extending test cases to reproduce the issue from #396, causing the existing logic to now fail the tests

This commit is contained in:
El RIDO 2019-01-20 11:05:34 +01:00
parent 6bb599c81f
commit cc53d95ed1
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
3 changed files with 92 additions and 26 deletions

View File

@ -24,7 +24,9 @@ require('./privatebin');
// internal variables // internal variables
var a2zString = ['a','b','c','d','e','f','g','h','i','j','k','l','m', var a2zString = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
'n','o','p','q','r','s','t','u','v','w','x','y','z'], 'n','o','p','q','r','s','t','u','v','w','x','y','z'],
alnumString = a2zString.concat(['0','1','2','3','4','5','6','7','8','9']), digitString = ['0','1','2','3','4','5','6','7','8','9'],
alnumString = a2zString.concat(digitString),
hexString = digitString.concat(['a','b','c','d','e','f']),
queryString = alnumString.concat(['+','%','&','.','*','-','_']), queryString = alnumString.concat(['+','%','&','.','*','-','_']),
hashString = queryString.concat(['!']), hashString = queryString.concat(['!']),
base64String = alnumString.concat(['+','/','=']).concat( base64String = alnumString.concat(['+','/','=']).concat(
@ -123,6 +125,11 @@ exports.jscAlnumString = function() {
return jsc.elements(alnumString); return jsc.elements(alnumString);
}; };
//provides random characters allowed in hexadecimal notation
exports.jscHexString = function() {
return jsc.elements(hexString);
};
// provides random characters allowed in GET queries // provides random characters allowed in GET queries
exports.jscQueryString = function() { exports.jscQueryString = function() {
return jsc.elements(queryString); return jsc.elements(queryString);

View File

@ -81,10 +81,15 @@ describe('Model', function () {
'returns the query string without separator, if any', 'returns the query string without separator, if any',
jsc.nearray(common.jscA2zString()), jsc.nearray(common.jscA2zString()),
jsc.nearray(common.jscA2zString()), jsc.nearray(common.jscA2zString()),
jsc.nearray(common.jscHashString()), jsc.tuple(new Array(16).fill(common.jscHexString)),
jsc.array(common.jscQueryString()),
jsc.array(common.jscQueryString()),
'string', 'string',
function (schema, address, query, fragment) { function (schema, address, pasteId, queryStart, queryEnd, fragment) {
var queryString = query.join(''), var pasteIdString = pasteId.join(''),
queryStartString = queryStart.join('') + (queryStart.length > 0 ? '&' : ''),
queryEndString = (queryEnd.length > 0 ? '&' : '') + queryEnd.join(''),
queryString = queryStartString + pasteIdString + queryEndString,
clean = jsdom('', { clean = jsdom('', {
url: schema.join('') + '://' + address.join('') + url: schema.join('') + '://' + address.join('') +
'/?' + queryString + '#' + fragment '/?' + queryString + '#' + fragment
@ -92,7 +97,7 @@ describe('Model', function () {
result = $.PrivateBin.Model.getPasteId(); result = $.PrivateBin.Model.getPasteId();
$.PrivateBin.Model.reset(); $.PrivateBin.Model.reset();
clean(); clean();
return queryString === result; return pasteIdString === result;
} }
); );
jsc.property( jsc.property(

View File

@ -21,6 +21,36 @@ class RequestTest extends PHPUnit_Framework_TestCase
$_POST = array(); $_POST = array();
} }
/**
* Returns 16 random hexadecimal characters.
*
* @access public
* @return string
*/
public function getRandomId()
{
// 8 binary bytes are 16 characters long in hex
return bin2hex(random_bytes(8));
}
/**
* Returns random query safe characters.
*
* @access public
* @return string
*/
public function getRandomQueryChars()
{
$queryChars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=';
$queryCharCount = strlen($queryChars) - 1;
$resultLength = random_int(1, 10);
$result = '';
for ($i = 0; $i < $resultLength; ++$i) {
$result .= $queryChars[random_int(0, $queryCharCount)];
}
return $result;
}
public function testView() public function testView()
{ {
$this->reset(); $this->reset();
@ -33,24 +63,26 @@ class RequestTest extends PHPUnit_Framework_TestCase
public function testRead() public function testRead()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call'); $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testDelete() public function testDelete()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_GET['pasteid'] = 'foo'; $_GET['pasteid'] = $id;
$_GET['deletetoken'] = 'bar'; $_GET['deletetoken'] = 'bar';
$request = new Request; $request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call'); $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('delete', $request->getOperation()); $this->assertEquals('delete', $request->getOperation());
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('bar', $request->getParam('deletetoken')); $this->assertEquals('bar', $request->getParam('deletetoken'));
} }
@ -84,74 +116,96 @@ class RequestTest extends PHPUnit_Framework_TestCase
public function testApiRead() public function testApiRead()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01'; $_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call'); $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testApiDelete() public function testApiDelete()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'POST'; $_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest'; $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$_POST['deletetoken'] = 'bar'; $_POST['deletetoken'] = 'bar';
$request = new Request; $request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call'); $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
$this->assertEquals('delete', $request->getOperation()); $this->assertEquals('delete', $request->getOperation());
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('bar', $request->getParam('deletetoken')); $this->assertEquals('bar', $request->getParam('deletetoken'));
} }
public function testReadWithNegotiation() public function testReadWithNegotiation()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json'; $_SERVER['HTTP_ACCEPT'] = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call'); $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testReadWithXhtmlNegotiation() public function testReadWithXhtmlNegotiation()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json'; $_SERVER['HTTP_ACCEPT'] = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call'); $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testApiReadWithNegotiation() public function testApiReadWithNegotiation()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8'; $_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call'); $this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testReadWithFailedNegotiation() public function testReadWithFailedNegotiation()
{ {
$this->reset(); $this->reset();
$id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET'; $_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8'; $_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8';
$_SERVER['QUERY_STRING'] = 'foo'; $_SERVER['QUERY_STRING'] = $id;
$request = new Request; $request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call'); $this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('foo', $request->getParam('pasteid')); $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation()); $this->assertEquals('read', $request->getOperation());
} }
public function testPasteIdExtraction()
{
$this->reset();
$id = $this->getRandomId();
$queryParams = array($id);
$queryParamCount = random_int(1, 5);
for ($i = 0; $i < $queryParamCount; ++$i) {
array_push($queryParams, $this->getRandomQueryChars());
}
shuffle($queryParams);
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['QUERY_STRING'] = implode('&', $queryParams);
$request = new Request;
$this->assertEquals($id, $request->getParam('pasteid'));
}
} }