RequestTest.php 49 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144
  1. <?php
  2. /**
  3. * @copyright 2013 Thomas Tanghus (thomas@tanghus.net)
  4. * @copyright 2016 Lukas Reschke lukas@owncloud.com
  5. *
  6. * This file is licensed under the Affero General Public License version 3 or
  7. * later.
  8. * See the COPYING-README file.
  9. */
  10. namespace Test\AppFramework\Http;
  11. use OC\AppFramework\Http\Request;
  12. use OC\Security\CSRF\CsrfToken;
  13. use OC\Security\CSRF\CsrfTokenManager;
  14. use OCP\IConfig;
  15. use OCP\Security\ISecureRandom;
  16. /**
  17. * Class RequestTest
  18. *
  19. * @package OC\AppFramework\Http
  20. */
  21. class RequestTest extends \Test\TestCase {
  22. /** @var string */
  23. protected $stream = 'fakeinput://data';
  24. /** @var ISecureRandom */
  25. protected $secureRandom;
  26. /** @var IConfig */
  27. protected $config;
  28. /** @var CsrfTokenManager */
  29. protected $csrfTokenManager;
  30. protected function setUp(): void {
  31. parent::setUp();
  32. if (in_array('fakeinput', stream_get_wrappers())) {
  33. stream_wrapper_unregister('fakeinput');
  34. }
  35. stream_wrapper_register('fakeinput', 'Test\AppFramework\Http\RequestStream');
  36. $this->secureRandom = $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock();
  37. $this->config = $this->getMockBuilder(IConfig::class)->getMock();
  38. $this->csrfTokenManager = $this->getMockBuilder('\OC\Security\CSRF\CsrfTokenManager')
  39. ->disableOriginalConstructor()->getMock();
  40. }
  41. protected function tearDown(): void {
  42. stream_wrapper_unregister('fakeinput');
  43. parent::tearDown();
  44. }
  45. public function testRequestAccessors() {
  46. $vars = [
  47. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  48. 'method' => 'GET',
  49. ];
  50. $request = new Request(
  51. $vars,
  52. $this->secureRandom,
  53. $this->config,
  54. $this->csrfTokenManager,
  55. $this->stream
  56. );
  57. // Countable
  58. $this->assertSame(2, count($request));
  59. // Array access
  60. $this->assertSame('Joey', $request['nickname']);
  61. // "Magic" accessors
  62. $this->assertSame('Joey', $request->{'nickname'});
  63. $this->assertTrue(isset($request['nickname']));
  64. $this->assertTrue(isset($request->{'nickname'}));
  65. $this->assertFalse(isset($request->{'flickname'}));
  66. // Only testing 'get', but same approach for post, files etc.
  67. $this->assertSame('Joey', $request->get['nickname']);
  68. // Always returns null if variable not set.
  69. $this->assertSame(null, $request->{'flickname'});
  70. }
  71. // urlParams has precedence over POST which has precedence over GET
  72. public function testPrecedence() {
  73. $vars = [
  74. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  75. 'post' => ['name' => 'Jane Doe', 'nickname' => 'Janey'],
  76. 'urlParams' => ['user' => 'jw', 'name' => 'Johnny Weissmüller'],
  77. 'method' => 'GET'
  78. ];
  79. $request = new Request(
  80. $vars,
  81. $this->secureRandom,
  82. $this->config,
  83. $this->csrfTokenManager,
  84. $this->stream
  85. );
  86. $this->assertSame(3, count($request));
  87. $this->assertSame('Janey', $request->{'nickname'});
  88. $this->assertSame('Johnny Weissmüller', $request->{'name'});
  89. }
  90. public function testImmutableArrayAccess() {
  91. $this->expectException(\RuntimeException::class);
  92. $vars = [
  93. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  94. 'method' => 'GET'
  95. ];
  96. $request = new Request(
  97. $vars,
  98. $this->secureRandom,
  99. $this->config,
  100. $this->csrfTokenManager,
  101. $this->stream
  102. );
  103. $request['nickname'] = 'Janey';
  104. }
  105. public function testImmutableMagicAccess() {
  106. $this->expectException(\RuntimeException::class);
  107. $vars = [
  108. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  109. 'method' => 'GET'
  110. ];
  111. $request = new Request(
  112. $vars,
  113. $this->secureRandom,
  114. $this->config,
  115. $this->csrfTokenManager,
  116. $this->stream
  117. );
  118. $request->{'nickname'} = 'Janey';
  119. }
  120. public function testGetTheMethodRight() {
  121. $this->expectException(\LogicException::class);
  122. $vars = [
  123. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  124. 'method' => 'GET',
  125. ];
  126. $request = new Request(
  127. $vars,
  128. $this->secureRandom,
  129. $this->config,
  130. $this->csrfTokenManager,
  131. $this->stream
  132. );
  133. $request->post;
  134. }
  135. public function testTheMethodIsRight() {
  136. $vars = [
  137. 'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
  138. 'method' => 'GET',
  139. ];
  140. $request = new Request(
  141. $vars,
  142. $this->secureRandom,
  143. $this->config,
  144. $this->csrfTokenManager,
  145. $this->stream
  146. );
  147. $this->assertSame('GET', $request->method);
  148. $result = $request->get;
  149. $this->assertSame('John Q. Public', $result['name']);
  150. $this->assertSame('Joey', $result['nickname']);
  151. }
  152. public function testJsonPost() {
  153. global $data;
  154. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  155. $vars = [
  156. 'method' => 'POST',
  157. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  158. ];
  159. $request = new Request(
  160. $vars,
  161. $this->secureRandom,
  162. $this->config,
  163. $this->csrfTokenManager,
  164. $this->stream
  165. );
  166. $this->assertSame('POST', $request->method);
  167. $result = $request->post;
  168. $this->assertSame('John Q. Public', $result['name']);
  169. $this->assertSame('Joey', $result['nickname']);
  170. $this->assertSame('Joey', $request->params['nickname']);
  171. $this->assertSame('Joey', $request['nickname']);
  172. }
  173. public function testNotJsonPost() {
  174. global $data;
  175. $data = 'this is not valid json';
  176. $vars = [
  177. 'method' => 'POST',
  178. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
  179. ];
  180. $request = new Request(
  181. $vars,
  182. $this->secureRandom,
  183. $this->config,
  184. $this->csrfTokenManager,
  185. $this->stream
  186. );
  187. $this->assertEquals('POST', $request->method);
  188. $result = $request->post;
  189. // ensure there's no error attempting to decode the content
  190. }
  191. public function testPatch() {
  192. global $data;
  193. $data = http_build_query(['name' => 'John Q. Public', 'nickname' => 'Joey'], '', '&');
  194. $vars = [
  195. 'method' => 'PATCH',
  196. 'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
  197. ];
  198. $request = new Request(
  199. $vars,
  200. $this->secureRandom,
  201. $this->config,
  202. $this->csrfTokenManager,
  203. $this->stream
  204. );
  205. $this->assertSame('PATCH', $request->method);
  206. $result = $request->patch;
  207. $this->assertSame('John Q. Public', $result['name']);
  208. $this->assertSame('Joey', $result['nickname']);
  209. }
  210. public function testJsonPatchAndPut() {
  211. global $data;
  212. // PUT content
  213. $data = '{"name": "John Q. Public", "nickname": "Joey"}';
  214. $vars = [
  215. 'method' => 'PUT',
  216. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  217. ];
  218. $request = new Request(
  219. $vars,
  220. $this->secureRandom,
  221. $this->config,
  222. $this->csrfTokenManager,
  223. $this->stream
  224. );
  225. $this->assertSame('PUT', $request->method);
  226. $result = $request->put;
  227. $this->assertSame('John Q. Public', $result['name']);
  228. $this->assertSame('Joey', $result['nickname']);
  229. // PATCH content
  230. $data = '{"name": "John Q. Public", "nickname": null}';
  231. $vars = [
  232. 'method' => 'PATCH',
  233. 'server' => ['CONTENT_TYPE' => 'application/json; utf-8'],
  234. ];
  235. $request = new Request(
  236. $vars,
  237. $this->secureRandom,
  238. $this->config,
  239. $this->csrfTokenManager,
  240. $this->stream
  241. );
  242. $this->assertSame('PATCH', $request->method);
  243. $result = $request->patch;
  244. $this->assertSame('John Q. Public', $result['name']);
  245. $this->assertSame(null, $result['nickname']);
  246. }
  247. public function testPutStream() {
  248. global $data;
  249. $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');
  250. $vars = [
  251. 'put' => $data,
  252. 'method' => 'PUT',
  253. 'server' => [
  254. 'CONTENT_TYPE' => 'image/png',
  255. 'CONTENT_LENGTH' => (string)strlen($data)
  256. ],
  257. ];
  258. $request = new Request(
  259. $vars,
  260. $this->secureRandom,
  261. $this->config,
  262. $this->csrfTokenManager,
  263. $this->stream
  264. );
  265. $this->assertSame('PUT', $request->method);
  266. $resource = $request->put;
  267. $contents = stream_get_contents($resource);
  268. $this->assertSame($data, $contents);
  269. try {
  270. $resource = $request->put;
  271. } catch (\LogicException $e) {
  272. return;
  273. }
  274. $this->fail('Expected LogicException.');
  275. }
  276. public function testSetUrlParameters() {
  277. $vars = [
  278. 'post' => [],
  279. 'method' => 'POST',
  280. 'urlParams' => ['id' => '2'],
  281. ];
  282. $request = new Request(
  283. $vars,
  284. $this->secureRandom,
  285. $this->config,
  286. $this->csrfTokenManager,
  287. $this->stream
  288. );
  289. $newParams = ['id' => '3', 'test' => 'test2'];
  290. $request->setUrlParameters($newParams);
  291. $this->assertSame('test2', $request->getParam('test'));
  292. $this->assertEquals('3', $request->getParam('id'));
  293. $this->assertEquals('3', $request->getParams()['id']);
  294. }
  295. public function testGetIdWithModUnique() {
  296. $vars = [
  297. 'server' => [
  298. 'UNIQUE_ID' => 'GeneratedUniqueIdByModUnique'
  299. ],
  300. ];
  301. $request = new Request(
  302. $vars,
  303. $this->secureRandom,
  304. $this->config,
  305. $this->csrfTokenManager,
  306. $this->stream
  307. );
  308. $this->assertSame('GeneratedUniqueIdByModUnique', $request->getId());
  309. }
  310. public function testGetIdWithoutModUnique() {
  311. $this->secureRandom->expects($this->once())
  312. ->method('generate')
  313. ->with('20')
  314. ->willReturn('GeneratedByOwnCloudItself');
  315. $request = new Request(
  316. [],
  317. $this->secureRandom,
  318. $this->config,
  319. $this->csrfTokenManager,
  320. $this->stream
  321. );
  322. $this->assertSame('GeneratedByOwnCloudItself', $request->getId());
  323. }
  324. public function testGetIdWithoutModUniqueStable() {
  325. $request = new Request(
  326. [],
  327. \OC::$server->getSecureRandom(),
  328. $this->config,
  329. $this->csrfTokenManager,
  330. $this->stream
  331. );
  332. $firstId = $request->getId();
  333. $secondId = $request->getId();
  334. $this->assertSame($firstId, $secondId);
  335. }
  336. public function testGetRemoteAddressWithoutTrustedRemote() {
  337. $this->config
  338. ->expects($this->once())
  339. ->method('getSystemValue')
  340. ->with('trusted_proxies')
  341. ->willReturn([]);
  342. $request = new Request(
  343. [
  344. 'server' => [
  345. 'REMOTE_ADDR' => '10.0.0.2',
  346. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  347. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  348. ],
  349. ],
  350. $this->secureRandom,
  351. $this->config,
  352. $this->csrfTokenManager,
  353. $this->stream
  354. );
  355. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  356. }
  357. public function testGetRemoteAddressWithNoTrustedHeader() {
  358. $this->config
  359. ->expects($this->at(0))
  360. ->method('getSystemValue')
  361. ->with('trusted_proxies')
  362. ->willReturn(['10.0.0.2']);
  363. $this->config
  364. ->expects($this->at(1))
  365. ->method('getSystemValue')
  366. ->with('forwarded_for_headers')
  367. ->willReturn([]);
  368. $request = new Request(
  369. [
  370. 'server' => [
  371. 'REMOTE_ADDR' => '10.0.0.2',
  372. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  373. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  374. ],
  375. ],
  376. $this->secureRandom,
  377. $this->config,
  378. $this->csrfTokenManager,
  379. $this->stream
  380. );
  381. $this->assertSame('10.0.0.2', $request->getRemoteAddress());
  382. }
  383. public function testGetRemoteAddressWithSingleTrustedRemote() {
  384. $this->config
  385. ->expects($this->at(0))
  386. ->method('getSystemValue')
  387. ->with('trusted_proxies')
  388. ->willReturn(['10.0.0.2']);
  389. $this->config
  390. ->expects($this->at(1))
  391. ->method('getSystemValue')
  392. ->with('forwarded_for_headers')
  393. ->willReturn(['HTTP_X_FORWARDED']);
  394. $request = new Request(
  395. [
  396. 'server' => [
  397. 'REMOTE_ADDR' => '10.0.0.2',
  398. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  399. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  400. ],
  401. ],
  402. $this->secureRandom,
  403. $this->config,
  404. $this->csrfTokenManager,
  405. $this->stream
  406. );
  407. $this->assertSame('10.4.0.5', $request->getRemoteAddress());
  408. }
  409. public function testGetRemoteAddressIPv6WithSingleTrustedRemote() {
  410. $this->config
  411. ->expects($this->at(0))
  412. ->method('getSystemValue')
  413. ->with('trusted_proxies')
  414. ->willReturn(['2001:db8:85a3:8d3:1319:8a2e:370:7348']);
  415. $this->config
  416. ->expects($this->at(1))
  417. ->method('getSystemValue')
  418. ->with('forwarded_for_headers')
  419. ->willReturn(['HTTP_X_FORWARDED']);
  420. $request = new Request(
  421. [
  422. 'server' => [
  423. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  424. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  425. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  426. ],
  427. ],
  428. $this->secureRandom,
  429. $this->config,
  430. $this->csrfTokenManager,
  431. $this->stream
  432. );
  433. $this->assertSame('10.4.0.5', $request->getRemoteAddress());
  434. }
  435. public function testGetRemoteAddressVerifyPriorityHeader() {
  436. $this->config
  437. ->expects($this->at(0))
  438. ->method('getSystemValue')
  439. ->with('trusted_proxies')
  440. ->willReturn(['10.0.0.2']);
  441. $this->config
  442. ->expects($this->at(1))
  443. ->method('getSystemValue')
  444. ->with('forwarded_for_headers')
  445. ->willReturn([
  446. 'HTTP_CLIENT_IP',
  447. 'HTTP_X_FORWARDED_FOR',
  448. 'HTTP_X_FORWARDED'
  449. ]);
  450. $request = new Request(
  451. [
  452. 'server' => [
  453. 'REMOTE_ADDR' => '10.0.0.2',
  454. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  455. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  456. ],
  457. ],
  458. $this->secureRandom,
  459. $this->config,
  460. $this->csrfTokenManager,
  461. $this->stream
  462. );
  463. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  464. }
  465. public function testGetRemoteAddressIPv6VerifyPriorityHeader() {
  466. $this->config
  467. ->expects($this->at(0))
  468. ->method('getSystemValue')
  469. ->with('trusted_proxies')
  470. ->willReturn(['2001:db8:85a3:8d3:1319:8a2e:370:7348']);
  471. $this->config
  472. ->expects($this->at(1))
  473. ->method('getSystemValue')
  474. ->with('forwarded_for_headers')
  475. ->willReturn([
  476. 'HTTP_CLIENT_IP',
  477. 'HTTP_X_FORWARDED_FOR',
  478. 'HTTP_X_FORWARDED'
  479. ]);
  480. $request = new Request(
  481. [
  482. 'server' => [
  483. 'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
  484. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  485. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  486. ],
  487. ],
  488. $this->secureRandom,
  489. $this->config,
  490. $this->csrfTokenManager,
  491. $this->stream
  492. );
  493. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  494. }
  495. public function testGetRemoteAddressWithMatchingCidrTrustedRemote() {
  496. $this->config
  497. ->expects($this->at(0))
  498. ->method('getSystemValue')
  499. ->with('trusted_proxies')
  500. ->willReturn(['192.168.2.0/24']);
  501. $this->config
  502. ->expects($this->at(1))
  503. ->method('getSystemValue')
  504. ->with('forwarded_for_headers')
  505. ->willReturn(['HTTP_X_FORWARDED_FOR']);
  506. $request = new Request(
  507. [
  508. 'server' => [
  509. 'REMOTE_ADDR' => '192.168.2.99',
  510. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  511. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  512. ],
  513. ],
  514. $this->secureRandom,
  515. $this->config,
  516. $this->csrfTokenManager,
  517. $this->stream
  518. );
  519. $this->assertSame('192.168.0.233', $request->getRemoteAddress());
  520. }
  521. public function testGetRemoteAddressWithNotMatchingCidrTrustedRemote() {
  522. $this->config
  523. ->expects($this->once())
  524. ->method('getSystemValue')
  525. ->with('trusted_proxies')
  526. ->willReturn(['192.168.2.0/24']);
  527. $request = new Request(
  528. [
  529. 'server' => [
  530. 'REMOTE_ADDR' => '192.168.3.99',
  531. 'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
  532. 'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
  533. ],
  534. ],
  535. $this->secureRandom,
  536. $this->config,
  537. $this->csrfTokenManager,
  538. $this->stream
  539. );
  540. $this->assertSame('192.168.3.99', $request->getRemoteAddress());
  541. }
  542. public function testGetRemoteAddressWithXForwardedForIPv6() {
  543. $this->config
  544. ->expects($this->at(0))
  545. ->method('getSystemValue')
  546. ->with('trusted_proxies')
  547. ->willReturn(['192.168.2.0/24']);
  548. $this->config
  549. ->expects($this->at(1))
  550. ->method('getSystemValue')
  551. ->with('forwarded_for_headers')
  552. ->willReturn(['HTTP_X_FORWARDED_FOR']);
  553. $request = new Request(
  554. [
  555. 'server' => [
  556. 'REMOTE_ADDR' => '192.168.2.99',
  557. 'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
  558. ],
  559. ],
  560. $this->secureRandom,
  561. $this->config,
  562. $this->csrfTokenManager,
  563. $this->stream
  564. );
  565. $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $request->getRemoteAddress());
  566. }
  567. /**
  568. * @return array
  569. */
  570. public function httpProtocolProvider() {
  571. return [
  572. // Valid HTTP 1.0
  573. ['HTTP/1.0', 'HTTP/1.0'],
  574. ['http/1.0', 'HTTP/1.0'],
  575. ['HTTp/1.0', 'HTTP/1.0'],
  576. // Valid HTTP 1.1
  577. ['HTTP/1.1', 'HTTP/1.1'],
  578. ['http/1.1', 'HTTP/1.1'],
  579. ['HTTp/1.1', 'HTTP/1.1'],
  580. // Valid HTTP 2.0
  581. ['HTTP/2', 'HTTP/2'],
  582. ['http/2', 'HTTP/2'],
  583. ['HTTp/2', 'HTTP/2'],
  584. // Invalid
  585. ['HTTp/394', 'HTTP/1.1'],
  586. ['InvalidProvider/1.1', 'HTTP/1.1'],
  587. [null, 'HTTP/1.1'],
  588. ['', 'HTTP/1.1'],
  589. ];
  590. }
  591. /**
  592. * @dataProvider httpProtocolProvider
  593. *
  594. * @param mixed $input
  595. * @param string $expected
  596. */
  597. public function testGetHttpProtocol($input, $expected) {
  598. $request = new Request(
  599. [
  600. 'server' => [
  601. 'SERVER_PROTOCOL' => $input,
  602. ],
  603. ],
  604. $this->secureRandom,
  605. $this->config,
  606. $this->csrfTokenManager,
  607. $this->stream
  608. );
  609. $this->assertSame($expected, $request->getHttpProtocol());
  610. }
  611. public function testGetServerProtocolWithOverride() {
  612. $this->config
  613. ->expects($this->at(0))
  614. ->method('getSystemValue')
  615. ->with('overwriteprotocol')
  616. ->willReturn('customProtocol');
  617. $this->config
  618. ->expects($this->at(1))
  619. ->method('getSystemValue')
  620. ->with('overwritecondaddr')
  621. ->willReturn('');
  622. $this->config
  623. ->expects($this->at(2))
  624. ->method('getSystemValue')
  625. ->with('overwriteprotocol')
  626. ->willReturn('customProtocol');
  627. $request = new Request(
  628. [],
  629. $this->secureRandom,
  630. $this->config,
  631. $this->csrfTokenManager,
  632. $this->stream
  633. );
  634. $this->assertSame('customProtocol', $request->getServerProtocol());
  635. }
  636. public function testGetServerProtocolWithProtoValid() {
  637. $this->config
  638. ->method('getSystemValue')
  639. ->willReturnCallback(function ($key, $default) {
  640. if ($key === 'trusted_proxies') {
  641. return ['1.2.3.4'];
  642. }
  643. return $default;
  644. });
  645. $requestHttps = new Request(
  646. [
  647. 'server' => [
  648. 'HTTP_X_FORWARDED_PROTO' => 'HtTpS',
  649. 'REMOTE_ADDR' => '1.2.3.4',
  650. ],
  651. ],
  652. $this->secureRandom,
  653. $this->config,
  654. $this->csrfTokenManager,
  655. $this->stream
  656. );
  657. $requestHttp = new Request(
  658. [
  659. 'server' => [
  660. 'HTTP_X_FORWARDED_PROTO' => 'HTTp',
  661. 'REMOTE_ADDR' => '1.2.3.4',
  662. ],
  663. ],
  664. $this->secureRandom,
  665. $this->config,
  666. $this->csrfTokenManager,
  667. $this->stream
  668. );
  669. $this->assertSame('https', $requestHttps->getServerProtocol());
  670. $this->assertSame('http', $requestHttp->getServerProtocol());
  671. }
  672. public function testGetServerProtocolWithHttpsServerValueOn() {
  673. $this->config
  674. ->method('getSystemValue')
  675. ->willReturnCallback(function ($key, $default) {
  676. return $default;
  677. });
  678. $request = new Request(
  679. [
  680. 'server' => [
  681. 'HTTPS' => 'on'
  682. ],
  683. ],
  684. $this->secureRandom,
  685. $this->config,
  686. $this->csrfTokenManager,
  687. $this->stream
  688. );
  689. $this->assertSame('https', $request->getServerProtocol());
  690. }
  691. public function testGetServerProtocolWithHttpsServerValueOff() {
  692. $this->config
  693. ->method('getSystemValue')
  694. ->willReturnCallback(function ($key, $default) {
  695. return $default;
  696. });
  697. $request = new Request(
  698. [
  699. 'server' => [
  700. 'HTTPS' => 'off'
  701. ],
  702. ],
  703. $this->secureRandom,
  704. $this->config,
  705. $this->csrfTokenManager,
  706. $this->stream
  707. );
  708. $this->assertSame('http', $request->getServerProtocol());
  709. }
  710. public function testGetServerProtocolWithHttpsServerValueEmpty() {
  711. $this->config
  712. ->method('getSystemValue')
  713. ->willReturnCallback(function ($key, $default) {
  714. return $default;
  715. });
  716. $request = new Request(
  717. [
  718. 'server' => [
  719. 'HTTPS' => ''
  720. ],
  721. ],
  722. $this->secureRandom,
  723. $this->config,
  724. $this->csrfTokenManager,
  725. $this->stream
  726. );
  727. $this->assertSame('http', $request->getServerProtocol());
  728. }
  729. public function testGetServerProtocolDefault() {
  730. $this->config
  731. ->method('getSystemValue')
  732. ->willReturnCallback(function ($key, $default) {
  733. return $default;
  734. });
  735. $request = new Request(
  736. [],
  737. $this->secureRandom,
  738. $this->config,
  739. $this->csrfTokenManager,
  740. $this->stream
  741. );
  742. $this->assertSame('http', $request->getServerProtocol());
  743. }
  744. public function testGetServerProtocolBehindLoadBalancers() {
  745. $this->config
  746. ->method('getSystemValue')
  747. ->willReturnCallback(function ($key, $default) {
  748. if ($key === 'trusted_proxies') {
  749. return ['1.2.3.4'];
  750. }
  751. return $default;
  752. });
  753. $request = new Request(
  754. [
  755. 'server' => [
  756. 'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
  757. 'REMOTE_ADDR' => '1.2.3.4',
  758. ],
  759. ],
  760. $this->secureRandom,
  761. $this->config,
  762. $this->csrfTokenManager,
  763. $this->stream
  764. );
  765. $this->assertSame('https', $request->getServerProtocol());
  766. }
  767. /**
  768. * @dataProvider userAgentProvider
  769. * @param string $testAgent
  770. * @param array $userAgent
  771. * @param bool $matches
  772. */
  773. public function testUserAgent($testAgent, $userAgent, $matches) {
  774. $request = new Request(
  775. [
  776. 'server' => [
  777. 'HTTP_USER_AGENT' => $testAgent,
  778. ]
  779. ],
  780. $this->secureRandom,
  781. $this->config,
  782. $this->csrfTokenManager,
  783. $this->stream
  784. );
  785. $this->assertSame($matches, $request->isUserAgent($userAgent));
  786. }
  787. /**
  788. * @dataProvider userAgentProvider
  789. * @param string $testAgent
  790. * @param array $userAgent
  791. * @param bool $matches
  792. */
  793. public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
  794. $request = new Request(
  795. [],
  796. $this->secureRandom,
  797. $this->config,
  798. $this->csrfTokenManager,
  799. $this->stream
  800. );
  801. $this->assertFalse($request->isUserAgent($userAgent));
  802. }
  803. /**
  804. * @return array
  805. */
  806. public function userAgentProvider() {
  807. return [
  808. [
  809. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  810. [
  811. Request::USER_AGENT_IE
  812. ],
  813. true,
  814. ],
  815. [
  816. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  817. [
  818. Request::USER_AGENT_IE
  819. ],
  820. false,
  821. ],
  822. [
  823. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
  824. [
  825. Request::USER_AGENT_CHROME
  826. ],
  827. true,
  828. ],
  829. [
  830. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
  831. [
  832. Request::USER_AGENT_CHROME
  833. ],
  834. true,
  835. ],
  836. [
  837. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  838. [
  839. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  840. ],
  841. true,
  842. ],
  843. [
  844. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  845. [
  846. Request::USER_AGENT_ANDROID_MOBILE_CHROME
  847. ],
  848. false,
  849. ],
  850. [
  851. 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)',
  852. [
  853. Request::USER_AGENT_IE,
  854. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  855. ],
  856. true,
  857. ],
  858. [
  859. 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36',
  860. [
  861. Request::USER_AGENT_IE,
  862. Request::USER_AGENT_ANDROID_MOBILE_CHROME,
  863. ],
  864. true,
  865. ],
  866. [
  867. 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0',
  868. [
  869. Request::USER_AGENT_FREEBOX
  870. ],
  871. false,
  872. ],
  873. [
  874. 'Mozilla/5.0',
  875. [
  876. Request::USER_AGENT_FREEBOX
  877. ],
  878. true,
  879. ],
  880. [
  881. 'Fake Mozilla/5.0',
  882. [
  883. Request::USER_AGENT_FREEBOX
  884. ],
  885. false,
  886. ],
  887. [
  888. 'Mozilla/5.0 (Android) ownCloud-android/2.0.0',
  889. [
  890. Request::USER_AGENT_CLIENT_ANDROID
  891. ],
  892. true,
  893. ],
  894. [
  895. 'Mozilla/5.0 (Android) Nextcloud-android/2.0.0',
  896. [
  897. Request::USER_AGENT_CLIENT_ANDROID
  898. ],
  899. true,
  900. ],
  901. [
  902. 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41',
  903. [
  904. Request::USER_AGENT_CHROME
  905. ],
  906. true
  907. ],
  908. [
  909. 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75',
  910. [
  911. Request::USER_AGENT_CHROME
  912. ],
  913. true
  914. ],
  915. [
  916. 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67',
  917. [
  918. Request::USER_AGENT_CHROME
  919. ],
  920. true
  921. ]
  922. ];
  923. }
  924. public function testInsecureServerHostServerNameHeader() {
  925. $request = new Request(
  926. [
  927. 'server' => [
  928. 'SERVER_NAME' => 'from.server.name:8080',
  929. ]
  930. ],
  931. $this->secureRandom,
  932. $this->config,
  933. $this->csrfTokenManager,
  934. $this->stream
  935. );
  936. $this->assertSame('from.server.name:8080', $request->getInsecureServerHost());
  937. }
  938. public function testInsecureServerHostHttpHostHeader() {
  939. $request = new Request(
  940. [
  941. 'server' => [
  942. 'SERVER_NAME' => 'from.server.name:8080',
  943. 'HTTP_HOST' => 'from.host.header:8080',
  944. ]
  945. ],
  946. $this->secureRandom,
  947. $this->config,
  948. $this->csrfTokenManager,
  949. $this->stream
  950. );
  951. $this->assertSame('from.host.header:8080', $request->getInsecureServerHost());
  952. }
  953. public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
  954. $this->config
  955. ->method('getSystemValue')
  956. ->willReturnCallback(function ($key, $default) {
  957. if ($key === 'trusted_proxies') {
  958. return ['1.2.3.4'];
  959. }
  960. return $default;
  961. });
  962. $request = new Request(
  963. [
  964. 'server' => [
  965. 'SERVER_NAME' => 'from.server.name:8080',
  966. 'HTTP_HOST' => 'from.host.header:8080',
  967. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
  968. 'REMOTE_ADDR' => '1.2.3.4',
  969. ]
  970. ],
  971. $this->secureRandom,
  972. $this->config,
  973. $this->csrfTokenManager,
  974. $this->stream
  975. );
  976. $this->assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  977. }
  978. public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
  979. $this->config
  980. ->method('getSystemValue')
  981. ->willReturnCallback(function ($key, $default) {
  982. if ($key === 'trusted_proxies') {
  983. return ['1.2.3.4'];
  984. }
  985. return $default;
  986. });
  987. $request = new Request(
  988. [
  989. 'server' => [
  990. 'SERVER_NAME' => 'from.server.name:8080',
  991. 'HTTP_HOST' => 'from.host.header:8080',
  992. 'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
  993. 'REMOTE_ADDR' => '1.2.3.4',
  994. ]
  995. ],
  996. $this->secureRandom,
  997. $this->config,
  998. $this->csrfTokenManager,
  999. $this->stream
  1000. );
  1001. $this->assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  1002. }
  1003. public function testGetServerHostWithOverwriteHost() {
  1004. $this->config
  1005. ->method('getSystemValue')
  1006. ->willReturnCallback(function ($key, $default) {
  1007. if ($key === 'overwritecondaddr') {
  1008. return '';
  1009. } elseif ($key === 'overwritehost') {
  1010. return 'my.overwritten.host';
  1011. }
  1012. return $default;
  1013. });
  1014. $request = new Request(
  1015. [],
  1016. $this->secureRandom,
  1017. $this->config,
  1018. $this->csrfTokenManager,
  1019. $this->stream
  1020. );
  1021. $this->assertSame('my.overwritten.host', $request->getServerHost());
  1022. }
  1023. public function testGetServerHostWithTrustedDomain() {
  1024. $this->config
  1025. ->method('getSystemValue')
  1026. ->willReturnCallback(function ($key, $default) {
  1027. if ($key === 'trusted_proxies') {
  1028. return ['1.2.3.4'];
  1029. } elseif ($key === 'trusted_domains') {
  1030. return ['my.trusted.host'];
  1031. }
  1032. return $default;
  1033. });
  1034. $request = new Request(
  1035. [
  1036. 'server' => [
  1037. 'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
  1038. 'REMOTE_ADDR' => '1.2.3.4',
  1039. ],
  1040. ],
  1041. $this->secureRandom,
  1042. $this->config,
  1043. $this->csrfTokenManager,
  1044. $this->stream
  1045. );
  1046. $this->assertSame('my.trusted.host', $request->getServerHost());
  1047. }
  1048. public function testGetServerHostWithUntrustedDomain() {
  1049. $this->config
  1050. ->method('getSystemValue')
  1051. ->willReturnCallback(function ($key, $default) {
  1052. if ($key === 'trusted_proxies') {
  1053. return ['1.2.3.4'];
  1054. } elseif ($key === 'trusted_domains') {
  1055. return ['my.trusted.host'];
  1056. }
  1057. return $default;
  1058. });
  1059. $request = new Request(
  1060. [
  1061. 'server' => [
  1062. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1063. 'REMOTE_ADDR' => '1.2.3.4',
  1064. ],
  1065. ],
  1066. $this->secureRandom,
  1067. $this->config,
  1068. $this->csrfTokenManager,
  1069. $this->stream
  1070. );
  1071. $this->assertSame('my.trusted.host', $request->getServerHost());
  1072. }
  1073. public function testGetServerHostWithNoTrustedDomain() {
  1074. $this->config
  1075. ->method('getSystemValue')
  1076. ->willReturnCallback(function ($key, $default) {
  1077. if ($key === 'trusted_proxies') {
  1078. return ['1.2.3.4'];
  1079. }
  1080. return $default;
  1081. });
  1082. $request = new Request(
  1083. [
  1084. 'server' => [
  1085. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1086. 'REMOTE_ADDR' => '1.2.3.4',
  1087. ],
  1088. ],
  1089. $this->secureRandom,
  1090. $this->config,
  1091. $this->csrfTokenManager,
  1092. $this->stream
  1093. );
  1094. $this->assertSame('', $request->getServerHost());
  1095. }
  1096. /**
  1097. * @return array
  1098. */
  1099. public function dataGetServerHostTrustedDomain() {
  1100. return [
  1101. 'is array' => ['my.trusted.host', ['my.trusted.host']],
  1102. 'is array but undefined index 0' => ['my.trusted.host', [2 => 'my.trusted.host']],
  1103. 'is string' => ['my.trusted.host', 'my.trusted.host'],
  1104. 'is null' => ['', null],
  1105. ];
  1106. }
  1107. /**
  1108. * @dataProvider dataGetServerHostTrustedDomain
  1109. * @param $expected
  1110. * @param $trustedDomain
  1111. */
  1112. public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
  1113. $this->config
  1114. ->method('getSystemValue')
  1115. ->willReturnCallback(function ($key, $default) use ($trustedDomain) {
  1116. if ($key === 'trusted_proxies') {
  1117. return ['1.2.3.4'];
  1118. }
  1119. if ($key === 'trusted_domains') {
  1120. return $trustedDomain;
  1121. }
  1122. return $default;
  1123. });
  1124. $request = new Request(
  1125. [
  1126. 'server' => [
  1127. 'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
  1128. 'REMOTE_ADDR' => '1.2.3.4',
  1129. ],
  1130. ],
  1131. $this->secureRandom,
  1132. $this->config,
  1133. $this->csrfTokenManager,
  1134. $this->stream
  1135. );
  1136. $this->assertSame($expected, $request->getServerHost());
  1137. }
  1138. public function testGetOverwriteHostDefaultNull() {
  1139. $this->config
  1140. ->expects($this->once())
  1141. ->method('getSystemValue')
  1142. ->with('overwritehost')
  1143. ->willReturn('');
  1144. $request = new Request(
  1145. [],
  1146. $this->secureRandom,
  1147. $this->config,
  1148. $this->csrfTokenManager,
  1149. $this->stream
  1150. );
  1151. $this->assertNull(self::invokePrivate($request, 'getOverwriteHost'));
  1152. }
  1153. public function testGetOverwriteHostWithOverwrite() {
  1154. $this->config
  1155. ->expects($this->at(0))
  1156. ->method('getSystemValue')
  1157. ->with('overwritehost')
  1158. ->willReturn('www.owncloud.org');
  1159. $this->config
  1160. ->expects($this->at(1))
  1161. ->method('getSystemValue')
  1162. ->with('overwritecondaddr')
  1163. ->willReturn('');
  1164. $this->config
  1165. ->expects($this->at(2))
  1166. ->method('getSystemValue')
  1167. ->with('overwritehost')
  1168. ->willReturn('www.owncloud.org');
  1169. $request = new Request(
  1170. [],
  1171. $this->secureRandom,
  1172. $this->config,
  1173. $this->csrfTokenManager,
  1174. $this->stream
  1175. );
  1176. $this->assertSame('www.owncloud.org', self::invokePrivate($request, 'getOverwriteHost'));
  1177. }
  1178. public function testGetPathInfoNotProcessible() {
  1179. $this->expectException(\Exception::class);
  1180. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1181. $request = new Request(
  1182. [
  1183. 'server' => [
  1184. 'REQUEST_URI' => '/foo.php',
  1185. 'SCRIPT_NAME' => '/var/www/index.php',
  1186. ]
  1187. ],
  1188. $this->secureRandom,
  1189. $this->config,
  1190. $this->csrfTokenManager,
  1191. $this->stream
  1192. );
  1193. $request->getPathInfo();
  1194. }
  1195. public function testGetRawPathInfoNotProcessible() {
  1196. $this->expectException(\Exception::class);
  1197. $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');
  1198. $request = new Request(
  1199. [
  1200. 'server' => [
  1201. 'REQUEST_URI' => '/foo.php',
  1202. 'SCRIPT_NAME' => '/var/www/index.php',
  1203. ]
  1204. ],
  1205. $this->secureRandom,
  1206. $this->config,
  1207. $this->csrfTokenManager,
  1208. $this->stream
  1209. );
  1210. $request->getRawPathInfo();
  1211. }
  1212. /**
  1213. * @dataProvider genericPathInfoProvider
  1214. * @param string $requestUri
  1215. * @param string $scriptName
  1216. * @param string $expected
  1217. */
  1218. public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1219. $request = new Request(
  1220. [
  1221. 'server' => [
  1222. 'REQUEST_URI' => $requestUri,
  1223. 'SCRIPT_NAME' => $scriptName,
  1224. ]
  1225. ],
  1226. $this->secureRandom,
  1227. $this->config,
  1228. $this->csrfTokenManager,
  1229. $this->stream
  1230. );
  1231. $this->assertSame($expected, $request->getPathInfo());
  1232. }
  1233. /**
  1234. * @dataProvider genericPathInfoProvider
  1235. * @param string $requestUri
  1236. * @param string $scriptName
  1237. * @param string $expected
  1238. */
  1239. public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
  1240. $request = new Request(
  1241. [
  1242. 'server' => [
  1243. 'REQUEST_URI' => $requestUri,
  1244. 'SCRIPT_NAME' => $scriptName,
  1245. ]
  1246. ],
  1247. $this->secureRandom,
  1248. $this->config,
  1249. $this->csrfTokenManager,
  1250. $this->stream
  1251. );
  1252. $this->assertSame($expected, $request->getRawPathInfo());
  1253. }
  1254. /**
  1255. * @dataProvider rawPathInfoProvider
  1256. * @param string $requestUri
  1257. * @param string $scriptName
  1258. * @param string $expected
  1259. */
  1260. public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1261. $request = new Request(
  1262. [
  1263. 'server' => [
  1264. 'REQUEST_URI' => $requestUri,
  1265. 'SCRIPT_NAME' => $scriptName,
  1266. ]
  1267. ],
  1268. $this->secureRandom,
  1269. $this->config,
  1270. $this->csrfTokenManager,
  1271. $this->stream
  1272. );
  1273. $this->assertSame($expected, $request->getRawPathInfo());
  1274. }
  1275. /**
  1276. * @dataProvider pathInfoProvider
  1277. * @param string $requestUri
  1278. * @param string $scriptName
  1279. * @param string $expected
  1280. */
  1281. public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
  1282. $request = new Request(
  1283. [
  1284. 'server' => [
  1285. 'REQUEST_URI' => $requestUri,
  1286. 'SCRIPT_NAME' => $scriptName,
  1287. ]
  1288. ],
  1289. $this->secureRandom,
  1290. $this->config,
  1291. $this->csrfTokenManager,
  1292. $this->stream
  1293. );
  1294. $this->assertSame($expected, $request->getPathInfo());
  1295. }
  1296. /**
  1297. * @return array
  1298. */
  1299. public function genericPathInfoProvider() {
  1300. return [
  1301. ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''],
  1302. ['/index.php/apps/files/', 'index.php', '/apps/files/'],
  1303. ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'],
  1304. ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'],
  1305. ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'],
  1306. ['/', '/', ''],
  1307. ['', '', ''],
  1308. ];
  1309. }
  1310. /**
  1311. * @return array
  1312. */
  1313. public function rawPathInfoProvider() {
  1314. return [
  1315. ['/foo%2Fbar/subfolder', '', 'foo%2Fbar/subfolder'],
  1316. ];
  1317. }
  1318. /**
  1319. * @return array
  1320. */
  1321. public function pathInfoProvider() {
  1322. return [
  1323. ['/foo%2Fbar/subfolder', '', 'foo/bar/subfolder'],
  1324. ];
  1325. }
  1326. public function testGetRequestUriWithoutOverwrite() {
  1327. $this->config
  1328. ->expects($this->once())
  1329. ->method('getSystemValue')
  1330. ->with('overwritewebroot')
  1331. ->willReturn('');
  1332. $request = new Request(
  1333. [
  1334. 'server' => [
  1335. 'REQUEST_URI' => '/test.php'
  1336. ]
  1337. ],
  1338. $this->secureRandom,
  1339. $this->config,
  1340. $this->csrfTokenManager,
  1341. $this->stream
  1342. );
  1343. $this->assertSame('/test.php', $request->getRequestUri());
  1344. }
  1345. public function providesGetRequestUriWithOverwriteData() {
  1346. return [
  1347. ['/scriptname.php/some/PathInfo', '/owncloud/', ''],
  1348. ['/scriptname.php/some/PathInfo', '/owncloud/', '123'],
  1349. ];
  1350. }
  1351. /**
  1352. * @dataProvider providesGetRequestUriWithOverwriteData
  1353. */
  1354. public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr) {
  1355. $this->config
  1356. ->expects($this->at(0))
  1357. ->method('getSystemValue')
  1358. ->with('overwritewebroot')
  1359. ->willReturn($overwriteWebRoot);
  1360. $this->config
  1361. ->expects($this->at(1))
  1362. ->method('getSystemValue')
  1363. ->with('overwritecondaddr')
  1364. ->willReturn($overwriteCondAddr);
  1365. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1366. ->setMethods(['getScriptName'])
  1367. ->setConstructorArgs([
  1368. [
  1369. 'server' => [
  1370. 'REQUEST_URI' => '/test.php/some/PathInfo',
  1371. 'SCRIPT_NAME' => '/test.php',
  1372. ]
  1373. ],
  1374. $this->secureRandom,
  1375. $this->config,
  1376. $this->csrfTokenManager,
  1377. $this->stream
  1378. ])
  1379. ->getMock();
  1380. $request
  1381. ->expects($this->once())
  1382. ->method('getScriptName')
  1383. ->willReturn('/scriptname.php');
  1384. $this->assertSame($expectedUri, $request->getRequestUri());
  1385. }
  1386. public function testPassesCSRFCheckWithGet() {
  1387. /** @var Request $request */
  1388. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1389. ->setMethods(['getScriptName'])
  1390. ->setConstructorArgs([
  1391. [
  1392. 'get' => [
  1393. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1394. ],
  1395. 'cookies' => [
  1396. 'nc_sameSiteCookiestrict' => 'true',
  1397. 'nc_sameSiteCookielax' => 'true',
  1398. ],
  1399. ],
  1400. $this->secureRandom,
  1401. $this->config,
  1402. $this->csrfTokenManager,
  1403. $this->stream
  1404. ])
  1405. ->getMock();
  1406. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1407. $this->csrfTokenManager
  1408. ->expects($this->once())
  1409. ->method('isTokenValid')
  1410. ->with($token)
  1411. ->willReturn(true);
  1412. $this->assertTrue($request->passesCSRFCheck());
  1413. }
  1414. public function testPassesCSRFCheckWithPost() {
  1415. /** @var Request $request */
  1416. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1417. ->setMethods(['getScriptName'])
  1418. ->setConstructorArgs([
  1419. [
  1420. 'post' => [
  1421. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1422. ],
  1423. 'cookies' => [
  1424. 'nc_sameSiteCookiestrict' => 'true',
  1425. 'nc_sameSiteCookielax' => 'true',
  1426. ],
  1427. ],
  1428. $this->secureRandom,
  1429. $this->config,
  1430. $this->csrfTokenManager,
  1431. $this->stream
  1432. ])
  1433. ->getMock();
  1434. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1435. $this->csrfTokenManager
  1436. ->expects($this->once())
  1437. ->method('isTokenValid')
  1438. ->with($token)
  1439. ->willReturn(true);
  1440. $this->assertTrue($request->passesCSRFCheck());
  1441. }
  1442. public function testPassesCSRFCheckWithHeader() {
  1443. /** @var Request $request */
  1444. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1445. ->setMethods(['getScriptName'])
  1446. ->setConstructorArgs([
  1447. [
  1448. 'server' => [
  1449. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1450. ],
  1451. 'cookies' => [
  1452. 'nc_sameSiteCookiestrict' => 'true',
  1453. 'nc_sameSiteCookielax' => 'true',
  1454. ],
  1455. ],
  1456. $this->secureRandom,
  1457. $this->config,
  1458. $this->csrfTokenManager,
  1459. $this->stream
  1460. ])
  1461. ->getMock();
  1462. $token = new CsrfToken('AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds');
  1463. $this->csrfTokenManager
  1464. ->expects($this->once())
  1465. ->method('isTokenValid')
  1466. ->with($token)
  1467. ->willReturn(true);
  1468. $this->assertTrue($request->passesCSRFCheck());
  1469. }
  1470. public function testPassesCSRFCheckWithGetAndWithoutCookies() {
  1471. /** @var Request $request */
  1472. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1473. ->setMethods(['getScriptName'])
  1474. ->setConstructorArgs([
  1475. [
  1476. 'get' => [
  1477. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1478. ],
  1479. ],
  1480. $this->secureRandom,
  1481. $this->config,
  1482. $this->csrfTokenManager,
  1483. $this->stream
  1484. ])
  1485. ->getMock();
  1486. $this->csrfTokenManager
  1487. ->expects($this->once())
  1488. ->method('isTokenValid')
  1489. ->willReturn(true);
  1490. $this->assertTrue($request->passesCSRFCheck());
  1491. }
  1492. public function testPassesCSRFCheckWithPostAndWithoutCookies() {
  1493. /** @var Request $request */
  1494. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1495. ->setMethods(['getScriptName'])
  1496. ->setConstructorArgs([
  1497. [
  1498. 'post' => [
  1499. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1500. ],
  1501. ],
  1502. $this->secureRandom,
  1503. $this->config,
  1504. $this->csrfTokenManager,
  1505. $this->stream
  1506. ])
  1507. ->getMock();
  1508. $this->csrfTokenManager
  1509. ->expects($this->once())
  1510. ->method('isTokenValid')
  1511. ->willReturn(true);
  1512. $this->assertTrue($request->passesCSRFCheck());
  1513. }
  1514. public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
  1515. /** @var Request $request */
  1516. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1517. ->setMethods(['getScriptName'])
  1518. ->setConstructorArgs([
  1519. [
  1520. 'server' => [
  1521. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1522. ],
  1523. ],
  1524. $this->secureRandom,
  1525. $this->config,
  1526. $this->csrfTokenManager,
  1527. $this->stream
  1528. ])
  1529. ->getMock();
  1530. $this->csrfTokenManager
  1531. ->expects($this->once())
  1532. ->method('isTokenValid')
  1533. ->willReturn(true);
  1534. $this->assertTrue($request->passesCSRFCheck());
  1535. }
  1536. public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
  1537. /** @var Request $request */
  1538. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1539. ->setMethods(['getScriptName'])
  1540. ->setConstructorArgs([
  1541. [
  1542. 'server' => [
  1543. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1544. ],
  1545. 'cookies' => [
  1546. session_name() => 'asdf',
  1547. 'nc_sameSiteCookiestrict' => 'true',
  1548. ],
  1549. ],
  1550. $this->secureRandom,
  1551. $this->config,
  1552. $this->csrfTokenManager,
  1553. $this->stream
  1554. ])
  1555. ->getMock();
  1556. $this->csrfTokenManager
  1557. ->expects($this->never())
  1558. ->method('isTokenValid');
  1559. $this->assertFalse($request->passesCSRFCheck());
  1560. }
  1561. public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
  1562. /** @var Request $request */
  1563. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1564. ->setMethods(['getScriptName', 'getCookieParams'])
  1565. ->setConstructorArgs([
  1566. [
  1567. 'server' => [
  1568. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1569. ],
  1570. 'cookies' => [
  1571. session_name() => 'asdf',
  1572. '__Host-nc_sameSiteCookiestrict' => 'true',
  1573. '__Host-nc_sameSiteCookielax' => 'true',
  1574. ],
  1575. ],
  1576. $this->secureRandom,
  1577. $this->config,
  1578. $this->csrfTokenManager,
  1579. $this->stream
  1580. ])
  1581. ->getMock();
  1582. $request
  1583. ->expects($this->any())
  1584. ->method('getCookieParams')
  1585. ->willReturn([
  1586. 'secure' => true,
  1587. 'path' => '/',
  1588. ]);
  1589. $this->assertTrue($request->passesStrictCookieCheck());
  1590. }
  1591. public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
  1592. /** @var Request $request */
  1593. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1594. ->setMethods(['getScriptName', 'getCookieParams'])
  1595. ->setConstructorArgs([
  1596. [
  1597. 'server' => [
  1598. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1599. ],
  1600. 'cookies' => [
  1601. session_name() => 'asdf',
  1602. 'nc_sameSiteCookiestrict' => 'true',
  1603. 'nc_sameSiteCookielax' => 'true',
  1604. ],
  1605. ],
  1606. $this->secureRandom,
  1607. $this->config,
  1608. $this->csrfTokenManager,
  1609. $this->stream
  1610. ])
  1611. ->getMock();
  1612. $request
  1613. ->expects($this->any())
  1614. ->method('getCookieParams')
  1615. ->willReturn([
  1616. 'secure' => true,
  1617. 'path' => '/',
  1618. ]);
  1619. $this->assertFalse($request->passesStrictCookieCheck());
  1620. }
  1621. public function testGetCookieParams() {
  1622. /** @var Request $request */
  1623. $request = $this->getMockBuilder(Request::class)
  1624. ->setMethods(['getScriptName'])
  1625. ->setConstructorArgs([
  1626. [],
  1627. $this->secureRandom,
  1628. $this->config,
  1629. $this->csrfTokenManager,
  1630. $this->stream
  1631. ])
  1632. ->getMock();
  1633. $actual = $request->getCookieParams();
  1634. $this->assertSame(session_get_cookie_params(), $actual);
  1635. }
  1636. public function testPassesStrictCookieCheckWithAllCookies() {
  1637. /** @var Request $request */
  1638. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1639. ->setMethods(['getScriptName'])
  1640. ->setConstructorArgs([
  1641. [
  1642. 'server' => [
  1643. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1644. ],
  1645. 'cookies' => [
  1646. session_name() => 'asdf',
  1647. 'nc_sameSiteCookiestrict' => 'true',
  1648. 'nc_sameSiteCookielax' => 'true',
  1649. ],
  1650. ],
  1651. $this->secureRandom,
  1652. $this->config,
  1653. $this->csrfTokenManager,
  1654. $this->stream
  1655. ])
  1656. ->getMock();
  1657. $this->assertTrue($request->passesStrictCookieCheck());
  1658. }
  1659. public function testPassesStrictCookieCheckWithRandomCookies() {
  1660. /** @var Request $request */
  1661. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1662. ->setMethods(['getScriptName'])
  1663. ->setConstructorArgs([
  1664. [
  1665. 'server' => [
  1666. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1667. ],
  1668. 'cookies' => [
  1669. 'RandomCookie' => 'asdf',
  1670. ],
  1671. ],
  1672. $this->secureRandom,
  1673. $this->config,
  1674. $this->csrfTokenManager,
  1675. $this->stream
  1676. ])
  1677. ->getMock();
  1678. $this->assertTrue($request->passesStrictCookieCheck());
  1679. }
  1680. public function testFailsStrictCookieCheckWithSessionCookie() {
  1681. /** @var Request $request */
  1682. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1683. ->setMethods(['getScriptName'])
  1684. ->setConstructorArgs([
  1685. [
  1686. 'server' => [
  1687. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1688. ],
  1689. 'cookies' => [
  1690. session_name() => 'asdf',
  1691. ],
  1692. ],
  1693. $this->secureRandom,
  1694. $this->config,
  1695. $this->csrfTokenManager,
  1696. $this->stream
  1697. ])
  1698. ->getMock();
  1699. $this->assertFalse($request->passesStrictCookieCheck());
  1700. }
  1701. public function testFailsStrictCookieCheckWithRememberMeCookie() {
  1702. /** @var Request $request */
  1703. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1704. ->setMethods(['getScriptName'])
  1705. ->setConstructorArgs([
  1706. [
  1707. 'server' => [
  1708. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1709. ],
  1710. 'cookies' => [
  1711. 'nc_token' => 'asdf',
  1712. ],
  1713. ],
  1714. $this->secureRandom,
  1715. $this->config,
  1716. $this->csrfTokenManager,
  1717. $this->stream
  1718. ])
  1719. ->getMock();
  1720. $this->assertFalse($request->passesStrictCookieCheck());
  1721. }
  1722. public function testFailsCSRFCheckWithPostAndWithCookies() {
  1723. /** @var Request $request */
  1724. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1725. ->setMethods(['getScriptName'])
  1726. ->setConstructorArgs([
  1727. [
  1728. 'post' => [
  1729. 'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1730. ],
  1731. 'cookies' => [
  1732. session_name() => 'asdf',
  1733. 'foo' => 'bar',
  1734. ],
  1735. ],
  1736. $this->secureRandom,
  1737. $this->config,
  1738. $this->csrfTokenManager,
  1739. $this->stream
  1740. ])
  1741. ->getMock();
  1742. $this->csrfTokenManager
  1743. ->expects($this->never())
  1744. ->method('isTokenValid');
  1745. $this->assertFalse($request->passesCSRFCheck());
  1746. }
  1747. public function testFailStrictCookieCheckWithOnlyLaxCookie() {
  1748. /** @var Request $request */
  1749. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1750. ->setMethods(['getScriptName'])
  1751. ->setConstructorArgs([
  1752. [
  1753. 'server' => [
  1754. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1755. ],
  1756. 'cookies' => [
  1757. session_name() => 'asdf',
  1758. 'nc_sameSiteCookielax' => 'true',
  1759. ],
  1760. ],
  1761. $this->secureRandom,
  1762. $this->config,
  1763. $this->csrfTokenManager,
  1764. $this->stream
  1765. ])
  1766. ->getMock();
  1767. $this->assertFalse($request->passesStrictCookieCheck());
  1768. }
  1769. public function testFailStrictCookieCheckWithOnlyStrictCookie() {
  1770. /** @var Request $request */
  1771. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1772. ->setMethods(['getScriptName'])
  1773. ->setConstructorArgs([
  1774. [
  1775. 'server' => [
  1776. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1777. ],
  1778. 'cookies' => [
  1779. session_name() => 'asdf',
  1780. 'nc_sameSiteCookiestrict' => 'true',
  1781. ],
  1782. ],
  1783. $this->secureRandom,
  1784. $this->config,
  1785. $this->csrfTokenManager,
  1786. $this->stream
  1787. ])
  1788. ->getMock();
  1789. $this->assertFalse($request->passesStrictCookieCheck());
  1790. }
  1791. public function testPassesLaxCookieCheck() {
  1792. /** @var Request $request */
  1793. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1794. ->setMethods(['getScriptName'])
  1795. ->setConstructorArgs([
  1796. [
  1797. 'server' => [
  1798. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1799. ],
  1800. 'cookies' => [
  1801. session_name() => 'asdf',
  1802. 'nc_sameSiteCookielax' => 'true',
  1803. ],
  1804. ],
  1805. $this->secureRandom,
  1806. $this->config,
  1807. $this->csrfTokenManager,
  1808. $this->stream
  1809. ])
  1810. ->getMock();
  1811. $this->assertTrue($request->passesLaxCookieCheck());
  1812. }
  1813. public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
  1814. /** @var Request $request */
  1815. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1816. ->setMethods(['getScriptName'])
  1817. ->setConstructorArgs([
  1818. [
  1819. 'server' => [
  1820. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1821. ],
  1822. 'cookies' => [
  1823. session_name() => 'asdf',
  1824. 'nc_sameSiteCookiestrict' => 'true',
  1825. ],
  1826. ],
  1827. $this->secureRandom,
  1828. $this->config,
  1829. $this->csrfTokenManager,
  1830. $this->stream
  1831. ])
  1832. ->getMock();
  1833. $this->assertFalse($request->passesLaxCookieCheck());
  1834. }
  1835. public function testSkipCookieCheckForOCSRequests() {
  1836. /** @var Request $request */
  1837. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1838. ->setMethods(['getScriptName'])
  1839. ->setConstructorArgs([
  1840. [
  1841. 'server' => [
  1842. 'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
  1843. 'HTTP_OCS_APIREQUEST' => 'true',
  1844. ],
  1845. 'cookies' => [
  1846. session_name() => 'asdf',
  1847. 'nc_sameSiteCookiestrict' => 'false',
  1848. ],
  1849. ],
  1850. $this->secureRandom,
  1851. $this->config,
  1852. $this->csrfTokenManager,
  1853. $this->stream
  1854. ])
  1855. ->getMock();
  1856. $this->assertTrue($request->passesStrictCookieCheck());
  1857. }
  1858. /**
  1859. * @return array
  1860. */
  1861. public function invalidTokenDataProvider() {
  1862. return [
  1863. ['InvalidSentToken'],
  1864. ['InvalidSentToken:InvalidSecret'],
  1865. [''],
  1866. ];
  1867. }
  1868. /**
  1869. * @dataProvider invalidTokenDataProvider
  1870. * @param string $invalidToken
  1871. */
  1872. public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
  1873. /** @var Request $request */
  1874. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1875. ->setMethods(['getScriptName'])
  1876. ->setConstructorArgs([
  1877. [
  1878. 'server' => [
  1879. 'HTTP_REQUESTTOKEN' => $invalidToken,
  1880. ],
  1881. ],
  1882. $this->secureRandom,
  1883. $this->config,
  1884. $this->csrfTokenManager,
  1885. $this->stream
  1886. ])
  1887. ->getMock();
  1888. $token = new CsrfToken($invalidToken);
  1889. $this->csrfTokenManager
  1890. ->expects($this->any())
  1891. ->method('isTokenValid')
  1892. ->with($token)
  1893. ->willReturn(false);
  1894. $this->assertFalse($request->passesCSRFCheck());
  1895. }
  1896. public function testPassesCSRFCheckWithoutTokenFail() {
  1897. /** @var Request $request */
  1898. $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
  1899. ->setMethods(['getScriptName'])
  1900. ->setConstructorArgs([
  1901. [],
  1902. $this->secureRandom,
  1903. $this->config,
  1904. $this->csrfTokenManager,
  1905. $this->stream
  1906. ])
  1907. ->getMock();
  1908. $this->assertFalse($request->passesCSRFCheck());
  1909. }
  1910. }