Diffstat (limited to 'apps/settings/tests/SetupChecks/SecurityHeadersTest.php')
-rw-r--r-- | apps/settings/tests/SetupChecks/SecurityHeadersTest.php | 39 |
1 files changed, 14 insertions, 25 deletions
diff --git a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
index d8bb51d47c6..1f75907d427 100644
--- a/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
+++ b/apps/settings/tests/SetupChecks/SecurityHeadersTest.php
@@ -6,7 +6,7 @@ declare(strict_types=1);
 * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
-namespace OCA\Settings\Tests;
+namespace OCA\Settings\Tests\SetupChecks;
 use OCA\Settings\SetupChecks\SecurityHeaders;
 use OCP\Http\Client\IClientService;
@@ -20,19 +20,17 @@ use Psr\Log\LoggerInterface;
 use Test\TestCase;
 class SecurityHeadersTest extends TestCase {
- private IL10N|MockObject $l10n;
- private IConfig|MockObject $config;
- private IURLGenerator|MockObject $urlGenerator;
- private IClientService|MockObject $clientService;
- private LoggerInterface|MockObject $logger;
- private SecurityHeaders|MockObject $setupcheck;
+ private IL10N&MockObject $l10n;
+ private IConfig&MockObject $config;
+ private IURLGenerator&MockObject $urlGenerator;
+ private IClientService&MockObject $clientService;
+ private LoggerInterface&MockObject $logger;
+ private SecurityHeaders&MockObject $setupcheck;
 protected function setUp(): void {
 parent::setUp();
- /** @var IL10N|MockObject */
- $this->l10n = $this->getMockBuilder(IL10N::class)
- ->disableOriginalConstructor()->getMock();
+ $this->l10n = $this->createMock(IL10N::class);
 $this->l10n->expects($this->any())
 ->method('t')
 ->willReturnCallback(function ($message, array $replace) {
@@ -86,17 +84,16 @@ class SecurityHeadersTest extends TestCase {
 $result = $this->setupcheck->run();
 $this->assertEquals(
- "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
+ "Some headers are not set correctly on your instance\n- The `X-Content-Type-Options` HTTP header is not set to `nosniff`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n",
 $result->getDescription()
 );
 $this->assertEquals(SetupResult::WARNING, $result->getSeverity());
 }
- public function dataSuccess(): array {
+ public static function dataSuccess(): array {
 return [
 // description => modifiedHeaders
 'basic' => [[]],
- 'extra-xss-protection' => [['X-XSS-Protection' => '1; mode=block; report=https://example.com']],
 'no-space-in-x-robots' => [['X-Robots-Tag' => 'noindex,nofollow']],
 'strict-origin-when-cross-origin' => [['Referrer-Policy' => 'strict-origin-when-cross-origin']],
 'referrer-no-referrer-when-downgrade' => [['Referrer-Policy' => 'no-referrer-when-downgrade']],
@@ -109,13 +106,10 @@ class SecurityHeadersTest extends TestCase {
 ];
 }
- /**
- * @dataProvider dataSuccess
- */
- public function testSuccess($headers): void {
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataSuccess')]
+ public function testSuccess(array $headers): void {
 $headers = array_merge(
 [
- 'X-XSS-Protection' => '1; mode=block',
 'X-Content-Type-Options' => 'nosniff',
 'X-Robots-Tag' => 'noindex, nofollow',
 'X-Frame-Options' => 'SAMEORIGIN',
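Review bot: No remaining case in `dataSuccess()` sends `X-XSS-Protection` at all once `'extra-xss-protection'` is removed and the header is dropped from the base array in `testSuccess()`, so nothing pins that the setup check now ignores the header rather than merely not requiring it. Servers that still emit the legacy value are the ones that would see a spurious warning if that ever regressed. Consider keeping one case such as `'legacy-xss-protection-ignored' => [['X-XSS-Protection' => '1; mode=block']],` in `dataSuccess()`. Whether `SecurityHeaders::run()` already tolerates the header is not visible from this test file, and both method bodies continue outside their hunks.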
@@ -138,12 +132,10 @@ class SecurityHeadersTest extends TestCase {
 $this->assertEquals(SetupResult::SUCCESS, $result->getSeverity());
 }
- public function dataFailure(): array {
+ public static function dataFailure(): array {
 return [
 // description => modifiedHeaders
 'x-robots-none' => [['X-Robots-Tag' => 'none'], "- The `X-Robots-Tag` HTTP header is not set to `noindex,nofollow`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-1' => [['X-XSS-Protection' => '1'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
- 'xss-protection-0' => [['X-XSS-Protection' => '0'], "- The `X-XSS-Protection` HTTP header does not contain `1; mode=block`. This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.\n"],
 'referrer-origin' => [['Referrer-Policy' => 'origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'referrer-origin-when-cross-origin' => [['Referrer-Policy' => 'origin-when-cross-origin'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
 'referrer-unsafe-url' => [['Referrer-Policy' => 'unsafe-url'], "- The `Referrer-Policy` HTTP header is not set to `no-referrer`, `no-referrer-when-downgrade`, `strict-origin`, `strict-origin-when-cross-origin` or `same-origin`. This can leak referer information. See the {w3c-recommendation}.\n"],
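Review bot: The comment `// description => modifiedHeaders` in `dataFailure()` does not match the rows, each of which carries a second element, the expected message line. I would change it to `// description => [modifiedHeaders, expectedMessage]` and add a `@return array<string, array{array<string, string>, string}>` docblock on the provider, so the row shape consumed by `testFailure(array $headers, string $msg)` is stated in one place. The array continues past the end of the hunk.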
@@ -153,13 +145,10 @@ class SecurityHeadersTest extends TestCase {
 ];
 }
- /**
- * @dataProvider dataFailure
- */
+ #[\PHPUnit\Framework\Attributes\DataProvider('dataFailure')]
 public function testFailure(array $headers, string $msg): void {
 $headers = array_merge(
 [
- 'X-XSS-Protection' => '1; mode=block',
 'X-Content-Type-Options' => 'nosniff',
 'X-Robots-Tag' => 'noindex, nofollow',
 'X-Frame-Options' => 'SAMEORIGIN', |
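Review bot: The baseline header array at the top of `testFailure()` duplicates the one in `testSuccess()`, which is why this commit had to delete the `'X-XSS-Protection' => '1; mode=block',` line in both places. Moving the shared defaults into a single private constant, for example `private const BASELINE_HEADERS = [...]`, and passing `self::BASELINE_HEADERS` as the first argument to `array_merge(` in both tests would keep the two baselines from drifting apart the next time the set of checked headers changes. Only the first three entries of the array are visible here; the method body continues outside the hunk.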