authorFerdinand Thiessen <opensource@fthiessen.de>2024-09-06 14:39:32 +0200
committerFerdinand Thiessen <opensource@fthiessen.de>2024-09-06 17:16:10 +0200
commit5fc715a9e2d2284751b46a928ab402ec28c7ca08 (patch)
tree84fe68ce559ed677dcf5d66afc6aebaf6d253a84 /apps/dav/tests/unit
parent0a72756d96cb1d85b6c0fd26189c341b75ec4f0d (diff)
fix: Adjust unit tests and protect against XSS
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps/dav/tests/unit')
-rw-r--r--apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php54
1 files changed, 45 insertions, 9 deletions
diff --git a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
index ff928d46a35..c44f52ec713 100644
--- a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
@@ -10,6 +10,7 @@ declare(strict_types=1);
namespace OCA\DAV\Tests\unit\Connector\Sabre;
use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
+use OCA\Theming\ThemingDefaults;
use OCP\IConfig;
use PHPUnit\Framework\MockObject\MockObject;
use Sabre\HTTP\RequestInterface;
@@ -21,19 +22,23 @@ use Test\TestCase;
* @package OCA\DAV\Tests\unit\Connector\Sabre
*/
class BlockLegacyClientPluginTest extends TestCase {
- /** @var IConfig|MockObject */
- private $config;
- /** @var BlockLegacyClientPlugin */
- private $blockLegacyClientVersionPlugin;
+
+ private IConfig&MockObject $config;
+ private ThemingDefaults&MockObject $themingDefaults;
+ private BlockLegacyClientPlugin $blockLegacyClientVersionPlugin;
protected function setUp(): void {
parent::setUp();
$this->config = $this->createMock(IConfig::class);
- $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin($this->config);
+ $this->themingDefaults = $this->createMock(ThemingDefaults::class);
+ $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin(
+ $this->config,
+ $this->themingDefaults,
+ );
}
- public function oldDesktopClientProvider(): array {
+ public static function oldDesktopClientProvider(): array {
return [
['Mozilla/5.0 (Windows) mirall/1.5.0'],
['Mozilla/5.0 (Bogus Text) mirall/1.6.9'],
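Review bot: Only one of the two data providers is made static here: `oldDesktopClientProvider` becomes `public static function oldDesktopClientProvider(): array {`, while `newAndAlternateDesktopClientProvider`, visible as context in the last hunk of this file, stays an instance method. PHPUnit 10 deprecates non-static data providers and PHPUnit 11 rejects them, so if that is the reason for this change the other provider should get the same treatment, `public static function newAndAlternateDesktopClientProvider(): array {`, rather than leaving the class half-migrated. The new typed properties `IConfig&MockObject` and `ThemingDefaults&MockObject` use intersection types, which presumably require PHP 8.1 or later; worth confirming that matches the project's minimum PHP version.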
@@ -46,10 +51,9 @@ class BlockLegacyClientPluginTest extends TestCase {
public function testBeforeHandlerException(string $userAgent): void {
$this->expectException(\Sabre\DAV\Exception\Forbidden::class);
- $this->config
+ $this->themingDefaults
->expects($this->once())
- ->method('getSystemValue')
- ->with('customclient_desktop', 'https://nextcloud.com/install/#install-clients')
+ ->method('getSyncClientUrl')
->willReturn('https://nextcloud.com/install/#install-clients');
$this->config
@@ -72,6 +76,38 @@ class BlockLegacyClientPluginTest extends TestCase {
$this->blockLegacyClientVersionPlugin->beforeHandler($request);
}
+ /**
+ * Ensure that there is no room for XSS attack through configured URL / version
+ * @dataProvider oldDesktopClientProvider
+ */
+ public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): void {
+ $this->expectException(\Sabre\DAV\Exception\Forbidden::class);
+
+ $this->themingDefaults
+ ->expects($this->once())
+ ->method('getSyncClientUrl')
+ ->willReturn('https://example.com"><script>alter("hacked");</script>');
+
+ $this->config
+ ->expects($this->once())
+ ->method('getSystemValue')
+ ->with('minimum.supported.desktop.version', '2.3.0')
+ ->willReturn('1.7.0 <script>alert("unsafe")</script>');
+
+ $this->expectExceptionMessage('This version of the client is unsupported. Upgrade to <a href="https://example.com&quot;&gt;&lt;script&gt;alter(&quot;hacked&quot;);&lt;/script&gt;">version 1.7.0 &lt;script&gt;alert(&quot;unsafe&quot;)&lt;/script&gt; or later</a>.');
+
+ /** @var RequestInterface|MockObject $request */
+ $request = $this->createMock('\Sabre\HTTP\RequestInterface');
+ $request
+ ->expects($this->once())
+ ->method('getHeader')
+ ->with('User-Agent')
+ ->willReturn($userAgent);
+
+
+ $this->blockLegacyClientVersionPlugin->beforeHandler($request);
+ }
+
public function newAndAlternateDesktopClientProvider(): array {
return [
['Mozilla/5.0 (Windows) mirall/1.7.0'],
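Review bot: The request mock in the new XSS test is created from a string class name, `$request = $this->createMock('\Sabre\HTTP\RequestInterface');`, although `RequestInterface` is already imported at the top of this file; `$request = $this->createMock(RequestInterface::class);` keeps the reference checked by the IDE and static analysis and matches the `/** @var RequestInterface|MockObject $request */` annotation directly above it. The stubbed sync-client URL spells `alter("hacked")` where `alert` was evidently intended; the assertion still holds because the expected message repeats the same string, but spelling it `alert` in both the `willReturn` and the `expectExceptionMessage` makes the payload recognisable as the script-injection probe it is meant to be. Note that `expectExceptionMessage` matches a substring, so it is the presence of the fully escaped `<a href="...">` fragment, with `&lt;script&gt;` and `&quot;`, that pins the fix; that is sufficient here, and documenting it in the docblock (e.g. "asserts the URL and version are HTML-escaped in the Forbidden message") would make the intent explicit. There is also a stray double blank line before the `beforeHandler` call.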