diff options
| author | xXx-caillou-xXx | 2017-11-24 14:03:37 +0100 |
|---|---|---|
| committer | jvoisin | 2017-11-24 14:03:37 +0100 |
| commit | 5a224ee0c92d1639395d6a0c629316ae64226125 (patch) | |
| tree | 8925d27e2bbfa877e9fb1fc20868fbef3d009b04 /src/tests | |
| parent | 79304a29661476dc75bba07c5a83133122bbcb5c (diff) | |
Implement anti csrf measures
This is done by using the "samesite" cookie attribute.
Diffstat (limited to 'src/tests')
| -rw-r--r-- | src/tests/broken_conf_no_cookie_action.phpt | 9 | ||||
| -rw-r--r-- | src/tests/broken_conf_no_cookie_name.phpt | 2 | ||||
| -rw-r--r-- | src/tests/broken_conf_samesite.phpt | 9 | ||||
| -rw-r--r-- | src/tests/broken_conf_weird_keyword.phpt | 2 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_cookie_action.ini | 1 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_cookie_samesite.ini | 1 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_line_empty_string.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_line_no_closing.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_lots_of_quotes.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/broken_conf_wrong_quotes.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/config_encrypted_cookies.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/config_encrypted_cookies_empty_env.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/config_encrypted_cookies_noname.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/config_samesite_cookies.ini | 5 | ||||
| -rw-r--r-- | src/tests/config/encrypt_cookies_no_env.ini | 2 | ||||
| -rw-r--r-- | src/tests/config/encrypt_cookies_no_key.ini | 2 | ||||
| -rw-r--r-- | src/tests/samesite_cookies.phpt | 61 |
17 files changed, 97 insertions, 11 deletions
diff --git a/src/tests/broken_conf_no_cookie_action.phpt b/src/tests/broken_conf_no_cookie_action.phpt new file mode 100644 index 0000000..49be31e --- /dev/null +++ b/src/tests/broken_conf_no_cookie_action.phpt | |||
| @@ -0,0 +1,9 @@ | |||
| 1 | --TEST-- | ||
| 2 | Bad config, invalid action. | ||
| 3 | --SKIPIF-- | ||
| 4 | <?php if (!extension_loaded("snuffleupagus")) print "skip"; ?> | ||
| 5 | --INI-- | ||
| 6 | sp.configuration_file={PWD}/config/broken_conf_cookie_action.ini | ||
| 7 | --FILE-- | ||
| 8 | --EXPECT-- | ||
| 9 | [snuffleupagus][0.0.0.0][config][error] You must specify a at least one action to a cookie on line 1. | ||
diff --git a/src/tests/broken_conf_no_cookie_name.phpt b/src/tests/broken_conf_no_cookie_name.phpt index feaf6ca..4616f12 100644 --- a/src/tests/broken_conf_no_cookie_name.phpt +++ b/src/tests/broken_conf_no_cookie_name.phpt | |||
| @@ -6,4 +6,4 @@ Borken configuration - encrypted cookie with no name | |||
| 6 | sp.configuration_file={PWD}/config/config_encrypted_cookies_noname.ini | 6 | sp.configuration_file={PWD}/config/config_encrypted_cookies_noname.ini |
| 7 | --FILE-- | 7 | --FILE-- |
| 8 | --EXPECT-- | 8 | --EXPECT-- |
| 9 | [snuffleupagus][0.0.0.0][config][error] You must specify a cookie name to encrypt on line 2. | 9 | [snuffleupagus][0.0.0.0][config][error] You must specify a cookie name on line 2. |
diff --git a/src/tests/broken_conf_samesite.phpt b/src/tests/broken_conf_samesite.phpt new file mode 100644 index 0000000..26e525c --- /dev/null +++ b/src/tests/broken_conf_samesite.phpt | |||
| @@ -0,0 +1,9 @@ | |||
| 1 | --TEST-- | ||
| 2 | Bad config, invalid samesite type. | ||
| 3 | --SKIPIF-- | ||
| 4 | <?php if (!extension_loaded("snuffleupagus")) print "skip"; ?> | ||
| 5 | --INI-- | ||
| 6 | sp.configuration_file={PWD}/config/broken_conf_cookie_samesite.ini | ||
| 7 | --FILE-- | ||
| 8 | --EXPECT-- | ||
| 9 | [snuffleupagus][0.0.0.0][config][error] nop is an invalid value to samesite (expected Lax or Strict) on line 1. | ||
diff --git a/src/tests/broken_conf_weird_keyword.phpt b/src/tests/broken_conf_weird_keyword.phpt index 17de7fe..464800a 100644 --- a/src/tests/broken_conf_weird_keyword.phpt +++ b/src/tests/broken_conf_weird_keyword.phpt | |||
| @@ -6,4 +6,4 @@ Bad config, unknown keyword | |||
| 6 | sp.configuration_file={PWD}/config/broken_conf_weird_keyword.ini | 6 | sp.configuration_file={PWD}/config/broken_conf_weird_keyword.ini |
| 7 | --FILE-- | 7 | --FILE-- |
| 8 | --EXPECT-- | 8 | --EXPECT-- |
| 9 | [snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1. \ No newline at end of file | 9 | [snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1. |
diff --git a/src/tests/config/broken_conf_cookie_action.ini b/src/tests/config/broken_conf_cookie_action.ini new file mode 100644 index 0000000..5f07c28 --- /dev/null +++ b/src/tests/config/broken_conf_cookie_action.ini | |||
| @@ -0,0 +1 @@ | |||
| sp.cookie.name("my_cookie_name"); | |||
diff --git a/src/tests/config/broken_conf_cookie_samesite.ini b/src/tests/config/broken_conf_cookie_samesite.ini new file mode 100644 index 0000000..acc4aa0 --- /dev/null +++ b/src/tests/config/broken_conf_cookie_samesite.ini | |||
| @@ -0,0 +1 @@ | |||
| sp.cookie.name("my_cookie_name").samesite("nop"); | |||
diff --git a/src/tests/config/broken_conf_line_empty_string.ini b/src/tests/config/broken_conf_line_empty_string.ini index c130384..dfa5520 100644 --- a/src/tests/config/broken_conf_line_empty_string.ini +++ b/src/tests/config/broken_conf_line_empty_string.ini | |||
| @@ -1 +1 @@ | |||
| sp.cookie_encryption.cookie( | sp.cookie.name( | ||
diff --git a/src/tests/config/broken_conf_line_no_closing.ini b/src/tests/config/broken_conf_line_no_closing.ini index 24dc3f0..6a8c922 100644 --- a/src/tests/config/broken_conf_line_no_closing.ini +++ b/src/tests/config/broken_conf_line_no_closing.ini | |||
| @@ -1 +1 @@ | |||
| sp.cookie_encryption.cookie("123" | sp.cookie.name("123" | ||
diff --git a/src/tests/config/broken_conf_lots_of_quotes.ini b/src/tests/config/broken_conf_lots_of_quotes.ini index 310bce5..189a10d 100644 --- a/src/tests/config/broken_conf_lots_of_quotes.ini +++ b/src/tests/config/broken_conf_lots_of_quotes.ini | |||
| @@ -1 +1 @@ | |||
| sp.cookie_encryption.cookie("this\"is a weird\"\"\"cookie\"name""); | sp.cookie.name("this\"is a weird\"\"\"cookie\"name""); | ||
diff --git a/src/tests/config/broken_conf_wrong_quotes.ini b/src/tests/config/broken_conf_wrong_quotes.ini index 1c13e96..ff41f93 100644 --- a/src/tests/config/broken_conf_wrong_quotes.ini +++ b/src/tests/config/broken_conf_wrong_quotes.ini | |||
| @@ -1 +1 @@ | |||
| sp.cookie_encryption.cookie("\) | sp.cookie.name("\) | ||
diff --git a/src/tests/config/config_encrypted_cookies.ini b/src/tests/config/config_encrypted_cookies.ini index 977d27f..4b50440 100644 --- a/src/tests/config/config_encrypted_cookies.ini +++ b/src/tests/config/config_encrypted_cookies.ini | |||
| @@ -1,3 +1,3 @@ | |||
| 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); | 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); |
| 2 | sp.cookie_encryption.cookie("super_cookie"); | 2 | sp.cookie.name("super_cookie").encrypt(); |
| 3 | sp.auto_cookie_secure.enable(); | 3 | sp.auto_cookie_secure.enable(); |
diff --git a/src/tests/config/config_encrypted_cookies_empty_env.ini b/src/tests/config/config_encrypted_cookies_empty_env.ini index ac1f840..8c7c779 100644 --- a/src/tests/config/config_encrypted_cookies_empty_env.ini +++ b/src/tests/config/config_encrypted_cookies_empty_env.ini | |||
| @@ -1,2 +1,2 @@ | |||
| 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); | 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); |
| 2 | sp.cookie_encryption.cookie("super_cookie"); | 2 | sp.cookie.name("super_cookie").encrypt(); |
diff --git a/src/tests/config/config_encrypted_cookies_noname.ini b/src/tests/config/config_encrypted_cookies_noname.ini index 27773e3..048e404 100644 --- a/src/tests/config/config_encrypted_cookies_noname.ini +++ b/src/tests/config/config_encrypted_cookies_noname.ini | |||
| @@ -1,3 +1,3 @@ | |||
| 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); | 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); |
| 2 | sp.cookie_encryption.cookie(""); | 2 | sp.cookie.name("").encrypt(); |
| 3 | sp.auto_cookie_secure.enable(); | 3 | sp.auto_cookie_secure.enable(); |
diff --git a/src/tests/config/config_samesite_cookies.ini b/src/tests/config/config_samesite_cookies.ini new file mode 100644 index 0000000..9fb5f25 --- /dev/null +++ b/src/tests/config/config_samesite_cookies.ini | |||
| @@ -0,0 +1,5 @@ | |||
| 1 | sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR"); | ||
| 2 | sp.cookie.name("super_cookie").samesite("Lax"); | ||
| 3 | sp.cookie.name("awful_cookie").samesite("strict").encrypt(); | ||
| 4 | sp.cookie.name("nice_cookie").samesite("STRICT"); | ||
| 5 | sp.auto_cookie_secure.enable(); | ||
diff --git a/src/tests/config/encrypt_cookies_no_env.ini b/src/tests/config/encrypt_cookies_no_env.ini index 9e1c025..845bd02 100644 --- a/src/tests/config/encrypt_cookies_no_env.ini +++ b/src/tests/config/encrypt_cookies_no_env.ini | |||
| @@ -1,2 +1,2 @@ | |||
| 1 | sp.global.secret_key("abcdef"); | 1 | sp.global.secret_key("abcdef"); |
| 2 | sp.cookie_encryption.cookie("super_cookie"); | 2 | sp.cookie.name("super_cookie").encrypt(); |
diff --git a/src/tests/config/encrypt_cookies_no_key.ini b/src/tests/config/encrypt_cookies_no_key.ini index 1b5cf83..a585e12 100644 --- a/src/tests/config/encrypt_cookies_no_key.ini +++ b/src/tests/config/encrypt_cookies_no_key.ini | |||
| @@ -1,2 +1,2 @@ | |||
| 1 | sp.global.cookie_env_var("TEST"); | 1 | sp.global.cookie_env_var("TEST"); |
| 2 | sp.cookie_encryption.cookie("super_cookie"); | 2 | sp.cookie.name("super_cookie").encrypt(); |
diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt new file mode 100644 index 0000000..70fe10c --- /dev/null +++ b/src/tests/samesite_cookies.phpt | |||
| @@ -0,0 +1,61 @@ | |||
| 1 | --TEST-- | ||
| 2 | Cookie samesite | ||
| 3 | --SKIPIF-- | ||
| 4 | <?php if (!extension_loaded("snuffleupagus")) die "skip"; ?> | ||
| 5 | --INI-- | ||
| 6 | sp.configuration_file={PWD}/config/config_samesite_cookies.ini | ||
| 7 | --COOKIE-- | ||
| 8 | super_cookie=if_there_is_no_cookie_here_there_is_no_header_list | ||
| 9 | --ENV-- | ||
| 10 | return <<<EOF | ||
| 11 | REMOTE_ADDR=2001:0db8:0000:0000:0000:fe00:0042:8329 | ||
| 12 | HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/59.0.3071.109 Chrome/59.0.3071.109 Safari/537.36 | ||
| 13 | HTTPS=1 | ||
| 14 | EOF; | ||
| 15 | --FILE-- | ||
| 16 | <?php | ||
| 17 | setcookie("super_cookie", "super_value"); | ||
| 18 | setcookie("awful_cookie", "awful_value"); | ||
| 19 | setcookie("nice_cookie", "nice_value", 1, "1", "1", true, true); | ||
| 20 | |||
| 21 | $expected = array( | ||
| 22 | 'Set-Cookie: super_cookie=super_value; path=; samesite=Lax', | ||
| 23 | 'Set-Cookie: awful_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFyZcYjfEskB0AU0V3%2BvwazcRuU%2Ft6KpcUahvxw%3D; path=; samesite=Strict; HttpOnly', | ||
| 24 | 'Set-Cookie: nice_cookie=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJ8ko%2ByA4y%2Bmw5MGBx8fgc3TWOAvhIu%2BfF%2Bx2g%3D%3D; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=1; samesite=Strict; domain=1; secure; HttpOnly', | ||
| 25 | ); | ||
| 26 | |||
| 27 | $headers = headers_list(); | ||
| 28 | if (($i = count($expected)) > count($headers)) | ||
| 29 | { | ||
| 30 | echo "Fewer headers are being sent than expected - aborting"; | ||
| 31 | return; | ||
| 32 | } | ||
| 33 | |||
| 34 | do | ||
| 35 | { | ||
| 36 | if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0) | ||
| 37 | { | ||
| 38 | continue; | ||
| 39 | } | ||
| 40 | |||
| 41 | if (current($headers) === current($expected)) | ||
| 42 | { | ||
| 43 | $i--; | ||
| 44 | } | ||
| 45 | else | ||
| 46 | { | ||
| 47 | echo "Header mismatch:\n\tExpected: " | ||
| 48 | .current($expected) | ||
| 49 | ."\n\tReceived: ".current($headers)."\n"; | ||
| 50 | } | ||
| 51 | |||
| 52 | next($expected); | ||
| 53 | } | ||
| 54 | while (next($headers) !== FALSE); | ||
| 55 | |||
| 56 | echo ($i === 0) | ||
| 57 | ? 'OK' | ||
| 58 | : 'A total of '.$i.' errors found.'; | ||
| 59 | ?> | ||
| 60 | --EXPECT-- | ||
| 61 | OK | ||