From 5a224ee0c92d1639395d6a0c629316ae64226125 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Fri, 24 Nov 2017 14:03:37 +0100
Subject: Implement anti csrf measures

This is done by using the "samesite" cookie attribute.
---
 src/tests/broken_conf_no_cookie_action.phpt | 9 ++++
 src/tests/broken_conf_no_cookie_name.phpt | 2 +-
 src/tests/broken_conf_samesite.phpt | 9 ++++
 src/tests/broken_conf_weird_keyword.phpt | 2 +-
 src/tests/config/broken_conf_cookie_action.ini | 1 +
 src/tests/config/broken_conf_cookie_samesite.ini | 1 +
 src/tests/config/broken_conf_line_empty_string.ini | 2 +-
 src/tests/config/broken_conf_line_no_closing.ini | 2 +-
 src/tests/config/broken_conf_lots_of_quotes.ini | 2 +-
 src/tests/config/broken_conf_wrong_quotes.ini | 2 +-
 src/tests/config/config_encrypted_cookies.ini | 2 +-
 .../config/config_encrypted_cookies_empty_env.ini | 2 +-
 .../config/config_encrypted_cookies_noname.ini | 2 +-
 src/tests/config/config_samesite_cookies.ini | 5 ++
 src/tests/config/encrypt_cookies_no_env.ini | 2 +-
 src/tests/config/encrypt_cookies_no_key.ini | 2 +-
 src/tests/samesite_cookies.phpt | 61 ++++++++++++++++++++++
 17 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 src/tests/broken_conf_no_cookie_action.phpt
 create mode 100644 src/tests/broken_conf_samesite.phpt
 create mode 100644 src/tests/config/broken_conf_cookie_action.ini
 create mode 100644 src/tests/config/broken_conf_cookie_samesite.ini
 create mode 100644 src/tests/config/config_samesite_cookies.ini
 create mode 100644 src/tests/samesite_cookies.phpt
(limited to 'src/tests')
diff --git a/src/tests/broken_conf_no_cookie_action.phpt b/src/tests/broken_conf_no_cookie_action.phpt
new file mode 100644
index 0000000..49be31e
--- /dev/null
+++ b/src/tests/broken_conf_no_cookie_action.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bad config, invalid action.
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_cookie_action.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] You must specify a at least one action to a cookie on line 1.
diff --git a/src/tests/broken_conf_no_cookie_name.phpt b/src/tests/broken_conf_no_cookie_name.phpt
index feaf6ca..4616f12 100644
--- a/src/tests/broken_conf_no_cookie_name.phpt
+++ b/src/tests/broken_conf_no_cookie_name.phpt
@@ -6,4 +6,4 @@ Borken configuration - encrypted cookie with no name
 sp.configuration_file={PWD}/config/config_encrypted_cookies_noname.ini
 --FILE--
 --EXPECT--
-[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name to encrypt on line 2.
+[snuffleupagus][0.0.0.0][config][error] You must specify a cookie name on line 2.
diff --git a/src/tests/broken_conf_samesite.phpt b/src/tests/broken_conf_samesite.phpt
new file mode 100644
index 0000000..26e525c
--- /dev/null
+++ b/src/tests/broken_conf_samesite.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bad config, invalid samesite type.
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/broken_conf_cookie_samesite.ini
+--FILE--
+--EXPECT--
+[snuffleupagus][0.0.0.0][config][error] nop is an invalid value to samesite (expected Lax or Strict) on line 1.
diff --git a/src/tests/broken_conf_weird_keyword.phpt b/src/tests/broken_conf_weird_keyword.phpt
index 17de7fe..464800a 100644
--- a/src/tests/broken_conf_weird_keyword.phpt
+++ b/src/tests/broken_conf_weird_keyword.phpt
@@ -6,4 +6,4 @@ Bad config, unknown keyword
 sp.configuration_file={PWD}/config/broken_conf_weird_keyword.ini
 --FILE--
 --EXPECT--
-[snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1.
\ No newline at end of file
+[snuffleupagus][0.0.0.0][config][error] Trailing chars '.not_a_valid_keyword("test");' at the end of '.enable().not_a_valid_keyword("test");' on line 1.
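Review bot: The expected error text on the last line of the broken_conf_no_cookie_action.phpt hunk pins a grammatical slip, `You must specify a at least one action to a cookie`; the string comes from the extension itself, so the expectation here and the source message should be corrected together, e.g. to `You must specify at least one action for a cookie on line 1.`. The broken_conf_samesite.phpt hunk further along this line has the same kind of issue, where `nop is an invalid value to samesite (expected Lax or Strict)` reads better as `nop is an invalid value for samesite (expected Lax or Strict)`. That expectation also names the values in canonical case while config_samesite_cookies.ini feeds `strict` and `STRICT`, so a sentence in the `--TEST--` description saying the keyword is presumably matched case-insensitively would help a reader of the test; this chunk cannot confirm how the extension compares them.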
diff --git a/src/tests/config/broken_conf_cookie_action.ini b/src/tests/config/broken_conf_cookie_action.ini
new file mode 100644
index 0000000..5f07c28
--- /dev/null
+++ b/src/tests/config/broken_conf_cookie_action.ini
@@ -0,0 +1 @@
+sp.cookie.name("my_cookie_name");
diff --git a/src/tests/config/broken_conf_cookie_samesite.ini b/src/tests/config/broken_conf_cookie_samesite.ini
new file mode 100644
index 0000000..acc4aa0
--- /dev/null
+++ b/src/tests/config/broken_conf_cookie_samesite.ini
@@ -0,0 +1 @@
+sp.cookie.name("my_cookie_name").samesite("nop");
diff --git a/src/tests/config/broken_conf_line_empty_string.ini b/src/tests/config/broken_conf_line_empty_string.ini
index c130384..dfa5520 100644
--- a/src/tests/config/broken_conf_line_empty_string.ini
+++ b/src/tests/config/broken_conf_line_empty_string.ini
@@ -1 +1 @@
-sp.cookie_encryption.cookie(
+sp.cookie.name(
diff --git a/src/tests/config/broken_conf_line_no_closing.ini b/src/tests/config/broken_conf_line_no_closing.ini
index 24dc3f0..6a8c922 100644
--- a/src/tests/config/broken_conf_line_no_closing.ini
+++ b/src/tests/config/broken_conf_line_no_closing.ini
@@ -1 +1 @@
-sp.cookie_encryption.cookie("123"
+sp.cookie.name("123"
diff --git a/src/tests/config/broken_conf_lots_of_quotes.ini b/src/tests/config/broken_conf_lots_of_quotes.ini
index 310bce5..189a10d 100644
--- a/src/tests/config/broken_conf_lots_of_quotes.ini
+++ b/src/tests/config/broken_conf_lots_of_quotes.ini
@@ -1 +1 @@
-sp.cookie_encryption.cookie("this\"is a weird\"\"\"cookie\"name"");
+sp.cookie.name("this\"is a weird\"\"\"cookie\"name"");
diff --git a/src/tests/config/broken_conf_wrong_quotes.ini b/src/tests/config/broken_conf_wrong_quotes.ini
index 1c13e96..ff41f93 100644
--- a/src/tests/config/broken_conf_wrong_quotes.ini
+++ b/src/tests/config/broken_conf_wrong_quotes.ini
@@ -1 +1 @@
-sp.cookie_encryption.cookie("\)
+sp.cookie.name("\)
diff --git a/src/tests/config/config_encrypted_cookies.ini b/src/tests/config/config_encrypted_cookies.ini
index 977d27f..4b50440 100644
--- a/src/tests/config/config_encrypted_cookies.ini
+++ b/src/tests/config/config_encrypted_cookies.ini
@@ -1,3 +1,3 @@
 sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
-sp.cookie_encryption.cookie("super_cookie");
+sp.cookie.name("super_cookie").encrypt();
 sp.auto_cookie_secure.enable();
diff --git a/src/tests/config/config_encrypted_cookies_empty_env.ini b/src/tests/config/config_encrypted_cookies_empty_env.ini
index ac1f840..8c7c779 100644
--- a/src/tests/config/config_encrypted_cookies_empty_env.ini
+++ b/src/tests/config/config_encrypted_cookies_empty_env.ini
@@ -1,2 +1,2 @@
 sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
-sp.cookie_encryption.cookie("super_cookie");
+sp.cookie.name("super_cookie").encrypt();
diff --git a/src/tests/config/config_encrypted_cookies_noname.ini b/src/tests/config/config_encrypted_cookies_noname.ini
index 27773e3..048e404 100644
--- a/src/tests/config/config_encrypted_cookies_noname.ini
+++ b/src/tests/config/config_encrypted_cookies_noname.ini
@@ -1,3 +1,3 @@
 sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
-sp.cookie_encryption.cookie("");
+sp.cookie.name("").encrypt();
 sp.auto_cookie_secure.enable();
diff --git a/src/tests/config/config_samesite_cookies.ini b/src/tests/config/config_samesite_cookies.ini
new file mode 100644
index 0000000..9fb5f25
--- /dev/null
+++ b/src/tests/config/config_samesite_cookies.ini
@@ -0,0 +1,5 @@
+sp.global.secret_key("abcdef").cookie_env_var("REMOTE_ADDR");
+sp.cookie.name("super_cookie").samesite("Lax");
+sp.cookie.name("awful_cookie").samesite("strict").encrypt();
+sp.cookie.name("nice_cookie").samesite("STRICT");
+sp.auto_cookie_secure.enable();
diff --git a/src/tests/config/encrypt_cookies_no_env.ini b/src/tests/config/encrypt_cookies_no_env.ini
index 9e1c025..845bd02 100644
--- a/src/tests/config/encrypt_cookies_no_env.ini
+++ b/src/tests/config/encrypt_cookies_no_env.ini
@@ -1,2 +1,2 @@
 sp.global.secret_key("abcdef");
-sp.cookie_encryption.cookie("super_cookie");
+sp.cookie.name("super_cookie").encrypt();
diff --git a/src/tests/config/encrypt_cookies_no_key.ini b/src/tests/config/encrypt_cookies_no_key.ini
index 1b5cf83..a585e12 100644
--- a/src/tests/config/encrypt_cookies_no_key.ini
+++ b/src/tests/config/encrypt_cookies_no_key.ini
@@ -1,2 +1,2 @@
 sp.global.cookie_env_var("TEST");
-sp.cookie_encryption.cookie("super_cookie");
+sp.cookie.name("super_cookie").encrypt();
diff --git a/src/tests/samesite_cookies.phpt b/src/tests/samesite_cookies.phpt
new file mode 100644
index 0000000..70fe10c
--- /dev/null
+++ b/src/tests/samesite_cookies.phpt
@@ -0,0 +1,61 @@
+--TEST--
+Cookie samesite
+--SKIPIF--
+
+--INI--
+sp.configuration_file={PWD}/config/config_samesite_cookies.ini
+--COOKIE--
+super_cookie=if_there_is_no_cookie_here_there_is_no_header_list
+--ENV--
+return << count($headers))
+{
+ echo "Fewer headers are being sent than expected - aborting";
+ return;
+}
+
+do
+{
+ if (strncmp(current($headers), 'Set-Cookie:', 11) !== 0)
+ {
+ continue;
+ }
+
+ if (current($headers) === current($expected))
+ {
+ $i--;
+ }
+ else
+ {
+ echo "Header mismatch:\n\tExpected: "
+ .current($expected)
+ ."\n\tReceived: ".current($headers)."\n";
+ }
+
+ next($expected);
+}
+while (next($headers) !== FALSE);
+
+echo ($i === 0)
+ ? 'OK'
+ : 'A total of '.$i.' errors found.';
+?>
+--EXPECT--
+OK
-- cgit v1.3
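Review bot: The header-walking loop at the end of the samesite_cookies.phpt hunk drives both arrays through `current()`/`next()` and terminates on `next($headers) !== FALSE`, so its correctness rests on PHP's internal array pointers and on no header value ever being falsy; a `foreach` over `$headers` that shifts the next expectation off `$expected` reads more plainly and can count an expectation that was never sent, which the closing `$i === 0` check only implies. The guard above it compares against `count($headers)`, i.e. every response header rather than only the `Set-Cookie:` ones, so it does not by itself establish that enough cookie headers arrived; the rewrite below folds that into the final tally instead. Part of the `--FILE--` section (the `--ENV--` heredoc, the cookie-setting calls and the `$expected` list) is not legible in this rendering, so what the comparison is fed is taken on trust here. Because `===` is applied to whole `Set-Cookie:` lines, attribute order and spelling (`SameSite=...`, `Secure`) are pinned exactly; a one-line comment such as `// whole-line compare: attribute order and case are part of the contract` would tell a future maintainer that a mismatch there is meant to fail the test.
```php
// … unchanged: --ENV-- block, cookie setup, $expected and $headers = headers_list() …
$errors = 0;
foreach ($headers as $header)
{
    if (strncmp($header, 'Set-Cookie:', 11) !== 0)
    {
        continue;
    }

    // whole-line compare: attribute order and case are part of the contract
    $want = array_shift($expected);
    if ($header !== $want)
    {
        $errors++;
        echo "Header mismatch:\n\tExpected: ".$want."\n\tReceived: ".$header."\n";
    }
}

// Anything still queued in $expected was never emitted at all.
$errors += count($expected);

echo ($errors === 0)
    ? 'OK'
    : 'A total of '.$errors.' errors found.';
// … unchanged: closing tag and --EXPECT-- section …
```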