mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 994 Wiki Activity
Browse Source

Add mitigation against BREACH 

While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response most reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
tags/v8.2beta1
Lukas Reschke 8 years ago
parent
1f96fb3352
commit
8313a3fcb3
16 changed files with 159 additions and 31 deletions
Split View Show Diff Stats
  1. 1
    12
      lib/base.php
  2. 21
    1
      lib/private/appframework/http/request.php
  3. 1
    0
      lib/private/server.php
  4. 6
    2
      lib/private/util.php
  5. 1
    0
      tests/lib/appframework/controller/ApiControllerTest.php
  6. 1
    0
      tests/lib/appframework/controller/ControllerTest.php
  7. 4
    0
      tests/lib/appframework/controller/OCSControllerTest.php
  8. 1
    0
      tests/lib/appframework/dependencyinjection/DIContainerTest.php
  9. 6
    0
      tests/lib/appframework/http/DispatcherTest.php
  10. 102
    15
      tests/lib/appframework/http/RequestTest.php
  11. 1
    0
      tests/lib/appframework/middleware/MiddlewareDispatcherTest.php
  12. 1
    0
      tests/lib/appframework/middleware/MiddlewareTest.php
  13. 10
    0
      tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
  14. 1
    0
      tests/lib/appframework/middleware/security/SecurityMiddlewareTest.php
  15. 1
    0
      tests/lib/appframework/middleware/sessionmiddlewaretest.php
  16. 1
    1
      tests/lib/util.php

+ 1
- 12
lib/base.php View File

@@ -134,18 +134,7 @@ class OC {
OC_Config::$object = new \OC\Config(self::$configDir);

OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT)));
/**
* FIXME: The following line is required because of a cyclic dependency
* on IRequest.
*/
$params = [
'server' => [
'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'],
'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'],
],
];
$fakeRequest = new \OC\AppFramework\Http\Request($params, null, new \OC\AllConfig(new \OC\SystemConfig()));
$scriptName = $fakeRequest->getScriptName();
$scriptName = $_SERVER['SCRIPT_NAME'];
if (substr($scriptName, -1) == '/') {
$scriptName .= 'index.php';
//make sure suburi follows the same rules as scriptName

+ 21
- 1
lib/private/appframework/http/request.php View File

@@ -32,6 +32,7 @@ namespace OC\AppFramework\Http;
use OC\Security\TrustedDomainHelper;
use OCP\IConfig;
use OCP\IRequest;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom;

/**
@@ -67,6 +68,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
protected $config;
/** @var string */
protected $requestId = '';
/** @var ICrypto */
protected $crypto;

/**
* @param array $vars An associative array with the following optional values:
@@ -80,17 +83,20 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* - string 'method' the request method (GET, POST etc)
* - string|false 'requesttoken' the requesttoken or false when not available
* @param ISecureRandom $secureRandom
* @param ICrypto $crypto
* @param IConfig $config
* @param string $stream
* @see http://www.php.net/manual/en/reserved.variables.php
*/
public function __construct(array $vars=array(),
ISecureRandom $secureRandom = null,
ICrypto $crypto,
IConfig $config,
$stream='php://input') {
$this->inputStream = $stream;
$this->items['params'] = array();
$this->secureRandom = $secureRandom;
$this->crypto = $crypto;
$this->config = $config;

if(!array_key_exists('method', $vars)) {
@@ -415,8 +421,22 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return false;
}

// Decrypt token to prevent BREACH like attacks
$token = explode(':', $token);
if (count($token) !== 2) {
return false;
}

$encryptedToken = $token[0];
$secret = $token[1];
try {
$decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
} catch (\Exception $e) {
return false;
}

// Check if the token is valid
if(\OCP\Security\StringUtils::equals($token, $this->items['requesttoken'])) {
if(\OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken'])) {
return true;
} else {
return false;

+ 1
- 0
lib/private/server.php View File

@@ -409,6 +409,7 @@ class Server extends SimpleContainer implements IServerContainer {
'requesttoken' => $requestToken,
],
$this->getSecureRandom(),
$this->getCrypto(),
$this->getConfig(),
$stream
);

+ 6
- 2
lib/private/util.php View File

@@ -1057,7 +1057,8 @@ class OC_Util {
/**
* Register an get/post call. Important to prevent CSRF attacks.
*
* @return string Generated token.
* @return string The encrypted CSRF token, the shared secret is appended after the `:`.
*
* @description
* Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed,
@@ -1074,7 +1075,10 @@ class OC_Util {
// Valid token already exists, send it
$requestToken = \OC::$server->getSession()->get('requesttoken');
}
return ($requestToken);

// Encrypt the token to mitigate breach-like attacks
$sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
return \OC::$server->getCrypto()->encrypt($requestToken, $sharedSecret) . ':' . $sharedSecret;
}

/**

+ 1
- 0
tests/lib/appframework/controller/ApiControllerTest.php View File

@@ -38,6 +38,7 @@ class ApiControllerTest extends \Test\TestCase {
$request = new Request(
['server' => ['HTTP_ORIGIN' => 'test']],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->controller = new ChildApiController('app', $request, 'verbs',

+ 1
- 0
tests/lib/appframework/controller/ControllerTest.php View File

@@ -76,6 +76,7 @@ class ControllerTest extends \Test\TestCase {
'method' => 'hi',
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);


+ 4
- 0
tests/lib/appframework/controller/OCSControllerTest.php View File

@@ -43,6 +43,7 @@ class OCSControllerTest extends \Test\TestCase {
],
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$controller = new ChildOCSController('app', $request, 'verbs',
@@ -64,6 +65,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
));
$expected = "<?xml version=\"1.0\"?>\n" .
@@ -96,6 +98,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
));
$expected = "<?xml version=\"1.0\"?>\n" .
@@ -128,6 +131,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
));
$expected = '{"ocs":{"meta":{"status":"failure","statuscode":400,"message":"OK",' .

+ 1
- 0
tests/lib/appframework/dependencyinjection/DIContainerTest.php View File

@@ -74,6 +74,7 @@ class DIContainerTest extends \Test\TestCase {
$this->container['Request'] = new Request(
['method' => 'GET'],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$security = $this->container['SecurityMiddleware'];

+ 6
- 0
tests/lib/appframework/http/DispatcherTest.php View File

@@ -295,6 +295,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST'
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(
@@ -322,6 +323,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST',
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(
@@ -352,6 +354,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'GET'
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(
@@ -381,6 +384,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'GET'
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(
@@ -411,6 +415,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'PUT'
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(
@@ -443,6 +448,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST'
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->dispatcher = new Dispatcher(

+ 102
- 15
tests/lib/appframework/http/RequestTest.php View File

@@ -10,6 +10,7 @@

namespace OC\AppFramework\Http;

use OC\Security\Crypto;
use OCP\Security\ISecureRandom;
use OCP\IConfig;

@@ -53,6 +54,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -85,6 +87,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -96,8 +99,8 @@ class RequestTest extends \Test\TestCase {


/**
* @expectedException \RuntimeException
*/
* @expectedException \RuntimeException
*/
public function testImmutableArrayAccess() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -107,6 +110,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -115,8 +119,8 @@ class RequestTest extends \Test\TestCase {
}

/**
* @expectedException \RuntimeException
*/
* @expectedException \RuntimeException
*/
public function testImmutableMagicAccess() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -126,6 +130,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -134,8 +139,8 @@ class RequestTest extends \Test\TestCase {
}

/**
* @expectedException \LogicException
*/
* @expectedException \LogicException
*/
public function testGetTheMethodRight() {
$vars = array(
'get' => array('name' => 'John Q. Public', 'nickname' => 'Joey'),
@@ -145,6 +150,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -161,6 +167,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -182,6 +189,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -206,6 +214,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -230,6 +239,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -250,6 +260,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -274,6 +285,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -303,6 +315,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -324,6 +337,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
$vars,
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -347,6 +361,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -358,6 +373,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
\OC::$server->getSecureRandom(),
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -382,6 +398,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -410,6 +427,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -438,6 +456,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -470,6 +489,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -497,6 +517,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -506,10 +527,10 @@ class RequestTest extends \Test\TestCase {

public function testGetServerProtocolWithProtoValid() {
$this->config
->expects($this->exactly(2))
->method('getSystemValue')
->with('overwriteprotocol')
->will($this->returnValue(''));
->expects($this->exactly(2))
->method('getSystemValue')
->with('overwriteprotocol')
->will($this->returnValue(''));

$requestHttps = new Request(
[
@@ -518,6 +539,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -528,6 +550,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -551,6 +574,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -571,6 +595,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -587,6 +612,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -607,6 +633,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -628,6 +655,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -716,6 +744,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -732,6 +761,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -749,6 +779,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -766,6 +797,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -793,6 +825,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -814,6 +847,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -840,6 +874,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -866,6 +901,7 @@ class RequestTest extends \Test\TestCase {
],
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -882,6 +918,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -909,6 +946,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request(
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -924,6 +962,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -944,6 +983,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -964,6 +1004,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -986,6 +1027,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1008,6 +1050,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1030,6 +1073,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1052,6 +1096,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1105,6 +1150,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
);
@@ -1144,6 +1190,7 @@ class RequestTest extends \Test\TestCase {
]
],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
])
@@ -1157,17 +1204,25 @@ class RequestTest extends \Test\TestCase {
}

public function testPassesCSRFCheckWithGet() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));

/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'get' => [
'requesttoken' => 'MyStoredRequestToken',
'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
$crypto,
$this->config,
$this->stream
])
@@ -1177,17 +1232,25 @@ class RequestTest extends \Test\TestCase {
}

public function testPassesCSRFCheckWithPost() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));

/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'post' => [
'requesttoken' => 'MyStoredRequestToken',
'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
$crypto,
$this->config,
$this->stream
])
@@ -1197,17 +1260,24 @@ class RequestTest extends \Test\TestCase {
}

public function testPassesCSRFCheckWithHeader() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));
/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_REQUESTTOKEN' => 'MyStoredRequestToken',
'HTTP_REQUESTTOKEN' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
$crypto,
$this->config,
$this->stream
])
@@ -1216,18 +1286,34 @@ class RequestTest extends \Test\TestCase {
$this->assertTrue($request->passesCSRFCheck());
}

public function testPassesCSRFCheckWithInvalidToken() {
public function invalidTokenDataProvider() {
return [
['InvalidSentToken'],
['InvalidSentToken:InvalidSecret'],
[null],
[''],
];
}

/**
* @dataProvider invalidTokenDataProvider
* @param string $invalidToken
*/
public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
$crypto = new Crypto($this->config, $this->secureRandom);

/** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName'])
->setConstructorArgs([
[
'server' => [
'HTTP_REQUESTTOKEN' => 'MyInvalidSentToken',
'HTTP_REQUESTTOKEN' => $invalidToken,
],
'requesttoken' => 'MyStoredRequestToken',
],
$this->secureRandom,
$crypto,
$this->config,
$this->stream
])
@@ -1243,6 +1329,7 @@ class RequestTest extends \Test\TestCase {
->setConstructorArgs([
[],
$this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config,
$this->stream
])

+ 1
- 0
tests/lib/appframework/middleware/MiddlewareDispatcherTest.php View File

@@ -133,6 +133,7 @@ class MiddlewareDispatcherTest extends \Test\TestCase {
new Request(
['method' => 'GET'],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
)
]

+ 1
- 0
tests/lib/appframework/middleware/MiddlewareTest.php View File

@@ -61,6 +61,7 @@ class MiddlewareTest extends \Test\TestCase {
new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
)
]

+ 10
- 0
tests/lib/appframework/middleware/security/CORSMiddlewareTest.php View File

@@ -42,6 +42,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
]
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->reflector->reflect($this, __FUNCTION__);
@@ -61,6 +62,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
]
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@@ -78,6 +80,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$request = new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->reflector->reflect($this, __FUNCTION__);
@@ -101,6 +104,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
]
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->reflector->reflect($this, __FUNCTION__);
@@ -119,6 +123,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$request = new Request(
[],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->reflector->reflect($this, __FUNCTION__);
@@ -144,6 +149,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->session->expects($this->once())
@@ -169,6 +175,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->session->expects($this->once())
@@ -190,6 +197,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@@ -206,6 +214,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@@ -226,6 +235,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass'
]],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$middleware = new CORSMiddleware($request, $this->reflector, $this->session);

+ 1
- 0
tests/lib/appframework/middleware/security/SecurityMiddlewareTest.php View File

@@ -322,6 +322,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
]
],
$this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->middleware = $this->getMiddleware(true, true);

+ 1
- 0
tests/lib/appframework/middleware/sessionmiddlewaretest.php View File

@@ -36,6 +36,7 @@ class SessionMiddlewareTest extends \Test\TestCase {
$this->request = new Request(
[],
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig')
);
$this->reflector = new ControllerMethodReflector();

+ 1
- 1
tests/lib/util.php View File

@@ -91,7 +91,7 @@ class Test_Util extends \Test\TestCase {

function testCallRegister() {
$result = strlen(OC_Util::callRegister());
$this->assertEquals(30, $result);
$this->assertEquals(221, $result);
}

function testSanitizeHTML() {

Write Preview
Loading…
Cancel
Save