mirrors
/
nextcloud
mirror of https://github.com/nextcloud/server.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 1010 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
74957 Commits
388 Branches
Tree: da8e1c192d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'da8e1c192d'
${ noResults }
nextcloud/apps/settings/tests/SetupChecks/SecurityHeadersTest.php

SecurityHeadersTest.php 8.7KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207 
  1. <?php

  2. 

  3. declare(strict_types=1);

  4. 

  5. /**

  6.  * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors

  7.  * SPDX-License-Identifier: AGPL-3.0-or-later

  8.  */

  9. namespace OCA\Settings\Tests;

  10. 

  11. use OCA\Settings\SetupChecks\SecurityHeaders;

  12. use OCP\Http\Client\IClientService;

  13. use OCP\Http\Client\IResponse;

  14. use OCP\IConfig;

  15. use OCP\IL10N;

  16. use OCP\IURLGenerator;

  17. use OCP\SetupCheck\SetupResult;

  18. use PHPUnit\Framework\MockObject\MockObject;

  19. use Psr\Log\LoggerInterface;

  20. use Test\TestCase;

  21. 

  22. class SecurityHeadersTest extends TestCase {

  23. 	private IL10N|MockObject $l10n;

  24. 	private IConfig|MockObject $config;

  25. 	private IURLGenerator|MockObject $urlGenerator;

  26. 	private IClientService|MockObject $clientService;

  27. 	private LoggerInterface|MockObject $logger;

  28. 	private SecurityHeaders|MockObject $setupcheck;

  29. 

  30. 	protected function setUp(): void {

  31. 		parent::setUp();

  32. 

  33. 		/** @var IL10N|MockObject */

  34. 		$this->l10n = $this->getMockBuilder(IL10N::class)

  35. 			->disableOriginalConstructor()->getMock();

  36. 		$this->l10n->expects($this->any())

  37. 			->method('t')

  38. 			->willReturnCallback(function ($message, array $replace) {

  39. 				return vsprintf($message, $replace);

  40. 			});

  41. 

  42. 		$this->config = $this->createMock(IConfig::class);

  43. 		$this->urlGenerator = $this->createMock(IURLGenerator::class);

  44. 		$this->clientService = $this->createMock(IClientService::class);

  45. 		$this->logger = $this->createMock(LoggerInterface::class);

  46. 

  47. 		$this->setupcheck = $this->getMockBuilder(SecurityHeaders::class)

  48. 			->onlyMethods(['runRequest'])

  49. 			->setConstructorArgs([

  50. 				$this->l10n,

  51. 				$this->config,

  52. 				$this->urlGenerator,

  53. 				$this->clientService,

  54. 				$this->logger,

  55. 			])

  56. 			->getMock();

  57. 	}

  58. 

  59. 	public function testInvalidStatusCode(): void {

  60. 		$this->setupResponse(500, []);

  61. 

  62. 		$result = $this->setupcheck->run();

  63. 		$this->assertMatchesRegularExpression('/^Could not check that your web server serves security headers correctly/', $result->getDescription());

  64. 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());

  65. 	}

  66. 

  67. 	public function testAllHeadersMissing(): void {

  68. 		$this->setupResponse(200, []);

  69. 

  70. 		$result = $this->setupcheck->run();

  71. 		$this->assertMatchesRegularExpression('/^Some headers are not set correctly on your instance/', $result->getDescription());

  72. 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());

  73. 	}

  74. 

  75. 	public function testSomeHeadersMissing(): void {

  76. 		$this->setupResponse(

  77. 			200,

  78. 			[

  79. 				'X-Robots-Tag' => 'noindex, nofollow',

  80. 				'X-Frame-Options' => 'SAMEORIGIN',

  81. 				'Strict-Transport-Security' => 'max-age=15768000;preload',

  82. 				'X-Permitted-Cross-Domain-Policies' => 'none',

  83. 				'Referrer-Policy' => 'no-referrer',

  84. 			]

  85. 		);

  86. 

  87. 		$result = $this->setupcheck->run();

  88. 		$this->assertEquals(

  89. 			"Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",

  90. 			$result->getDescription()

  91. 		);

  92. 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());

  93. 	}

  94. 

  95. 	public function dataSuccess(): array {

  96. 		return [

  97. 			// description => modifiedHeaders

  98. 			'basic' => [[]],

  99. 			'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],

  100. 			'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],

  101. 			'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],

  102. 			'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],

  103. 			'referrer-strict-origin' => [['Referrer-Policy' => 'strict-origin']],

  104. 			'referrer-strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],

  105. 			'referrer-same-origin' => [['Referrer-Policy' => 'same-origin']],

  106. 			'hsts-minimum' => [['Strict-Transport-Security' => 'max-age=15552000']],

  107. 			'hsts-include-subdomains' => [['Strict-Transport-Security' => 'max-age=99999999; includeSubDomains']],

  108. 			'hsts-include-subdomains-preload' => [['Strict-Transport-Security' => 'max-age=99999999; preload; includeSubDomains']],

  109. 		];

  110. 	}

  111. 

  112. 	/**

  113. 	 * @dataProvider dataSuccess

  114. 	 */

  115. 	public function testSuccess($headers): void {

  116. 		$headers = array_merge(

  117. 			[

  118. 				'X-XSS-Protection' => '1; mode=block',

  119. 				'X-Content-Type-Options' => 'nosniff',

  120. 				'X-Robots-Tag' => 'noindex, nofollow',

  121. 				'X-Frame-Options' => 'SAMEORIGIN',

  122. 				'Strict-Transport-Security' => 'max-age=15768000',

  123. 				'X-Permitted-Cross-Domain-Policies' => 'none',

  124. 				'Referrer-Policy' => 'no-referrer',

  125. 			],

  126. 			$headers

  127. 		);

  128. 		$this->setupResponse(

  129. 			200,

  130. 			$headers

  131. 		);

  132. 

  133. 		$result = $this->setupcheck->run();

  134. 		$this->assertEquals(

  135. 			'Your server is correctly configured to send security headers.',

  136. 			$result->getDescription()

  137. 		);

  138. 		$this->assertEquals(SetupResult::SUCCESS, $result->getSeverity());

  139. 	}

  140. 

  141. 	public function dataFailure(): array {

  142. 		return [

  143. 			// description => modifiedHeaders

  144. 			'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],

  145. 			'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],

  146. 			'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],

  147. 			'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],

  148. 			'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],

  149. 			'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],

  150. 			'hsts-missing' => [['Strict-Transport-Security' => ''], "- The `Strict-Transport-Security` HTTP header is not set (should be at least `15552000` seconds). For enhanced security, it is recommended to enable HSTS.\n"],

  151. 			'hsts-too-low' => [['Strict-Transport-Security' => 'max-age=15551999'], "- The `Strict-Transport-Security` HTTP header is not set to at least `15552000` seconds (current value: `15551999`). For enhanced security, it is recommended to use a long HSTS policy.\n"],

  152. 			'hsts-malformed' => [['Strict-Transport-Security' => 'iAmABogusHeader342'], "- The `Strict-Transport-Security` HTTP header is malformed: `iAmABogusHeader342`. For enhanced security, it is recommended to enable HSTS.\n"],

  153. 		];

  154. 	}

  155. 

  156. 	/**

  157. 	 * @dataProvider dataFailure

  158. 	 */

  159. 	public function testFailure(array $headers, string $msg): void {

  160. 		$headers = array_merge(

  161. 			[

  162. 				'X-XSS-Protection' => '1; mode=block',

  163. 				'X-Content-Type-Options' => 'nosniff',

  164. 				'X-Robots-Tag' => 'noindex, nofollow',

  165. 				'X-Frame-Options' => 'SAMEORIGIN',

  166. 				'Strict-Transport-Security' => 'max-age=15768000',

  167. 				'X-Permitted-Cross-Domain-Policies' => 'none',

  168. 				'Referrer-Policy' => 'no-referrer',

  169. 			],

  170. 			$headers

  171. 		);

  172. 		$this->setupResponse(

  173. 			200,

  174. 			$headers

  175. 		);

  176. 

  177. 		$result = $this->setupcheck->run();

  178. 		$this->assertEquals(

  179. 			'Some headers are not set correctly on your instance'."\n$msg",

  180. 			$result->getDescription()

  181. 		);

  182. 		$this->assertEquals(SetupResult::WARNING, $result->getSeverity());

  183. 	}

  184. 

  185. 	protected function setupResponse(int $statuscode, array $headers): void {

  186. 		$response = $this->createMock(IResponse::class);

  187. 		$response->expects($this->atLeastOnce())->method('getStatusCode')->willReturn($statuscode);

  188. 		$response->expects($this->any())->method('getHeader')

  189. 			->willReturnCallback(

  190. 				fn (string $header): string => $headers[$header] ?? ''

  191. 			);

  192. 

  193. 		$this->setupcheck

  194. 			->expects($this->atLeastOnce())

  195. 			->method('runRequest')

  196. 			->willReturnOnConsecutiveCalls($this->generate([$response]));

  197. 	}

  198. 

  199. 	/**

  200. 	 * Helper function creates a nicer interface for mocking Generator behavior

  201. 	 */

  202. 	protected function generate(array $yield_values) {

  203. 		return $this->returnCallback(function () use ($yield_values) {

  204. 			yield from $yield_values;

  205. 		});

  206. 	}

  207. }