    <?php
    /*
     * csrf_protection_test.php - unit tests for the Request class
     *
     * Copyright (c) 2011 mlunzena
     *
     * This program is free software; you can redistribute it and/or
     * modify it under the terms of the GNU General Public License as
     * published by the Free Software Foundation; either version 2 of
     * the License, or (at your option) any later version.
     */
    
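    class CSRFProtectionTokenTest extends \Codeception\Test\Unit
    {
        /**
         * Session contents found in setUp(), restored by tearDown() so the
         * surrounding test run is not affected by the tokens created here.
         *
         * Declared explicitly: dynamic properties are deprecated since PHP 8.2.
         *
         * @var mixed
         */
        private $original_session;

        public function setUp(): void
        {
            // CSRFProtection::token() keeps its state in the session, so a
            // session id has to exist before the first call.
            if (session_id() === '') {
                session_id('test-session');
            }
            $this->original_session = $_SESSION;
            // Every test starts from an empty session so that no token can
            // leak from one test method into the next.
            $_SESSION = [];
        }

        public function tearDown(): void
        {
            $_SESSION = $this->original_session;
        }

        /**
         * Requesting a token must persist exactly one entry in the session.
         */
        public function testTokenGeneration(): void
        {
            $this->assertCount(0, $_SESSION);
            CSRFProtection::token();
            $this->assertCount(1, $_SESSION);
        }

        /**
         * Repeated calls within the same session must return the identical
         * token; otherwise a form rendered earlier in the request could never
         * be validated.
         */
        public function testTokenIdentity(): void
        {
            $this->assertSame(CSRFProtection::token(), CSRFProtection::token());
        }

        /**
         * Tokens are bound to the session: a fresh session must produce a
         * different token, so a token obtained in one session is not valid
         * in another.
         */
        public function testTokenSessionDifference(): void
        {
            $token1 = CSRFProtection::token();

            $_SESSION = [];

            $token2 = CSRFProtection::token();

            $this->assertNotSame($token1, $token2);
        }

        public function testTokenIsAString(): void
        {
            $token = CSRFProtection::token();
            // assertInternalType() was deprecated in PHPUnit 8 and removed in
            // PHPUnit 9; assertIsString() is its replacement.
            $this->assertIsString($token);
        }

        /**
         * The markup returned by tokenTag() must carry the current session's
         * token verbatim.
         */
        public function testTokenTag(): void
        {
            $token = CSRFProtection::token();
            $this->assertStringContainsString($token, CSRFProtection::tokenTag());
        }
    }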
    
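    class CSRFRequestTest extends \Codeception\Test\Unit
    {
        /**
         * [$_SESSION, $_POST, $_SERVER] as found before the test; restored
         * in tearDown().
         *
         * Declared explicitly: dynamic properties are deprecated since PHP 8.2.
         *
         * @var array
         */
        private $original_state;

        /**
         * Token that is valid for the fresh session each test runs in.
         *
         * @var string
         */
        private $token;

        public function setUp(): void
        {
            // CSRFProtection::token() keeps its state in the session, so a
            // session id has to exist before the first call.
            if (session_id() === '') {
                session_id('test-session');
            }
            $this->original_state = [$_SESSION, $_POST, $_SERVER];
            $_SESSION = [];
            $_POST = [];
            $this->token = CSRFProtection::token();
            // No XHR marker unless a test sets one explicitly.
            $_SERVER['HTTP_X_REQUESTED_WITH'] = null;
        }

        public function tearDown(): void
        {
            [$_SESSION, $_POST, $_SERVER] = $this->original_state;
        }

        /**
         * A state-changing request that carries no token must be rejected.
         */
        public function testInvalidUnsafeRequest(): void
        {
            $this->expectException(InvalidSecurityTokenException::class);
            $_SERVER['REQUEST_METHOD'] = 'POST';
            CSRFProtection::verifyUnsafeRequest();
        }

        /**
         * A POST carrying the session's token passes; "passes" here means the
         * call returns without throwing.
         */
        public function testValidUnsafeRequest(): void
        {
            $_SERVER['REQUEST_METHOD'] = 'POST';
            $_POST['security_token'] = $this->token;
            $this->expectNotToPerformAssertions();
            CSRFProtection::verifyUnsafeRequest();
        }

        /**
         * verifyUnsafeRequest() is only meant for state-changing methods; a
         * GET must be refused outright instead of being silently accepted.
         */
        public function testSafeRequest(): void
        {
            $_SERVER['REQUEST_METHOD'] = 'GET';
            $this->expectException(MethodNotAllowedException::class);
            CSRFProtection::verifyUnsafeRequest();
        }

        /**
         * The XHR marker does not make a GET acceptable either.
         */
        public function testSafeXHR(): void
        {
            $_SERVER['REQUEST_METHOD'] = 'GET';
            $_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
            $this->expectException(MethodNotAllowedException::class);
            CSRFProtection::verifyUnsafeRequest();
        }

        /**
         * An X-Requested-With header must never stand in for the token: a
         * custom header on its own is not a reliable CSRF defence, so a POST
         * without a token is rejected even when it claims to be XHR.
         */
        public function testUnsafeXHRWithoutToken(): void
        {
            $_SERVER['REQUEST_METHOD'] = 'POST';
            $_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
            unset($_POST['security_token']);
            $this->expectException(InvalidSecurityTokenException::class);
            CSRFProtection::verifyUnsafeRequest();
        }

        /**
         * An XHR POST with a valid token passes, i.e. returns without throwing.
         */
        public function testUnsafeXHRWithToken(): void
        {
            $_SERVER['REQUEST_METHOD'] = 'POST';
            $_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
            $_POST['security_token'] = $this->token;
            $this->expectNotToPerformAssertions();
            CSRFProtection::verifyUnsafeRequest();
        }
    }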