diff options
author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-09-06 14:39:32 +0200 |
---|---|---|
committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-09-06 17:16:10 +0200 |
commit | 5fc715a9e2d2284751b46a928ab402ec28c7ca08 (patch) | |
tree | 84fe68ce559ed677dcf5d66afc6aebaf6d253a84 /apps/dav/tests/unit | |
parent | 0a72756d96cb1d85b6c0fd26189c341b75ec4f0d (diff) | |
download | nextcloud-server-5fc715a9e2d2284751b46a928ab402ec28c7ca08.tar.gz nextcloud-server-5fc715a9e2d2284751b46a928ab402ec28c7ca08.zip |
fix: Adjust unit tests and protect against XSS
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps/dav/tests/unit')
-rw-r--r-- | apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php | 54 |
1 files changed, 45 insertions, 9 deletions
diff --git a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php index ff928d46a35..c44f52ec713 100644 --- a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php +++ b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php @@ -10,6 +10,7 @@ declare(strict_types=1); namespace OCA\DAV\Tests\unit\Connector\Sabre; use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin; +use OCA\Theming\ThemingDefaults; use OCP\IConfig; use PHPUnit\Framework\MockObject\MockObject; use Sabre\HTTP\RequestInterface; @@ -21,19 +22,23 @@ use Test\TestCase; * @package OCA\DAV\Tests\unit\Connector\Sabre */ class BlockLegacyClientPluginTest extends TestCase { - /** @var IConfig|MockObject */ - private $config; - /** @var BlockLegacyClientPlugin */ - private $blockLegacyClientVersionPlugin; + + private IConfig&MockObject $config; + private ThemingDefaults&MockObject $themingDefaults; + private BlockLegacyClientPlugin $blockLegacyClientVersionPlugin; protected function setUp(): void { parent::setUp(); $this->config = $this->createMock(IConfig::class); - $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin($this->config); + $this->themingDefaults = $this->createMock(ThemingDefaults::class); + $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin( + $this->config, + $this->themingDefaults, + ); } - public function oldDesktopClientProvider(): array { + public static function oldDesktopClientProvider(): array { return [ ['Mozilla/5.0 (Windows) mirall/1.5.0'], ['Mozilla/5.0 (Bogus Text) mirall/1.6.9'], @@ -46,10 +51,9 @@ class BlockLegacyClientPluginTest extends TestCase { public function testBeforeHandlerException(string $userAgent): void { $this->expectException(\Sabre\DAV\Exception\Forbidden::class); - $this->config + $this->themingDefaults ->expects($this->once()) - ->method('getSystemValue') - ->with('customclient_desktop', 'https://nextcloud.com/install/#install-clients') + ->method('getSyncClientUrl') ->willReturn('https://nextcloud.com/install/#install-clients'); $this->config @@ -72,6 +76,38 @@ class BlockLegacyClientPluginTest extends TestCase { $this->blockLegacyClientVersionPlugin->beforeHandler($request); } + /** + * Ensure that there is no room for XSS attack through configured URL / version + * @dataProvider oldDesktopClientProvider + */ + public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): void { + $this->expectException(\Sabre\DAV\Exception\Forbidden::class); + + $this->themingDefaults + ->expects($this->once()) + ->method('getSyncClientUrl') + ->willReturn('https://example.com"><script>alter("hacked");</script>'); + + $this->config + ->expects($this->once()) + ->method('getSystemValue') + ->with('minimum.supported.desktop.version', '2.3.0') + ->willReturn('1.7.0 <script>alert("unsafe")</script>'); + + $this->expectExceptionMessage('This version of the client is unsupported. Upgrade to <a href="https://example.com"><script>alter("hacked");</script>">version 1.7.0 <script>alert("unsafe")</script> or later</a>.'); + + /** @var RequestInterface|MockObject $request */ + $request = $this->createMock('\Sabre\HTTP\RequestInterface'); + $request + ->expects($this->once()) + ->method('getHeader') + ->with('User-Agent') + ->willReturn($userAgent); + + + $this->blockLegacyClientVersionPlugin->beforeHandler($request); + } + public function newAndAlternateDesktopClientProvider(): array { return [ ['Mozilla/5.0 (Windows) mirall/1.7.0'], |