1
0

RequestTest.php 56 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433
  1. <?php
  2. /**
  3. * @copyright 2013 Thomas Tanghus (thomas@tanghus.net)
  4. * @copyright 2016 Lukas Reschke lukas@owncloud.com
  5. * @copyright 2022 Stanimir Bozhilov (stanimir@audriga.com)
  6. *
  7. * This file is licensed under the Affero General Public License version 3 or
  8. * later.
  9. * See the COPYING-README file.
  10. */
  11. namespace Test\AppFramework\Http;
  12. use OC\AppFramework\Http\Request;
  13. use OC\Security\CSRF\CsrfToken;
  14. use OC\Security\CSRF\CsrfTokenManager;
  15. use OCP\IConfig;
  16. use OCP\IRequestId;
  17. /**
  18. * Class RequestTest
  19. *
  20. * @package OC\AppFramework\Http
  21. */
  22. class RequestTest extends \Test\TestCase {
  23. /** @var string */
  24. protected $stream = 'fakeinput://data';
  25. /** @var IRequestId */
  26. protected $requestId;
  27. /** @var IConfig */
  28. protected $config;
  29. /** @var CsrfTokenManager */
  30. protected $csrfTokenManager;
  31. protected function setUp(): void {
  32. parent::setUp();
  33. if (in_array('fakeinput', stream_get_wrappers())) {
  34. stream_wrapper_unregister('fakeinput');
  35. }
  36. stream_wrapper_register('fakeinput', 'Test\AppFramework\Http\RequestStream');
  37. $this->requestId = $this->createMock(IRequestId::class);
  38. $this->config = $this->createMock(IConfig::class);
  39. $this->csrfTokenManager = $this->getMockBuilder(CsrfTokenManager::class)
  40. ->disableOriginalConstructor()
  41. ->getMock();
  42. }
  43. protected function tearDown(): void {
  44. stream_wrapper_unregister('fakeinput');
  45. parent::tearDown();
  46. }
  47. public function testRequestAccessors() {
  48. $vars = [
  49. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  50. 'method' => 'GET',
  51. ];
  52. $request = new Request(
  53. $vars,
  54. $this->requestId,
  55. $this->config,
  56. $this->csrfTokenManager,
  57. $this->stream
  58. );
  59. // Countable
  60. $this->assertSame(2, count($request));
  61. // Array access
  62. $this->assertSame('Joey', $request['nickname']);
  63. // "Magic" accessors
  64. $this->assertSame('Joey', $request->{'nickname'});
  65. $this->assertTrue(isset($request['nickname']));
  66. $this->assertTrue(isset($request->{'nickname'}));
  67. $this->assertFalse(isset($request->{'flickname'}));
  68. // Only testing 'get', but same approach for post, files etc.
  69. $this->assertSame('Joey', $request->get['nickname']);
  70. // Always returns null if variable not set.
  71. $this->assertSame(null, $request->{'flickname'});
  72. }
  73. // urlParams has precedence over POST which has precedence over GET
  74. public function testPrecedence() {
  75. $vars = [
  76. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  77. 'post' => ['name' => 'Jane Doe', 'nickname' => 'Janey'],
  78. 'urlParams' => ['user' => 'jw', 'name' => 'Johnny Weissmüller'],
  79. 'method' => 'GET'
  80. ];
  81. $request = new Request(
  82. $vars,
  83. $this->requestId,
  84. $this->config,
  85. $this->csrfTokenManager,
  86. $this->stream
  87. );
  88. $this->assertSame(3, count($request));
  89. $this->assertSame('Janey', $request->{'nickname'});
  90. $this->assertSame('Johnny Weissmüller', $request->{'name'});
  91. }
  92. public function testImmutableArrayAccess() {
  93. $this->expectException(\RuntimeException::class);
  94. $vars = [
  95. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  96. 'method' => 'GET'
  97. ];
  98. $request = new Request(
  99. $vars,
  100. $this->requestId,
  101. $this->config,
  102. $this->csrfTokenManager,
  103. $this->stream
  104. );
  105. $request['nickname'] = 'Janey';
  106. }
  107. public function testImmutableMagicAccess() {
  108. $this->expectException(\RuntimeException::class);
  109. $vars = [
  110. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  111. 'method' => 'GET'
  112. ];
  113. $request = new Request(
  114. $vars,
  115. $this->requestId,
  116. $this->config,
  117. $this->csrfTokenManager,
  118. $this->stream
  119. );
  120. $request->{'nickname'} = 'Janey';
  121. }
  122. public function testGetTheMethodRight() {
  123. $this->expectException(\LogicException::class);
  124. $vars = [
  125. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  126. 'method' => 'GET',
  127. ];
  128. $request = new Request(
  129. $vars,
  130. $this->requestId,
  131. $this->config,
  132. $this->csrfTokenManager,
  133. $this->stream
  134. );
  135. $request->post;
  136. }
  137. public function testTheMethodIsRight() {
  138. $vars = [
  139. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  140. 'method' => 'GET',
  141. ];
  142. $request = new Request(
  143. $vars,
  144. $this->requestId,
  145. $this->config,
  146. $this->csrfTokenManager,
  147. $this->stream
  148. );
  149. $this->assertSame('GET', $request->method);
  150. $result = $request->get;
  151. $this->assertSame('John Q. Public', $result['name']);
  152. $this->assertSame('Joey', $result['nickname']);
  153. }
  154. public function testJsonPost() {
  155. global $data;
  156. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  157. $vars = [
  158. 'method' => 'POST',
  159. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  160. ];
  161. $request = new Request(
  162. $vars,
  163. $this->requestId,
  164. $this->config,
  165. $this->csrfTokenManager,
  166. $this->stream
  167. );
  168. $this->assertSame('POST', $request->method);
  169. $result = $request->post;
  170. $this->assertSame('John Q. Public', $result['name']);
  171. $this->assertSame('Joey', $result['nickname']);
  172. $this->assertSame('Joey', $request->params['nickname']);
  173. $this->assertSame('Joey', $request['nickname']);
  174. }
  175. public function testScimJsonPost() {
  176. global $data;
  177. $data = '{"userName":"testusername", "displayName":"Example User"}';
  178. $vars = [
  179. 'method' => 'POST',
  180. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  181. ];
  182. $request = new Request(
  183. $vars,
  184. $this->requestId,
  185. $this->config,
  186. $this->csrfTokenManager,
  187. $this->stream
  188. );
  189. $this->assertSame('POST', $request->method);
  190. $result = $request->post;
  191. $this->assertSame('testusername', $result['userName']);
  192. $this->assertSame('Example User', $result['displayName']);
  193. $this->assertSame('Example User', $request->params['displayName']);
  194. $this->assertSame('Example User', $request['displayName']);
  195. }
  196. public function testCustomJsonPost() {
  197. global $data;
  198. $data = '{"propertyA":"sometestvalue", "propertyB":"someothertestvalue"}';
  199. // Note: the content type used here is fictional and intended to check if the regex for JSON content types works fine
  200. $vars = [
  201. 'method' => 'POST',
  202. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  203. ];
  204. $request = new Request(
  205. $vars,
  206. $this->requestId,
  207. $this->config,
  208. $this->csrfTokenManager,
  209. $this->stream
  210. );
  211. $this->assertSame('POST', $request->method);
  212. $result = $request->post;
  213. $this->assertSame('sometestvalue', $result['propertyA']);
  214. $this->assertSame('someothertestvalue', $result['propertyB']);
  215. }
  216. public function notJsonDataProvider() {
  217. return [
  218. ['this is not valid json'],
  219. ['"just a string"'],
  220. ['{"just a string"}'],
  221. ];
  222. }
  223. /**
  224. * @dataProvider notJsonDataProvider
  225. */
  226. public function testNotJsonPost($testData) {
  227. global $data;
  228. $data = $testData;
  229. $vars = [
  230. 'method' => 'POST',
  231. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  232. ];
  233. $request = new Request(
  234. $vars,
  235. $this->requestId,
  236. $this->config,
  237. $this->csrfTokenManager,
  238. $this->stream
  239. );
  240. $this->assertEquals('POST', $request->method);
  241. $result = $request->post;
  242. // ensure there's no error attempting to decode the content
  243. }
  244. public function testNotScimJsonPost() {
  245. global $data;
  246. $data = 'this is not valid scim json';
  247. $vars = [
  248. 'method' => 'POST',
  249. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
  250. ];
  251. $request = new Request(
  252. $vars,
  253. $this->requestId,
  254. $this->config,
  255. $this->csrfTokenManager,
  256. $this->stream
  257. );
  258. $this->assertEquals('POST', $request->method);
  259. $result = $request->post;
  260. // ensure there's no error attempting to decode the content
  261. }
  262. public function testNotCustomJsonPost() {
  263. global $data;
  264. $data = 'this is not valid json';
  265. $vars = [
  266. 'method' => 'POST',
  267. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
  268. ];
  269. $request = new Request(
  270. $vars,
  271. $this->requestId,
  272. $this->config,
  273. $this->csrfTokenManager,
  274. $this->stream
  275. );
  276. $this->assertEquals('POST', $request->method);
  277. $result = $request->post;
  278. // ensure there's no error attempting to decode the content
  279. }
  280. public function testPatch() {
  281. global $data;
  282. $data = http_build_query(['name' => 'John Q. Public', 'nickname' => 'Joey'], '', '&');
  283. $vars = [
  284. 'method' => 'PATCH',
  285. 'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
  286. ];
  287. $request = new Request(
  288. $vars,
  289. $this->requestId,
  290. $this->config,
  291. $this->csrfTokenManager,
  292. $this->stream
  293. );
  294. $this->assertSame('PATCH', $request->method);
  295. $result = $request->patch;
  296. $this->assertSame('John Q. Public', $result['name']);
  297. $this->assertSame('Joey', $result['nickname']);
  298. }
  299. public function testJsonPatchAndPut() {
  300. global $data;
  301. // PUT content
  302. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  303. $vars = [
  304. 'method' => 'PUT',
  305. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  306. ];
  307. $request = new Request(
  308. $vars,
  309. $this->requestId,
  310. $this->config,
  311. $this->csrfTokenManager,
  312. $this->stream
  313. );
  314. $this->assertSame('PUT', $request->method);
  315. $result = $request->put;
  316. $this->assertSame('John Q. Public', $result['name']);
  317. $this->assertSame('Joey', $result['nickname']);
  318. // PATCH content
  319. $data = '{"name": "John Q. Public", "nickname": null}';
  320. $vars = [
  321. 'method' => 'PATCH',
  322. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  323. ];
  324. $request = new Request(
  325. $vars,
  326. $this->requestId,
  327. $this->config,
  328. $this->csrfTokenManager,
  329. $this->stream
  330. );
  331. $this->assertSame('PATCH', $request->method);
  332. $result = $request->patch;
  333. $this->assertSame('John Q. Public', $result['name']);
  334. $this->assertSame(null, $result['nickname']);
  335. }
  336. public function testScimJsonPatchAndPut() {
  337. global $data;
  338. // PUT content
  339. $data = '{"userName": "sometestusername", "displayName": "Example User"}';
  340. $vars = [
  341. 'method' => 'PUT',
  342. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  343. ];
  344. $request = new Request(
  345. $vars,
  346. $this->requestId,
  347. $this->config,
  348. $this->csrfTokenManager,
  349. $this->stream
  350. );
  351. $this->assertSame('PUT', $request->method);
  352. $result = $request->put;
  353. $this->assertSame('sometestusername', $result['userName']);
  354. $this->assertSame('Example User', $result['displayName']);
  355. // PATCH content
  356. $data = '{"userName": "sometestusername", "displayName": null}';
  357. $vars = [
  358. 'method' => 'PATCH',
  359. 'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
  360. ];
  361. $request = new Request(
  362. $vars,
  363. $this->requestId,
  364. $this->config,
  365. $this->csrfTokenManager,
  366. $this->stream
  367. );
  368. $this->assertSame('PATCH', $request->method);
  369. $result = $request->patch;
  370. $this->assertSame('sometestusername', $result['userName']);
  371. $this->assertSame(null, $result['displayName']);
  372. }
  373. public function testCustomJsonPatchAndPut() {
  374. global $data;
  375. // PUT content
  376. $data = '{"propertyA": "sometestvalue", "propertyB": "someothertestvalue"}';
  377. $vars = [
  378. 'method' => 'PUT',
  379. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  380. ];
  381. $request = new Request(
  382. $vars,
  383. $this->requestId,
  384. $this->config,
  385. $this->csrfTokenManager,
  386. $this->stream
  387. );
  388. $this->assertSame('PUT', $request->method);
  389. $result = $request->put;
  390. $this->assertSame('sometestvalue', $result['propertyA']);
  391. $this->assertSame('someothertestvalue', $result['propertyB']);
  392. // PATCH content
  393. $data = '{"propertyA": "sometestvalue", "propertyB": null}';
  394. $vars = [
  395. 'method' => 'PATCH',
  396. 'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
  397. ];
  398. $request = new Request(
  399. $vars,
  400. $this->requestId,
  401. $this->config,
  402. $this->csrfTokenManager,
  403. $this->stream
  404. );
  405. $this->assertSame('PATCH', $request->method);
  406. $result = $request->patch;
  407. $this->assertSame('sometestvalue', $result['propertyA']);
  408. $this->assertSame(null, $result['propertyB']);
  409. }
  410. public function testPutStream() {
  411. global $data;
  412. $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');
  413. $vars = [
  414. 'put' => $data,
  415. 'method' => 'PUT',
  416. 'server' => [
  417. 'CONTENT_TYPE' => 'image/png',
  418. 'CONTENT_LENGTH' => (string)strlen($data)
  419. ],
  420. ];
  421. $request = new Request(
  422. $vars,
  423. $this->requestId,
  424. $this->config,
  425. $this->csrfTokenManager,
  426. $this->stream
  427. );
  428. $this->assertSame('PUT', $request->method);
  429. $resource = $request->put;
  430. $contents = stream_get_contents($resource);
  431. $this->assertSame($data, $contents);
  432. try {
  433. $resource = $request->put;
  434. } catch (\LogicException $e) {
  435. return;
  436. }
  437. $this->fail('Expected LogicException.');
  438. }
  439. public function testSetUrlParameters() {
  440. $vars = [
  441. 'post' => [],
  442. 'method' => 'POST',
  443. 'urlParams' => ['id' => '2'],
  444. ];
  445. $request = new Request(
  446. $vars,
  447. $this->requestId,
  448. $this->config,
  449. $this->csrfTokenManager,
  450. $this->stream
  451. );
  452. $newParams = ['id' => '3', 'test' => 'test2'];
  453. $request->setUrlParameters($newParams);
  454. $this->assertSame('test2', $request->getParam('test'));
  455. $this->assertEquals('3', $request->getParam('id'));
  456. $this->assertEquals('3', $request->getParams()['id']);
  457. }
  458. public function testGetRemoteAddressWithoutTrustedRemote() {
  459. $this->config
  460. ->expects($this->once())
  461. ->method('getSystemValue')
  462. ->with('trusted_proxies')
  463. ->willReturn([]);
  464. $request = new Request(
  465. [
  466. 'server' => [
  467. 'REMOTE_ADDR' => '10.0.0.2',
  468. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  469. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  470. ],
  471. ],
  472. $this->requestId,
  473. $this->config,
  474. $this->csrfTokenManager,
  475. $this->stream
  476. );
  477. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  478. }
  479. public function testGetRemoteAddressWithNoTrustedHeader() {
  480. $this->config
  481. ->expects($this->exactly(2))
  482. ->method('getSystemValue')
  483. ->withConsecutive(
  484. ['trusted_proxies'],
  485. ['forwarded_for_headers'],
  486. )->willReturnOnConsecutiveCalls(
  487. ['10.0.0.2'],
  488. []
  489. );
  490. $request = new Request(
  491. [
  492. 'server' => [
  493. 'REMOTE_ADDR' => '10.0.0.2',
  494. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  495. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  496. ],
  497. ],
  498. $this->requestId,
  499. $this->config,
  500. $this->csrfTokenManager,
  501. $this->stream
  502. );
  503. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  504. }
  505. public function testGetRemoteAddressWithSingleTrustedRemote() {
  506. $this->config
  507. ->expects($this->exactly(2))
  508. ->method('getSystemValue')
  509. ->withConsecutive(
  510. ['trusted_proxies'],
  511. ['forwarded_for_headers'],
  512. )-> willReturnOnConsecutiveCalls(
  513. ['10.0.0.2'],
  514. ['HTTP_X_FORWARDED'],
  515. );
  516. $request = new Request(
  517. [
  518. 'server' => [
  519. 'REMOTE_ADDR' => '10.0.0.2',
  520. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  521. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  522. ],
  523. ],
  524. $this->requestId,
  525. $this->config,
  526. $this->csrfTokenManager,
  527. $this->stream
  528. );
  529. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  530. }
  531. public function testGetRemoteAddressWithMultipleTrustedRemotes() {
  532. $this->config
  533. ->expects($this->exactly(2))
  534. ->method('getSystemValue')
  535. ->willReturnMap([
  536. ['trusted_proxies', [], ['10.0.0.2', '::1']],
  537. ['forwarded_for_headers', ['HTTP_X_FORWARDED_FOR'], ['HTTP_X_FORWARDED']],
  538. ]);
  539. $request = new Request(
  540. [
  541. 'server' => [
  542. 'REMOTE_ADDR' => '10.0.0.2',
  543. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4, ::1',
  544. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  545. ],
  546. ],
  547. $this->requestId,
  548. $this->config,
  549. $this->csrfTokenManager,
  550. $this->stream
  551. );
  552. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  553. }
  554. public function testGetRemoteAddressIPv6WithSingleTrustedRemote() {
  555. $this->config
  556. ->expects($this->exactly(2))
  557. ->method('getSystemValue')
  558. ->withConsecutive(
  559. ['trusted_proxies'],
  560. ['forwarded_for_headers'],
  561. )-> willReturnOnConsecutiveCalls(
  562. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  563. ['HTTP_X_FORWARDED'],
  564. );
  565. $request = new Request(
  566. [
  567. 'server' => [
  568. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  569. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  570. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  571. ],
  572. ],
  573. $this->requestId,
  574. $this->config,
  575. $this->csrfTokenManager,
  576. $this->stream
  577. );
  578. $this->assertSame('10.4.0.4', $request->getRemoteAddress());
  579. }
  580. public function testGetRemoteAddressVerifyPriorityHeader() {
  581. $this->config
  582. ->expects($this->exactly(2))
  583. ->method('getSystemValue')
  584. ->withConsecutive(
  585. ['trusted_proxies'],
  586. ['forwarded_for_headers'],
  587. )-> willReturnOnConsecutiveCalls(
  588. ['10.0.0.2'],
  589. [
  590. 'HTTP_X_FORWARDED',
  591. 'HTTP_X_FORWARDED_FOR',
  592. 'HTTP_CLIENT_IP',
  593. ],
  594. );
  595. $request = new Request(
  596. [
  597. 'server' => [
  598. 'REMOTE_ADDR' => '10.0.0.2',
  599. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  600. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  601. ],
  602. ],
  603. $this->requestId,
  604. $this->config,
  605. $this->csrfTokenManager,
  606. $this->stream
  607. );
  608. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  609. }
  610. public function testGetRemoteAddressIPv6VerifyPriorityHeader() {
  611. $this->config
  612. ->expects($this->exactly(2))
  613. ->method('getSystemValue')
  614. ->withConsecutive(
  615. ['trusted_proxies'],
  616. ['forwarded_for_headers'],
  617. )-> willReturnOnConsecutiveCalls(
  618. ['2001:db8:85a3:8d3:1319:8a2e:370:7348'],
  619. [
  620. 'HTTP_X_FORWARDED',
  621. 'HTTP_X_FORWARDED_FOR',
  622. 'HTTP_CLIENT_IP',
  623. ],
  624. );
  625. $request = new Request(
  626. [
  627. 'server' => [
  628. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  629. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  630. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  631. ],
  632. ],
  633. $this->requestId,
  634. $this->config,
  635. $this->csrfTokenManager,
  636. $this->stream
  637. );
  638. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  639. }
  640. public function testGetRemoteAddressWithMatchingCidrTrustedRemote() {
  641. $this->config
  642. ->expects($this->exactly(2))
  643. ->method('getSystemValue')
  644. ->withConsecutive(
  645. ['trusted_proxies'],
  646. ['forwarded_for_headers'],
  647. )-> willReturnOnConsecutiveCalls(
  648. ['192.168.2.0/24'],
  649. ['HTTP_X_FORWARDED_FOR'],
  650. );
  651. $request = new Request(
  652. [
  653. 'server' => [
  654. 'REMOTE_ADDR' => '192.168.2.99',
  655. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  656. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  657. ],
  658. ],
  659. $this->requestId,
  660. $this->config,
  661. $this->csrfTokenManager,
  662. $this->stream
  663. );
  664. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  665. }
  666. public function testGetRemoteAddressWithNotMatchingCidrTrustedRemote() {
  667. $this->config
  668. ->expects($this->once())
  669. ->method('getSystemValue')
  670. ->with('trusted_proxies')
  671. ->willReturn(['192.168.2.0/24']);
  672. $request = new Request(
  673. [
  674. 'server' => [
  675. 'REMOTE_ADDR' => '192.168.3.99',
  676. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  677. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  678. ],
  679. ],
  680. $this->requestId,
  681. $this->config,
  682. $this->csrfTokenManager,
  683. $this->stream
  684. );
  685. $this->assertSame('192.168.3.99', $request->getRemoteAddress());
  686. }
  687. public function testGetRemoteIpv6AddressWithMatchingIpv6CidrTrustedRemote() {
  688. $this->config
  689. ->expects($this->exactly(2))
  690. ->method('getSystemValue')
  691. ->withConsecutive(
  692. ['trusted_proxies'],
  693. ['forwarded_for_headers']
  694. )->willReturnOnConsecutiveCalls(
  695. ['2001:db8:85a3:8d3:1319:8a20::/95'],
  696. ['HTTP_X_FORWARDED_FOR']
  697. );
  698. $request = new Request(
  699. [
  700. 'server' => [
  701. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a21:370:7348',
  702. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  703. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  704. ],
  705. ],
  706. $this->requestId,
  707. $this->config,
  708. $this->csrfTokenManager,
  709. $this->stream
  710. );
  711. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  712. }
  713. public function testGetRemoteAddressIpv6WithNotMatchingCidrTrustedRemote() {
  714. $this->config
  715. ->expects($this->once())
  716. ->method('getSystemValue')
  717. ->with('trusted_proxies')
  718. ->willReturn(['fd::/8']);
  719. $request = new Request(
  720. [
  721. 'server' => [
  722. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  723. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  724. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  725. ],
  726. ],
  727. $this->requestId,
  728. $this->config,
  729. $this->csrfTokenManager,
  730. $this->stream
  731. );
  732. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  733. }
  734. public function testGetRemoteAddressIpv6WithInvalidTrustedProxy() {
  735. $this->config
  736. ->expects($this->once())
  737. ->method('getSystemValue')
  738. ->with('trusted_proxies')
  739. ->willReturn(['fx::/8']);
  740. $request = new Request(
  741. [
  742. 'server' => [
  743. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  744. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  745. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  746. ],
  747. ],
  748. $this->requestId,
  749. $this->config,
  750. $this->csrfTokenManager,
  751. $this->stream
  752. );
  753. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  754. }
  755. public function testGetRemoteAddressWithXForwardedForIPv6() {
  756. $this->config
  757. ->expects($this->exactly(2))
  758. ->method('getSystemValue')
  759. ->withConsecutive(
  760. ['trusted_proxies'],
  761. ['forwarded_for_headers'],
  762. )-> willReturnOnConsecutiveCalls(
  763. ['192.168.2.0/24'],
  764. ['HTTP_X_FORWARDED_FOR'],
  765. );
  766. $request = new Request(
  767. [
  768. 'server' => [
  769. 'REMOTE_ADDR' => '192.168.2.99',
  770. 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
  771. ],
  772. ],
  773. $this->requestId,
  774. $this->config,
  775. $this->csrfTokenManager,
  776. $this->stream
  777. );
  778. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  779. }
  780. /**
  781. * @return array
  782. */
  783. public function httpProtocolProvider() {
  784. return [
  785. // Valid HTTP 1.0
  786. ['HTTP/1.0', 'HTTP/1.0'],
  787. ['http/1.0', 'HTTP/1.0'],
  788. ['HTTp/1.0', 'HTTP/1.0'],
  789. // Valid HTTP 1.1
  790. ['HTTP/1.1', 'HTTP/1.1'],
  791. ['http/1.1', 'HTTP/1.1'],
  792. ['HTTp/1.1', 'HTTP/1.1'],
  793. // Valid HTTP 2.0
  794. ['HTTP/2', 'HTTP/2'],
  795. ['http/2', 'HTTP/2'],
  796. ['HTTp/2', 'HTTP/2'],
  797. // Invalid
  798. ['HTTp/394', 'HTTP/1.1'],
  799. ['InvalidProvider/1.1', 'HTTP/1.1'],
  800. [null, 'HTTP/1.1'],
  801. ['', 'HTTP/1.1'],
  802. ];
  803. }
  804. /**
  805. * @dataProvider httpProtocolProvider
  806. *
  807. * @param mixed $input
  808. * @param string $expected
  809. */
  810. public function testGetHttpProtocol($input, $expected) {
  811. $request = new Request(
  812. [
  813. 'server' => [
  814. 'SERVER_PROTOCOL' => $input,
  815. ],
  816. ],
  817. $this->requestId,
  818. $this->config,
  819. $this->csrfTokenManager,
  820. $this->stream
  821. );
  822. $this->assertSame($expected, $request->getHttpProtocol());
  823. }
  824. public function testGetServerProtocolWithOverride() {
  825. $this->config
  826. ->expects($this->exactly(3))
  827. ->method('getSystemValueString')
  828. ->willReturnMap([
  829. ['overwriteprotocol', '', 'customProtocol'],
  830. ['overwritecondaddr', '', ''],
  831. ]);
  832. $request = new Request(
  833. [],
  834. $this->requestId,
  835. $this->config,
  836. $this->csrfTokenManager,
  837. $this->stream
  838. );
  839. $this->assertSame('customProtocol', $request->getServerProtocol());
  840. }
  841. public function testGetServerProtocolWithProtoValid() {
  842. $this->config
  843. ->method('getSystemValue')
  844. ->willReturnCallback(function ($key, $default) {
  845. if ($key === 'trusted_proxies') {
  846. return ['1.2.3.4'];
  847. }
  848. return $default;
  849. });
  850. $requestHttps = new Request(
  851. [
  852. 'server' => [
  853. 'HTTP_X_FORWARDED_PROTO' => 'HtTpS',
  854. 'REMOTE_ADDR' => '1.2.3.4',
  855. ],
  856. ],
  857. $this->requestId,
  858. $this->config,
  859. $this->csrfTokenManager,
  860. $this->stream
  861. );
  862. $requestHttp = new Request(
  863. [
  864. 'server' => [
  865. 'HTTP_X_FORWARDED_PROTO' => 'HTTp',
  866. 'REMOTE_ADDR' => '1.2.3.4',
  867. ],
  868. ],
  869. $this->requestId,
  870. $this->config,
  871. $this->csrfTokenManager,
  872. $this->stream
  873. );
  874. $this->assertSame('https', $requestHttps->getServerProtocol());
  875. $this->assertSame('http', $requestHttp->getServerProtocol());
  876. }
  877. public function testGetServerProtocolWithHttpsServerValueOn() {
  878. $this->config
  879. ->method('getSystemValue')
  880. ->willReturnCallback(function ($key, $default) {
  881. return $default;
  882. });
  883. $request = new Request(
  884. [
  885. 'server' => [
  886. 'HTTPS' => 'on'
  887. ],
  888. ],
  889. $this->requestId,
  890. $this->config,
  891. $this->csrfTokenManager,
  892. $this->stream
  893. );
  894. $this->assertSame('https', $request->getServerProtocol());
  895. }
  896. public function testGetServerProtocolWithHttpsServerValueOff() {
  897. $this->config
  898. ->method('getSystemValue')
  899. ->willReturnCallback(function ($key, $default) {
  900. return $default;
  901. });
  902. $request = new Request(
  903. [
  904. 'server' => [
  905. 'HTTPS' => 'off'
  906. ],
  907. ],
  908. $this->requestId,
  909. $this->config,
  910. $this->csrfTokenManager,
  911. $this->stream
  912. );
  913. $this->assertSame('http', $request->getServerProtocol());
  914. }
  915. public function testGetServerProtocolWithHttpsServerValueEmpty() {
  916. $this->config
  917. ->method('getSystemValue')
  918. ->willReturnCallback(function ($key, $default) {
  919. return $default;
  920. });
  921. $request = new Request(
  922. [
  923. 'server' => [
  924. 'HTTPS' => ''
  925. ],
  926. ],
  927. $this->requestId,
  928. $this->config,
  929. $this->csrfTokenManager,
  930. $this->stream
  931. );
  932. $this->assertSame('http', $request->getServerProtocol());
  933. }
  934. public function testGetServerProtocolDefault() {
  935. $this->config
  936. ->method('getSystemValue')
  937. ->willReturnCallback(function ($key, $default) {
  938. return $default;
  939. });
  940. $request = new Request(
  941. [],
  942. $this->requestId,
  943. $this->config,
  944. $this->csrfTokenManager,
  945. $this->stream
  946. );
  947. $this->assertSame('http', $request->getServerProtocol());
  948. }
  949. public function testGetServerProtocolBehindLoadBalancers() {
  950. $this->config
  951. ->method('getSystemValue')
  952. ->willReturnCallback(function ($key, $default) {
  953. if ($key === 'trusted_proxies') {
  954. return ['1.2.3.4'];
  955. }
  956. return $default;
  957. });
  958. $request = new Request(
  959. [
  960. 'server' => [
  961. 'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
  962. 'REMOTE_ADDR' => '1.2.3.4',
  963. ],
  964. ],
  965. $this->requestId,
  966. $this->config,
  967. $this->csrfTokenManager,
  968. $this->stream
  969. );
  970. $this->assertSame('https', $request->getServerProtocol());
  971. }
  972. /**
  973. * @dataProvider userAgentProvider
  974. * @param string $testAgent
  975. * @param array $userAgent
  976. * @param bool $matches
  977. */
  978. public function testUserAgent($testAgent, $userAgent, $matches) {
  979. $request = new Request(
  980. [
  981. 'server' => [
  982. 'HTTP_USER_AGENT' => $testAgent,
  983. ]
  984. ],
  985. $this->requestId,
  986. $this->config,
  987. $this->csrfTokenManager,
  988. $this->stream
  989. );
  990. $this->assertSame($matches, $request->isUserAgent($userAgent));
  991. }
  992. /**
  993. * @dataProvider userAgentProvider
  994. * @param string $testAgent
  995. * @param array $userAgent
  996. * @param bool $matches
  997. */
  998. public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
  999. $request = new Request(
  1000. [],
  1001. $this->requestId,
  1002. $this->config,
  1003. $this->csrfTokenManager,
  1004. $this->stream
  1005. );
  1006. $this->assertFalse($request->isUserAgent($userAgent));
  1007. }
  1008. /**
  1009. * @return array
  1010. */
  1011. public function userAgentProvider() {
  1012. return [
  1013. [
  1014. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1015. [
  1016. Request::USER_AGENT_IE
  1017. ],
  1018. true,
  1019. ],
  1020. [
  1021. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  1022. [
  1023. Request::USER_AGENT_IE
  1024. ],
  1025. false,
  1026. ],
  1027. [
  1028. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
  1029. [
  1030. Request::USER_AGENT_CHROME
  1031. ],
  1032. true,
  1033. ],
  1034. [
  1035. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
  1036. [
  1037. Request::USER_AGENT_CHROME
  1038. ],
  1039. true,
  1040. ],
  1041. [
  1042. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  1043. [
  1044. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  1045. ],
  1046. true,
  1047. ],
  1048. [
  1049. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1050. [
  1051. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  1052. ],
  1053. false,
  1054. ],
  1055. [
  1056. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  1057. [
  1058. Request::USER_AGENT_IE,
  1059. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  1060. ],
  1061. true,
  1062. ],
  1063. [
  1064. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  1065. [
  1066. Request::USER_AGENT_IE,
  1067. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  1068. ],
  1069. true,
  1070. ],
  1071. [
  1072. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  1073. [
  1074. Request::USER_AGENT_FREEBOX
  1075. ],
  1076. false,
  1077. ],
  1078. [
  1079. 'Mozilla/5.0',
  1080. [
  1081. Request::USER_AGENT_FREEBOX
  1082. ],
  1083. true,
  1084. ],
  1085. [
  1086. 'Fake Mozilla/5.0',
  1087. [
  1088. Request::USER_AGENT_FREEBOX
  1089. ],
  1090. false,
  1091. ],
  1092. [
  1093. 'Mozilla/5.0 (Android) ownCloud-android/2.0.0',
  1094. [
  1095. Request::USER_AGENT_CLIENT_ANDROID
  1096. ],
  1097. true,
  1098. ],
  1099. [
  1100. 'Mozilla/5.0 (Android) Nextcloud-android/2.0.0',
  1101. [
  1102. Request::USER_AGENT_CLIENT_ANDROID
  1103. ],
  1104. true,
  1105. ],
  1106. [
  1107. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41',
  1108. [
  1109. Request::USER_AGENT_CHROME
  1110. ],
  1111. true
  1112. ],
  1113. [
  1114. 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75',
  1115. [
  1116. Request::USER_AGENT_CHROME
  1117. ],
  1118. true
  1119. ],
  1120. [
  1121. 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67',
  1122. [
  1123. Request::USER_AGENT_CHROME
  1124. ],
  1125. true
  1126. ]
  1127. ];
  1128. }
  1129. public function dataMatchClientVersion(): array {
  1130. return [
  1131. [
  1132. 'Mozilla/5.0 (Android) Nextcloud-android/3.24.1',
  1133. Request::USER_AGENT_CLIENT_ANDROID,
  1134. '3.24.1',
  1135. ],
  1136. [
  1137. 'Mozilla/5.0 (iOS) Nextcloud-iOS/4.8.2',
  1138. Request::USER_AGENT_CLIENT_IOS,
  1139. '4.8.2',
  1140. ],
  1141. [
  1142. 'Mozilla/5.0 (Windows) mirall/3.8.1',
  1143. Request::USER_AGENT_CLIENT_DESKTOP,
  1144. '3.8.1',
  1145. ],
  1146. [
  1147. 'Mozilla/5.0 (Android) Nextcloud-Talk v17.10.0',
  1148. Request::USER_AGENT_TALK_ANDROID,
  1149. '17.10.0',
  1150. ],
  1151. [
  1152. 'Mozilla/5.0 (iOS) Nextcloud-Talk v17.0.1',
  1153. Request::USER_AGENT_TALK_IOS,
  1154. '17.0.1',
  1155. ],
  1156. [
  1157. 'Mozilla/5.0 (Windows) Nextcloud-Talk v0.6.0',
  1158. Request::USER_AGENT_TALK_DESKTOP,
  1159. '0.6.0',
  1160. ],
  1161. [
  1162. 'Mozilla/5.0 (Windows) Nextcloud-Outlook v1.0.0',
  1163. Request::USER_AGENT_OUTLOOK_ADDON,
  1164. '1.0.0',
  1165. ],
  1166. [
  1167. 'Mozilla/5.0 (Linux) Nextcloud-Thunderbird v1.0.0',
  1168. Request::USER_AGENT_THUNDERBIRD_ADDON,
  1169. '1.0.0',
  1170. ],
  1171. ];
  1172. }
  1173. /**
  1174. * @dataProvider dataMatchClientVersion
  1175. * @param string $testAgent
  1176. * @param string $userAgent
  1177. * @param string $version
  1178. */
  1179. public function testMatchClientVersion(string $testAgent, string $userAgent, string $version): void {
  1180. preg_match($userAgent, $testAgent, $matches);
  1181. $this->assertSame($version, $matches[1]);
  1182. }
  1183. public function testInsecureServerHostServerNameHeader() {
  1184. $request = new Request(
  1185. [
  1186. 'server' => [
  1187. 'SERVER_NAME' => 'from.server.name:8080',
  1188. ]
  1189. ],
  1190. $this->requestId,
  1191. $this->config,
  1192. $this->csrfTokenManager,
  1193. $this->stream
  1194. );
  1195. $this->assertSame('from.server.name:8080', $request->getInsecureServerHost());
  1196. }
  1197. public function testInsecureServerHostHttpHostHeader() {
  1198. $request = new Request(
  1199. [
  1200. 'server' => [
  1201. 'SERVER_NAME' => 'from.server.name:8080',
  1202. 'HTTP_HOST' => 'from.host.header:8080',
  1203. ]
  1204. ],
  1205. $this->requestId,
  1206. $this->config,
  1207. $this->csrfTokenManager,
  1208. $this->stream
  1209. );
  1210. $this->assertSame('from.host.header:8080', $request->getInsecureServerHost());
  1211. }
  1212. public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
  1213. $this->config
  1214. ->method('getSystemValue')
  1215. ->willReturnCallback(function ($key, $default) {
  1216. if ($key === 'trusted_proxies') {
  1217. return ['1.2.3.4'];
  1218. }
  1219. return $default;
  1220. });
  1221. $request = new Request(
  1222. [
  1223. 'server' => [
  1224. 'SERVER_NAME' => 'from.server.name:8080',
  1225. 'HTTP_HOST' => 'from.host.header:8080',
  1226. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
  1227. 'REMOTE_ADDR' => '1.2.3.4',
  1228. ]
  1229. ],
  1230. $this->requestId,
  1231. $this->config,
  1232. $this->csrfTokenManager,
  1233. $this->stream
  1234. );
  1235. $this->assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  1236. }
  1237. public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
  1238. $this->config
  1239. ->method('getSystemValue')
  1240. ->willReturnCallback(function ($key, $default) {
  1241. if ($key === 'trusted_proxies') {
  1242. return ['1.2.3.4'];
  1243. }
  1244. return $default;
  1245. });
  1246. $request = new Request(
  1247. [
  1248. 'server' => [
  1249. 'SERVER_NAME' => 'from.server.name:8080',
  1250. 'HTTP_HOST' => 'from.host.header:8080',
  1251. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
  1252. 'REMOTE_ADDR' => '1.2.3.4',
  1253. ]
  1254. ],
  1255. $this->requestId,
  1256. $this->config,
  1257. $this->csrfTokenManager,
  1258. $this->stream
  1259. );
  1260. $this->assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  1261. }
  1262. public function testGetServerHostWithOverwriteHost() {
  1263. $this->config
  1264. ->method('getSystemValueString')
  1265. ->willReturnCallback(function ($key, $default) {
  1266. if ($key === 'overwritecondaddr') {
  1267. return '';
  1268. } elseif ($key === 'overwritehost') {
  1269. return 'my.overwritten.host';
  1270. }
  1271. return $default;
  1272. });
  1273. $request = new Request(
  1274. [],
  1275. $this->requestId,
  1276. $this->config,
  1277. $this->csrfTokenManager,
  1278. $this->stream
  1279. );
  1280. $this->assertSame('my.overwritten.host', $request->getServerHost());
  1281. }
  1282. public function testGetServerHostWithTrustedDomain() {
  1283. $this->config
  1284. ->method('getSystemValue')
  1285. ->willReturnCallback(function ($key, $default) {
  1286. if ($key === 'trusted_proxies') {
  1287. return ['1.2.3.4'];
  1288. } elseif ($key === 'trusted_domains') {
  1289. return ['my.trusted.host'];
  1290. }
  1291. return $default;
  1292. });
  1293. $request = new Request(
  1294. [
  1295. 'server' => [
  1296. 'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
  1297. 'REMOTE_ADDR' => '1.2.3.4',
  1298. ],
  1299. ],
  1300. $this->requestId,
  1301. $this->config,
  1302. $this->csrfTokenManager,
  1303. $this->stream
  1304. );
  1305. $this->assertSame('my.trusted.host', $request->getServerHost());
  1306. }
  1307. public function testGetServerHostWithUntrustedDomain() {
  1308. $this->config
  1309. ->method('getSystemValue')
  1310. ->willReturnCallback(function ($key, $default) {
  1311. if ($key === 'trusted_proxies') {
  1312. return ['1.2.3.4'];
  1313. } elseif ($key === 'trusted_domains') {
  1314. return ['my.trusted.host'];
  1315. }
  1316. return $default;
  1317. });
  1318. $request = new Request(
  1319. [
  1320. 'server' => [
  1321. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1322. 'REMOTE_ADDR' => '1.2.3.4',
  1323. ],
  1324. ],
  1325. $this->requestId,
  1326. $this->config,
  1327. $this->csrfTokenManager,
  1328. $this->stream
  1329. );
  1330. $this->assertSame('my.trusted.host', $request->getServerHost());
  1331. }
  1332. public function testGetServerHostWithNoTrustedDomain() {
  1333. $this->config
  1334. ->method('getSystemValue')
  1335. ->willReturnCallback(function ($key, $default) {
  1336. if ($key === 'trusted_proxies') {
  1337. return ['1.2.3.4'];
  1338. }
  1339. return $default;
  1340. });
  1341. $request = new Request(
  1342. [
  1343. 'server' => [
  1344. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1345. 'REMOTE_ADDR' => '1.2.3.4',
  1346. ],
  1347. ],
  1348. $this->requestId,
  1349. $this->config,
  1350. $this->csrfTokenManager,
  1351. $this->stream
  1352. );
  1353. $this->assertSame('', $request->getServerHost());
  1354. }
  1355. /**
  1356. * @return array
  1357. */
  1358. public function dataGetServerHostTrustedDomain() {
  1359. return [
  1360. 'is array' => ['my.trusted.host', ['my.trusted.host']],
  1361. 'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']],
  1362. 'is string' => ['my.trusted.host', 'my.trusted.host'],
  1363. 'is null' => ['', null],
  1364. ];
  1365. }
  1366. /**
  1367. * @dataProvider dataGetServerHostTrustedDomain
  1368. * @param $expected
  1369. * @param $trustedDomain
  1370. */
  1371. public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
  1372. $this->config
  1373. ->method('getSystemValue')
  1374. ->willReturnCallback(function ($key, $default) use ($trustedDomain) {
  1375. if ($key === 'trusted_proxies') {
  1376. return ['1.2.3.4'];
  1377. }
  1378. if ($key === 'trusted_domains') {
  1379. return $trustedDomain;
  1380. }
  1381. return $default;
  1382. });
  1383. $request = new Request(
  1384. [
  1385. 'server' => [
  1386. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1387. 'REMOTE_ADDR' => '1.2.3.4',
  1388. ],
  1389. ],
  1390. $this->requestId,
  1391. $this->config,
  1392. $this->csrfTokenManager,
  1393. $this->stream
  1394. );
  1395. $this->assertSame($expected, $request->getServerHost());
  1396. }
  1397. public function testGetOverwriteHostDefaultNull() {
  1398. $this->config
  1399. ->expects($this->once())
  1400. ->method('getSystemValueString')
  1401. ->with('overwritehost')
  1402. ->willReturn('');
  1403. $request = new Request(
  1404. [],
  1405. $this->requestId,
  1406. $this->config,
  1407. $this->csrfTokenManager,
  1408. $this->stream
  1409. );
  1410. $this->assertNull(self::invokePrivate($request, 'getOverwriteHost'));
  1411. }
  1412. public function testGetOverwriteHostWithOverwrite() {
  1413. $this->config
  1414. ->expects($this->exactly(3))
  1415. ->method('getSystemValueString')
  1416. ->willReturnMap([
  1417. ['overwritehost', '', 'www.owncloud.org'],
  1418. ['overwritecondaddr', '', ''],
  1419. ]);
  1420. $request = new Request(
  1421. [],
  1422. $this->requestId,
  1423. $this->config,
  1424. $this->csrfTokenManager,
  1425. $this->stream
  1426. );
  1427. $this->assertSame('www.owncloud.org', self::invokePrivate($request, 'getOverwriteHost'));
  1428. }
  1429. public function testGetPathInfoNotProcessible() {
  1430. $this->expectException(\Exception::class);
  1431. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1432. $request = new Request(
  1433. [
  1434. 'server' => [
  1435. 'REQUEST_URI' => '/foo.php',
  1436. 'SCRIPT_NAME' => '/var/www/index.php',
  1437. ]
  1438. ],
  1439. $this->requestId,
  1440. $this->config,
  1441. $this->csrfTokenManager,
  1442. $this->stream
  1443. );
  1444. $request->getPathInfo();
  1445. }
  1446. public function testGetRawPathInfoNotProcessible() {
  1447. $this->expectException(\Exception::class);
  1448. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1449. $request = new Request(
  1450. [
  1451. 'server' => [
  1452. 'REQUEST_URI' => '/foo.php',
  1453. 'SCRIPT_NAME' => '/var/www/index.php',
  1454. ]
  1455. ],
  1456. $this->requestId,
  1457. $this->config,
  1458. $this->csrfTokenManager,
  1459. $this->stream
  1460. );
  1461. $request->getRawPathInfo();
  1462. }
  1463. /**
  1464. * @dataProvider genericPathInfoProvider
  1465. * @param string $requestUri
  1466. * @param string $scriptName
  1467. * @param string $expected
  1468. */
  1469. public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1470. $request = new Request(
  1471. [
  1472. 'server' => [
  1473. 'REQUEST_URI' => $requestUri,
  1474. 'SCRIPT_NAME' => $scriptName,
  1475. ]
  1476. ],
  1477. $this->requestId,
  1478. $this->config,
  1479. $this->csrfTokenManager,
  1480. $this->stream
  1481. );
  1482. $this->assertSame($expected, $request->getPathInfo());
  1483. }
  1484. /**
  1485. * @dataProvider genericPathInfoProvider
  1486. * @param string $requestUri
  1487. * @param string $scriptName
  1488. * @param string $expected
  1489. */
  1490. public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1491. $request = new Request(
  1492. [
  1493. 'server' => [
  1494. 'REQUEST_URI' => $requestUri,
  1495. 'SCRIPT_NAME' => $scriptName,
  1496. ]
  1497. ],
  1498. $this->requestId,
  1499. $this->config,
  1500. $this->csrfTokenManager,
  1501. $this->stream
  1502. );
  1503. $this->assertSame($expected, $request->getRawPathInfo());
  1504. }
  1505. /**
  1506. * @dataProvider rawPathInfoProvider
  1507. * @param string $requestUri
  1508. * @param string $scriptName
  1509. * @param string $expected
  1510. */
  1511. public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1512. $request = new Request(
  1513. [
  1514. 'server' => [
  1515. 'REQUEST_URI' => $requestUri,
  1516. 'SCRIPT_NAME' => $scriptName,
  1517. ]
  1518. ],
  1519. $this->requestId,
  1520. $this->config,
  1521. $this->csrfTokenManager,
  1522. $this->stream
  1523. );
  1524. $this->assertSame($expected, $request->getRawPathInfo());
  1525. }
  1526. /**
  1527. * @dataProvider pathInfoProvider
  1528. * @param string $requestUri
  1529. * @param string $scriptName
  1530. * @param string $expected
  1531. */
  1532. public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1533. $request = new Request(
  1534. [
  1535. 'server' => [
  1536. 'REQUEST_URI' => $requestUri,
  1537. 'SCRIPT_NAME' => $scriptName,
  1538. ]
  1539. ],
  1540. $this->requestId,
  1541. $this->config,
  1542. $this->csrfTokenManager,
  1543. $this->stream
  1544. );
  1545. $this->assertSame($expected, $request->getPathInfo());
  1546. }
  1547. /**
  1548. * @return array
  1549. */
  1550. public function genericPathInfoProvider() {
  1551. return [
  1552. ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''],
  1553. ['/index.php/apps/files/', 'index.php', '/apps/files/'],
  1554. ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'],
  1555. ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'],
  1556. ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'],
  1557. ['/', '/', ''],
  1558. ['', '', ''],
  1559. ];
  1560. }
  1561. /**
  1562. * @return array
  1563. */
  1564. public function rawPathInfoProvider() {
  1565. return [
  1566. ['/foo%2Fbar/subfolder', '', 'foo%2Fbar/subfolder'],
  1567. ];
  1568. }
  1569. /**
  1570. * @return array
  1571. */
  1572. public function pathInfoProvider() {
  1573. return [
  1574. ['/foo%2Fbar/subfolder', '', 'foo/bar/subfolder'],
  1575. ];
  1576. }
  1577. public function testGetRequestUriWithoutOverwrite() {
  1578. $this->config
  1579. ->expects($this->once())
  1580. ->method('getSystemValueString')
  1581. ->with('overwritewebroot')
  1582. ->willReturn('');
  1583. $request = new Request(
  1584. [
  1585. 'server' => [
  1586. 'REQUEST_URI' => '/test.php'
  1587. ]
  1588. ],
  1589. $this->requestId,
  1590. $this->config,
  1591. $this->csrfTokenManager,
  1592. $this->stream
  1593. );
  1594. $this->assertSame('/test.php', $request->getRequestUri());
  1595. }
  1596. public function providesGetRequestUriWithOverwriteData() {
  1597. return [
  1598. ['/scriptname.php/some/PathInfo', '/owncloud/', ''],
  1599. ['/scriptname.php/some/PathInfo', '/owncloud/', '123', '123.123.123.123'],
  1600. ];
  1601. }
  1602. /**
  1603. * @dataProvider providesGetRequestUriWithOverwriteData
  1604. */
  1605. public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr, $remoteAddr = '') {
  1606. $this->config
  1607. ->expects($this->exactly(2))
  1608. ->method('getSystemValueString')
  1609. ->willReturnMap([
  1610. ['overwritewebroot', '', $overwriteWebRoot],
  1611. ['overwritecondaddr', '', $overwriteCondAddr],
  1612. ]);
  1613. $request = $this->getMockBuilder(Request::class)
  1614. ->setMethods(['getScriptName'])
  1615. ->setConstructorArgs([
  1616. [
  1617. 'server' => [
  1618. 'REQUEST_URI' => '/test.php/some/PathInfo',
  1619. 'SCRIPT_NAME' => '/test.php',
  1620. 'REMOTE_ADDR' => $remoteAddr
  1621. ]
  1622. ],
  1623. $this->requestId,
  1624. $this->config,
  1625. $this->csrfTokenManager,
  1626. $this->stream
  1627. ])
  1628. ->getMock();
  1629. $request
  1630. ->expects($this->once())
  1631. ->method('getScriptName')
  1632. ->willReturn('/scriptname.php');
  1633. $this->assertSame($expectedUri, $request->getRequestUri());
  1634. }
  1635. public function testPassesCSRFCheckWithGet() {
  1636. /** @var Request $request */
  1637. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1638. ->setMethods(['getScriptName'])
  1639. ->setConstructorArgs([
  1640. [
  1641. 'get' => [
  1642. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1643. ],
  1644. 'cookies' => [
  1645. 'nc_sameSiteCookiestrict' => 'true',
  1646. 'nc_sameSiteCookielax' => 'true',
  1647. ],
  1648. ],
  1649. $this->requestId,
  1650. $this->config,
  1651. $this->csrfTokenManager,
  1652. $this->stream
  1653. ])
  1654. ->getMock();
  1655. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1656. $this->csrfTokenManager
  1657. ->expects($this->once())
  1658. ->method('isTokenValid')
  1659. ->with($token)
  1660. ->willReturn(true);
  1661. $this->assertTrue($request->passesCSRFCheck());
  1662. }
  1663. public function testPassesCSRFCheckWithPost() {
  1664. /** @var Request $request */
  1665. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1666. ->setMethods(['getScriptName'])
  1667. ->setConstructorArgs([
  1668. [
  1669. 'post' => [
  1670. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1671. ],
  1672. 'cookies' => [
  1673. 'nc_sameSiteCookiestrict' => 'true',
  1674. 'nc_sameSiteCookielax' => 'true',
  1675. ],
  1676. ],
  1677. $this->requestId,
  1678. $this->config,
  1679. $this->csrfTokenManager,
  1680. $this->stream
  1681. ])
  1682. ->getMock();
  1683. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1684. $this->csrfTokenManager
  1685. ->expects($this->once())
  1686. ->method('isTokenValid')
  1687. ->with($token)
  1688. ->willReturn(true);
  1689. $this->assertTrue($request->passesCSRFCheck());
  1690. }
  1691. public function testPassesCSRFCheckWithHeader() {
  1692. /** @var Request $request */
  1693. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1694. ->setMethods(['getScriptName'])
  1695. ->setConstructorArgs([
  1696. [
  1697. 'server' => [
  1698. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1699. ],
  1700. 'cookies' => [
  1701. 'nc_sameSiteCookiestrict' => 'true',
  1702. 'nc_sameSiteCookielax' => 'true',
  1703. ],
  1704. ],
  1705. $this->requestId,
  1706. $this->config,
  1707. $this->csrfTokenManager,
  1708. $this->stream
  1709. ])
  1710. ->getMock();
  1711. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1712. $this->csrfTokenManager
  1713. ->expects($this->once())
  1714. ->method('isTokenValid')
  1715. ->with($token)
  1716. ->willReturn(true);
  1717. $this->assertTrue($request->passesCSRFCheck());
  1718. }
  1719. public function testPassesCSRFCheckWithGetAndWithoutCookies() {
  1720. /** @var Request $request */
  1721. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1722. ->setMethods(['getScriptName'])
  1723. ->setConstructorArgs([
  1724. [
  1725. 'get' => [
  1726. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1727. ],
  1728. ],
  1729. $this->requestId,
  1730. $this->config,
  1731. $this->csrfTokenManager,
  1732. $this->stream
  1733. ])
  1734. ->getMock();
  1735. $this->csrfTokenManager
  1736. ->expects($this->once())
  1737. ->method('isTokenValid')
  1738. ->willReturn(true);
  1739. $this->assertTrue($request->passesCSRFCheck());
  1740. }
  1741. public function testPassesCSRFCheckWithPostAndWithoutCookies() {
  1742. /** @var Request $request */
  1743. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1744. ->setMethods(['getScriptName'])
  1745. ->setConstructorArgs([
  1746. [
  1747. 'post' => [
  1748. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1749. ],
  1750. ],
  1751. $this->requestId,
  1752. $this->config,
  1753. $this->csrfTokenManager,
  1754. $this->stream
  1755. ])
  1756. ->getMock();
  1757. $this->csrfTokenManager
  1758. ->expects($this->once())
  1759. ->method('isTokenValid')
  1760. ->willReturn(true);
  1761. $this->assertTrue($request->passesCSRFCheck());
  1762. }
  1763. public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
  1764. /** @var Request $request */
  1765. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1766. ->setMethods(['getScriptName'])
  1767. ->setConstructorArgs([
  1768. [
  1769. 'server' => [
  1770. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1771. ],
  1772. ],
  1773. $this->requestId,
  1774. $this->config,
  1775. $this->csrfTokenManager,
  1776. $this->stream
  1777. ])
  1778. ->getMock();
  1779. $this->csrfTokenManager
  1780. ->expects($this->once())
  1781. ->method('isTokenValid')
  1782. ->willReturn(true);
  1783. $this->assertTrue($request->passesCSRFCheck());
  1784. }
  1785. public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
  1786. /** @var Request $request */
  1787. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1788. ->setMethods(['getScriptName'])
  1789. ->setConstructorArgs([
  1790. [
  1791. 'server' => [
  1792. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1793. ],
  1794. 'cookies' => [
  1795. session_name() => 'asdf',
  1796. 'nc_sameSiteCookiestrict' => 'true',
  1797. ],
  1798. ],
  1799. $this->requestId,
  1800. $this->config,
  1801. $this->csrfTokenManager,
  1802. $this->stream
  1803. ])
  1804. ->getMock();
  1805. $this->csrfTokenManager
  1806. ->expects($this->never())
  1807. ->method('isTokenValid');
  1808. $this->assertFalse($request->passesCSRFCheck());
  1809. }
  1810. public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
  1811. /** @var Request $request */
  1812. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1813. ->setMethods(['getScriptName', 'getCookieParams'])
  1814. ->setConstructorArgs([
  1815. [
  1816. 'server' => [
  1817. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1818. ],
  1819. 'cookies' => [
  1820. session_name() => 'asdf',
  1821. '__Host-nc_sameSiteCookiestrict' => 'true',
  1822. '__Host-nc_sameSiteCookielax' => 'true',
  1823. ],
  1824. ],
  1825. $this->requestId,
  1826. $this->config,
  1827. $this->csrfTokenManager,
  1828. $this->stream
  1829. ])
  1830. ->getMock();
  1831. $request
  1832. ->expects($this->any())
  1833. ->method('getCookieParams')
  1834. ->willReturn([
  1835. 'secure' => true,
  1836. 'path' => '/',
  1837. ]);
  1838. $this->assertTrue($request->passesStrictCookieCheck());
  1839. }
  1840. public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
  1841. /** @var Request $request */
  1842. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1843. ->setMethods(['getScriptName', 'getCookieParams'])
  1844. ->setConstructorArgs([
  1845. [
  1846. 'server' => [
  1847. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1848. ],
  1849. 'cookies' => [
  1850. session_name() => 'asdf',
  1851. 'nc_sameSiteCookiestrict' => 'true',
  1852. 'nc_sameSiteCookielax' => 'true',
  1853. ],
  1854. ],
  1855. $this->requestId,
  1856. $this->config,
  1857. $this->csrfTokenManager,
  1858. $this->stream
  1859. ])
  1860. ->getMock();
  1861. $request
  1862. ->expects($this->any())
  1863. ->method('getCookieParams')
  1864. ->willReturn([
  1865. 'secure' => true,
  1866. 'path' => '/',
  1867. ]);
  1868. $this->assertFalse($request->passesStrictCookieCheck());
  1869. }
  1870. public function testGetCookieParams() {
  1871. /** @var Request $request */
  1872. $request = $this->getMockBuilder(Request::class)
  1873. ->setMethods(['getScriptName'])
  1874. ->setConstructorArgs([
  1875. [],
  1876. $this->requestId,
  1877. $this->config,
  1878. $this->csrfTokenManager,
  1879. $this->stream
  1880. ])
  1881. ->getMock();
  1882. $actual = $request->getCookieParams();
  1883. $this->assertSame(session_get_cookie_params(), $actual);
  1884. }
  1885. public function testPassesStrictCookieCheckWithAllCookies() {
  1886. /** @var Request $request */
  1887. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1888. ->setMethods(['getScriptName'])
  1889. ->setConstructorArgs([
  1890. [
  1891. 'server' => [
  1892. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1893. ],
  1894. 'cookies' => [
  1895. session_name() => 'asdf',
  1896. 'nc_sameSiteCookiestrict' => 'true',
  1897. 'nc_sameSiteCookielax' => 'true',
  1898. ],
  1899. ],
  1900. $this->requestId,
  1901. $this->config,
  1902. $this->csrfTokenManager,
  1903. $this->stream
  1904. ])
  1905. ->getMock();
  1906. $this->assertTrue($request->passesStrictCookieCheck());
  1907. }
  1908. public function testPassesStrictCookieCheckWithRandomCookies() {
  1909. /** @var Request $request */
  1910. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1911. ->setMethods(['getScriptName'])
  1912. ->setConstructorArgs([
  1913. [
  1914. 'server' => [
  1915. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1916. ],
  1917. 'cookies' => [
  1918. 'RandomCookie' => 'asdf',
  1919. ],
  1920. ],
  1921. $this->requestId,
  1922. $this->config,
  1923. $this->csrfTokenManager,
  1924. $this->stream
  1925. ])
  1926. ->getMock();
  1927. $this->assertTrue($request->passesStrictCookieCheck());
  1928. }
  1929. public function testFailsStrictCookieCheckWithSessionCookie() {
  1930. /** @var Request $request */
  1931. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1932. ->setMethods(['getScriptName'])
  1933. ->setConstructorArgs([
  1934. [
  1935. 'server' => [
  1936. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1937. ],
  1938. 'cookies' => [
  1939. session_name() => 'asdf',
  1940. ],
  1941. ],
  1942. $this->requestId,
  1943. $this->config,
  1944. $this->csrfTokenManager,
  1945. $this->stream
  1946. ])
  1947. ->getMock();
  1948. $this->assertFalse($request->passesStrictCookieCheck());
  1949. }
  1950. public function testFailsStrictCookieCheckWithRememberMeCookie() {
  1951. /** @var Request $request */
  1952. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1953. ->setMethods(['getScriptName'])
  1954. ->setConstructorArgs([
  1955. [
  1956. 'server' => [
  1957. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1958. ],
  1959. 'cookies' => [
  1960. 'nc_token' => 'asdf',
  1961. ],
  1962. ],
  1963. $this->requestId,
  1964. $this->config,
  1965. $this->csrfTokenManager,
  1966. $this->stream
  1967. ])
  1968. ->getMock();
  1969. $this->assertFalse($request->passesStrictCookieCheck());
  1970. }
  1971. public function testFailsCSRFCheckWithPostAndWithCookies() {
  1972. /** @var Request $request */
  1973. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1974. ->setMethods(['getScriptName'])
  1975. ->setConstructorArgs([
  1976. [
  1977. 'post' => [
  1978. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1979. ],
  1980. 'cookies' => [
  1981. session_name() => 'asdf',
  1982. 'foo' => 'bar',
  1983. ],
  1984. ],
  1985. $this->requestId,
  1986. $this->config,
  1987. $this->csrfTokenManager,
  1988. $this->stream
  1989. ])
  1990. ->getMock();
  1991. $this->csrfTokenManager
  1992. ->expects($this->never())
  1993. ->method('isTokenValid');
  1994. $this->assertFalse($request->passesCSRFCheck());
  1995. }
  1996. public function testFailStrictCookieCheckWithOnlyLaxCookie() {
  1997. /** @var Request $request */
  1998. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1999. ->setMethods(['getScriptName'])
  2000. ->setConstructorArgs([
  2001. [
  2002. 'server' => [
  2003. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2004. ],
  2005. 'cookies' => [
  2006. session_name() => 'asdf',
  2007. 'nc_sameSiteCookielax' => 'true',
  2008. ],
  2009. ],
  2010. $this->requestId,
  2011. $this->config,
  2012. $this->csrfTokenManager,
  2013. $this->stream
  2014. ])
  2015. ->getMock();
  2016. $this->assertFalse($request->passesStrictCookieCheck());
  2017. }
  2018. public function testFailStrictCookieCheckWithOnlyStrictCookie() {
  2019. /** @var Request $request */
  2020. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2021. ->setMethods(['getScriptName'])
  2022. ->setConstructorArgs([
  2023. [
  2024. 'server' => [
  2025. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2026. ],
  2027. 'cookies' => [
  2028. session_name() => 'asdf',
  2029. 'nc_sameSiteCookiestrict' => 'true',
  2030. ],
  2031. ],
  2032. $this->requestId,
  2033. $this->config,
  2034. $this->csrfTokenManager,
  2035. $this->stream
  2036. ])
  2037. ->getMock();
  2038. $this->assertFalse($request->passesStrictCookieCheck());
  2039. }
  2040. public function testPassesLaxCookieCheck() {
  2041. /** @var Request $request */
  2042. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2043. ->setMethods(['getScriptName'])
  2044. ->setConstructorArgs([
  2045. [
  2046. 'server' => [
  2047. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2048. ],
  2049. 'cookies' => [
  2050. session_name() => 'asdf',
  2051. 'nc_sameSiteCookielax' => 'true',
  2052. ],
  2053. ],
  2054. $this->requestId,
  2055. $this->config,
  2056. $this->csrfTokenManager,
  2057. $this->stream
  2058. ])
  2059. ->getMock();
  2060. $this->assertTrue($request->passesLaxCookieCheck());
  2061. }
  2062. public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
  2063. /** @var Request $request */
  2064. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2065. ->setMethods(['getScriptName'])
  2066. ->setConstructorArgs([
  2067. [
  2068. 'server' => [
  2069. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2070. ],
  2071. 'cookies' => [
  2072. session_name() => 'asdf',
  2073. 'nc_sameSiteCookiestrict' => 'true',
  2074. ],
  2075. ],
  2076. $this->requestId,
  2077. $this->config,
  2078. $this->csrfTokenManager,
  2079. $this->stream
  2080. ])
  2081. ->getMock();
  2082. $this->assertFalse($request->passesLaxCookieCheck());
  2083. }
  2084. public function testSkipCookieCheckForOCSRequests() {
  2085. /** @var Request $request */
  2086. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2087. ->setMethods(['getScriptName'])
  2088. ->setConstructorArgs([
  2089. [
  2090. 'server' => [
  2091. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  2092. 'HTTP_OCS_APIREQUEST' => 'true',
  2093. ],
  2094. 'cookies' => [
  2095. session_name() => 'asdf',
  2096. 'nc_sameSiteCookiestrict' => 'false',
  2097. ],
  2098. ],
  2099. $this->requestId,
  2100. $this->config,
  2101. $this->csrfTokenManager,
  2102. $this->stream
  2103. ])
  2104. ->getMock();
  2105. $this->assertTrue($request->passesStrictCookieCheck());
  2106. }
  2107. /**
  2108. * @return array
  2109. */
  2110. public function invalidTokenDataProvider() {
  2111. return [
  2112. ['InvalidSentToken'],
  2113. ['InvalidSentToken:InvalidSecret'],
  2114. [''],
  2115. ];
  2116. }
  2117. /**
  2118. * @dataProvider invalidTokenDataProvider
  2119. * @param string $invalidToken
  2120. */
  2121. public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
  2122. /** @var Request $request */
  2123. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2124. ->setMethods(['getScriptName'])
  2125. ->setConstructorArgs([
  2126. [
  2127. 'server' => [
  2128. 'HTTP_REQUESTTOKEN' => $invalidToken,
  2129. ],
  2130. ],
  2131. $this->requestId,
  2132. $this->config,
  2133. $this->csrfTokenManager,
  2134. $this->stream
  2135. ])
  2136. ->getMock();
  2137. $token = new CsrfToken($invalidToken);
  2138. $this->csrfTokenManager
  2139. ->expects($this->any())
  2140. ->method('isTokenValid')
  2141. ->with($token)
  2142. ->willReturn(false);
  2143. $this->assertFalse($request->passesCSRFCheck());
  2144. }
  2145. public function testPassesCSRFCheckWithoutTokenFail() {
  2146. /** @var Request $request */
  2147. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2148. ->setMethods(['getScriptName'])
  2149. ->setConstructorArgs([
  2150. [],
  2151. $this->requestId,
  2152. $this->config,
  2153. $this->csrfTokenManager,
  2154. $this->stream
  2155. ])
  2156. ->getMock();
  2157. $this->assertFalse($request->passesCSRFCheck());
  2158. }
  2159. }