path: root/tests/lib/appframework/http
Commit message | Author | Age | Files | Lines
* Move tests/ to PSR-4 (#24731) | Joas Schilling | 2016-05-20 | 14 | -3850/+0
  - Move a-b to PSR-4
  - Move c-d to PSR-4
  - Move e+g to PSR-4
  - Move h-l to PSR-4
  - Move m-r to PSR-4
  - Move s-u to PSR-4
  - Move files/ to PSR-4
  - Move remaining tests to PSR-4
  - Remove Test\ from old autoloader
* Fix namespaces in AppFramework tests | Joas Schilling | 2016-05-18 | 13 | -13/+20
* fix unit test | v1r0x | 2016-02-18 | 1 | -1/+1
* Add public API to give developers the possibility to adjust the global CSP defaults | Lukas Reschke | 2016-01-28 | 2 | -17/+430
  Allows injecting something into the default content policy. This is for example useful when you're injecting JavaScript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself.

  Note that the adjustment is only applied to applications that use AppFramework controllers.

  To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`; `$policy` has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.

  To test this add something like the following into an `app.php` of any enabled app:

  ```php
  $manager = \OC::$server->getContentSecurityPolicyManager();

  // First adjustment: extra frame and script hosts, inline script switched off
  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFrameDomain('asdf');
  $policy->addAllowedScriptDomain('yolo.com');
  $policy->allowInlineScript(false);
  $manager->addDefaultPolicy($policy);

  // Second adjustment: an extra font host
  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFontDomain('yolo.com');
  $manager->addDefaultPolicy($policy);

  // Third adjustment: another frame host; all three are merged into the defaults
  $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
  $policy->addAllowedFrameDomain('banana.com');
  $manager->addDefaultPolicy($policy);
  ```

  If you now open the files app the policy should be:

  ```
  Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
  ```
* Add new CSRF manager for unit testing purposes | Lukas Reschke | 2016-01-25 | 1 | -4/+86
  This adds a new CSRF manager for unit testing purposes, its interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
* Fix unit tests | Roeland Jago Douma | 2016-01-11 | 1 | -8/+1
* Scrutinizer Auto-Fixes | Scrutinizer Auto-Fixer | 2015-12-07 | 1 | -1/+0
  This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
* Added tests. | Mitar | 2015-11-27 | 1 | -0/+20
* Fix undefined HTTP_USER_AGENT | Thomas Müller | 2015-11-22 | 1 | -8/+25
* Remove dependency on ICrypto + use XOR | Lukas Reschke | 2015-10-21 | 2 | -84/+6
* Merge pull request #19034 from owncloud/http-request-warning | Thomas Müller | 2015-10-08 | 1 | -0/+21
  Prevent warning decoding content
  * Unit test for preventing warning decoding content | Robin McCorkell | 2015-09-23 | 1 | -0/+21
* Add \OCP\IRequest::getHttpProtocol | Lukas Reschke | 2015-10-06 | 1 | -0/+51
  Only allow valid HTTP protocols.

  Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
* Merge pull request #19299 from owncloud/fixgetRawPathInfo | Thomas Müller | 2015-09-30 | 1 | -43/+44
  Fix get raw path info, always return a string
  * use assertSame, add failing case | Jörn Friedrich Dreyer | 2015-09-23 | 1 | -43/+44
* Add blob: scheme to default CSP policy | Lukas Reschke | 2015-09-29 | 3 | -55/+55
  Fixes https://github.com/owncloud/core/issues/19438
* Rename data provider to avoid risky test warning | Lukas Reschke | 2015-09-09 | 1 | -2/+2
  ```
  06:49:56 There was 1 risky test:
  06:49:56
  06:49:56 1) OC\AppFramework\Http\JSONResponseTest::testRenderProvider
  06:49:56 This test did not perform any assertions
  ```
* Encode HTML tags in JSON | Lukas Reschke | 2015-09-03 | 1 | -6/+20
  While not encoding the HTML tags in the JSON response is perfectly fine since we set the proper mimetype as well as disable content sniffing, a lot of automated code scanners do report this as a security bug. Encoding them leads to fewer discussions and a lot of saved time.
* Properly return 304 | Roeland Jago Douma | 2015-09-01 | 1 | -0/+8
  The ETag set in the IF_NONE_MODIFIED header is wrapped in quotes ("). However the ETag that is set in response is not (yet). Also we need to cast the ETag to a string.
  - Added unit test
* Add mitigation against BREACH | Lukas Reschke | 2015-08-14 | 2 | -15/+108
  While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

  1. Application must support HTTP compression
  2. Response must reflect user-controlled input
  3. Response should contain sensitive data

  Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed. To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
* Merge pull request #18096 from sualko/patch-1 | Morris Jobke | 2015-08-10 | 3 | -55/+55
  add data: to allowed image domains
  * add more unit tests for data: as allowed image domain | sualko | 2015-08-10 | 2 | -2/+2
  * add unit test for data: as allowed image domain | sualko | 2015-08-07 | 1 | -53/+53
* Merge pull request #18035 from owncloud/ocs-2.0 | Bernhard Posselt | 2015-08-05 | 1 | -3/+2
  Adding ocs/v2.php with status code mapper
  * Remove duplicate and unused code | Thomas Müller | 2015-08-03 | 1 | -3/+2
* Use StringUtils::equals on CSRF token and add unit tests | Lukas Reschke | 2015-08-04 | 1 | -0/+95
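The entries "Add mitigation against BREACH", "Remove dependency on ICrypto + use XOR" and "Use StringUtils::equals on CSRF token" above describe one mechanism: the stable per-session CSRF token is XORed with a fresh random shared secret on every response, and the value a form sends back is compared in constant time. The following is an added Python example written for this page, not ownCloud's PHP implementation; the 32-byte token size, the base64 layout `secret || (token XOR secret)` and every input are this example's assumptions.

```python
"""CSRF token masking against BREACH, with constant-time validation.

Added example in Python; this is not ownCloud's PHP code. The per-session
token, the per-request shared secret and all inputs are constructed here.
The wire format base64(secret || token XOR secret) is this example's own
choice; the page only says the token is XORed with a per-request secret
and compared with a constant-time equals.
"""
from __future__ import annotations

import base64
import hmac
import secrets

TOKEN_BYTES = 32  # assumed token size


def new_session_token() -> bytes:
    """Per-session CSRF secret kept server side; it is never sent out as-is."""
    return secrets.token_bytes(TOKEN_BYTES)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mask_token(session_token: bytes, shared_secret: bytes | None = None) -> str:
    """Value to embed in the page: base64(secret || token XOR secret).

    A fresh random secret per response means the bytes that reach the HTML
    differ on every request although the session token is stable, so a
    compression oracle such as BREACH has nothing constant to converge on.
    """
    if shared_secret is None:
        shared_secret = secrets.token_bytes(len(session_token))
    masked = xor_bytes(session_token, shared_secret)
    return base64.b64encode(shared_secret + masked).decode("ascii")


def unmask_token(submitted: str) -> bytes | None:
    """Recover the session token from a submitted value; None if malformed."""
    try:
        raw = base64.b64decode(submitted, validate=True)
    except ValueError:  # binascii.Error is a ValueError; non-ASCII input too
        return None
    if len(raw) != 2 * TOKEN_BYTES:
        return None
    shared_secret, masked = raw[:TOKEN_BYTES], raw[TOKEN_BYTES:]
    return xor_bytes(masked, shared_secret)


def is_valid_token(session_token: bytes, submitted: str) -> bool:
    """Constant-time check, the role StringUtils::equals plays in the commit above.

    A plain == returns at the first differing byte, which leaks how many
    leading bytes matched through response timing.
    """
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    return hmac.compare_digest(recovered, session_token)


def demo() -> dict[str, bool]:
    """Two masked copies of one token differ on the wire yet both validate."""
    token = new_session_token()
    first, second = mask_token(token), mask_token(token)
    return {
        "differ_on_wire": first != second,
        "both_valid": is_valid_token(token, first) and is_valid_token(token, second),
        "other_session_rejected": not is_valid_token(token, mask_token(new_session_token())),
        "garbage_rejected": not is_valid_token(token, "not base64!"),
        "truncated_rejected": not is_valid_token(token, first[:-8]),
    }
```

`demo()` shows the property the BREACH commit is after: two renderings of the same token differ byte for byte, so a compression oracle has no fixed secret to guess, while `unmask_token` recovers the same session token from both. Validation rejects malformed, truncated and foreign-session values before the compare, and the compare itself never short-circuits on the first mismatching byte.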
* Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460 | Thomas Müller | 2015-07-16 | 1 | -4/+15
* Check if response could get generated | Lukas Reschke | 2015-07-02 | 1 | -0/+11
  `json_encode` fails hard on PHP >= 5.5 if a non UTF-8 value is specified by returning false. Older PHP versions just nullify the value which makes it at least somewhat usable.

  This leads to very confusing errors which are very hard to debug since developers are usually not aware of this. In this case I'd consider throwing a fatal exception – since it arguably is an error situation – is a fair solution since this makes developers and administrators aware of any occurrence of the problem so that these bugs can get fixed.

  Fixes https://github.com/owncloud/core/issues/17265
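The "Encode HTML tags in JSON" entry above and this one are two halves of one rendering rule: tags inside JSON bodies are escaped even though the mimetype and nosniff already make them inert, and a payload that cannot be encoded fails loudly instead of yielding `false`. The following is an added Python example written for this page, not ownCloud's JSONResponse; the `\u003C`/`\u003E` escaping stands in for PHP's JSON_HEX_TAG, the exception type is invented here, and the sample payloads are constructed.

```python
"""JSON response rendering: escape HTML tags and fail loudly on non UTF-8 data.

Added example in Python; ownCloud's JSONResponse is PHP and is not reproduced.
Sample payloads are constructed. The tag escaping mirrors what the "Encode
HTML tags in JSON" commit describes (PHP's JSON_HEX_TAG behaviour); the
exception stands in for the fatal exception the "Check if response could get
generated" commit throws when json_encode fails.
"""
from __future__ import annotations

import json
from typing import Any


class JSONEncodingError(Exception):
    """Raised instead of silently emitting false or null for bad input."""


def _coerce_utf8(value: Any, path: str = "$") -> Any:
    """Walk the payload; bytes must be valid UTF-8 or the whole render fails."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise JSONEncodingError(f"non UTF-8 value at {path}") from exc
    if isinstance(value, dict):
        return {str(k): _coerce_utf8(v, f"{path}.{k}") for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [_coerce_utf8(v, f"{path}[{i}]") for i, v in enumerate(value)]
    return value


def render_json(data: Any) -> str:
    """Serialise data with '<' and '>' written as \\u003C and \\u003E.

    The result is still valid JSON (a JSON parser gives the original back),
    but a literal <script> tag never appears in the body, which is what
    automated scanners look for even when Content-Type and nosniff are set.
    """
    clean = _coerce_utf8(data)
    text = json.dumps(clean, ensure_ascii=False, separators=(",", ":"))
    return text.replace("<", "\\u003C").replace(">", "\\u003E")


# Headers the commit message relies on: correct mimetype plus no sniffing.
JSON_RESPONSE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
}


def json_response(data: Any) -> tuple[int, dict[str, str], str]:
    """Status, headers and body; a render failure surfaces as an exception."""
    return 200, dict(JSON_RESPONSE_HEADERS), render_json(data)
```

The escaping changes only the text form, not the decoded value, so clients are unaffected; the UTF-8 walk reports the path of the offending value so the bug can be fixed where the data was produced rather than debugged from a blank response.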
* Fix undefined offset | Lukas Reschke | 2015-06-22 | 1 | -2/+91
  There are cases where no trusted host is specified such as when installing the instance, this led to an undefined offset warning in the log right after installing. (when another domain than localhost or 127.0.0.1 was used)
* Add `no-store` to AppFramework | Lukas Reschke | 2015-06-15 | 1 | -1/+1
* Move the helpful method to the TestCase class | Joas Schilling | 2015-06-03 | 1 | -2/+2
* Add support for disallowing domains to the ContentSecurityPolicy | Lukas Reschke | 2015-05-20 | 1 | -0/+216
  For enhanced security it is important that there is also a way to disallow domains, including the default ones. With this commit every method gets added a new "disallow" function.
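The "Add public API to give developers the possibility to adjust the global CSP defaults" entry above shows three default-policy adjustments and the header they produce, and this entry adds per-directive disallow methods. The following is an added Python model written for this page, not ownCloud's PHP classes; its base defaults, its "explicitly added hosts before defaults" ordering and its "stricter flag wins" merge rule are chosen so that replaying those three adjustments renders exactly the header quoted above. The page does not say how the PHP code orders sources or merges flags.

```python
"""Model of CSP default-policy merging and domain disallowing.

Added example in Python; ownCloud's ContentSecurityPolicy and its manager are
PHP and are not reproduced. Base defaults, "added hosts before defaults"
ordering and "stricter flag wins" merging are this model's choices, picked so
that replaying the adjustments quoted on the page yields the quoted header.
"""

# Directive order in the rendered header; directives with nothing to say are omitted.
DIRECTIVES = (
    "default-src", "script-src", "style-src", "img-src", "font-src",
    "connect-src", "media-src", "object-src", "frame-src", "child-src",
)

# Base defaults, inferred from the header quoted on the page.
BASE_DEFAULTS = {
    "default-src": ["'none'"],
    "script-src": ["'self'"],
    "style-src": ["'self'"],
    "img-src": ["'self'", "data:", "blob:"],
    "font-src": ["'self'"],
    "connect-src": ["'self'"],
    "media-src": ["'self'"],
    "frame-src": ["'self'"],
}


class ContentSecurityPolicy:
    """Per-directive sources plus the script/style flags of one policy."""

    def __init__(self, with_defaults: bool = True) -> None:
        self.defaults = {d: list(BASE_DEFAULTS.get(d, [])) if with_defaults else []
                         for d in DIRECTIVES}
        self.extra = {d: [] for d in DIRECTIVES}          # hosts added explicitly
        self.disallowed = {d: set() for d in DIRECTIVES}  # sources removed explicitly
        # Base flags: no inline script, eval allowed, inline style allowed.
        self.inline_script = False
        self.eval_script = True
        self.inline_style = True

    def allow(self, directive: str, source: str) -> "ContentSecurityPolicy":
        if source not in self.extra[directive] and source not in self.defaults[directive]:
            self.extra[directive].append(source)
        self.disallowed[directive].discard(source)
        return self

    def disallow(self, directive: str, source: str) -> "ContentSecurityPolicy":
        """Remove a source, including a default such as 'self' or data:."""
        self.disallowed[directive].add(source)
        for bucket in (self.extra, self.defaults):
            if source in bucket[directive]:
                bucket[directive].remove(source)
        return self

    def render(self) -> str:
        parts = []
        for d in DIRECTIVES:
            sources = self.extra[d] + self.defaults[d]  # added hosts first
            flags = []
            if d == "script-src":
                if self.inline_script:
                    flags.append("'unsafe-inline'")
                if self.eval_script:
                    flags.append("'unsafe-eval'")
            elif d == "style-src" and self.inline_style:
                flags.append("'unsafe-inline'")
            if sources or flags:
                parts.append(f"{d} {' '.join(sources + flags)}")
        return ";".join(parts)


class ContentSecurityPolicyManager:
    """Collects app-supplied adjustments and folds them into one default policy."""

    def __init__(self) -> None:
        self.policies = []

    def add_default_policy(self, policy: ContentSecurityPolicy) -> None:
        self.policies.append(policy)

    def get_default_policy(self) -> ContentSecurityPolicy:
        merged = ContentSecurityPolicy()
        for p in self.policies:
            for d in DIRECTIVES:
                for src in p.extra[d]:
                    merged.allow(d, src)
                for src in p.disallowed[d]:
                    merged.disallow(d, src)
            # Stricter wins: one adjustment turning a flag off keeps it off.
            merged.inline_script = merged.inline_script and p.inline_script
            merged.eval_script = merged.eval_script and p.eval_script
            merged.inline_style = merged.inline_style and p.inline_style
        return merged


def demo_default_policy() -> str:
    """Replays the three adjustments from the commit message quoted above."""
    manager = ContentSecurityPolicyManager()
    first = ContentSecurityPolicy(False).allow("frame-src", "asdf").allow("script-src", "yolo.com")
    first.inline_script = False
    manager.add_default_policy(first)
    manager.add_default_policy(ContentSecurityPolicy(False).allow("font-src", "yolo.com"))
    manager.add_default_policy(ContentSecurityPolicy(False).allow("frame-src", "banana.com"))
    return manager.get_default_policy().render()


def demo_disallow() -> str:
    """A later adjustment may also disallow defaults, here data: and blob: images."""
    manager = ContentSecurityPolicyManager()
    stricter = ContentSecurityPolicy(False).disallow("img-src", "data:")
    manager.add_default_policy(stricter.disallow("img-src", "blob:"))
    return manager.get_default_policy().render()
```

`demo_disallow()` is the case this entry is about: a default source such as `data:` in img-src can only be removed, not merely shadowed by adding more hosts, and a removal requested through a later default-policy adjustment is honoured by the merge.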
* Add support for 'child-src' directive | Lukas Reschke | 2015-02-28 | 1 | -2/+17
  This is required when working with stuff such as PDF.js in the files_pdfviewer application. Opt-in only. Master change only because the stable CSP policies have a fallback that allows nearly anything :see_no_evil:
* AppFramework StreamResponse | Bernhard Posselt | 2015-02-27 | 1 | -0/+99
  First stab at the StreamResponse, see #12988

  The idea is to use an interface ICallbackResponse (I'm not 100% happy with the name yet, suggestions?) that allow the response to output things in its own way, for instance stream the file using readfile

  Unittests are atm lacking, plan is to check if a mock of ICallbackResponse will be used by calling its callback (also unhappy with this name) method

  Usage is: `$response = new StreamResponse('path/to/file');`

  - rename io to output, add additional methods and handle error and not modified cases when using StreamResponse
  - fix indention and uppercasing, also handle forbidden cases
  - fix indention
  - fix indention
  - no forbidden, figuring out if a file is really readable is too complicated to get to work across OSes and streams
  - remove useless import
  - remove useless import
  - fix indentation
* Get the real protocol behind several proxies | Lukas Reschke | 2015-02-24 | 1 | -0/+21
  X-Forwarded-Proto contains a list of protocols if ownCloud is behind multiple reverse proxies.

  This is a revival of https://github.com/owncloud/core/pull/11157 using the new IRequest public API.
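This entry and "Add \OCP\IRequest::getHttpProtocol" above both concern trusting request metadata only after checking it: the protocol string is accepted only when it is a known token, and X-Forwarded-Proto is read as a list when several proxies are chained. The following is an added Python example written for this page, not ownCloud's IRequest; the HTTP/1.1 fallback, the trusted-proxy gate and the sample server arrays are this example's assumptions.

```python
"""Request protocol helpers: a validated HTTP protocol string and the client
scheme behind chained reverse proxies.

Added example in Python, not ownCloud's IRequest. The $_SERVER-style dicts
are constructed. The commit above only says valid protocols are allowed; the
fallback to HTTP/1.1 and the trusted-proxy gate on X-Forwarded-Proto are this
example's assumptions.
"""
from __future__ import annotations

from typing import Mapping

# SERVER_PROTOCOL values this example accepts; anything else is replaced.
VALID_HTTP_PROTOCOLS = frozenset({"HTTP/1.0", "HTTP/1.1", "HTTP/2", "HTTP/2.0"})
FALLBACK_PROTOCOL = "HTTP/1.1"


def get_http_protocol(server: Mapping[str, str]) -> str:
    """Return SERVER_PROTOCOL only if it is a known protocol token.

    Anything that reflects this value (a hand-built status line, a log line)
    should only ever see a token from the allow-list, never the raw string.
    A missing key is treated like an invalid one.
    """
    value = server.get("SERVER_PROTOCOL", "")
    return value if value in VALID_HTTP_PROTOCOLS else FALLBACK_PROTOCOL


def get_server_protocol(server: Mapping[str, str],
                        trusted_proxies: frozenset[str] = frozenset()) -> str:
    """Scheme the client used: 'http' or 'https'.

    Behind several reverse proxies X-Forwarded-Proto is a comma separated
    list; each hop appends the scheme it received, so the left-most entry is
    the one the client used. The header is only believed when the direct
    peer (REMOTE_ADDR) is a trusted proxy, otherwise any client could claim
    https and, for example, receive Secure cookies over plain HTTP.
    """
    forwarded = server.get("HTTP_X_FORWARDED_PROTO")
    if forwarded and server.get("REMOTE_ADDR") in trusted_proxies:
        first = forwarded.split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    https = server.get("HTTPS", "")
    return "https" if https and https.lower() != "off" else "http"


# Constructed sample: TLS ends at the outer proxy, plain HTTP between the hops.
CHAINED_PROXIES = {
    "SERVER_PROTOCOL": "HTTP/1.1",
    "REMOTE_ADDR": "10.0.0.2",
    "HTTP_X_FORWARDED_PROTO": "https, http",
}

# Constructed sample: a client talking to the application directly forges the
# header; its REMOTE_ADDR is not a trusted proxy.
SPOOFED_HEADER = {
    "SERVER_PROTOCOL": "HTTP/1.1",
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_X_FORWARDED_PROTO": "https",
}

# Constructed sample: bogus protocol token and no REMOTE_ADDR at all.
ODD_SERVER = {"SERVER_PROTOCOL": "HTTP/1.1\r\nX-Injected: 1"}


def demo() -> dict[str, str]:
    trusted = frozenset({"10.0.0.2"})
    return {
        "chained": get_server_protocol(CHAINED_PROXIES, trusted),
        "spoofed": get_server_protocol(SPOOFED_HEADER, trusted),
        "odd_protocol": get_http_protocol(ODD_SERVER),
        "missing_protocol": get_http_protocol({}),
    }
```

The `server.get(...)` lookups are deliberate: the "Undefined index" fixes elsewhere in this log are the PHP equivalent of indexing `$_SERVER` without checking the key first, and both helpers must give a sensible answer when a key is absent.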
* Merge pull request #13989 from owncloud/enhancment/security/11857 | Clark Tomlinson | 2015-02-18 | 3 | -3/+246
  Allow AppFramework applications to specify a custom CSP header
  * Rename to allowEval | Lukas Reschke | 2015-02-16 | 1 | -2/+2
  * Allow AppFramework applications to specify a custom CSP header | Lukas Reschke | 2015-02-16 | 3 | -3/+246
    This change allows AppFramework applications to specify a custom CSP header for example when the default policy is too strict. Furthermore this allows us to partially migrate away from CSS and allowed eval() in our JavaScript components. Legacy ownCloud components will still use the previous policy.

    Application developers can use this as following in their controllers:

    ```php
    $response = new TemplateResponse('activity', 'list', []);

    // Build a policy for this response only; other controllers keep the default
    $cspHelper = new ContentSecurityPolicyHelper();
    $cspHelper->addAllowedScriptDomain('www.owncloud.org');
    $response->addHeader('Content-Security-Policy', $cspHelper->getPolicy());
    return $response;
    ```

    Fixes https://github.com/owncloud/core/issues/11857 which is a pre-requisite for https://github.com/owncloud/core/issues/13458 and https://github.com/owncloud/core/issues/11925
* Refactor OC_Request into TrustedDomainHelper and IRequest | Lukas Reschke | 2015-02-16 | 2 | -27/+807
  This changeset removes the static class `OC_Request` and moves the functions either into `IRequest` which is accessible via `\OC::$server->getRequest()` or into a separated `TrustedDomainHelper` class for some helper methods which should not be publicly exposed.

  This changes only internal methods and nothing on the public API. Some public functions in `util.php` have been deprecated though in favour of the new non-static functions.

  Unfortunately some part of this code uses things like `__DIR__` and thus is not completely unit-testable. Where tests were possible they have been added though.

  Fixes https://github.com/owncloud/core/issues/13976 which was requested in https://github.com/owncloud/core/pull/13973#issuecomment-73492969
* Merge pull request #13921 from owncloud/ocs-af | Vincent Petry | 2015-02-09 | 1 | -0/+73
  Add a controller and response for ocs
  * add a controller and response for ocs | Bernhard Posselt | 2015-02-05 | 1 | -0/+73
* Respect `mod_unique_id` and refactor `OC_Request::getRequestId` | Lukas Reschke | 2015-02-09 | 2 | -71/+129
  When `mod_unique_id` is enabled the ID generated by it will be used for logging. This allows for correlation of the Apache logs and the ownCloud logs.

  Testplan:
  - [ ] When `mod_unique_id` is enabled the request ID equals the one generated by `mod_unique_id`.
  - [ ] When `mod_unique_id` is not available the request ID is a 20 character long random string
  - [ ] The generated Id is stable over the lifespan of one request

  Changeset looks a little bit larger since I had to adjust every unit test using the HTTP\Request class for proper DI.

  Fixes https://github.com/owncloud/core/issues/13366
* always set url parameters when they are available in the app dispatch | Bernhard Posselt | 2015-01-15 | 1 | -0/+17
  prefer url parameters passed into the main method. If they are not present, use the container's urlParameters

  - add space
* PHP < 5.4 is not supported anymore - see #12606 | Morris Jobke | 2014-12-04 | 1 | -8/+0
* Remove last traces of travis integration | Morris Jobke | 2014-12-04 | 1 | -2/+2
* Add functions to modify cookies to response class | Lukas Reschke | 2014-11-27 | 2 | -8/+94
  Currently there is no AppFramework way to modify cookies, which makes it unusable for quite some use-cases or results in untestable code. This PR adds some basic functionalities to add and invalidate cookies.

  Usage:

  ```php
  $response = new TemplateResponse(...);
  $response->addCookie('foo', 'bar');            // session cookie
  $response->invalidateCookie('foo');            // expire it again
  $response->addCookie('bar', 'foo', new \DateTime('2015-01-01 00:00'));  // with expiry
  ```

  Existing cookies can be accessed with the AppFramework using `$this->request->getCookie($name)`.
* Make remaining files extend the test base | Joas Schilling | 2014-11-19 | 9 | -13/+24
* fix typo in content type | Bernhard Posselt | 2014-11-05 | 1 | -1/+1
* remove unnecessary require calls - the ownCloud class loader is supposed to take care of this | Thomas Müller | 2014-10-30 | 4 | -14/+12
* add dataresponse | Bernhard Posselt | 2014-10-29 | 3 | -24/+163
  - fix docstrings
  - adjust copyright date
  - another copyright date update
  - another header update
  - implement third headers argument, fix indention, fix docstrings
  - fix docstrings