path: root/tests/lib/appframework
Commit message [Author, Age, Files, Lines]
* Move tests/ to PSR-4 (#24731) [Joas Schilling, 2016-05-20, 30 files, -7152/+0]
|   * Move a-b to PSR-4
|   * Move c-d to PSR-4
|   * Move e+g to PSR-4
|   * Move h-l to PSR-4
|   * Move m-r to PSR-4
|   * Move s-u to PSR-4
|   * Move files/ to PSR-4
|   * Move remaining tests to PSR-4
|   * Remove Test\ from old autoloader
* Fix namespaces in AppFramework tests [Joas Schilling, 2016-05-18, 26 files, -38/+58]
|
* Fix inconsistent naming of AppFramework [Roeland Jago Douma, 2016-04-22, 2 files, -6/+4]
|
* Move login form into controller [Lukas Reschke, 2016-04-15, 1 file, -4/+9]
|   First step on getting the authorisation stuff cleaned up. This is only for the login form, all other stuff is still where it is.
* Fix mappertest [Roeland Jago Douma, 2016-04-08, 1 file, -3/+4]
|
* Use IQueryBuilder::PARAM_* instead of \PDO::PARAM_* [Joas Schilling, 2016-02-29, 1 file, -1/+1]
|
* fix unit test [v1r0x, 2016-02-18, 1 file, -1/+1]
|
* Make sure tests don't leave a stray directory behind [Joas Schilling, 2016-02-03, 1 file, -3/+3]
|
* Add public API to give developers the possibility to adjust the global CSP defaults [Lukas Reschke, 2016-01-28, 3 files, -19/+465]
|   Allows to inject something into the default content policy. This is for example useful when you're injecting Javascript code into a view belonging to another controller and cannot modify its Content-Security-Policy itself. Note that the adjustment is only applied to applications that use AppFramework controllers.
|
|   To use this from your `app.php` use `\OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy)`, $policy has to be of type `\OCP\AppFramework\Http\ContentSecurityPolicy`.
|
|   To test this add something like the following into an `app.php` of any enabled app:
|   ```
|   $manager = \OC::$server->getContentSecurityPolicyManager();
|   $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
|   $policy->addAllowedFrameDomain('asdf');
|   $policy->addAllowedScriptDomain('yolo.com');
|   $policy->allowInlineScript(false);
|   $manager->addDefaultPolicy($policy);
|   $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
|   $policy->addAllowedFontDomain('yolo.com');
|   $manager->addDefaultPolicy($policy);
|   $policy = new \OCP\AppFramework\Http\ContentSecurityPolicy(false);
|   $policy->addAllowedFrameDomain('banana.com');
|   $manager->addDefaultPolicy($policy);
|   ```
|
|   If you now open the files app the policy should be:
|   ```
|   Content-Security-Policy:default-src 'none';script-src yolo.com 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src yolo.com 'self';connect-src 'self';media-src 'self';frame-src asdf banana.com 'self'
|   ```
* Add new CSRF manager for unit testing purposes [Lukas Reschke, 2016-01-25, 1 file, -4/+86]
|   This adds a new CSRF manager for unit testing purposes, its interface is based upon https://github.com/symfony/security-csrf. Due to some of our required custom changes it is however not possible to use the Symfony component directly.
* Fix unit tests [Roeland Jago Douma, 2016-01-11, 1 file, -8/+1]
|
* Fix unit test [Roeland Jago Douma, 2015-12-24, 1 file, -2/+6]
|
* prefer scalar type hints over phpdoc annotation [Bernhard Posselt, 2015-12-24, 1 file, -0/+19]
|   use method exists lookup to be safe and not break on old hhvm versions
|   add test that checks if type hint is preferred over annotation
* Scrutinizer Auto-Fixes [Scrutinizer Auto-Fixer, 2015-12-07, 1 file, -1/+0]
|   This commit consists of patches automatically generated for this project on https://scrutinizer-ci.com
* Merge pull request #20807 from owncloud/dont-append-redirect-url-if-user-is-already-logged-in [Thomas Müller, 2015-12-03, 2 files, -35/+105]
|\
| |   Don't append redirect URL if user is logged-in
| * Show error template [Lukas Reschke, 2015-11-30, 2 files, -35/+105]
| |   Otherwise this leads to an endless redirection in case of a CSRF exception. Also sets user expectation right.
* | Mock DIContainer to not hit the database [Thomas Müller, 2015-11-30, 1 file, -1/+3]
| |
* | Apply DB group annotation ... [Thomas Müller, 2015-11-30, 1 file, -0/+1]
|/
* Merge pull request #20788 from owncloud/catch-missing-route [Thomas Müller, 2015-11-30, 1 file, -3/+3]
|\
| |   Don't die when we're missing a route
| * fix tests [Robin Appelman, 2015-11-27, 1 file, -3/+3]
| |
* | Added tests. [Mitar, 2015-11-27, 1 file, -0/+20]
|/
* Fix undefined HTTP_USER_AGENT [Thomas Müller, 2015-11-22, 1 file, -8/+25]
|
* Remove dependency on ICrypto + use XOR [Lukas Reschke, 2015-10-21, 11 files, -105/+6]
|
* Merge pull request #19034 from owncloud/http-request-warning [Thomas Müller, 2015-10-08, 1 file, -0/+21]
|\
| |   Prevent warning decoding content
| * Unit test for preventing warning decoding content [Robin McCorkell, 2015-09-23, 1 file, -0/+21]
| |
* | Add \OCP\IRequest::getHttpProtocol [Lukas Reschke, 2015-10-06, 1 file, -0/+51]
| |   Only allow valid HTTP protocols.
| |
| |   Ref https://github.com/owncloud/core/pull/19537#discussion_r41252333 + https://github.com/owncloud/security-tracker/issues/119
* | Merge pull request #19299 from owncloud/fixgetRawPathInfo [Thomas Müller, 2015-09-30, 1 file, -43/+44]
|\ \
| | |   Fix get raw path info, always return a string
| * | use assertSame, add failing case [Jörn Friedrich Dreyer, 2015-09-23, 1 file, -43/+44]
| |/
* / Add blob: scheme to default CSP policy [Lukas Reschke, 2015-09-29, 4 files, -56/+56]
|/
|   Fixes https://github.com/owncloud/core/issues/19438
* Rename data provider to avoid risky test warning [Lukas Reschke, 2015-09-09, 1 file, -2/+2]
|   ```
|   06:49:56 There was 1 risky test:
|   06:49:56
|   06:49:56 1) OC\AppFramework\Http\JSONResponseTest::testRenderProvider
|   06:49:56 This test did not perform any assertions
|   ```
* Encode HTML tags in JSON [Lukas Reschke, 2015-09-03, 1 file, -6/+20]
|   While not encoding the HTML tags in the JSON response is perfectly fine since we set the proper mimetype as well as disable content sniffing, a lot of automated code scanners do report this as a security bug. Encoding them leads to less discussions and a lot of saved time.
* Properly return 304 [Roeland Jago Douma, 2015-09-01, 1 file, -0/+8]
|   The ETag set in the IF_NONE_MODIFIED header is wrapped in quotes ("). However the ETag that is set in response is not (yet). Also we need to cast the ETag to a string.
|
|   * Added unit test
* Add mitigation against BREACH [Lukas Reschke, 2015-08-14, 11 files, -15/+129]
|   While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:
|
|   1. Application must support HTTP compression
|   2. Response must reflect user-controlled input
|   3. Response should contain sensitive data
|
|   Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.
|
|   To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
* Merge pull request #17982 from owncloud/appframework-sanitize-name [Thomas Müller, 2015-08-12, 1 file, -0/+19]
|\
| |   Sanitize class names before registerService/query
| * Sanitize class names before registerService/query [Robin McCorkell, 2015-07-30, 1 file, -0/+19]
| |   Leading backslashes are removed, so a `registerService('\\OC\\Foo')` can still be resolved with `query('OC\\Foo')`.
* | Merge pull request #17852 from owncloud/register-alias-factory [Robin McCorkell, 2015-08-11, 2 files, -14/+47]
|\ \
| | |   Add test for factories
| * | add test for factories [Bernhard Posselt, 2015-07-25, 2 files, -14/+47]
| |/
| |   use ref for factory test
| |
| |   use a factory for registerAlias
| |
| |   Ensure we construct SimpleContainer
| |
| |   Use single instance of DIContainer in routing tests
* | Merge pull request #18096 from sualko/patch-1 [Morris Jobke, 2015-08-10, 4 files, -56/+56]
|\ \
| | |   add data: to allowed image domains
| * | add more unit tests for data: as allowed image domain [sualko, 2015-08-10, 3 files, -3/+3]
| | |
| * | add unit test for data: as allowed image domain [sualko, 2015-08-07, 1 file, -53/+53]
| | |
* | | Merge pull request #18035 from owncloud/ocs-2.0 [Bernhard Posselt, 2015-08-05, 2 files, -7/+10]
|\ \ \
| |/ /
|/| |
| | |   Adding ocs/v2.php with status code mapper
| * | Fix unit test within OCSController [Thomas Müller, 2015-08-03, 1 file, -4/+8]
| | |
| * | Remove duplicate and unused code [Thomas Müller, 2015-08-03, 1 file, -3/+2]
| | |
* | | Use StringUtils::equals on CSRF token and add unit tests [Lukas Reschke, 2015-08-04, 1 file, -0/+95]
|/ /
* / Fix incorrect test naming [Robin McCorkell, 2015-07-30, 1 file, -4/+2]
|/
|   `tesOverrideService()` was incorrect and wasn't getting called by PHPUnit. Also, the unit test itself was wrong, but went unnoticed because of point 1.
* Merge pull request #17755 from owncloud/alias-container-alive [Thomas Müller, 2015-07-24, 1 file, -0/+13]
|\
| |   Add registerAlias method to shortcut interface registration #17714
| * add registerAlias method to shortcut interface registration [Bernhard Posselt, 2015-07-18, 1 file, -0/+13]
| |   remove unused import
| |
| |   add since tag
| |
| |   fix typo
* | Return proper status code in case of a CORS exception [Lukas Reschke, 2015-07-20, 1 file, -0/+51]
|/
|   When returning a 500 statuscode external applications may interpret this as an error instead of handling this more gracefully. This will thus now return a 401.
|
|   Fixes https://github.com/owncloud/core/issues/17742
* Fixing 'Undefined index: REMOTE_ADDR' - fixes #17460 [Thomas Müller, 2015-07-16, 1 file, -4/+15]
|
* Check if response could get generated [Lukas Reschke, 2015-07-02, 1 file, -0/+11]
|   `json_encode` fails hard on PHP >= 5.5 if a non UTF-8 value is specified by returning false. Older PHP versions just nullify the value which makes it at least somewhat usable.
|
|   This leads to very confusing errors which are very hard to debug since developers are usually not aware of this.
|
|   In this case I'd consider throwing a fatal exception – since it arguably is an error situation – is a fair solution since this makes developers and administrators aware of any occurrence of the problem so that these bugs can get fixed.
|
|   Fixes https://github.com/owncloud/core/issues/17265