diff options
Diffstat (limited to 'apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php')
| -rw-r--r-- | apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php | 148 |
1 files changed, 100 insertions, 48 deletions
diff --git a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php index cecd115710d..366c9475b1b 100644 --- a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php +++ b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php @@ -1,70 +1,122 @@ <?php declare(strict_types=1); + /** - * @copyright Copyright (c) 2016, ownCloud, Inc. - * - * @author Christoph Wurst <christoph@winzerhof-wurst.at> - * @author Joas Schilling <coding@schilljs.com> - * @author Lukas Reschke <lukas@statuscode.ch> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Roeland Jago Douma <roeland@famdouma.nl> - * @author Thomas Müller <thomas.mueller@tmit.eu> - * - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * + * SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors + * SPDX-FileCopyrightText: 2016 ownCloud, Inc. + * SPDX-License-Identifier: AGPL-3.0-only */ namespace OCA\DAV\Tests\unit\Connector\Sabre; use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin; +use OCA\Theming\ThemingDefaults; use OCP\IConfig; use PHPUnit\Framework\MockObject\MockObject; use Sabre\HTTP\RequestInterface; use Test\TestCase; +enum ERROR_TYPE { + case MIN_ERROR; + case MAX_ERROR; + case NONE; +} + /** * Class BlockLegacyClientPluginTest * * @package OCA\DAV\Tests\unit\Connector\Sabre */ class BlockLegacyClientPluginTest extends TestCase { - /** @var IConfig|MockObject */ - private $config; - /** @var BlockLegacyClientPlugin */ - private $blockLegacyClientVersionPlugin; + + private IConfig&MockObject $config; + private ThemingDefaults&MockObject $themingDefaults; + private BlockLegacyClientPlugin $blockLegacyClientVersionPlugin; protected function setUp(): void { parent::setUp(); $this->config = $this->createMock(IConfig::class); - $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin($this->config); + $this->themingDefaults = $this->createMock(ThemingDefaults::class); + $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin( + $this->config, + $this->themingDefaults, + ); } - public function oldDesktopClientProvider(): array { + public static function oldDesktopClientProvider(): array { return [ - ['Mozilla/5.0 (Windows) mirall/1.5.0'], - ['Mozilla/5.0 (Bogus Text) mirall/1.6.9'], + ['Mozilla/5.0 (Windows) mirall/1.5.0', ERROR_TYPE::MIN_ERROR], + ['Mozilla/5.0 (Bogus Text) mirall/1.6.9', ERROR_TYPE::MIN_ERROR], + ['Mozilla/5.0 (Windows) mirall/2.5.0', ERROR_TYPE::MAX_ERROR], + ['Mozilla/5.0 (Bogus Text) mirall/2.0.1', ERROR_TYPE::MAX_ERROR], + ['Mozilla/5.0 (Windows) mirall/2.0.0', ERROR_TYPE::NONE], + ['Mozilla/5.0 (Bogus Text) mirall/2.0.0', ERROR_TYPE::NONE], ]; } + #[\PHPUnit\Framework\Attributes\DataProvider('oldDesktopClientProvider')] + public function testBeforeHandlerException(string $userAgent, ERROR_TYPE $errorType): void { + $this->themingDefaults + ->expects($this->atMost(1)) + ->method('getSyncClientUrl') + ->willReturn('https://nextcloud.com/install/#install-clients'); + + $this->config + ->expects($this->exactly(2)) + ->method('getSystemValueString') + ->willReturnCallback(function (string $key) { + if ($key === 'minimum.supported.desktop.version') { + return '1.7.0'; + } + return '2.0.0'; + }); + + if ($errorType !== ERROR_TYPE::NONE) { + $errorString = $errorType === ERROR_TYPE::MIN_ERROR + ? 'This version of the client is unsupported. Upgrade to <a href="https://nextcloud.com/install/#install-clients">version 1.7.0 or later</a>.' + : 'This version of the client is unsupported. Downgrade to <a href="https://nextcloud.com/install/#install-clients">version 2.0.0 or earlier</a>.'; + $this->expectException(\Sabre\DAV\Exception\Forbidden::class); + $this->expectExceptionMessage($errorString); + } + + /** @var RequestInterface|MockObject $request */ + $request = $this->createMock(RequestInterface::class); + $request + ->expects($this->once()) + ->method('getHeader') + ->with('User-Agent') + ->willReturn($userAgent); + + $this->blockLegacyClientVersionPlugin->beforeHandler($request); + } + /** - * @dataProvider oldDesktopClientProvider + * Ensure that there is no room for XSS attack through configured URL / version */ - public function testBeforeHandlerException(string $userAgent): void { + #[\PHPUnit\Framework\Attributes\DataProvider('oldDesktopClientProvider')] + public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent, ERROR_TYPE $errorType): void { $this->expectException(\Sabre\DAV\Exception\Forbidden::class); - $this->expectExceptionMessage('Unsupported client version.'); + + $this->themingDefaults + ->expects($this->atMost(1)) + ->method('getSyncClientUrl') + ->willReturn('https://example.com"><script>alter("hacked");</script>'); + + $this->config + ->expects($this->exactly(2)) + ->method('getSystemValueString') + ->willReturnCallback(function (string $key) { + if ($key === 'minimum.supported.desktop.version') { + return '1.7.0 <script>alert("unsafe")</script>'; + } + return '2.0.0 <script>alert("unsafe")</script>'; + }); + + $errorString = $errorType === ERROR_TYPE::MIN_ERROR + ? 'This version of the client is unsupported. Upgrade to <a href="https://example.com"><script>alter("hacked");</script>">version 1.7.0 <script>alert("unsafe")</script> or later</a>.' + : 'This version of the client is unsupported. Downgrade to <a href="https://example.com"><script>alter("hacked");</script>">version 2.0.0 <script>alert("unsafe")</script> or earlier</a>.'; + $this->expectExceptionMessage($errorString); /** @var RequestInterface|MockObject $request */ $request = $this->createMock('\Sabre\HTTP\RequestInterface'); @@ -74,26 +126,21 @@ class BlockLegacyClientPluginTest extends TestCase { ->with('User-Agent') ->willReturn($userAgent); - $this->config - ->expects($this->once()) - ->method('getSystemValue') - ->with('minimum.supported.desktop.version', '2.3.0') - ->willReturn('1.7.0'); - $this->blockLegacyClientVersionPlugin->beforeHandler($request); } - public function newAndAlternateDesktopClientProvider(): array { + public static function newAndAlternateDesktopClientProvider(): array { return [ ['Mozilla/5.0 (Windows) mirall/1.7.0'], ['Mozilla/5.0 (Bogus Text) mirall/1.9.3'], ['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/1.1.0'], + ['Mozilla/5.0 (Windows) mirall/4.7.0'], + ['Mozilla/5.0 (Bogus Text) mirall/3.9.3'], + ['Mozilla/5.0 (Not Our Client But Old Version) LegacySync/45.0.0'], ]; } - /** - * @dataProvider newAndAlternateDesktopClientProvider - */ + #[\PHPUnit\Framework\Attributes\DataProvider('newAndAlternateDesktopClientProvider')] public function testBeforeHandlerSuccess(string $userAgent): void { /** @var RequestInterface|MockObject $request */ $request = $this->createMock(RequestInterface::class); @@ -104,10 +151,14 @@ class BlockLegacyClientPluginTest extends TestCase { ->willReturn($userAgent); $this->config - ->expects($this->once()) - ->method('getSystemValue') - ->with('minimum.supported.desktop.version', '2.3.0') - ->willReturn('1.7.0'); + ->expects($this->exactly(2)) + ->method('getSystemValueString') + ->willReturnCallback(function (string $key) { + if ($key === 'minimum.supported.desktop.version') { + return '1.7.0'; + } + return '10.0.0'; + }); $this->blockLegacyClientVersionPlugin->beforeHandler($request); } @@ -120,6 +171,7 @@ class BlockLegacyClientPluginTest extends TestCase { ->method('getHeader') ->with('User-Agent') ->willReturn(null); + $this->blockLegacyClientVersionPlugin->beforeHandler($request); } } |