From 5fc715a9e2d2284751b46a928ab402ec28c7ca08 Mon Sep 17 00:00:00 2001
From: Ferdinand Thiessen
Date: Fri, 6 Sep 2024 14:39:32 +0200
Subject: fix: Adjust unit tests and protect against XSS
Signed-off-by: Ferdinand Thiessen
---
 .../Sabre/BlockLegacyClientPluginTest.php | 54 ++++++++++++++++++----
 1 file changed, 45 insertions(+), 9 deletions(-)
(limited to 'apps/dav/tests')
diff --git a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
index ff928d46a35..c44f52ec713 100644
--- a/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/BlockLegacyClientPluginTest.php
@@ -10,6 +10,7 @@ declare(strict_types=1);
 namespace OCA\DAV\Tests\unit\Connector\Sabre;
 use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
+use OCA\Theming\ThemingDefaults;
 use OCP\IConfig;
 use PHPUnit\Framework\MockObject\MockObject;
 use Sabre\HTTP\RequestInterface;
@@ -21,19 +22,23 @@ use Test\TestCase;
 * @package OCA\DAV\Tests\unit\Connector\Sabre
 */
 class BlockLegacyClientPluginTest extends TestCase {
- /** @var IConfig|MockObject */
- private $config;
- /** @var BlockLegacyClientPlugin */
- private $blockLegacyClientVersionPlugin;
+
+ private IConfig&MockObject $config;
+ private ThemingDefaults&MockObject $themingDefaults;
+ private BlockLegacyClientPlugin $blockLegacyClientVersionPlugin;
 protected function setUp(): void {
 parent::setUp();
 $this->config = $this->createMock(IConfig::class);
- $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin($this->config);
+ $this->themingDefaults = $this->createMock(ThemingDefaults::class);
+ $this->blockLegacyClientVersionPlugin = new BlockLegacyClientPlugin(
+ $this->config,
+ $this->themingDefaults,
+ );
 }
- public function oldDesktopClientProvider(): array {
+ public static function oldDesktopClientProvider(): array {
 return [
 ['Mozilla/5.0 (Windows) mirall/1.5.0'],
 ['Mozilla/5.0 (Bogus Text) mirall/1.6.9'],
@@ -46,10 +51,9 @@ class BlockLegacyClientPluginTest extends TestCase {
 public function testBeforeHandlerException(string $userAgent): void {
 $this->expectException(\Sabre\DAV\Exception\Forbidden::class);
- $this->config
+ $this->themingDefaults
 ->expects($this->once())
- ->method('getSystemValue')
- ->with('customclient_desktop', 'https://nextcloud.com/install/#install-clients')
+ ->method('getSyncClientUrl')
 ->willReturn('https://nextcloud.com/install/#install-clients');
 $this->config
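Review bot: `oldDesktopClientProvider` becomes static in this hunk, but `newAndAlternateDesktopClientProvider` (visible as context in the last hunk) is left as an instance method, so the class now mixes both forms; PHPUnit 10 only accepts static data providers, so the second one should get the same treatment in this commit, `public static function newAndAlternateDesktopClientProvider(): array {`. The class body continues outside this hunk.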
@@ -72,6 +76,38 @@ class BlockLegacyClientPluginTest extends TestCase {
 $this->blockLegacyClientVersionPlugin->beforeHandler($request);
 }
+ /**
+ * Ensure that there is no room for XSS attack through configured URL / version
+ * @dataProvider oldDesktopClientProvider
+ */
+ public function testBeforeHandlerExceptionPreventXSSAttack(string $userAgent): void {
+ $this->expectException(\Sabre\DAV\Exception\Forbidden::class);
+
+ $this->themingDefaults
+ ->expects($this->once())
+ ->method('getSyncClientUrl')
+ ->willReturn('https://example.com">');
+
+ $this->config
+ ->expects($this->once())
+ ->method('getSystemValue')
+ ->with('minimum.supported.desktop.version', '2.3.0')
+ ->willReturn('1.7.0 ');
+
+ $this->expectExceptionMessage('This version of the client is unsupported. Upgrade to version 1.7.0 <script>alert("unsafe")</script> or later.');
+
+ /** @var RequestInterface|MockObject $request */
+ $request = $this->createMock('\Sabre\HTTP\RequestInterface');
+ $request
+ ->expects($this->once())
+ ->method('getHeader')
+ ->with('User-Agent')
+ ->willReturn($userAgent);
+
+
+ $this->blockLegacyClientVersionPlugin->beforeHandler($request);
+ }
+
 public function newAndAlternateDesktopClientProvider(): array {
 return [
 ['Mozilla/5.0 (Windows) mirall/1.7.0'],
--
cgit v1.2.3
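Review bot: The string passed to `expectExceptionMessage` contains a raw `<script>alert("unsafe")</script>`, which as shown makes the test pass only if the configured version reaches the exception message unescaped — the opposite of what the docblock claims; the stubbed version on the `willReturn('1.7.0 ')` line also looks truncated, so this is probably an artifact of how the page renders tags, but the expectation in the real file should be checked to contain the entity-escaped form (`&lt;script&gt;` … `&lt;/script&gt;`). The stubbed `getSyncClientUrl` value `https://example.com">` never appears in the expected message, and `expectExceptionMessage` is a substring match, so the "configured URL" half of the docblock is not verified by this test — either assert the escaped href if the plugin still emits a link, or narrow the docblock to the version string. Minor: `$this->createMock('\Sabre\HTTP\RequestInterface')` can use the imported `RequestInterface::class`, matching `IConfig::class` in setUp, and the double blank line before `beforeHandler($request)` should be a single one.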