  1. <?php
  2. /**
  3. * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
  4. * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
  5. * SPDX-License-Identifier: AGPL-3.0-or-later
  6. */
  7. namespace Test\AppFramework\Http;
  8. use OC\AppFramework\Http\Request;
  9. use OC\Security\CSRF\CsrfToken;
  10. use OC\Security\CSRF\CsrfTokenManager;
  11. use OCP\IConfig;
  12. use OCP\IRequestId;
  13. /**
  14. * Class RequestTest
  15. *
  16. * @package OC\AppFramework\Http
  17. */
  18. class RequestTest extends \Test\TestCase {
  19. /** @var string */
  20. protected $stream = 'fakeinput://data';
  21. /** @var IRequestId */
  22. protected $requestId;
  23. /** @var IConfig */
  24. protected $config;
  25. /** @var CsrfTokenManager */
  26. protected $csrfTokenManager;
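  /**
   * Registers the `fakeinput://` stream wrapper that backs `$this->stream`
   * and creates fresh mocks for the Request collaborators.
   *
   * The wrapper is re-registered for every test so that a registration left
   * over from an aborted run cannot silently serve stale body data.
   */
  protected function setUp(): void {
    parent::setUp();
    // strict comparison: stream_get_wrappers() yields plain strings
    if (in_array('fakeinput', stream_get_wrappers(), true)) {
      stream_wrapper_unregister('fakeinput');
    }
    // same FQCN as before, resolved at compile time from this namespace
    stream_wrapper_register('fakeinput', RequestStream::class);
    $this->requestId = $this->createMock(IRequestId::class);
    $this->config = $this->createMock(IConfig::class);
    // the real constructor is skipped; tests stub the interactions they need
    $this->csrfTokenManager = $this->getMockBuilder(CsrfTokenManager::class)
      ->disableOriginalConstructor()
      ->getMock();
  }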
  /**
   * Drops the `fakeinput://` wrapper registered in setUp() before handing
   * control to the parent teardown.
   */
  protected function tearDown(): void {
    \stream_wrapper_unregister('fakeinput');
    parent::tearDown();
  }
  /**
   * A Request built from GET variables is Countable, array-accessible and
   * readable through magic properties; unknown keys read as null rather
   * than throwing.
   */
  public function testRequestAccessors() {
    $request = new Request(
      [
        'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
        'method' => 'GET',
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // Countable
    self::assertCount(2, $request);
    // ArrayAccess
    self::assertSame('Joey', $request['nickname']);
    // magic __get / __isset
    self::assertSame('Joey', $request->{'nickname'});
    self::assertTrue(isset($request['nickname']));
    self::assertTrue(isset($request->{'nickname'}));
    self::assertFalse(isset($request->{'flickname'}));
    // the 'get' bag itself is reachable; post, files etc. behave the same way
    self::assertSame('Joey', $request->get['nickname']);
    // an unknown key never throws, it reads as null
    self::assertNull($request->{'flickname'});
  }
  69. // urlParams has precedence over POST which has precedence over GET
  /**
   * When the same key is present in several parameter sources, urlParams
   * win over POST, and POST wins over GET. Pinning this order matters:
   * a query-string value must not be able to shadow a routed URL parameter.
   */
  public function testPrecedence() {
    $get = ['name' => 'John Q. Public', 'nickname' => 'Joey'];
    $post = ['name' => 'Jane Doe', 'nickname' => 'Janey'];
    $urlParams = ['user' => 'jw', 'name' => 'Johnny Weissmüller'];

    $request = new Request(
      [
        'get' => $get,
        'post' => $post,
        'urlParams' => $urlParams,
        'method' => 'GET'
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // name, nickname and user: three distinct keys across all sources
    self::assertCount(3, $request);
    // POST beats GET
    self::assertSame('Janey', $request->{'nickname'});
    // urlParams beat POST
    self::assertSame('Johnny Weissmüller', $request->{'name'});
  }
  /**
   * Writing through ArrayAccess is rejected with a RuntimeException:
   * a Request is read-only once constructed.
   */
  public function testImmutableArrayAccess() {
    $this->expectException(\RuntimeException::class);

    $request = new Request(
      [
        'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
        'method' => 'GET'
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $request['nickname'] = 'Janey';
  }
  /**
   * Writing through the magic property setter is rejected with a
   * RuntimeException, mirroring the ArrayAccess case.
   */
  public function testImmutableMagicAccess() {
    $this->expectException(\RuntimeException::class);

    $request = new Request(
      [
        'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
        'method' => 'GET'
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $request->{'nickname'} = 'Janey';
  }
  /**
   * Reading the 'post' bag of a GET request throws a LogicException:
   * body parameters are only exposed for the matching HTTP method.
   */
  public function testGetTheMethodRight() {
    $this->expectException(\LogicException::class);

    $request = new Request(
      [
        'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
        'method' => 'GET',
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // method is GET, so asking for POST data is a programming error
    $request->post;
  }
  /**
   * The 'get' bag of a GET request is readable and carries the variables
   * the request was built from.
   */
  public function testTheMethodIsRight() {
    $request = new Request(
      [
        'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
        'method' => 'GET',
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('GET', $request->method);
    ['name' => $name, 'nickname' => $nickname] = $request->get;
    self::assertSame('John Q. Public', $name);
    self::assertSame('Joey', $nickname);
  }
  /**
   * A POST body with an application/json content type is decoded into the
   * 'post' bag and merged into the general parameters.
   *
   * The raw body is handed to the fake stream wrapper via the global $data.
   */
  public function testJsonPost() {
    global $data;
    $data = '{"name": "John Q. Public", "nickname": "Joey"}';

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('POST', $request->method);
    $post = $request->post;
    self::assertSame('John Q. Public', $post['name']);
    self::assertSame('Joey', $post['nickname']);
    // decoded body values are also reachable as ordinary parameters
    self::assertSame('Joey', $request->params['nickname']);
    self::assertSame('Joey', $request['nickname']);
  }
  /**
   * application/scim+json is treated like plain JSON: the body is decoded
   * into the 'post' bag and merged into the general parameters.
   */
  public function testScimJsonPost() {
    global $data;
    $data = '{"userName":"testusername", "displayName":"Example User"}';

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('POST', $request->method);
    $post = $request->post;
    self::assertSame('testusername', $post['userName']);
    self::assertSame('Example User', $post['displayName']);
    self::assertSame('Example User', $request->params['displayName']);
    self::assertSame('Example User', $request['displayName']);
  }
  /**
   * Any application/<subtype>+json content type is decoded as JSON.
   *
   * The subtype used here is fictional on purpose: it exercises the
   * content-type pattern rather than a registered media type.
   */
  public function testCustomJsonPost() {
    global $data;
    $data = '{"propertyA":"sometestvalue", "propertyB":"someothertestvalue"}';

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('POST', $request->method);
    $post = $request->post;
    self::assertSame('sometestvalue', $post['propertyA']);
    self::assertSame('someothertestvalue', $post['propertyB']);
  }
  /**
   * Bodies that are not a JSON object: invalid JSON, a bare JSON string,
   * and an object literal with a missing value.
   *
   * @return array<int, array{0: string}>
   */
  public function notJsonDataProvider() {
    $bodies = [
      'this is not valid json',
      '"just a string"',
      '{"just a string"}',
    ];

    return array_map(static function (string $body): array {
      return [$body];
    }, $bodies);
  }
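  /**
   * A body that is not a JSON object must not break reading the 'post'
   * bag, even though the content type announces JSON. A malformed body
   * is attacker-controlled input and must degrade gracefully.
   *
   * @dataProvider notJsonDataProvider
   * @param string $testData raw request body
   */
  public function testNotJsonPost($testData) {
    global $data;
    $data = $testData;

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // strict comparison, as the sibling JSON tests use
    $this->assertSame('POST', $request->method);
    // reading the bag triggers decoding; the test passes as long as this neither throws nor emits
    $request->post;
  }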
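  /**
   * An undecodable body under application/scim+json must not break reading
   * the 'post' bag.
   */
  public function testNotScimJsonPost() {
    global $data;
    $data = 'this is not valid scim json';

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // strict comparison, as the sibling JSON tests use
    $this->assertSame('POST', $request->method);
    // reading the bag triggers decoding; the test passes as long as this neither throws nor emits
    $request->post;
  }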
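  /**
   * An undecodable body under a custom +json content type must not break
   * reading the 'post' bag.
   */
  public function testNotCustomJsonPost() {
    global $data;
    $data = 'this is not valid json';

    $request = new Request(
      [
        'method' => 'POST',
        'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    // strict comparison, as the sibling JSON tests use
    $this->assertSame('POST', $request->method);
    // reading the bag triggers decoding; the test passes as long as this neither throws nor emits
    $request->post;
  }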
  /**
   * A form-encoded PATCH body is parsed into the 'patch' bag.
   */
  public function testPatch() {
    global $data;
    $data = http_build_query(['name' => 'John Q. Public', 'nickname' => 'Joey'], '', '&');

    $request = new Request(
      [
        'method' => 'PATCH',
        'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('PATCH', $request->method);
    $patch = $request->patch;
    self::assertSame('John Q. Public', $patch['name']);
    self::assertSame('Joey', $patch['nickname']);
  }
  /**
   * JSON bodies are decoded for PUT and PATCH as well as POST, and an
   * explicit JSON null survives decoding as a PHP null.
   */
  public function testJsonPatchAndPut() {
    global $data;

    // the body is read from the fake stream, so $data must be set before construction
    $build = function (string $method) {
      return new Request(
        [
          'method' => $method,
          'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
        ],
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      );
    };

    // PUT content
    $data = '{"name": "John Q. Public", "nickname": "Joey"}';
    $putRequest = $build('PUT');
    self::assertSame('PUT', $putRequest->method);
    $put = $putRequest->put;
    self::assertSame('John Q. Public', $put['name']);
    self::assertSame('Joey', $put['nickname']);

    // PATCH content
    $data = '{"name": "John Q. Public", "nickname": null}';
    $patchRequest = $build('PATCH');
    self::assertSame('PATCH', $patchRequest->method);
    $patch = $patchRequest->patch;
    self::assertSame('John Q. Public', $patch['name']);
    self::assertNull($patch['nickname']);
  }
  /**
   * application/scim+json bodies are decoded for PUT and PATCH, and an
   * explicit JSON null survives decoding as a PHP null.
   */
  public function testScimJsonPatchAndPut() {
    global $data;

    // the body is read from the fake stream, so $data must be set before construction
    $build = function (string $method) {
      return new Request(
        [
          'method' => $method,
          'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8'],
        ],
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      );
    };

    // PUT content
    $data = '{"userName": "sometestusername", "displayName": "Example User"}';
    $putRequest = $build('PUT');
    self::assertSame('PUT', $putRequest->method);
    $put = $putRequest->put;
    self::assertSame('sometestusername', $put['userName']);
    self::assertSame('Example User', $put['displayName']);

    // PATCH content
    $data = '{"userName": "sometestusername", "displayName": null}';
    $patchRequest = $build('PATCH');
    self::assertSame('PATCH', $patchRequest->method);
    $patch = $patchRequest->patch;
    self::assertSame('sometestusername', $patch['userName']);
    self::assertNull($patch['displayName']);
  }
  /**
   * A custom application/<subtype>+json body is decoded for PUT and PATCH,
   * and an explicit JSON null survives decoding as a PHP null.
   */
  public function testCustomJsonPatchAndPut() {
    global $data;

    // the body is read from the fake stream, so $data must be set before construction
    $build = function (string $method) {
      return new Request(
        [
          'method' => $method,
          'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'],
        ],
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      );
    };

    // PUT content
    $data = '{"propertyA": "sometestvalue", "propertyB": "someothertestvalue"}';
    $putRequest = $build('PUT');
    self::assertSame('PUT', $putRequest->method);
    $put = $putRequest->put;
    self::assertSame('sometestvalue', $put['propertyA']);
    self::assertSame('someothertestvalue', $put['propertyB']);

    // PATCH content
    $data = '{"propertyA": "sometestvalue", "propertyB": null}';
    $patchRequest = $build('PATCH');
    self::assertSame('PATCH', $patchRequest->method);
    $patch = $patchRequest->patch;
    self::assertSame('sometestvalue', $patch['propertyA']);
    self::assertNull($patch['propertyB']);
  }
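  /**
   * For a non-form PUT the body is exposed as a stream resource instead of
   * a parsed array, and it may be consumed only once: a second access to
   * $request->put throws a LogicException.
   */
  public function testPutStream() {
    global $data;
    $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');
    // fail here with a clear message instead of on strlen(false) below
    $this->assertIsString($data, 'test fixture testimage.png must be readable');

    $request = new Request(
      [
        'put' => $data,
        'method' => 'PUT',
        'server' => [
          'CONTENT_TYPE' => 'image/png',
          'CONTENT_LENGTH' => (string)strlen($data)
        ],
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('PUT', $request->method);
    $resource = $request->put;
    $this->assertSame($data, stream_get_contents($resource));

    // the body stream is single-use; a second read attempt must be rejected
    $this->expectException(\LogicException::class);
    $request->put;
  }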
  /**
   * setUrlParameters() replaces the routed parameters and the new values
   * are visible through getParam() and getParams().
   */
  public function testSetUrlParameters() {
    $request = new Request(
      [
        'post' => [],
        'method' => 'POST',
        'urlParams' => ['id' => '2'],
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $request->setUrlParameters(['id' => '3', 'test' => 'test2']);

    self::assertSame('test2', $request->getParam('test'));
    // 'id' was '2' at construction and is overridden, not merged
    self::assertEquals('3', $request->getParam('id'));
    self::assertEquals('3', $request->getParams()['id']);
  }
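  /**
   * Cases for testGetRemoteAddress(). Each row is
   * [server variables, trusted_proxies, forwarded_for_headers, expected address].
   *
   * The forwarded headers are present in almost every row on purpose: the
   * expected value shows whether they are honoured (REMOTE_ADDR is a trusted
   * proxy and the header is configured) or ignored (anything else), which is
   * what stops a direct client from spoofing its address with a header.
   *
   * The former 'IPv4 matching CIDR of trusted proxy' row is relabelled here:
   * 192.168.3.99 is outside 192.168.2.0/24 and the row expects REMOTE_ADDR,
   * so it exercises the non-matching path. A matching IPv4 CIDR is covered by
   * the 'IPv4 forwarded for IPv6' and 'IPv6 with port' rows.
   *
   * @return array<string, array{0: array<string, string>, 1: array<int, string>, 2: array<int, string>, 3: string}>
   */
  public function dataGetRemoteAddress(): array {
    // forwarded headers shared by most rows; REMOTE_ADDR is prepended per row
    $forwarded = [
      'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
      'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
    ];
    $ipv6Client = '2001:db8:85a3:8d3:1319:8a2e:370:7348';

    return [
      // no trusted proxies at all: headers are ignored, REMOTE_ADDR wins
      'IPv4 without trusted remote' => [
        ['REMOTE_ADDR' => '10.0.0.2'] + $forwarded,
        [],
        [],
        '10.0.0.2',
      ],
      // proxy is trusted but no header is configured: still REMOTE_ADDR
      'IPv4 without trusted headers' => [
        ['REMOTE_ADDR' => '10.0.0.2'] + $forwarded,
        ['10.0.0.2'],
        [],
        '10.0.0.2',
      ],
      // trusted proxy and configured header: last entry of the list is used
      'IPv4 with single trusted remote' => [
        ['REMOTE_ADDR' => '10.0.0.2'] + $forwarded,
        ['10.0.0.2'],
        ['HTTP_X_FORWARDED'],
        '10.4.0.4',
      ],
      'IPv6 with single trusted remote' => [
        ['REMOTE_ADDR' => $ipv6Client] + $forwarded,
        [$ipv6Client],
        ['HTTP_X_FORWARDED'],
        '10.4.0.4',
      ],
      // the trailing ::1 is itself a trusted proxy and is skipped
      'IPv4 with multiple trusted remotes' => [
        [
          'REMOTE_ADDR' => '10.0.0.2',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4, ::1',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233',
        ],
        ['10.0.0.2', '::1'],
        ['HTTP_X_FORWARDED'],
        '10.4.0.4',
      ],
      // of the configured headers, the last one present in the request wins
      'IPv4 order of forwarded-for headers' => [
        ['REMOTE_ADDR' => '10.0.0.2'] + $forwarded,
        ['10.0.0.2'],
        [
          'HTTP_X_FORWARDED',
          'HTTP_X_FORWARDED_FOR',
          'HTTP_CLIENT_IP',
        ],
        '192.168.0.233',
      ],
      'IPv4 order of forwarded-for headers (reversed)' => [
        ['REMOTE_ADDR' => '10.0.0.2'] + $forwarded,
        ['10.0.0.2'],
        [
          'HTTP_CLIENT_IP',
          'HTTP_X_FORWARDED_FOR',
          'HTTP_X_FORWARDED',
        ],
        '10.4.0.4',
      ],
      'IPv6 order of forwarded-for headers' => [
        ['REMOTE_ADDR' => $ipv6Client] + $forwarded,
        [$ipv6Client],
        [
          'HTTP_X_FORWARDED',
          'HTTP_X_FORWARDED_FOR',
          'HTTP_CLIENT_IP',
        ],
        '192.168.0.233',
      ],
      // 192.168.3.99 is outside the trusted /24, so the header is ignored
      'IPv4 not matching CIDR of trusted proxy' => [
        ['REMOTE_ADDR' => '192.168.3.99'] + $forwarded,
        ['192.168.2.0/24'],
        ['HTTP_X_FORWARDED_FOR'],
        '192.168.3.99',
      ],
      // ...8a21:... lies inside the /95 prefix, so the header is honoured
      'IPv6 matching CIDR of trusted proxy' => [
        ['REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a21:370:7348'] + $forwarded,
        ['2001:db8:85a3:8d3:1319:8a20::/95'],
        ['HTTP_X_FORWARDED_FOR'],
        '192.168.0.233',
      ],
      'IPv6 not matching CIDR of trusted proxy' => [
        ['REMOTE_ADDR' => $ipv6Client] + $forwarded,
        ['fd::/8'],
        [],
        $ipv6Client,
      ],
      // an unparsable trusted_proxies entry must never be treated as a match
      'IPv6 with invalid trusted proxy' => [
        ['REMOTE_ADDR' => $ipv6Client] + $forwarded,
        ['fx::/8'],
        [],
        $ipv6Client,
      ],
      // bracketed IPv6 literals in the header are unwrapped
      'IPv4 forwarded for IPv6' => [
        [
          'REMOTE_ADDR' => '192.168.2.99',
          'HTTP_X_FORWARDED_FOR' => '[' . $ipv6Client . ']',
        ],
        ['192.168.2.0/24'],
        ['HTTP_X_FORWARDED_FOR'],
        $ipv6Client,
      ],
      // a trailing :port is stripped from IPv4 ...
      'IPv4 with port' => [
        [
          'REMOTE_ADDR' => $ipv6Client,
          'HTTP_X_FORWARDED_FOR' => '192.168.2.99:8080',
        ],
        ['2001:db8::/8'],
        ['HTTP_X_FORWARDED_FOR'],
        '192.168.2.99',
      ],
      // ... and from bracketed IPv6 values
      'IPv6 with port' => [
        [
          'REMOTE_ADDR' => '192.168.2.99',
          'HTTP_X_FORWARDED_FOR' => '[' . $ipv6Client . ']:8080',
        ],
        ['192.168.2.0/24'],
        ['HTTP_X_FORWARDED_FOR'],
        $ipv6Client,
      ],
    ];
  }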
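  /**
   * getRemoteAddress() must only honour forwarded-for style headers when
   * REMOTE_ADDR is one of the configured trusted proxies and the header is
   * listed in forwarded_for_headers; otherwise a client could spoof its
   * address simply by sending the header itself.
   *
   * @dataProvider dataGetRemoteAddress
   * @param array $headers $_SERVER-style variables of the request
   * @param array $trustedProxies value served for the trusted_proxies setting
   * @param array $forwardedForHeaders value served for the forwarded_for_headers setting
   * @param string $expected address getRemoteAddress() has to report
   */
  public function testGetRemoteAddress(array $headers, array $trustedProxies, array $forwardedForHeaders, string $expected): void {
    // Stub by key instead of by call order: withConsecutive() is deprecated in
    // PHPUnit 9.6 and removed in 10, and the order in which Request reads the
    // two settings is an implementation detail this test should not pin.
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default = null) use ($trustedProxies, $forwardedForHeaders) {
        if ($key === 'trusted_proxies') {
          return $trustedProxies;
        }
        if ($key === 'forwarded_for_headers') {
          return $forwardedForHeaders;
        }
        return $default;
      });

    $request = new Request(
      [
        'server' => $headers,
      ],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame($expected, $request->getRemoteAddress());
  }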
  /**
   * [SERVER_PROTOCOL input, expected getHttpProtocol() result].
   *
   * Exact, lower-case and mixed-case spellings of the supported versions
   * normalise to the canonical form; anything else falls back to HTTP/1.1.
   *
   * @return array
   */
  public function httpProtocolProvider() {
    $rows = [];

    foreach (['HTTP/1.0', 'HTTP/1.1', 'HTTP/2'] as $canonical) {
      $version = substr($canonical, 4); // "/1.0", "/1.1", "/2"
      $rows[] = [$canonical, $canonical];
      $rows[] = ['http' . $version, $canonical];
      $rows[] = ['HTTp' . $version, $canonical];
    }

    // Invalid
    foreach (['HTTp/394', 'InvalidProvider/1.1', null, ''] as $bogus) {
      $rows[] = [$bogus, 'HTTP/1.1'];
    }

    return $rows;
  }
  /**
   * getHttpProtocol() normalises SERVER_PROTOCOL to one of the known
   * versions and never echoes an unrecognised value back.
   *
   * @dataProvider httpProtocolProvider
   *
   * @param mixed $input
   * @param string $expected
   */
  public function testGetHttpProtocol($input, $expected) {
    $server = ['SERVER_PROTOCOL' => $input];

    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getHttpProtocol());
  }
  /**
   * A configured overwriteprotocol is returned as-is by getServerProtocol(),
   * taking precedence over anything in the server variables.
   *
   * The stub is pinned to exactly three getSystemValueString() lookups;
   * which third key Request asks for is not visible from this test.
   */
  public function testGetServerProtocolWithOverride() {
    $this->config
      ->expects(self::exactly(3))
      ->method('getSystemValueString')
      ->willReturnMap([
        ['overwriteprotocol', '', 'customProtocol'],
        ['overwritecondaddr', '', ''],
      ]);

    $request = new Request([], $this->requestId, $this->config, $this->csrfTokenManager, $this->stream);

    self::assertSame('customProtocol', $request->getServerProtocol());
  }
  /**
   * X-Forwarded-Proto is honoured, case-insensitively, when REMOTE_ADDR is
   * a trusted proxy: 'HtTpS' yields https and 'HTTp' yields http.
   */
  public function testGetServerProtocolWithProtoValid() {
    // only trusted_proxies is overridden; every other setting keeps its default
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $fromProxy = function (string $forwardedProto) {
      return new Request(
        [
          'server' => [
            'HTTP_X_FORWARDED_PROTO' => $forwardedProto,
            'REMOTE_ADDR' => '1.2.3.4',
          ],
        ],
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      );
    };

    $requestHttps = $fromProxy('HtTpS');
    $requestHttp = $fromProxy('HTTp');

    self::assertSame('https', $requestHttps->getServerProtocol());
    self::assertSame('http', $requestHttp->getServerProtocol());
  }
  /**
   * HTTPS=on in the server variables selects https when no override or
   * trusted proxy is configured.
   */
  public function testGetServerProtocolWithHttpsServerValueOn() {
    // every setting keeps its default: the stub hands back the $default argument
    $this->config
      ->method('getSystemValue')
      ->willReturnArgument(1);

    $request = new Request(
      ['server' => ['HTTPS' => 'on']],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('https', $request->getServerProtocol());
  }
  /**
   * HTTPS=off in the server variables means plain http.
   */
  public function testGetServerProtocolWithHttpsServerValueOff() {
    // every setting keeps its default: the stub hands back the $default argument
    $this->config
      ->method('getSystemValue')
      ->willReturnArgument(1);

    $request = new Request(
      ['server' => ['HTTPS' => 'off']],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('http', $request->getServerProtocol());
  }
  /**
   * An empty HTTPS server var is treated like an absent one: plain http.
   */
  public function testGetServerProtocolWithHttpsServerValueEmpty() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $default;
      });

    $server = ['HTTPS' => ''];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('http', $request->getServerProtocol());
  }
  /**
   * With no server vars at all the protocol defaults to http.
   */
  public function testGetServerProtocolDefault() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $default;
      });

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('http', $request->getServerProtocol());
  }
  /**
   * A comma-separated X-Forwarded-Proto chain from a trusted proxy resolves to
   * its first entry (the protocol the client used).
   */
  public function testGetServerProtocolBehindLoadBalancers() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $server = [
      'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('https', $request->getServerProtocol());
  }
  /**
   * isUserAgent() matches the HTTP_USER_AGENT header against the given patterns.
   *
   * @dataProvider userAgentProvider
   * @param string $testAgent raw User-Agent header value
   * @param array $userAgent list of Request::USER_AGENT_* patterns to test
   * @param bool $matches whether any pattern is expected to match
   */
  public function testUserAgent($testAgent, $userAgent, $matches) {
    $server = ['HTTP_USER_AGENT' => $testAgent];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($matches, $request->isUserAgent($userAgent));
  }
  /**
   * Without a User-Agent header no pattern matches, regardless of the
   * provider's expected result for a present header.
   *
   * @dataProvider userAgentProvider
   * @param string $testAgent unused here; the request carries no header
   * @param array $userAgent list of Request::USER_AGENT_* patterns to test
   * @param bool $matches unused here; the expectation is always false
   */
  public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertFalse($request->isUserAgent($userAgent));
  }
  /**
   * Cases for testUserAgent / testUndefinedUserAgent.
   *
   * @return array list of [user agent string, list of patterns, expected match]
   */
  public function userAgentProvider() {
    // Pattern lists reused across several cases.
    $ie = [Request::USER_AGENT_IE];
    $chrome = [Request::USER_AGENT_CHROME];
    $androidChrome = [Request::USER_AGENT_ANDROID_MOBILE_CHROME];
    $ieOrAndroidChrome = [
      Request::USER_AGENT_IE,
      Request::USER_AGENT_ANDROID_MOBILE_CHROME,
    ];
    $freebox = [Request::USER_AGENT_FREEBOX];
    $clientAndroid = [Request::USER_AGENT_CLIENT_ANDROID];

    // Agent strings reused across several cases.
    $msie8 = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)';
    $firefox24 = 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0';
    $nexus4Chrome = 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36';

    return [
      [$msie8, $ie, true],
      [$firefox24, $ie, false],
      ['Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36', $chrome, true],
      ['Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36', $chrome, true],
      [$nexus4Chrome, $androidChrome, true],
      [$msie8, $androidChrome, false],
      [$msie8, $ieOrAndroidChrome, true],
      [$nexus4Chrome, $ieOrAndroidChrome, true],
      [$firefox24, $freebox, false],
      ['Mozilla/5.0', $freebox, true],
      ['Fake Mozilla/5.0', $freebox, false],
      ['Mozilla/5.0 (Android) ownCloud-android/2.0.0', $clientAndroid, true],
      ['Mozilla/5.0 (Android) Nextcloud-android/2.0.0', $clientAndroid, true],
      // Chromium derivatives are recognised as Chrome.
      ['Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41', $chrome, true],
      ['Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75', $chrome, true],
      ['Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67', $chrome, true],
    ];
  }
  /**
   * Cases for testMatchClientVersion.
   *
   * @return array list of [user agent string, Request::USER_AGENT_* pattern, expected version]
   */
  public function dataMatchClientVersion(): array {
    return [
      // sync clients
      ['Mozilla/5.0 (Android) Nextcloud-android/3.24.1', Request::USER_AGENT_CLIENT_ANDROID, '3.24.1'],
      ['Mozilla/5.0 (iOS) Nextcloud-iOS/4.8.2', Request::USER_AGENT_CLIENT_IOS, '4.8.2'],
      ['Mozilla/5.0 (Windows) mirall/3.8.1', Request::USER_AGENT_CLIENT_DESKTOP, '3.8.1'],
      // Talk clients
      ['Mozilla/5.0 (Android) Nextcloud-Talk v17.10.0', Request::USER_AGENT_TALK_ANDROID, '17.10.0'],
      ['Mozilla/5.0 (iOS) Nextcloud-Talk v17.0.1', Request::USER_AGENT_TALK_IOS, '17.0.1'],
      ['Mozilla/5.0 (Windows) Nextcloud-Talk v0.6.0', Request::USER_AGENT_TALK_DESKTOP, '0.6.0'],
      // mail add-ons
      ['Mozilla/5.0 (Windows) Nextcloud-Outlook v1.0.0', Request::USER_AGENT_OUTLOOK_ADDON, '1.0.0'],
      ['Mozilla/5.0 (Linux) Nextcloud-Thunderbird v1.0.0', Request::USER_AGENT_THUNDERBIRD_ADDON, '1.0.0'],
    ];
  }
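  /**
   * Each client pattern captures the client version in its first group.
   *
   * @dataProvider dataMatchClientVersion
   * @param string $testAgent raw User-Agent header value
   * @param string $userAgent one of the Request::USER_AGENT_* regex patterns
   * @param string $version version expected in the pattern's first capture group
   */
  public function testMatchClientVersion(string $testAgent, string $userAgent, string $version): void {
    // Assert the match itself first: a non-matching pattern then fails with a
    // clear message instead of an undefined-index error on $matches[1].
    $this->assertSame(1, preg_match($userAgent, $testAgent, $matches));
    $this->assertArrayHasKey(1, $matches);
    $this->assertSame($version, $matches[1]);
  }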
  /**
   * Without a Host header the insecure server host falls back to SERVER_NAME.
   */
  public function testInsecureServerHostServerNameHeader() {
    $server = ['SERVER_NAME' => 'from.server.name:8080'];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('from.server.name:8080', $request->getInsecureServerHost());
  }
  /**
   * The Host header takes precedence over SERVER_NAME.
   */
  public function testInsecureServerHostHttpHostHeader() {
    $server = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('from.host.header:8080', $request->getInsecureServerHost());
  }
  /**
   * X-Forwarded-Host from a trusted proxy overrides both Host and SERVER_NAME.
   */
  public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $server = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
      'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  }
  /**
   * A comma-separated X-Forwarded-Host chain from a trusted proxy resolves to
   * its first entry.
   */
  public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $server = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
      'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  }
  /**
   * A configured overwritehost (with an empty overwritecondaddr) wins over
   * anything in the server vars.
   */
  public function testGetServerHostWithOverwriteHost() {
    $configured = [
      'overwritecondaddr' => '',
      'overwritehost' => 'my.overwritten.host',
    ];
    $this->config
      ->method('getSystemValueString')
      ->willReturnCallback(static function ($key, $default) use ($configured) {
        return array_key_exists($key, $configured) ? $configured[$key] : $default;
      });

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('my.overwritten.host', $request->getServerHost());
  }
  /**
   * A forwarded host that is listed in trusted_domains is returned as-is.
   */
  public function testGetServerHostWithTrustedDomain() {
    $configured = [
      'trusted_proxies' => ['1.2.3.4'],
      'trusted_domains' => ['my.trusted.host'],
    ];
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) use ($configured) {
        return array_key_exists($key, $configured) ? $configured[$key] : $default;
      });

    $server = [
      'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('my.trusted.host', $request->getServerHost());
  }
  /**
   * A forwarded host that is not in trusted_domains is replaced by the first
   * trusted domain rather than being echoed back.
   */
  public function testGetServerHostWithUntrustedDomain() {
    $configured = [
      'trusted_proxies' => ['1.2.3.4'],
      'trusted_domains' => ['my.trusted.host'],
    ];
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) use ($configured) {
        return array_key_exists($key, $configured) ? $configured[$key] : $default;
      });

    $server = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('my.trusted.host', $request->getServerHost());
  }
  /**
   * With no trusted_domains configured an untrusted forwarded host yields an
   * empty server host.
   */
  public function testGetServerHostWithNoTrustedDomain() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $server = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('', $request->getServerHost());
  }
  /**
   * Shapes the trusted_domains config value can take, with the host expected
   * for an untrusted forwarded host in each case.
   *
   * @return array map of case name => [expected host, trusted_domains value]
   */
  public function dataGetServerHostTrustedDomain() {
    $host = 'my.trusted.host';

    return [
      'is array' => [$host, [$host]],
      'is array but undefined index 0' => [$host, [2 => $host]],
      'is string' => [$host, $host],
      'is null' => ['', null],
    ];
  }
  /**
   * getServerHost() tolerates trusted_domains being a list without index 0, a
   * bare string, or null, and still never echoes the untrusted forwarded host.
   *
   * @dataProvider dataGetServerHostTrustedDomain
   * @param string $expected host expected from getServerHost()
   * @param array|string|null $trustedDomain value returned for 'trusted_domains'
   */
  public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(static function ($key, $default) use ($trustedDomain) {
        switch ($key) {
          case 'trusted_proxies':
            return ['1.2.3.4'];
          case 'trusted_domains':
            return $trustedDomain;
          default:
            return $default;
        }
      });

    $server = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getServerHost());
  }
  /**
   * An empty overwritehost config value means no overwrite host (null).
   */
  public function testGetOverwriteHostDefaultNull() {
    $this->config
      ->expects($this->once())
      ->method('getSystemValueString')
      ->with('overwritehost')
      ->willReturn('');

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $overwriteHost = self::invokePrivate($request, 'getOverwriteHost');
    self::assertNull($overwriteHost);
  }
  /**
   * With overwritehost set and overwritecondaddr empty the configured host is
   * returned; the config is consulted exactly three times.
   */
  public function testGetOverwriteHostWithOverwrite() {
    $this->config
      ->expects($this->exactly(3))
      ->method('getSystemValueString')
      ->willReturnMap([
        ['overwritehost', '', 'www.owncloud.org'],
        ['overwritecondaddr', '', ''],
      ]);

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $overwriteHost = self::invokePrivate($request, 'getOverwriteHost');
    self::assertSame('www.owncloud.org', $overwriteHost);
  }
  /**
   * getPathInfo() throws when the request URI does not start with the script name.
   */
  public function testGetPathInfoNotProcessible() {
    $this->expectException(\Exception::class);
    $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');

    $server = [
      'REQUEST_URI' => '/foo.php',
      'SCRIPT_NAME' => '/var/www/index.php',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $request->getPathInfo();
  }
  /**
   * getRawPathInfo() throws when the request URI does not start with the script name.
   */
  public function testGetRawPathInfoNotProcessible() {
    $this->expectException(\Exception::class);
    $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');

    $server = [
      'REQUEST_URI' => '/foo.php',
      'SCRIPT_NAME' => '/var/www/index.php',
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $request->getRawPathInfo();
  }
  /**
   * getPathInfo() strips the script name, query string and duplicate slashes.
   *
   * @dataProvider genericPathInfoProvider
   * @param string $requestUri REQUEST_URI server var
   * @param string $scriptName SCRIPT_NAME server var
   * @param string $expected path info expected after normalisation
   */
  public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
    $server = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getPathInfo());
  }
  /**
   * getRawPathInfo() agrees with getPathInfo() on the generic cases (none of
   * which contain percent-encoded characters).
   *
   * @dataProvider genericPathInfoProvider
   * @param string $requestUri REQUEST_URI server var
   * @param string $scriptName SCRIPT_NAME server var
   * @param string $expected path info expected after normalisation
   */
  public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
    $server = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getRawPathInfo());
  }
  /**
   * getRawPathInfo() keeps percent-encoded characters (%2F stays encoded).
   *
   * @dataProvider rawPathInfoProvider
   * @param string $requestUri REQUEST_URI server var
   * @param string $scriptName SCRIPT_NAME server var
   * @param string $expected raw path info expected
   */
  public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
    $server = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getRawPathInfo());
  }
  /**
   * getPathInfo() decodes percent-encoded characters (%2F becomes a slash).
   *
   * @dataProvider pathInfoProvider
   * @param string $requestUri REQUEST_URI server var
   * @param string $scriptName SCRIPT_NAME server var
   * @param string $expected decoded path info expected
   */
  public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
    $server = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame($expected, $request->getPathInfo());
  }
  /**
   * Path-info cases without percent-encoding, shared by the raw and decoded
   * variants of the test.
   *
   * @return array list of [request uri, script name, expected path info]
   */
  public function genericPathInfoProvider() {
    return [
      // query string is dropped
      ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''],
      ['/index.php/apps/files/', 'index.php', '/apps/files/'],
      // dot segments and entities are left untouched, only the query goes
      ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'],
      // multibyte path segments survive unchanged
      ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'],
      // runs of slashes collapse to one
      ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'],
      ['/', '/', ''],
      ['', '', ''],
    ];
  }
  /**
   * Percent-encoded case for getRawPathInfo(): the encoding is preserved.
   *
   * @return array list of [request uri, script name, expected raw path info]
   */
  public function rawPathInfoProvider() {
    $encodedSlashPath = '/foo%2Fbar/subfolder';

    return [
      [$encodedSlashPath, '', 'foo%2Fbar/subfolder'],
    ];
  }
  /**
   * Percent-encoded case for getPathInfo(): %2F is decoded to a slash.
   *
   * @return array list of [request uri, script name, expected decoded path info]
   */
  public function pathInfoProvider() {
    $encodedSlashPath = '/foo%2Fbar/subfolder';

    return [
      [$encodedSlashPath, '', 'foo/bar/subfolder'],
    ];
  }
  /**
   * Without an overwritewebroot the request URI is returned unchanged.
   */
  public function testGetRequestUriWithoutOverwrite() {
    $this->config
      ->expects($this->once())
      ->method('getSystemValueString')
      ->with('overwritewebroot')
      ->willReturn('');

    $server = ['REQUEST_URI' => '/test.php'];
    $request = new Request(
      ['server' => $server],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    self::assertSame('/test.php', $request->getRequestUri());
  }
  /**
   * Cases for testGetRequestUriWithOverwrite.
   *
   * @return array list of [expected uri, overwritewebroot, overwritecondaddr, optional remote addr]
   */
  public function providesGetRequestUriWithOverwriteData() {
    $expectedUri = '/scriptname.php/some/PathInfo';
    $webRoot = '/owncloud/';

    return [
      // no condition address: the overwrite always applies
      [$expectedUri, $webRoot, ''],
      // condition address set and matched by the remote address
      [$expectedUri, $webRoot, '123', '123.123.123.123'],
    ];
  }
  /**
   * With overwritewebroot configured (and overwritecondaddr either empty or
   * matching REMOTE_ADDR) the script name is taken from getScriptName() and
   * the path info is appended to it.
   *
   * @dataProvider providesGetRequestUriWithOverwriteData
   * @param string $expectedUri request URI expected from getRequestUri()
   * @param string $overwriteWebRoot value returned for 'overwritewebroot'
   * @param string $overwriteCondAddr value returned for 'overwritecondaddr'
   * @param string $remoteAddr REMOTE_ADDR server var
   */
  public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr, $remoteAddr = '') {
    $this->config
      ->expects($this->exactly(2))
      ->method('getSystemValueString')
      ->willReturnMap([
        ['overwritewebroot', '', $overwriteWebRoot],
        ['overwritecondaddr', '', $overwriteCondAddr],
      ]);

    $vars = [
      'server' => [
        'REQUEST_URI' => '/test.php/some/PathInfo',
        'SCRIPT_NAME' => '/test.php',
        'REMOTE_ADDR' => $remoteAddr
      ]
    ];
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();
    $request
      ->expects($this->once())
      ->method('getScriptName')
      ->willReturn('/scriptname.php');

    self::assertSame($expectedUri, $request->getRequestUri());
  }
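  /**
   * A valid requesttoken in the query string passes the CSRF check when both
   * SameSite cookies are present.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithGet() {
    $vars = [
      'get' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    // The token manager must be asked about exactly the token sent by the client.
    $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }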
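  /**
   * A valid requesttoken in the POST body passes the CSRF check when both
   * SameSite cookies are present.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithPost() {
    $vars = [
      'post' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    // The token manager must be asked about exactly the token sent by the client.
    $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }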
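  /**
   * A valid token in the requesttoken header passes the CSRF check when both
   * SameSite cookies are present.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithHeader() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    // The token manager must be asked about exactly the token sent by the client.
    $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }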
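  /**
   * A request carrying no cookies at all still passes the CSRF check on a valid
   * query-string token (the SameSite cookie requirement only applies once a
   * session cookie is present).
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithGetAndWithoutCookies() {
    $vars = [
      'get' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }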
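  /**
   * A request carrying no cookies at all still passes the CSRF check on a valid
   * POST token.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithPostAndWithoutCookies() {
    $vars = [
      'post' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }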
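  /**
   * A request carrying no cookies at all still passes the CSRF check on a valid
   * requesttoken header.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }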
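  /**
   * With a session cookie present but the lax SameSite cookie missing, the
   * CSRF check fails before the token is even validated.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        'nc_sameSiteCookiestrict' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    // The cookie check must short-circuit; the token manager is never consulted.
    $this->csrfTokenManager
      ->expects($this->never())
      ->method('isTokenValid');

    $this->assertFalse($request->passesCSRFCheck());
  }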
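  /**
   * When the session cookie params are secure and path '/', the SameSite
   * cookies are expected under the __Host- prefix and the strict check passes.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        '__Host-nc_sameSiteCookiestrict' => 'true',
        '__Host-nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName', 'getCookieParams'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();
    $request
      ->expects($this->any())
      ->method('getCookieParams')
      ->willReturn([
        'secure' => true,
        'path' => '/',
      ]);

    $this->assertTrue($request->passesStrictCookieCheck());
  }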
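  /**
   * With secure cookie params the unprefixed SameSite cookies are not accepted:
   * the __Host- variants are required, so the strict check fails.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName', 'getCookieParams'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();
    $request
      ->expects($this->any())
      ->method('getCookieParams')
      ->willReturn([
        'secure' => true,
        'path' => '/',
      ]);

    $this->assertFalse($request->passesStrictCookieCheck());
  }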
  /**
   * getCookieParams() returns PHP's current session cookie parameters.
   */
  public function testGetCookieParams() {
    $constructorArgs = [
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs($constructorArgs)
      ->getMock();

    $expected = session_get_cookie_params();
    self::assertSame($expected, $request->getCookieParams());
  }
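  /**
   * With the session cookie and both SameSite cookies present the strict check
   * passes (default, non-secure cookie params, so no __Host- prefix needed).
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesStrictCookieCheckWithAllCookies() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->assertTrue($request->passesStrictCookieCheck());
  }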
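  /**
   * Unrelated cookies without a session or remember-me cookie do not trigger
   * the strict check, so it passes.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testPassesStrictCookieCheckWithRandomCookies() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        'RandomCookie' => 'asdf',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->assertTrue($request->passesStrictCookieCheck());
  }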
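  /**
   * A session cookie without the SameSite cookies fails the strict check.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testFailsStrictCookieCheckWithSessionCookie() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->assertFalse($request->passesStrictCookieCheck());
  }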
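  /**
   * The remember-me cookie (nc_token) counts as an authenticating cookie, so
   * without the SameSite cookies the strict check fails.
   *
   * Uses Request::class like the other mock-builder tests in this file
   * instead of a string class name, so renames are caught statically.
   */
  public function testFailsStrictCookieCheckWithRememberMeCookie() {
    $vars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        'nc_token' => 'asdf',
      ],
    ];
    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([$vars, $this->requestId, $this->config, $this->csrfTokenManager, $this->stream])
      ->getMock();

    $this->assertFalse($request->passesStrictCookieCheck());
  }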
  1833. public function testFailsCSRFCheckWithPostAndWithCookies() {
  1834. /** @var Request $request */
  1835. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1836. ->setMethods(['getScriptName'])
  1837. ->setConstructorArgs([
  1838. [
  1839. 'post' => [
  1840. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1841. ],
  1842. 'cookies' => [
  1843. session_name() => 'asdf',
  1844. 'foo' => 'bar',
  1845. ],
  1846. ],
  1847. $this->requestId,
  1848. $this->config,
  1849. $this->csrfTokenManager,
  1850. $this->stream
  1851. ])
  1852. ->getMock();
  1853. $this->csrfTokenManager
  1854. ->expects($this->never())
  1855. ->method('isTokenValid');
  1856. $this->assertFalse($request->passesCSRFCheck());
  1857. }
  1858. public function testFailStrictCookieCheckWithOnlyLaxCookie() {
  1859. /** @var Request $request */
  1860. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1861. ->setMethods(['getScriptName'])
  1862. ->setConstructorArgs([
  1863. [
  1864. 'server' => [
  1865. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1866. ],
  1867. 'cookies' => [
  1868. session_name() => 'asdf',
  1869. 'nc_sameSiteCookielax' => 'true',
  1870. ],
  1871. ],
  1872. $this->requestId,
  1873. $this->config,
  1874. $this->csrfTokenManager,
  1875. $this->stream
  1876. ])
  1877. ->getMock();
  1878. $this->assertFalse($request->passesStrictCookieCheck());
  1879. }
  1880. public function testFailStrictCookieCheckWithOnlyStrictCookie() {
  1881. /** @var Request $request */
  1882. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1883. ->setMethods(['getScriptName'])
  1884. ->setConstructorArgs([
  1885. [
  1886. 'server' => [
  1887. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1888. ],
  1889. 'cookies' => [
  1890. session_name() => 'asdf',
  1891. 'nc_sameSiteCookiestrict' => 'true',
  1892. ],
  1893. ],
  1894. $this->requestId,
  1895. $this->config,
  1896. $this->csrfTokenManager,
  1897. $this->stream
  1898. ])
  1899. ->getMock();
  1900. $this->assertFalse($request->passesStrictCookieCheck());
  1901. }
  1902. public function testPassesLaxCookieCheck() {
  1903. /** @var Request $request */
  1904. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1905. ->setMethods(['getScriptName'])
  1906. ->setConstructorArgs([
  1907. [
  1908. 'server' => [
  1909. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1910. ],
  1911. 'cookies' => [
  1912. session_name() => 'asdf',
  1913. 'nc_sameSiteCookielax' => 'true',
  1914. ],
  1915. ],
  1916. $this->requestId,
  1917. $this->config,
  1918. $this->csrfTokenManager,
  1919. $this->stream
  1920. ])
  1921. ->getMock();
  1922. $this->assertTrue($request->passesLaxCookieCheck());
  1923. }
  1924. public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
  1925. /** @var Request $request */
  1926. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1927. ->setMethods(['getScriptName'])
  1928. ->setConstructorArgs([
  1929. [
  1930. 'server' => [
  1931. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1932. ],
  1933. 'cookies' => [
  1934. session_name() => 'asdf',
  1935. 'nc_sameSiteCookiestrict' => 'true',
  1936. ],
  1937. ],
  1938. $this->requestId,
  1939. $this->config,
  1940. $this->csrfTokenManager,
  1941. $this->stream
  1942. ])
  1943. ->getMock();
  1944. $this->assertFalse($request->passesLaxCookieCheck());
  1945. }
  1946. public function testSkipCookieCheckForOCSRequests() {
  1947. /** @var Request $request */
  1948. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1949. ->setMethods(['getScriptName'])
  1950. ->setConstructorArgs([
  1951. [
  1952. 'server' => [
  1953. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1954. 'HTTP_OCS_APIREQUEST' => 'true',
  1955. ],
  1956. 'cookies' => [
  1957. session_name() => 'asdf',
  1958. 'nc_sameSiteCookiestrict' => 'false',
  1959. ],
  1960. ],
  1961. $this->requestId,
  1962. $this->config,
  1963. $this->csrfTokenManager,
  1964. $this->stream
  1965. ])
  1966. ->getMock();
  1967. $this->assertTrue($request->passesStrictCookieCheck());
  1968. }
  1969. /**
  1970. * @return array
  1971. */
  1972. public function invalidTokenDataProvider() {
  1973. return [
  1974. ['InvalidSentToken'],
  1975. ['InvalidSentToken:InvalidSecret'],
  1976. [''],
  1977. ];
  1978. }
  1979. /**
  1980. * @dataProvider invalidTokenDataProvider
  1981. * @param string $invalidToken
  1982. */
  1983. public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
  1984. /** @var Request $request */
  1985. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1986. ->setMethods(['getScriptName'])
  1987. ->setConstructorArgs([
  1988. [
  1989. 'server' => [
  1990. 'HTTP_REQUESTTOKEN' => $invalidToken,
  1991. ],
  1992. ],
  1993. $this->requestId,
  1994. $this->config,
  1995. $this->csrfTokenManager,
  1996. $this->stream
  1997. ])
  1998. ->getMock();
  1999. $token = new CsrfToken($invalidToken);
  2000. $this->csrfTokenManager
  2001. ->expects($this->any())
  2002. ->method('isTokenValid')
  2003. ->with($token)
  2004. ->willReturn(false);
  2005. $this->assertFalse($request->passesCSRFCheck());
  2006. }
  2007. public function testPassesCSRFCheckWithoutTokenFail() {
  2008. /** @var Request $request */
  2009. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2010. ->setMethods(['getScriptName'])
  2011. ->setConstructorArgs([
  2012. [],
  2013. $this->requestId,
  2014. $this->config,
  2015. $this->csrfTokenManager,
  2016. $this->stream
  2017. ])
  2018. ->getMock();
  2019. $this->assertFalse($request->passesCSRFCheck());
  2020. }
  2021. public function testPassesCSRFCheckWithOCSAPIRequestHeader() {
  2022. /** @var Request $request */
  2023. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  2024. ->setMethods(['getScriptName'])
  2025. ->setConstructorArgs([
  2026. [
  2027. 'server' => [
  2028. 'HTTP_OCS_APIREQUEST' => 'true',
  2029. ],
  2030. ],
  2031. $this->requestId,
  2032. $this->config,
  2033. $this->csrfTokenManager,
  2034. $this->stream
  2035. ])
  2036. ->getMock();
  2037. $this->assertTrue($request->passesCSRFCheck());
  2038. }
  2039. }