 'SCRIPT_NAME' => '/test.php',
  1486. 'REMOTE_ADDR' => $remoteAddr
  1487. ]
  1488. ],
  1489. $this->requestId,
  1490. $this->config,
  1491. $this->csrfTokenManager,
  1492. $this->stream
  1493. ])
  1494. ->getMock();
  1495. $request
  1496. ->expects($this->once())
  1497. ->method('getScriptName')
  1498. ->willReturn('/scriptname.php');
  1499. $this->assertSame($expectedUri, $request->getRequestUri());
  1500. }
  1501. public function testPassesCSRFCheckWithGet() {
  1502. /** @var Request $request */
  1503. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1504. ->setMethods(['getScriptName'])
  1505. ->setConstructorArgs([
  1506. [
  1507. 'get' => [
  1508. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1509. ],
  1510. 'cookies' => [
  1511. 'nc_sameSiteCookiestrict' => 'true',
  1512. 'nc_sameSiteCookielax' => 'true',
  1513. ],
  1514. ],
  1515. $this->requestId,
  1516. $this->config,
  1517. $this->csrfTokenManager,
  1518. $this->stream
  1519. ])
  1520. ->getMock();
  1521. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1522. $this->csrfTokenManager
  1523. ->expects($this->once())
  1524. ->method('isTokenValid')
  1525. ->with($token)
  1526. ->willReturn(true);
  1527. $this->assertTrue($request->passesCSRFCheck());
  1528. }
  1529. public function testPassesCSRFCheckWithPost() {
  1530. /** @var Request $request */
  1531. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1532. ->setMethods(['getScriptName'])
  1533. ->setConstructorArgs([
  1534. [
  1535. 'post' => [
  1536. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1537. ],
  1538. 'cookies' => [
  1539. 'nc_sameSiteCookiestrict' => 'true',
  1540. 'nc_sameSiteCookielax' => 'true',
  1541. ],
  1542. ],
  1543. $this->requestId,
  1544. $this->config,
  1545. $this->csrfTokenManager,
  1546. $this->stream
  1547. ])
  1548. ->getMock();
  1549. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1550. $this->csrfTokenManager
  1551. ->expects($this->once())
  1552. ->method('isTokenValid')
  1553. ->with($token)
  1554. ->willReturn(true);
  1555. $this->assertTrue($request->passesCSRFCheck());
  1556. }
  1557. public function testPassesCSRFCheckWithHeader() {
  1558. /** @var Request $request */
  1559. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1560. ->setMethods(['getScriptName'])
  1561. ->setConstructorArgs([
  1562. [
  1563. 'server' => [
  1564. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1565. ],
  1566. 'cookies' => [
  1567. 'nc_sameSiteCookiestrict' => 'true',
  1568. 'nc_sameSiteCookielax' => 'true',
  1569. ],
  1570. ],
  1571. $this->requestId,
  1572. $this->config,
  1573. $this->csrfTokenManager,
  1574. $this->stream
  1575. ])
  1576. ->getMock();
  1577. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1578. $this->csrfTokenManager
  1579. ->expects($this->once())
  1580. ->method('isTokenValid')
  1581. ->with($token)
  1582. ->willReturn(true);
  1583. $this->assertTrue($request->passesCSRFCheck());
  1584. }
  1585. public function testPassesCSRFCheckWithGetAndWithoutCookies() {
  1586. /** @var Request $request */
  1587. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1588. ->setMethods(['getScriptName'])
  1589. ->setConstructorArgs([
  1590. [
  1591. 'get' => [
  1592. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1593. ],
  1594. ],
  1595. $this->requestId,
  1596. $this->config,
  1597. $this->csrfTokenManager,
  1598. $this->stream
  1599. ])
  1600. ->getMock();
  1601. $this->csrfTokenManager
  1602. ->expects($this->once())
  1603. ->method('isTokenValid')
  1604. ->willReturn(true);
  1605. $this->assertTrue($request->passesCSRFCheck());
  1606. }
  1607. public function testPassesCSRFCheckWithPostAndWithoutCookies() {
  1608. /** @var Request $request */
  1609. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1610. ->setMethods(['getScriptName'])
  1611. ->setConstructorArgs([
  1612. [
  1613. 'post' => [
  1614. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1615. ],
  1616. ],
  1617. $this->requestId,
  1618. $this->config,
  1619. $this->csrfTokenManager,
  1620. $this->stream
  1621. ])
  1622. ->getMock();
  1623. $this->csrfTokenManager
  1624. ->expects($this->once())
  1625. ->method('isTokenValid')
  1626. ->willReturn(true);
  1627. $this->assertTrue($request->passesCSRFCheck());
  1628. }
  1629. public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
  1630. /** @var Request $request */
  1631. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1632. ->setMethods(['getScriptName'])
  1633. ->setConstructorArgs([
  1634. [
  1635. 'server' => [
  1636. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1637. ],
  1638. ],
  1639. $this->requestId,
  1640. $this->config,
  1641. $this->csrfTokenManager,
  1642. $this->stream
  1643. ])
  1644. ->getMock();
  1645. $this->csrfTokenManager
  1646. ->expects($this->once())
  1647. ->method('isTokenValid')
  1648. ->willReturn(true);
  1649. $this->assertTrue($request->passesCSRFCheck());
  1650. }
  1651. public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
  1652. /** @var Request $request */
  1653. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1654. ->setMethods(['getScriptName'])
  1655. ->setConstructorArgs([
  1656. [
  1657. 'server' => [
  1658. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1659. ],
  1660. 'cookies' => [
  1661. session_name() => 'asdf',
  1662. 'nc_sameSiteCookiestrict' => 'true',
  1663. ],
  1664. ],
  1665. $this->requestId,
  1666. $this->config,
  1667. $this->csrfTokenManager,
  1668. $this->stream
  1669. ])
  1670. ->getMock();
  1671. $this->csrfTokenManager
  1672. ->expects($this->never())
  1673. ->method('isTokenValid');
  1674. $this->assertFalse($request->passesCSRFCheck());
  1675. }
  1676. public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
  1677. /** @var Request $request */
  1678. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1679. ->setMethods(['getScriptName', 'getCookieParams'])
  1680. ->setConstructorArgs([
  1681. [
  1682. 'server' => [
  1683. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1684. ],
  1685. 'cookies' => [
  1686. session_name() => 'asdf',
  1687. '__Host-nc_sameSiteCookiestrict' => 'true',
  1688. '__Host-nc_sameSiteCookielax' => 'true',
  1689. ],
  1690. ],
  1691. $this->requestId,
  1692. $this->config,
  1693. $this->csrfTokenManager,
  1694. $this->stream
  1695. ])
  1696. ->getMock();
  1697. $request
  1698. ->expects($this->any())
  1699. ->method('getCookieParams')
  1700. ->willReturn([
  1701. 'secure' => true,
  1702. 'path' => '/',
  1703. ]);
  1704. $this->assertTrue($request->passesStrictCookieCheck());
  1705. }
  1706. public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
  1707. /** @var Request $request */
  1708. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1709. ->setMethods(['getScriptName', 'getCookieParams'])
  1710. ->setConstructorArgs([
  1711. [
  1712. 'server' => [
  1713. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1714. ],
  1715. 'cookies' => [
  1716. session_name() => 'asdf',
  1717. 'nc_sameSiteCookiestrict' => 'true',
  1718. 'nc_sameSiteCookielax' => 'true',
  1719. ],
  1720. ],
  1721. $this->requestId,
  1722. $this->config,
  1723. $this->csrfTokenManager,
  1724. $this->stream
  1725. ])
  1726. ->getMock();
  1727. $request
  1728. ->expects($this->any())
  1729. ->method('getCookieParams')
  1730. ->willReturn([
  1731. 'secure' => true,
  1732. 'path' => '/',
  1733. ]);
  1734. $this->assertFalse($request->passesStrictCookieCheck());
  1735. }
  1736. public function testGetCookieParams() {
  1737. /** @var Request $request */
  1738. $request = $this->getMockBuilder(Request::class)
  1739. ->setMethods(['getScriptName'])
  1740. ->setConstructorArgs([
  1741. [],
  1742. $this->requestId,
  1743. $this->config,
  1744. $this->csrfTokenManager,
  1745. $this->stream
  1746. ])
  1747. ->getMock();
  1748. $actual = $request->getCookieParams();
  1749. $this->assertSame(session_get_cookie_params(), $actual);
  1750. }
  1751. public function testPassesStrictCookieCheckWithAllCookies() {
  1752. /** @var Request $request */
  1753. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1754. ->setMethods(['getScriptName'])
  1755. ->setConstructorArgs([
  1756. [
  1757. 'server' => [
  1758. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1759. ],
  1760. 'cookies' => [
  1761. session_name() => 'asdf',
  1762. 'nc_sameSiteCookiestrict' => 'true',
  1763. 'nc_sameSiteCookielax' => 'true',
  1764. ],
  1765. ],
  1766. $this->requestId,
  1767. $this->config,
  1768. $this->csrfTokenManager,
  1769. $this->stream
  1770. ])
  1771. ->getMock();
  1772. $this->assertTrue($request->passesStrictCookieCheck());
  1773. }
  1774. public function testPassesStrictCookieCheckWithRandomCookies() {
  1775. /** @var Request $request */
  1776. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1777. ->setMethods(['getScriptName'])
  1778. ->setConstructorArgs([
  1779. [
  1780. 'server' => [
  1781. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1782. ],
  1783. 'cookies' => [
  1784. 'RandomCookie' => 'asdf',
  1785. ],
  1786. ],
  1787. $this->requestId,
  1788. $this->config,
  1789. $this->csrfTokenManager,
  1790. $this->stream
  1791. ])
  1792. ->getMock();
  1793. $this->assertTrue($request->passesStrictCookieCheck());
  1794. }
  1795. public function testFailsStrictCookieCheckWithSessionCookie() {
  1796. /** @var Request $request */
  1797. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1798. ->setMethods(['getScriptName'])
  1799. ->setConstructorArgs([
  1800. [
  1801. 'server' => [
  1802. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1803. ],
  1804. 'cookies' => [
  1805. session_name() => 'asdf',
  1806. ],
  1807. ],
  1808. $this->requestId,
  1809. $this->config,
  1810. $this->csrfTokenManager,
  1811. $this->stream
  1812. ])
  1813. ->getMock();
  1814. $this->assertFalse($request->passesStrictCookieCheck());
  1815. }
  1816. public function testFailsStrictCookieCheckWithRememberMeCookie() {
  1817. /** @var Request $request */
  1818. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1819. ->setMethods(['getScriptName'])
  1820. ->setConstructorArgs([
  1821. [
  1822. 'server' => [
  1823. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1824. ],
  1825. 'cookies' => [
  1826. 'nc_token' => 'asdf',
  1827. ],
  1828. ],
  1829. $this->requestId,
  1830. $this->config,
  1831. $this->csrfTokenManager,
  1832. $this->stream
  1833. ])
  1834. ->getMock();
  1835. $this->assertFalse($request->passesStrictCookieCheck());
  1836. }
  1837. public function testFailsCSRFCheckWithPostAndWithCookies() {
  1838. /** @var Request $request */
  1839. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1840. ->setMethods(['getScriptName'])
  1841. ->setConstructorArgs([
  1842. [
  1843. 'post' => [
  1844. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1845. ],
  1846. 'cookies' => [
  1847. session_name() => 'asdf',
  1848. 'foo' => 'bar',
  1849. ],
  1850. ],
  1851. $this->requestId,
  1852. $this->config,
  1853. $this->csrfTokenManager,
  1854. $this->stream
  1855. ])
  1856. ->getMock();
  1857. $this->csrfTokenManager
  1858. ->expects($this->never())
  1859. ->method('isTokenValid');
  1860. $this->assertFalse($request->passesCSRFCheck());
  1861. }
  1862. public function testFailStrictCookieCheckWithOnlyLaxCookie() {
  1863. /** @var Request $request */
  1864. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1865. ->setMethods(['getScriptName'])
  1866. ->setConstructorArgs([
  1867. [
  1868. 'server' => [
  1869. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1870. ],
  1871. 'cookies' => [
  1872. session_name() => 'asdf',
  1873. 'nc_sameSiteCookielax' => 'true',
  1874. ],
  1875. ],
  1876. $this->requestId,
  1877. $this->config,
  1878. $this->csrfTokenManager,
  1879. $this->stream
  1880. ])
  1881. ->getMock();
  1882. $this->assertFalse($request->passesStrictCookieCheck());
  1883. }
  1884. public function testFailStrictCookieCheckWithOnlyStrictCookie() {
  1885. /** @var Request $request */
  1886. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1887. ->setMethods(['getScriptName'])
  1888. ->setConstructorArgs([
  1889. [
  1890. 'server' => [
  1891. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1892. ],
  1893. 'cookies' => [
  1894. session_name() => 'asdf',
  1895. 'nc_sameSiteCookiestrict' => 'true',
  1896. ],
  1897. ],
  1898. $this->requestId,
  1899. $this->config,
  1900. $this->csrfTokenManager,
  1901. $this->stream
  1902. ])
  1903. ->getMock();
  1904. $this->assertFalse($request->passesStrictCookieCheck());
  1905. }
  1906. public function testPassesLaxCookieCheck() {
  1907. /** @var Request $request */
  1908. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1909. ->setMethods(['getScriptName'])
  1910. ->setConstructorArgs([
  1911. [
  1912. 'server' => [
  1913. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1914. ],
  1915. 'cookies' => [
  1916. session_name() => 'asdf',
  1917. 'nc_sameSiteCookielax' => 'true',
  1918. ],
  1919. ],
  1920. $this->requestId,
  1921. $this->config,
  1922. $this->csrfTokenManager,
  1923. $this->stream
  1924. ])
  1925. ->getMock();
  1926. $this->assertTrue($request->passesLaxCookieCheck());
  1927. }
  1928. public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
  1929. /** @var Request $request */
  1930. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1931. ->setMethods(['getScriptName'])
  1932. ->setConstructorArgs([
  1933. [
  1934. 'server' => [
  1935. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1936. ],
  1937. 'cookies' => [
  1938. session_name() => 'asdf',
  1939. 'nc_sameSiteCookiestrict' => 'true',
  1940. ],
  1941. ],
  1942. $this->requestId,
  1943. $this->config,
  1944. $this->csrfTokenManager,
  1945. $this->stream
  1946. ])
  1947. ->getMock();
  1948. $this->assertFalse($request->passesLaxCookieCheck());
  1949. }
  1950. public function testSkipCookieCheckForOCSRequests() {
  1951. /** @var Request $request */
  1952. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1953. ->setMethods(['getScriptName'])
  1954. ->setConstructorArgs([
  1955. [
  1956. 'server' => [
  1957. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1958. 'HTTP_OCS_APIREQUEST' => 'true',
  1959. ],
  1960. 'cookies' => [
  1961. session_name() => 'asdf',
  1962. 'nc_sameSiteCookiestrict' => 'false',
  1963. ],
  1964. ],
  1965. $this->requestId,
  1966. $this->config,
  1967. $this->csrfTokenManager,
  1968. $this->stream
  1969. ])
  1970. ->getMock();
  1971. $this->assertTrue($request->passesStrictCookieCheck());
  1972. }
  1973. /**
  1974. * @return array
  1975. */
  1976. public function invalidTokenDataProvider() {
  1977. return [
  1978. ['InvalidSentToken'],
  1979. ['InvalidSentToken:InvalidSecret'],
  1980. [''],
  1981. ];
  1982. }
  1983. /**
  1984. * @dataProvider invalidTokenDataProvider
  1985. * @param string $invalidToken
  1986. */
  1987. public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
  1988. /** @var Request $request */
  1989. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1990. ->setMethods(['getScriptName'])
  1991. ->setConstructorArgs([
  1992. [
  1993. 'server' => [
  1994. 'HTTP_REQUESTTOKEN' => $invalidToken,
  1995. ],
  1996. ],
  1997. $this->requestId,
  1998. $this->config,
  1999. $this->csrfTokenManager,
  2000. $this->stream
  2001. ])
  2002. ->getMock();
  2003. $token = new CsrfToken($invalidToken);
  2004. $this->csrfTokenManager
  2005. ->expects($this->any())
  2006. ->method('isTokenValid')
  2007. ->with($token)
  2008. ->willReturn(false);
  2009. $this->assertFalse($request->passesCSRFCheck());
  2010. }
  2011. public function testPassesCSRFCheckWithoutTokenFail() {
  2012. /** @var Request $request */
  2013. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2014. ->setMethods(['getScriptName'])
  2015. ->setConstructorArgs([
  2016. [],
  2017. $this->requestId,
  2018. $this->config,
  2019. $this->csrfTokenManager,
  2020. $this->stream
  2021. ])
  2022. ->getMock();
  2023. $this->assertFalse($request->passesCSRFCheck());
  2024. }
  2025. }