RequestTest.php 54 KB

  1. <?php
  2. /**
  3. * @copyright 2013 Thomas Tanghus (thomas@tanghus.net)
  4. * @copyright 2016 Lukas Reschke lukas@owncloud.com
  5. * @copyright 2022 Stanimir Bozhilov (stanimir@audriga.com)
  6. *
  7. * This file is licensed under the Affero General Public License version 3 or
  8. * later.
  9. * See the COPYING-README file.
  10. */
  11. namespace Test\AppFramework\Http;
  12. use OC\AppFramework\Http\Request;
  13. use OC\Security\CSRF\CsrfToken;
  14. use OC\Security\CSRF\CsrfTokenManager;
  15. use OCP\IConfig;
  16. use OCP\IRequestId;
  17. /**
  18. * Class RequestTest
  19. *
  20. * @package OC\AppFramework\Http
  21. */
  22. class RequestTest extends \Test\TestCase {
  23. /** @var string */
  24. protected $stream = 'fakeinput://data';
  25. /** @var IRequestId */
  26. protected $requestId;
  27. /** @var IConfig */
  28. protected $config;
  29. /** @var CsrfTokenManager */
  30. protected $csrfTokenManager;
  /**
   * Registers RequestStream as the `fakeinput` stream wrapper and builds fresh
   * mocks for the collaborators handed to every Request in this class.
   */
  protected function setUp(): void {
      parent::setUp();

      // If the wrapper is already registered, drop it before registering again.
      $alreadyRegistered = in_array('fakeinput', stream_get_wrappers());
      if ($alreadyRegistered) {
          stream_wrapper_unregister('fakeinput');
      }
      stream_wrapper_register('fakeinput', 'Test\AppFramework\Http\RequestStream');

      $this->requestId = $this->createMock(IRequestId::class);
      $this->config = $this->createMock(IConfig::class);

      // The CSRF token manager is mocked without running its constructor.
      $csrfMockBuilder = $this->getMockBuilder(CsrfTokenManager::class);
      $csrfMockBuilder->disableOriginalConstructor();
      $this->csrfTokenManager = $csrfMockBuilder->getMock();
  }
  /**
   * Unregisters the `fakeinput` stream wrapper, then runs the parent teardown.
   */
  protected function tearDown(): void {
      stream_wrapper_unregister('fakeinput');

      parent::tearDown();
  }
  /**
   * Reads one GET parameter through each read interface of Request: count(),
   * array access, property access, isset() and the `get` bag.
   */
  public function testRequestAccessors() {
      $req = new Request(
          [
              'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
              'method' => 'GET',
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // Countable: both GET parameters are counted.
      $this->assertSame(2, count($req));

      // Array access and property ("magic") access resolve the same key.
      $this->assertSame('Joey', $req['nickname']);
      $this->assertSame('Joey', $req->nickname);

      // isset() works with both syntaxes and is false for an unknown key.
      $this->assertTrue(isset($req['nickname']));
      $this->assertTrue(isset($req->nickname));
      $this->assertFalse(isset($req->flickname));

      // Only 'get' is exercised here; post, files etc. follow the same approach.
      $this->assertSame('Joey', $req->get['nickname']);

      // A parameter that was never set reads as null.
      $this->assertSame(null, $req->flickname);
  }
  73. // urlParams has precedence over POST which has precedence over GET
  /**
   * Supplies overlapping keys in the GET, POST and URL parameters and checks
   * which source wins for each key in the merged view.
   */
  public function testPrecedence() {
      $sources = [
          'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
          'post' => ['name' => 'Jane Doe', 'nickname' => 'Janey'],
          'urlParams' => ['user' => 'jw', 'name' => 'Johnny Weissmüller'],
          'method' => 'GET'
      ];
      $req = new Request(
          $sources,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // Three distinct keys remain after merging: name, nickname and user.
      $this->assertSame(3, count($req));
      // 'nickname' exists in GET and POST: the POST value is returned.
      $this->assertSame('Janey', $req->nickname);
      // 'name' exists in all three sources: the URL parameter is returned.
      $this->assertSame('Johnny Weissmüller', $req->name);
  }
  /**
   * Writing a parameter through array access must raise a RuntimeException,
   * so request data cannot be altered after construction this way.
   */
  public function testImmutableArrayAccess() {
      $this->expectException(\RuntimeException::class);

      $req = new Request(
          [
              'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
              'method' => 'GET'
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // The write itself is the behaviour under test.
      $req['nickname'] = 'Janey';
  }
  /**
   * Writing a parameter through property access must raise a RuntimeException,
   * mirroring the array-access case.
   */
  public function testImmutableMagicAccess() {
      $this->expectException(\RuntimeException::class);

      $req = new Request(
          [
              'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
              'method' => 'GET'
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // The write itself is the behaviour under test.
      $req->nickname = 'Janey';
  }
  /**
   * Reading the `post` bag of a request whose method is GET must raise a
   * LogicException.
   */
  public function testGetTheMethodRight() {
      $this->expectException(\LogicException::class);

      $req = new Request(
          [
              'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
              'method' => 'GET',
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // Accessing the bag that does not belong to the method is the trigger.
      $req->post;
  }
  /**
   * A GET request reports its method and exposes its parameters through the
   * `get` bag.
   */
  public function testTheMethodIsRight() {
      $req = new Request(
          [
              'get' => ['name' => 'John Q. Public', 'nickname' => 'Joey'],
              'method' => 'GET',
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('GET', $req->method);

      $getBag = $req->get;
      $this->assertSame('John Q. Public', $getBag['name']);
      $this->assertSame('Joey', $getBag['nickname']);
  }
  /**
   * A POST with an `application/json` content type has its body decoded into
   * the `post` bag, the `params` bag and the array-access view.
   *
   * The body is placed in the global $data; presumably the `fakeinput` wrapper
   * registered in setUp() serves it as the request input (confirm in
   * RequestStream).
   */
  public function testJsonPost() {
      global $data;
      $data = '{"name": "John Q. Public", "nickname": "Joey"}';

      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('POST', $req->method);

      $postBag = $req->post;
      $this->assertSame('John Q. Public', $postBag['name']);
      $this->assertSame('Joey', $postBag['nickname']);

      // The same value is reachable through `params` and array access.
      $this->assertSame('Joey', $req->params['nickname']);
      $this->assertSame('Joey', $req['nickname']);
  }
  /**
   * A POST with an `application/scim+json` content type is decoded the same
   * way as plain JSON.
   */
  public function testScimJsonPost() {
      global $data;
      $data = '{"userName":"testusername", "displayName":"Example User"}';

      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('POST', $req->method);

      $postBag = $req->post;
      $this->assertSame('testusername', $postBag['userName']);
      $this->assertSame('Example User', $postBag['displayName']);

      // The same value is reachable through `params` and array access.
      $this->assertSame('Example User', $req->params['displayName']);
      $this->assertSame('Example User', $req['displayName']);
  }
  /**
   * A POST with an arbitrary `+json` content type is decoded as JSON.
   */
  public function testCustomJsonPost() {
      global $data;
      $data = '{"propertyA":"sometestvalue", "propertyB":"someothertestvalue"}';

      // Note: the content type used here is fictional; it checks that the
      // regex for JSON content types works.
      $contentType = 'application/custom-type+json; utf-8';
      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => $contentType]
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('POST', $req->method);

      $postBag = $req->post;
      $this->assertSame('sometestvalue', $postBag['propertyA']);
      $this->assertSame('someothertestvalue', $postBag['propertyB']);
  }
  /**
   * Request bodies that are not a JSON object: free text, a bare JSON string
   * and a malformed object.
   *
   * @return array one single-element argument list per case
   */
  public function notJsonDataProvider() {
      $freeText = ['this is not valid json'];
      $bareString = ['"just a string"'];
      $malformedObject = ['{"just a string"}'];

      return [$freeText, $bareString, $malformedObject];
  }
  /**
   * A body that is not a JSON object, sent with a JSON content type, must not
   * raise an error when the POST data is read.
   *
   * @dataProvider notJsonDataProvider
   *
   * @param string $testData raw request body
   */
  public function testNotJsonPost($testData) {
      global $data;
      $data = $testData;

      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => 'application/json; utf-8']
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertEquals('POST', $req->method);

      // Ensure there's no error attempting to decode the content.
      // NOTE(review): the value read here is not asserted; consider pinning
      // what a malformed body decodes to.
      $req->post;
  }
  /**
   * Free text sent as `application/scim+json` must not raise an error when
   * the POST data is read.
   */
  public function testNotScimJsonPost() {
      global $data;
      $data = 'this is not valid scim json';

      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => 'application/scim+json; utf-8']
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertEquals('POST', $req->method);

      // Ensure there's no error attempting to decode the content.
      // NOTE(review): the value read here is not asserted; consider pinning it.
      $req->post;
  }
  /**
   * Free text sent with a custom `+json` content type must not raise an error
   * when the POST data is read.
   */
  public function testNotCustomJsonPost() {
      global $data;
      $data = 'this is not valid json';

      $req = new Request(
          [
              'method' => 'POST',
              'server' => ['CONTENT_TYPE' => 'application/custom-type+json; utf-8']
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertEquals('POST', $req->method);

      // Ensure there's no error attempting to decode the content.
      // NOTE(review): the value read here is not asserted; consider pinning it.
      $req->post;
  }
  /**
   * A form-urlencoded PATCH body is parsed into the `patch` bag.
   */
  public function testPatch() {
      global $data;
      $formFields = ['name' => 'John Q. Public', 'nickname' => 'Joey'];
      $data = http_build_query($formFields, '', '&');

      $req = new Request(
          [
              'method' => 'PATCH',
              'server' => ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'],
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PATCH', $req->method);

      $patchBag = $req->patch;
      $this->assertSame('John Q. Public', $patchBag['name']);
      $this->assertSame('Joey', $patchBag['nickname']);
  }
  /**
   * JSON bodies of PUT and PATCH requests are decoded into the `put` and
   * `patch` bags; a JSON null in a PATCH body is kept as null.
   */
  public function testJsonPatchAndPut() {
      global $data;
      $jsonServer = ['CONTENT_TYPE' => 'application/json; utf-8'];

      // PUT content
      $data = '{"name": "John Q. Public", "nickname": "Joey"}';
      $req = new Request(
          ['method' => 'PUT', 'server' => $jsonServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PUT', $req->method);
      $bag = $req->put;
      $this->assertSame('John Q. Public', $bag['name']);
      $this->assertSame('Joey', $bag['nickname']);

      // PATCH content
      $data = '{"name": "John Q. Public", "nickname": null}';
      $req = new Request(
          ['method' => 'PATCH', 'server' => $jsonServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PATCH', $req->method);
      $bag = $req->patch;
      $this->assertSame('John Q. Public', $bag['name']);
      $this->assertSame(null, $bag['nickname']);
  }
  /**
   * `application/scim+json` bodies of PUT and PATCH requests are decoded into
   * the `put` and `patch` bags; a JSON null in a PATCH body is kept as null.
   */
  public function testScimJsonPatchAndPut() {
      global $data;
      $scimServer = ['CONTENT_TYPE' => 'application/scim+json; utf-8'];

      // PUT content
      $data = '{"userName": "sometestusername", "displayName": "Example User"}';
      $req = new Request(
          ['method' => 'PUT', 'server' => $scimServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PUT', $req->method);
      $bag = $req->put;
      $this->assertSame('sometestusername', $bag['userName']);
      $this->assertSame('Example User', $bag['displayName']);

      // PATCH content
      $data = '{"userName": "sometestusername", "displayName": null}';
      $req = new Request(
          ['method' => 'PATCH', 'server' => $scimServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PATCH', $req->method);
      $bag = $req->patch;
      $this->assertSame('sometestusername', $bag['userName']);
      $this->assertSame(null, $bag['displayName']);
  }
  /**
   * Bodies with a custom `+json` content type are decoded for PUT and PATCH;
   * a JSON null in a PATCH body is kept as null.
   */
  public function testCustomJsonPatchAndPut() {
      global $data;
      $customServer = ['CONTENT_TYPE' => 'application/custom-type+json; utf-8'];

      // PUT content
      $data = '{"propertyA": "sometestvalue", "propertyB": "someothertestvalue"}';
      $req = new Request(
          ['method' => 'PUT', 'server' => $customServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PUT', $req->method);
      $bag = $req->put;
      $this->assertSame('sometestvalue', $bag['propertyA']);
      $this->assertSame('someothertestvalue', $bag['propertyB']);

      // PATCH content
      $data = '{"propertyA": "sometestvalue", "propertyB": null}';
      $req = new Request(
          ['method' => 'PATCH', 'server' => $customServer],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PATCH', $req->method);
      $bag = $req->patch;
      $this->assertSame('sometestvalue', $bag['propertyA']);
      $this->assertSame(null, $bag['propertyB']);
  }
  /**
   * A PUT with a non-form, non-JSON content type exposes the body as a stream
   * that yields the uploaded bytes; asking for the stream a second time must
   * raise a LogicException.
   */
  public function testPutStream() {
      global $data;
      $data = file_get_contents(__DIR__ . '/../../../data/testimage.png');

      $serverVars = [
          'CONTENT_TYPE' => 'image/png',
          'CONTENT_LENGTH' => (string)strlen($data)
      ];
      $req = new Request(
          [
              'put' => $data,
              'method' => 'PUT',
              'server' => $serverVars,
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );
      $this->assertSame('PUT', $req->method);

      // First access: the stream returns exactly the fixture's bytes.
      $bodyStream = $req->put;
      $received = stream_get_contents($bodyStream);
      $this->assertSame($data, $received);

      // Second access: must be refused with a LogicException.
      $secondReadRefused = false;
      try {
          $bodyStream = $req->put;
      } catch (\LogicException $e) {
          $secondReadRefused = true;
      }
      if (!$secondReadRefused) {
          $this->fail('Expected LogicException.');
      }
  }
  /**
   * setUrlParameters() replaces the URL parameters given at construction; the
   * new values are visible through getParam() and getParams().
   */
  public function testSetUrlParameters() {
      $req = new Request(
          [
              'post' => [],
              'method' => 'POST',
              'urlParams' => ['id' => '2'],
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $req->setUrlParameters(['id' => '3', 'test' => 'test2']);

      $this->assertSame('test2', $req->getParam('test'));
      // The original id '2' is superseded by the new value.
      $this->assertEquals('3', $req->getParam('id'));
      $this->assertEquals('3', $req->getParams()['id']);
  }
  /**
   * With an empty `trusted_proxies` list the forwarded headers sent with the
   * request are ignored and REMOTE_ADDR is returned.
   */
  public function testGetRemoteAddressWithoutTrustedRemote() {
      $server = [
          'REMOTE_ADDR' => '10.0.0.2',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      // Exactly one config read is expected: the proxy allow-list.
      $this->config
          ->expects($this->once())
          ->method('getSystemValue')
          ->with('trusted_proxies')
          ->willReturn([]);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('10.0.0.2', $req->getRemoteAddress());
  }
  /**
   * The peer is a trusted proxy, but `forwarded_for_headers` is empty: no
   * forwarded header is honoured and REMOTE_ADDR is returned.
   */
  public function testGetRemoteAddressWithNoTrustedHeader() {
      $server = [
          'REMOTE_ADDR' => '10.0.0.2',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      // First read: trusted proxies; second read: the (empty) header list.
      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls(['10.0.0.2'], []);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('10.0.0.2', $req->getRemoteAddress());
  }
  /**
   * The peer is a trusted proxy and HTTP_X_FORWARDED is the only configured
   * header: the first address of its comma-separated list is returned.
   *
   * NOTE(review): the first list entry is the one a client can pre-fill when
   * a proxy appends to the header instead of replacing it; confirm the
   * deployment guidance for `trusted_proxies` covers that.
   */
  public function testGetRemoteAddressWithSingleTrustedRemote() {
      $server = [
          'REMOTE_ADDR' => '10.0.0.2',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls(['10.0.0.2'], ['HTTP_X_FORWARDED']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      // HTTP_X_FORWARDED_FOR is present but not configured, so it is not used.
      $this->assertSame('10.4.0.5', $req->getRemoteAddress());
  }
  /**
   * Same as the single-trusted-proxy case, with the proxy identified by an
   * IPv6 address: the first address of HTTP_X_FORWARDED is returned.
   */
  public function testGetRemoteAddressIPv6WithSingleTrustedRemote() {
      $proxy = '2001:db8:85a3:8d3:1319:8a2e:370:7348';
      $server = [
          'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls([$proxy], ['HTTP_X_FORWARDED']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('10.4.0.5', $req->getRemoteAddress());
  }
  /**
   * With several configured headers, the configured order decides which one
   * is used: HTTP_CLIENT_IP is absent from the request, so the next entry,
   * HTTP_X_FORWARDED_FOR, wins over HTTP_X_FORWARDED.
   */
  public function testGetRemoteAddressVerifyPriorityHeader() {
      $headerPriority = [
          'HTTP_CLIENT_IP',
          'HTTP_X_FORWARDED_FOR',
          'HTTP_X_FORWARDED',
      ];
      $server = [
          'REMOTE_ADDR' => '10.0.0.2',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls(['10.0.0.2'], $headerPriority);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('192.168.0.233', $req->getRemoteAddress());
  }
  /**
   * Header priority with an IPv6 trusted proxy: HTTP_CLIENT_IP is absent, so
   * HTTP_X_FORWARDED_FOR is used ahead of HTTP_X_FORWARDED.
   */
  public function testGetRemoteAddressIPv6VerifyPriorityHeader() {
      $proxy = '2001:db8:85a3:8d3:1319:8a2e:370:7348';
      $headerPriority = [
          'HTTP_CLIENT_IP',
          'HTTP_X_FORWARDED_FOR',
          'HTTP_X_FORWARDED'
      ];
      $server = [
          'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a2e:370:7348',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls([$proxy], $headerPriority);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('192.168.0.233', $req->getRemoteAddress());
  }
  /**
   * `trusted_proxies` may hold a CIDR range: a peer inside 192.168.2.0/24 is
   * treated as trusted and the configured forwarded header is used.
   */
  public function testGetRemoteAddressWithMatchingCidrTrustedRemote() {
      $server = [
          'REMOTE_ADDR' => '192.168.2.99',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls(['192.168.2.0/24'], ['HTTP_X_FORWARDED_FOR']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('192.168.0.233', $req->getRemoteAddress());
  }
  /**
   * A peer outside the trusted CIDR range (192.168.3.99 vs 192.168.2.0/24) is
   * not trusted: its forwarded headers are ignored and REMOTE_ADDR is returned.
   */
  public function testGetRemoteAddressWithNotMatchingCidrTrustedRemote() {
      $server = [
          'REMOTE_ADDR' => '192.168.3.99',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      // Only the allow-list is read; the header list is never requested.
      $this->config
          ->expects($this->once())
          ->method('getSystemValue')
          ->with('trusted_proxies')
          ->willReturn(['192.168.2.0/24']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('192.168.3.99', $req->getRemoteAddress());
  }
  /**
   * IPv6 CIDR matching at a non-nibble boundary: the peer's sixth group
   * (8a21) differs from the prefix (8a20) only in its last bit, which a /95
   * mask leaves free, so the peer counts as trusted.
   */
  public function testGetRemoteIpv6AddressWithMatchingIpv6CidrTrustedRemote() {
      $trustedRange = '2001:db8:85a3:8d3:1319:8a20::/95';
      $server = [
          'REMOTE_ADDR' => '2001:db8:85a3:8d3:1319:8a21:370:7348',
          'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
          'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls([$trustedRange], ['HTTP_X_FORWARDED_FOR']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('192.168.0.233', $req->getRemoteAddress());
  }
  /**
   * An IPv6 peer outside the trusted range `fd::/8` is not trusted: its
   * forwarded headers are ignored and REMOTE_ADDR is returned.
   */
  public function testGetRemoteAddressIpv6WithNotMatchingCidrTrustedRemote() {
      $peer = '2001:db8:85a3:8d3:1319:8a2e:370:7348';

      // Only the allow-list is read; the header list is never requested.
      $this->config
          ->expects($this->once())
          ->method('getSystemValue')
          ->with('trusted_proxies')
          ->willReturn(['fd::/8']);

      $req = new Request(
          [
              'server' => [
                  'REMOTE_ADDR' => $peer,
                  'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
                  'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
              ],
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $req->getRemoteAddress());
  }
  /**
   * A malformed `trusted_proxies` entry (`fx::/8` is not a valid address)
   * must not make any peer trusted: REMOTE_ADDR is returned and the forwarded
   * headers are ignored.
   */
  public function testGetRemoteAddressIpv6WithInvalidTrustedProxy() {
      $peer = '2001:db8:85a3:8d3:1319:8a2e:370:7348';

      // Only the allow-list is read; the header list is never requested.
      $this->config
          ->expects($this->once())
          ->method('getSystemValue')
          ->with('trusted_proxies')
          ->willReturn(['fx::/8']);

      $req = new Request(
          [
              'server' => [
                  'REMOTE_ADDR' => $peer,
                  'HTTP_X_FORWARDED' => '10.4.0.5, 10.4.0.4',
                  'HTTP_X_FORWARDED_FOR' => '192.168.0.233'
              ],
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $req->getRemoteAddress());
  }
  /**
   * A bracketed IPv6 address in the forwarded header of a trusted proxy is
   * returned without the surrounding brackets.
   */
  public function testGetRemoteAddressWithXForwardedForIPv6() {
      $server = [
          'REMOTE_ADDR' => '192.168.2.99',
          'HTTP_X_FORWARDED_FOR' => '[2001:db8:85a3:8d3:1319:8a2e:370:7348]',
      ];

      $configReads = $this->config
          ->expects($this->exactly(2))
          ->method('getSystemValue');
      $configReads
          ->withConsecutive(['trusted_proxies'], ['forwarded_for_headers'])
          ->willReturnOnConsecutiveCalls(['192.168.2.0/24'], ['HTTP_X_FORWARDED_FOR']);

      $req = new Request(
          ['server' => $server],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream
      );

      $this->assertSame('2001:db8:85a3:8d3:1319:8a2e:370:7348', $req->getRemoteAddress());
  }
  /**
   * Data sets for testGetHttpProtocol: [SERVER_PROTOCOL value, expected result].
   *
   * Anything that is not HTTP/1.0, HTTP/1.1 or HTTP/2 (in any letter case) is
   * expected to fall back to HTTP/1.1.
   *
   * @return array
   */
  public function httpProtocolProvider() {
    $cases = [];

    // Valid HTTP 1.0, 1.1 and 2.0, each in three spellings of the scheme
    foreach (['1.0', '1.1', '2'] as $version) {
      foreach (['HTTP', 'http', 'HTTp'] as $scheme) {
        $cases[] = [$scheme . '/' . $version, 'HTTP/' . $version];
      }
    }

    // Invalid
    foreach (['HTTp/394', 'InvalidProvider/1.1', null, ''] as $invalid) {
      $cases[] = [$invalid, 'HTTP/1.1'];
    }

    return $cases;
  }
  /**
   * getHttpProtocol() must return one of the known protocol strings whatever
   * SERVER_PROTOCOL contains.
   *
   * @dataProvider httpProtocolProvider
   *
   * @param mixed $input value placed in SERVER_PROTOCOL
   * @param string $expected protocol string the request must report
   */
  public function testGetHttpProtocol($input, $expected) {
    $serverVars = ['SERVER_PROTOCOL' => $input];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $actual = $request->getHttpProtocol();

    $this->assertSame($expected, $actual);
  }
  /**
   * With 'overwriteprotocol' configured and an empty 'overwritecondaddr', the
   * configured value is returned as the server protocol.
   */
  public function testGetServerProtocolWithOverride() {
    $configMap = [
      ['overwriteprotocol', '', 'customProtocol'],
      ['overwritecondaddr', '', ''],
    ];
    $this->config
      ->expects($this->exactly(3))
      ->method('getSystemValueString')
      ->willReturnMap($configMap);

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('customProtocol', $request->getServerProtocol());
  }
  /**
   * X-Forwarded-Proto sent by a trusted proxy (REMOTE_ADDR 1.2.3.4 is listed in
   * trusted_proxies) decides the protocol, and the result is reported in lower
   * case: 'HtTpS' gives 'https', 'HTTp' gives 'http'.
   */
  public function testGetServerProtocolWithProtoValid() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $httpsVars = [
      'HTTP_X_FORWARDED_PROTO' => 'HtTpS',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $requestHttps = new Request(
      ['server' => $httpsVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $httpVars = [
      'HTTP_X_FORWARDED_PROTO' => 'HTTp',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $requestHttp = new Request(
      ['server' => $httpVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('https', $requestHttps->getServerProtocol());
    $this->assertSame('http', $requestHttp->getServerProtocol());
  }
  /**
   * With every config value at its default, HTTPS=on in the server variables
   * makes the request report 'https'.
   */
  public function testGetServerProtocolWithHttpsServerValueOn() {
    // Every config lookup answers with the default the caller passed in.
    $passDefault = function ($key, $default) {
      return $default;
    };
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback($passDefault);

    $serverVars = ['HTTPS' => 'on'];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('https', $request->getServerProtocol());
  }
  /**
   * HTTPS=off is a non-empty value that still means plain HTTP; the request
   * must report 'http'.
   */
  public function testGetServerProtocolWithHttpsServerValueOff() {
    $passDefault = function ($key, $default) {
      return $default;
    };
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback($passDefault);

    $serverVars = ['HTTPS' => 'off'];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('http', $request->getServerProtocol());
  }
  /**
   * An empty HTTPS server variable is treated like an absent one: 'http'.
   */
  public function testGetServerProtocolWithHttpsServerValueEmpty() {
    $passDefault = function ($key, $default) {
      return $default;
    };
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback($passDefault);

    $serverVars = ['HTTPS' => ''];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('http', $request->getServerProtocol());
  }
  /**
   * With no server variables and only default config values the protocol
   * falls back to 'http'.
   */
  public function testGetServerProtocolDefault() {
    $passDefault = function ($key, $default) {
      return $default;
    };
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback($passDefault);

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('http', $request->getServerProtocol());
  }
  /**
   * A chain of proxies may produce a comma-separated X-Forwarded-Proto. For a
   * trusted peer the test pins that 'https,http,http' is reported as 'https',
   * i.e. the first entry of the list decides.
   */
  public function testGetServerProtocolBehindLoadBalancers() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $serverVars = [
      'HTTP_X_FORWARDED_PROTO' => 'https,http,http',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('https', $request->getServerProtocol());
  }
  /**
   * isUserAgent() must report whether the User-Agent header matches at least
   * one of the given patterns.
   *
   * @dataProvider userAgentProvider
   * @param string $testAgent value of the User-Agent header
   * @param array $userAgent patterns to test against
   * @param bool $matches expected result
   */
  public function testUserAgent($testAgent, $userAgent, $matches) {
    $serverVars = ['HTTP_USER_AGENT' => $testAgent];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $actual = $request->isUserAgent($userAgent);

    $this->assertSame($matches, $actual);
  }
  /**
   * Without a User-Agent header no pattern may match. Only the pattern list
   * of each data set is used; $testAgent and $matches are ignored here.
   *
   * @dataProvider userAgentProvider
   * @param string $testAgent
   * @param array $userAgent
   * @param bool $matches
   */
  public function testUndefinedUserAgent($testAgent, $userAgent, $matches) {
    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $matched = $request->isUserAgent($userAgent);

    $this->assertFalse($matched);
  }
  /**
   * Data sets for the user-agent tests: [User-Agent header, patterns, expected match].
   *
   * The User-Agent header is chosen by the client, so these matches describe
   * what a client claims to be and nothing more.
   *
   * @return array
   */
  public function userAgentProvider() {
    // Header values that appear in more than one data set.
    $ie8 = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)';
    $firefox24 = 'Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20100101 Firefox/24.0';
    $androidChrome31 = 'Mozilla/5.0 (Linux; Android 4.4; Nexus 4 Build/KRT16S) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.59 Mobile Safari/537.36';

    $onlyIe = [Request::USER_AGENT_IE];
    $onlyChrome = [Request::USER_AGENT_CHROME];
    $onlyAndroidChrome = [Request::USER_AGENT_ANDROID_MOBILE_CHROME];
    $ieOrAndroidChrome = [
      Request::USER_AGENT_IE,
      Request::USER_AGENT_ANDROID_MOBILE_CHROME,
    ];
    $onlyFreebox = [Request::USER_AGENT_FREEBOX];
    $onlyAndroidClient = [Request::USER_AGENT_CLIENT_ANDROID];

    return [
      [$ie8, $onlyIe, true],
      [$firefox24, $onlyIe, false],
      [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36',
        $onlyChrome,
        true,
      ],
      [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/53.0.2785.143 Chrome/53.0.2785.143 Safari/537.36',
        $onlyChrome,
        true,
      ],
      [$androidChrome31, $onlyAndroidChrome, true],
      [$ie8, $onlyAndroidChrome, false],
      // Several patterns: one matching pattern is enough.
      [$ie8, $ieOrAndroidChrome, true],
      [$androidChrome31, $ieOrAndroidChrome, true],
      [$firefox24, $onlyFreebox, false],
      ['Mozilla/5.0', $onlyFreebox, true],
      ['Fake Mozilla/5.0', $onlyFreebox, false],
      ['Mozilla/5.0 (Android) ownCloud-android/2.0.0', $onlyAndroidClient, true],
      ['Mozilla/5.0 (Android) Nextcloud-android/2.0.0', $onlyAndroidClient, true],
      // Chromium-based browsers that append their own product token.
      [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.99 Safari/537.36 Vivaldi/2.9.1705.41',
        $onlyChrome,
        true,
      ],
      [
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75',
        $onlyChrome,
        true,
      ],
      [
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 OPR/50.0.2762.67',
        $onlyChrome,
        true,
      ],
    ];
  }
  /**
   * With only SERVER_NAME set, getInsecureServerHost() returns it unchanged,
   * port included. As the method name says, the value is not validated here.
   */
  public function testInsecureServerHostServerNameHeader() {
    $serverVars = ['SERVER_NAME' => 'from.server.name:8080'];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $host = $request->getInsecureServerHost();

    $this->assertSame('from.server.name:8080', $host);
  }
  /**
   * The client-supplied Host header takes precedence over SERVER_NAME and is
   * returned as sent.
   */
  public function testInsecureServerHostHttpHostHeader() {
    $serverVars = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $host = $request->getInsecureServerHost();

    $this->assertSame('from.host.header:8080', $host);
  }
  /**
   * When the peer (1.2.3.4) is a trusted proxy, X-Forwarded-Host wins over
   * both Host and SERVER_NAME.
   */
  public function testInsecureServerHostHttpFromForwardedHeaderSingle() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $serverVars = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
      'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host:8080',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('from.forwarded.host:8080', $request->getInsecureServerHost());
  }
  /**
   * A comma-separated X-Forwarded-Host from a trusted proxy is reduced to its
   * first entry.
   */
  public function testInsecureServerHostHttpFromForwardedHeaderStacked() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $serverVars = [
      'SERVER_NAME' => 'from.server.name:8080',
      'HTTP_HOST' => 'from.host.header:8080',
      'HTTP_X_FORWARDED_HOST' => 'from.forwarded.host2:8080,another.one:9000',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('from.forwarded.host2:8080', $request->getInsecureServerHost());
  }
  /**
   * A configured 'overwritehost' with an empty 'overwritecondaddr' is returned
   * as the server host even though the request carries no host at all.
   */
  public function testGetServerHostWithOverwriteHost() {
    $this->config
      ->method('getSystemValueString')
      ->willReturnCallback(function ($key, $default) {
        if ($key === 'overwritecondaddr') {
          return '';
        }
        if ($key === 'overwritehost') {
          return 'my.overwritten.host';
        }
        return $default;
      });

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('my.overwritten.host', $request->getServerHost());
  }
  /**
   * A forwarded host that is listed in trusted_domains is accepted as the
   * server host.
   */
  public function testGetServerHostWithTrustedDomain() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        if ($key === 'trusted_proxies') {
          return ['1.2.3.4'];
        }
        if ($key === 'trusted_domains') {
          return ['my.trusted.host'];
        }
        return $default;
      });

    $serverVars = [
      'HTTP_X_FORWARDED_HOST' => 'my.trusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('my.trusted.host', $request->getServerHost());
  }
  /**
   * A forwarded host that is NOT in trusted_domains must not be echoed back:
   * the configured trusted domain is returned instead. This keeps a
   * client-chosen host name out of anything built from getServerHost().
   */
  public function testGetServerHostWithUntrustedDomain() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        if ($key === 'trusted_proxies') {
          return ['1.2.3.4'];
        }
        if ($key === 'trusted_domains') {
          return ['my.trusted.host'];
        }
        return $default;
      });

    $serverVars = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('my.trusted.host', $request->getServerHost());
  }
  /**
   * With no trusted_domains configured there is nothing safe to fall back to,
   * so an untrusted forwarded host yields the empty string rather than the
   * client-supplied value.
   */
  public function testGetServerHostWithNoTrustedDomain() {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) {
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $serverVars = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('', $request->getServerHost());
  }
  /**
   * Data sets for testGetServerHostTrustedDomain:
   * [expected host, value returned for 'trusted_domains'].
   *
   * Covers the shapes the config value can take, including a list whose first
   * key is not 0 and a missing (null) value.
   *
   * @return array
   */
  public function dataGetServerHostTrustedDomain() {
    $trusted = 'my.trusted.host';

    $cases = [];
    $cases['is array'] = [$trusted, [$trusted]];
    $cases['is array but undefined index 0'] = [$trusted, [2 => $trusted]];
    $cases['is string'] = [$trusted, $trusted];
    $cases['is null'] = ['', null];

    return $cases;
  }
  /**
   * An untrusted forwarded host must be replaced by the configured trusted
   * domain, whatever shape the 'trusted_domains' config value has.
   *
   * @dataProvider dataGetServerHostTrustedDomain
   * @param string $expected host the request must report
   * @param mixed $trustedDomain value returned for 'trusted_domains'
   */
  public function testGetServerHostTrustedDomain($expected, $trustedDomain) {
    $this->config
      ->method('getSystemValue')
      ->willReturnCallback(function ($key, $default) use ($trustedDomain) {
        if ($key === 'trusted_domains') {
          return $trustedDomain;
        }
        return $key === 'trusted_proxies' ? ['1.2.3.4'] : $default;
      });

    $serverVars = [
      'HTTP_X_FORWARDED_HOST' => 'my.untrusted.host',
      'REMOTE_ADDR' => '1.2.3.4',
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame($expected, $request->getServerHost());
  }
  /**
   * An empty 'overwritehost' setting means "no override": the private
   * getOverwriteHost() returns null after a single config read.
   */
  public function testGetOverwriteHostDefaultNull() {
    $this->config
      ->expects($this->once())
      ->method('getSystemValueString')
      ->with('overwritehost')
      ->willReturn('');

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $overwriteHost = self::invokePrivate($request, 'getOverwriteHost');

    $this->assertNull($overwriteHost);
  }
  /**
   * A non-empty 'overwritehost' with an empty 'overwritecondaddr' is returned
   * by the private getOverwriteHost().
   */
  public function testGetOverwriteHostWithOverwrite() {
    $configMap = [
      ['overwritehost', '', 'www.owncloud.org'],
      ['overwritecondaddr', '', ''],
    ];
    $this->config
      ->expects($this->exactly(3))
      ->method('getSystemValueString')
      ->willReturnMap($configMap);

    $request = new Request(
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $overwriteHost = self::invokePrivate($request, 'getOverwriteHost');

    $this->assertSame('www.owncloud.org', $overwriteHost);
  }
  /**
   * A REQUEST_URI that does not belong to SCRIPT_NAME must be rejected with an
   * exception instead of producing a guessed path info.
   */
  public function testGetPathInfoNotProcessible() {
    $serverVars = [
      'REQUEST_URI' => '/foo.php',
      'SCRIPT_NAME' => '/var/www/index.php',
    ];

    $this->expectException(\Exception::class);
    $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');

    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );
    $request->getPathInfo();
  }
  /**
   * Same rejection as for getPathInfo(), checked on the raw (undecoded)
   * variant: URI and script name that do not fit together raise an exception.
   */
  public function testGetRawPathInfoNotProcessible() {
    $serverVars = [
      'REQUEST_URI' => '/foo.php',
      'SCRIPT_NAME' => '/var/www/index.php',
    ];

    $this->expectException(\Exception::class);
    $this->expectExceptionMessage('The requested uri(/foo.php) cannot be processed by the script \'/var/www/index.php\')');

    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );
    $request->getRawPathInfo();
  }
  /**
   * getPathInfo() derived from REQUEST_URI and SCRIPT_NAME alone, for inputs
   * where the decoded and the raw result are the same.
   *
   * @dataProvider genericPathInfoProvider
   * @param string $requestUri
   * @param string $scriptName
   * @param string $expected
   */
  public function testGetPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
    $serverVars = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $pathInfo = $request->getPathInfo();

    $this->assertSame($expected, $pathInfo);
  }
  /**
   * getRawPathInfo() derived from REQUEST_URI and SCRIPT_NAME alone, for
   * inputs where the decoded and the raw result are the same.
   *
   * @dataProvider genericPathInfoProvider
   * @param string $requestUri
   * @param string $scriptName
   * @param string $expected
   */
  public function testGetRawPathInfoWithoutSetEnvGeneric($requestUri, $scriptName, $expected) {
    $serverVars = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $rawPathInfo = $request->getRawPathInfo();

    $this->assertSame($expected, $rawPathInfo);
  }
  /**
   * The raw path info keeps percent-encoding as sent, so an encoded slash
   * (%2F) stays distinguishable from a real path separator.
   *
   * @dataProvider rawPathInfoProvider
   * @param string $requestUri
   * @param string $scriptName
   * @param string $expected
   */
  public function testGetRawPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
    $serverVars = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $rawPathInfo = $request->getRawPathInfo();

    $this->assertSame($expected, $rawPathInfo);
  }
  /**
   * The decoded path info turns percent-encoding into the characters it
   * stands for, so %2F becomes a real '/' in the result.
   *
   * @dataProvider pathInfoProvider
   * @param string $requestUri
   * @param string $scriptName
   * @param string $expected
   */
  public function testGetPathInfoWithoutSetEnv($requestUri, $scriptName, $expected) {
    $serverVars = [
      'REQUEST_URI' => $requestUri,
      'SCRIPT_NAME' => $scriptName,
    ];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $pathInfo = $request->getPathInfo();

    $this->assertSame($expected, $pathInfo);
  }
  /**
   * Data sets shared by the path-info tests: [REQUEST_URI, SCRIPT_NAME, expected path info].
   *
   * NOTE(review): the third data set expects '..' segments to come back
   * unchanged, so the returned path info is not a canonical path; code that
   * makes access decisions on it needs its own normalisation.
   *
   * @return array
   */
  public function genericPathInfoProvider() {
    $cases = [];

    // The query string never ends up in the path info.
    $cases[] = ['/core/index.php?XDEBUG_SESSION_START=14600', '/core/index.php', ''];
    $cases[] = ['/index.php/apps/files/', 'index.php', '/apps/files/'];
    // Dot segments and entity-looking text are passed through as they are.
    $cases[] = ['/index.php/apps/files/../&amp;/&?someQueryParameter=QueryParam', 'index.php', '/apps/files/../&amp;/&'];
    // Multi-byte characters and spaces survive.
    $cases[] = ['/remote.php/漢字編碼方法 / 汉字编码方法', 'remote.php', '/漢字編碼方法 / 汉字编码方法'];
    // Runs of slashes collapse to a single one.
    $cases[] = ['///removeTrailin//gSlashes///', 'remote.php', '/removeTrailin/gSlashes/'];
    $cases[] = ['/', '/', ''];
    $cases[] = ['', '', ''];

    return $cases;
  }
  /**
   * Data sets for the raw path info: [REQUEST_URI, SCRIPT_NAME, expected].
   * The encoded slash (%2F) is expected to stay encoded.
   *
   * @return array
   */
  public function rawPathInfoProvider() {
    $encodedSlash = ['/foo%2Fbar/subfolder', '', 'foo%2Fbar/subfolder'];

    return [$encodedSlash];
  }
  /**
   * Data sets for the decoded path info: [REQUEST_URI, SCRIPT_NAME, expected].
   * The encoded slash (%2F) is expected to come back as a real '/', so the
   * decoded form can contain more path segments than the raw request had.
   *
   * @return array
   */
  public function pathInfoProvider() {
    $decodedSlash = ['/foo%2Fbar/subfolder', '', 'foo/bar/subfolder'];

    return [$decodedSlash];
  }
  /**
   * With an empty 'overwritewebroot' the request URI is returned as received,
   * after a single config read.
   */
  public function testGetRequestUriWithoutOverwrite() {
    $this->config
      ->expects($this->once())
      ->method('getSystemValueString')
      ->with('overwritewebroot')
      ->willReturn('');

    $serverVars = ['REQUEST_URI' => '/test.php'];
    $request = new Request(
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    );

    $this->assertSame('/test.php', $request->getRequestUri());
  }
  /**
   * Data sets for testGetRequestUriWithOverwrite:
   * [expected URI, 'overwritewebroot' value, 'overwritecondaddr' value].
   *
   * @return array
   */
  public function providesGetRequestUriWithOverwriteData() {
    $expectedUri = '/scriptname.php/some/PathInfo';
    $webRoot = '/owncloud/';

    $cases = [];
    foreach (['', '123'] as $condAddr) {
      $cases[] = [$expectedUri, $webRoot, $condAddr];
    }

    return $cases;
  }
  /**
   * With 'overwritewebroot' set, the request URI is rebuilt from the script
   * name (stubbed here) and the path info of the incoming request.
   *
   * @dataProvider providesGetRequestUriWithOverwriteData
   */
  public function testGetRequestUriWithOverwrite($expectedUri, $overwriteWebRoot, $overwriteCondAddr) {
    $configMap = [
      ['overwritewebroot', '', $overwriteWebRoot],
      ['overwritecondaddr', '', $overwriteCondAddr],
    ];
    $this->config
      ->expects($this->exactly(2))
      ->method('getSystemValueString')
      ->willReturnMap($configMap);

    $serverVars = [
      'REQUEST_URI' => '/test.php/some/PathInfo',
      'SCRIPT_NAME' => '/test.php',
    ];
    $constructorArgs = [
      ['server' => $serverVars],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    ];
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs($constructorArgs)
      ->getMock();
    $request
      ->expects($this->once())
      ->method('getScriptName')
      ->willReturn('/scriptname.php');

    $this->assertSame($expectedUri, $request->getRequestUri());
  }
  /**
   * Request token supplied as the 'requesttoken' query parameter, with both
   * same-site cookies present: the token is handed to the CSRF token manager
   * exactly once and the check passes.
   */
  public function testPassesCSRFCheckWithGet() {
    $rawToken = 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds';
    $requestVars = [
      'get' => [
        'requesttoken' => $rawToken,
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    // The manager must receive a token equal to the one carried by the request.
    $token = new CsrfToken($rawToken);
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * Request token supplied as the 'requesttoken' POST field, with both
   * same-site cookies present: the token is handed to the CSRF token manager
   * exactly once and the check passes.
   */
  public function testPassesCSRFCheckWithPost() {
    $rawToken = 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds';
    $requestVars = [
      'post' => [
        'requesttoken' => $rawToken,
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    // The manager must receive a token equal to the one carried by the request.
    $token = new CsrfToken($rawToken);
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * Request token supplied in the REQUESTTOKEN HTTP header, with both
   * same-site cookies present: the token is handed to the CSRF token manager
   * exactly once and the check passes.
   */
  public function testPassesCSRFCheckWithHeader() {
    $rawToken = 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds';
    $requestVars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => $rawToken,
      ],
      'cookies' => [
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    // The manager must receive a token equal to the one carried by the request.
    $token = new CsrfToken($rawToken);
    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->with($token)
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * A request that carries no cookies at all still has its token validated
   * once and passes when the manager accepts it.
   *
   * NOTE(review): unlike the variants with cookies, this test does not pin
   * which token value reaches isTokenValid().
   */
  public function testPassesCSRFCheckWithGetAndWithoutCookies() {
    $requestVars = [
      'get' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * POST variant of the cookie-less case: the token is validated once and the
   * check passes when the manager accepts it.
   *
   * NOTE(review): the token value passed to isTokenValid() is not pinned here.
   */
  public function testPassesCSRFCheckWithPostAndWithoutCookies() {
    $requestVars = [
      'post' => [
        'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * Header variant of the cookie-less case: the token is validated once and
   * the check passes when the manager accepts it.
   *
   * NOTE(review): the token value passed to isTokenValid() is not pinned here.
   */
  public function testPassesCSRFCheckWithHeaderAndWithoutCookies() {
    $requestVars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->once())
      ->method('isTokenValid')
      ->willReturn(true);

    $this->assertTrue($request->passesCSRFCheck());
  }
  /**
   * A session cookie arrives together with the strict same-site cookie but
   * without the lax one. The CSRF check must fail, and it must do so before
   * the token is looked at: isTokenValid() is never called.
   */
  public function testFailsCSRFCheckWithHeaderAndNotAllChecksPassing() {
    $requestVars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      // 'nc_sameSiteCookielax' is left out on purpose.
      'cookies' => [
        session_name() => 'asdf',
        'nc_sameSiteCookiestrict' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $this->csrfTokenManager
      ->expects($this->never())
      ->method('isTokenValid');

    $this->assertFalse($request->passesCSRFCheck());
  }
  /**
   * With session cookie parameters stubbed to secure=true and path='/', the
   * same-site cookies sent under their '__Host-' prefixed names satisfy the
   * strict cookie check.
   */
  public function testPassesStrictCookieCheckWithAllCookiesAndStrict() {
    $requestVars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        '__Host-nc_sameSiteCookiestrict' => 'true',
        '__Host-nc_sameSiteCookielax' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName', 'getCookieParams'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $cookieParams = [
      'secure' => true,
      'path' => '/',
    ];
    $request
      ->expects($this->any())
      ->method('getCookieParams')
      ->willReturn($cookieParams);

    $this->assertTrue($request->passesStrictCookieCheck());
  }
  /**
   * Same stubbed cookie parameters (secure=true, path='/'), but the same-site
   * cookies arrive under their un-prefixed names. The strict cookie check
   * must fail: without the '__Host-' prefix the cookies do not count here.
   */
  public function testFailsStrictCookieCheckWithAllCookiesAndMissingStrict() {
    $requestVars = [
      'server' => [
        'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
      ],
      'cookies' => [
        session_name() => 'asdf',
        'nc_sameSiteCookiestrict' => 'true',
        'nc_sameSiteCookielax' => 'true',
      ],
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
      ->setMethods(['getScriptName', 'getCookieParams'])
      ->setConstructorArgs([
        $requestVars,
        $this->requestId,
        $this->config,
        $this->csrfTokenManager,
        $this->stream
      ])
      ->getMock();

    $cookieParams = [
      'secure' => true,
      'path' => '/',
    ];
    $request
      ->expects($this->any())
      ->method('getCookieParams')
      ->willReturn($cookieParams);

    $this->assertFalse($request->passesStrictCookieCheck());
  }
  /**
   * getCookieParams() must hand back exactly what PHP reports through
   * session_get_cookie_params().
   */
  public function testGetCookieParams() {
    $constructorArgs = [
      [],
      $this->requestId,
      $this->config,
      $this->csrfTokenManager,
      $this->stream
    ];

    /** @var Request $request */
    $request = $this->getMockBuilder(Request::class)
      ->setMethods(['getScriptName'])
      ->setConstructorArgs($constructorArgs)
      ->getMock();

    $actual = $request->getCookieParams();

    $this->assertSame(session_get_cookie_params(), $actual);
  }
  /**
   * The strict cookie check passes when the session cookie is accompanied by
   * both SameSite cookies, each set to 'true'.
   *
   * getCookieParams() is not mocked here, so the cookie names are sent
   * without a prefix and the real session cookie params apply.
   * NOTE(review): presumably the suite's session settings do not call for the
   * `__Host-` prefix - confirm, otherwise this test depends on php.ini.
   */
  public function testPassesStrictCookieCheckWithAllCookies() {
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookiestrict' => 'true',
          'nc_sameSiteCookielax' => 'true',
      ];
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => $cookies,
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertTrue($request->passesStrictCookieCheck());
  }
  /**
   * A request whose only cookie is unrelated to the session passes the strict
   * cookie check even though no SameSite cookie is present.
   *
   * NOTE(review): presumably the check is only enforced once a session or
   * remember-me cookie is attached - confirm against Request.
   */
  public function testPassesStrictCookieCheckWithRandomCookies() {
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => [
              'RandomCookie' => 'asdf',
          ],
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertTrue($request->passesStrictCookieCheck());
  }
  /**
   * A session cookie sent without any SameSite cookie must fail the strict
   * cookie check, even though a request token header is present.
   */
  public function testFailsStrictCookieCheckWithSessionCookie() {
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => [
              // The session cookie is the only cookie on the request.
              session_name() => 'asdf',
          ],
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesStrictCookieCheck());
  }
  /**
   * An `nc_token` cookie (the remember-me cookie, going by the test name)
   * sent without any SameSite cookie must fail the strict cookie check.
   *
   * No session cookie is sent, so the remember-me cookie alone has to be
   * enough to make the check apply.
   */
  public function testFailsStrictCookieCheckWithRememberMeCookie() {
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => [
              'nc_token' => 'asdf',
          ],
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesStrictCookieCheck());
  }
  /**
   * The CSRF check must fail, without the token manager ever being asked,
   * for a POSTed request token that arrives with a session cookie but no
   * SameSite cookies.
   *
   * NOTE(review): presumably the rejection comes from the strict cookie check
   * running before token validation - confirm in Request::passesCSRFCheck().
   * The never() expectation is what pins that ordering: a well-formed token
   * must not be able to stand in for the missing SameSite cookies.
   */
  public function testFailsCSRFCheckWithPostAndWithCookies() {
      $requestVars = [
          'post' => [
              'requesttoken' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => [
              session_name() => 'asdf',
              'foo' => 'bar',
          ],
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      // Token validation must not be reached at all.
      $this->csrfTokenManager
          ->expects($this->never())
          ->method('isTokenValid');

      $this->assertFalse($request->passesCSRFCheck());
  }
  /**
   * With a session cookie present, the lax SameSite cookie on its own is not
   * enough: the strict cookie check must fail when the strict one is absent.
   */
  public function testFailStrictCookieCheckWithOnlyLaxCookie() {
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookielax' => 'true',
      ];
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => $cookies,
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesStrictCookieCheck());
  }
  /**
   * With a session cookie present, the strict SameSite cookie on its own is
   * not enough either: the strict cookie check must fail when the lax one is
   * absent.
   */
  public function testFailStrictCookieCheckWithOnlyStrictCookie() {
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookiestrict' => 'true',
      ];
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => $cookies,
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesStrictCookieCheck());
  }
  /**
   * The lax cookie check passes when the session cookie is accompanied by
   * the lax SameSite cookie; the strict cookie is not needed for it.
   */
  public function testPassesLaxCookieCheck() {
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookielax' => 'true',
      ];
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => $cookies,
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertTrue($request->passesLaxCookieCheck());
  }
  /**
   * The lax cookie check must fail when the session cookie comes with the
   * strict SameSite cookie only: the strict cookie does not substitute for
   * the lax one.
   */
  public function testFailsLaxCookieCheckWithOnlyStrictCookie() {
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookiestrict' => 'true',
      ];
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          ],
          'cookies' => $cookies,
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesLaxCookieCheck());
  }
  /**
   * A request carrying the `HTTP_OCS_APIREQUEST` server variable passes the
   * strict cookie check although its session cookie comes with a strict
   * SameSite cookie set to 'false' and no lax cookie at all.
   *
   * NOTE(review): this pins an exemption from the SameSite cookie gate.
   * Presumably it relies on the OCS header being one a cross-site form
   * submission cannot attach - confirm that assumption holds wherever the
   * header is accepted, since the exemption is only as strong as that.
   */
  public function testSkipCookieCheckForOCSRequests() {
      $server = [
          'HTTP_REQUESTTOKEN' => 'AAAHGxsTCTc3BgMQESAcNR0OAR0=:MyTotalSecretShareds',
          'HTTP_OCS_APIREQUEST' => 'true',
      ];
      $cookies = [
          session_name() => 'asdf',
          'nc_sameSiteCookiestrict' => 'false',
      ];
      $constructorArgs = [
          [
              'server' => $server,
              'cookies' => $cookies,
          ],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertTrue($request->passesStrictCookieCheck());
  }
  /**
   * Data sets for testPassesCSRFCheckWithInvalidToken(): request token
   * strings that the CSRF check is expected to reject, including the
   * empty string.
   *
   * @return array one single-element row (the token string) per data set
   */
  public function invalidTokenDataProvider() {
      $tokens = [
          'InvalidSentToken',
          'InvalidSentToken:InvalidSecret',
          '',
      ];

      // PHPUnit expects one argument list per data set.
      $dataSets = [];
      foreach ($tokens as $token) {
          $dataSets[] = [$token];
      }

      return $dataSets;
  }
  /**
   * Despite its name, this asserts that the CSRF check FAILS when the
   * request token header holds a value the token manager reports as invalid.
   *
   * The request carries no cookies; the token manager is stubbed to answer
   * false for a CsrfToken built from the same string.
   * NOTE(review): the any() expectation also passes if isTokenValid() is
   * never called, so this does not prove the manager was consulted for
   * every data set.
   *
   * @dataProvider invalidTokenDataProvider
   * @param string $invalidToken
   */
  public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
      $requestVars = [
          'server' => [
              'HTTP_REQUESTTOKEN' => $invalidToken,
          ],
      ];
      $constructorArgs = [
          $requestVars,
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->csrfTokenManager
          ->expects($this->any())
          ->method('isTokenValid')
          ->with(new CsrfToken($invalidToken))
          ->willReturn(false);

      $this->assertFalse($request->passesCSRFCheck());
  }
  /**
   * The CSRF check must fail for a request built from empty request
   * variables, i.e. one that supplies no request token anywhere.
   */
  public function testPassesCSRFCheckWithoutTokenFail() {
      $constructorArgs = [
          [],
          $this->requestId,
          $this->config,
          $this->csrfTokenManager,
          $this->stream,
      ];

      /** @var Request $request */
      $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
          ->setMethods(['getScriptName'])
          ->setConstructorArgs($constructorArgs)
          ->getMock();

      $this->assertFalse($request->passesCSRFCheck());
  }
  2081. }