Select Git revision
CsrfProtectionTest.php
Forked from
Stud.IP / Stud.IP
4519 commits behind the upstream repository.

Elmar Ludwig authored
Code owners
Assign users and groups as approvers for specific file changes. Learn more.
CsrfProtectionTest.php 3.45 KiB
<?php
/*
* csrf_protection_test.php - unit tests for the Request class
*
* Copyright (c) 2011 mlunzena
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*/
class CSRFProtectionTokenTest extends \Codeception\Test\Unit
{
function setUp()
{
if (session_id() === '') {
session_id("test-session");
}
$this->original_session = $_SESSION;
$_SESSION = [];
}
function tearDown()
{
$_SESSION = $this->original_session;
}
function testTokenGeneration()
{
$this->assertEquals(sizeof($_SESSION), 0);
CSRFProtection::token();
$this->assertEquals(sizeof($_SESSION), 1);
}
function testTokenIdentity()
{
$this->assertEquals(CSRFProtection::token(), CSRFProtection::token());
}
function testTokenSessionDifference()
{
$token1 = CSRFProtection::token();
$_SESSION = [];
$token2 = CSRFProtection::token();
$this->assertNotEquals($token1, $token2);
}
function testTokenIsAString()
{
$token = CSRFProtection::token();
$this->assertInternalType("string", $token);
}
function testTokenTag()
{
$token = CSRFProtection::token();
$this->assertTrue(mb_strpos(CSRFProtection::tokenTag(), $token) !== FALSE);
}
}
class CSRFRequestTest extends \Codeception\Test\Unit
{
function setUp()
{
if (session_id() === '') {
session_id("test-session");
}
$this->original_state = [$_SESSION, $_POST, $_SERVER];
$_SESSION = [];
$_POST = [];
$this->token = CSRFProtection::token();
$_SERVER['HTTP_X_REQUESTED_WITH'] = null;
}
function tearDown()
{
list($_SESSION, $_POST, $_SERVER) = $this->original_state;
}
function testInvalidUnsafeRequest()
{
$this->expectException(InvalidSecurityTokenException::class);
$_SERVER['REQUEST_METHOD'] = 'POST';
CSRFProtection::verifyUnsafeRequest();
}
function testValidUnsafeRequest()
{
$_SERVER['REQUEST_METHOD'] = 'POST';
$_POST['security_token'] = $this->token;
CSRFProtection::verifyUnsafeRequest();
$this->assertTrue(true);
}
function testSafeRequest()
{
$_SERVER['REQUEST_METHOD'] = 'GET';
$this->expectException(MethodNotAllowedException::class);
CSRFProtection::verifyUnsafeRequest();
}
function testSafeXHR()
{
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
$this->expectException(MethodNotAllowedException::class);
CSRFProtection::verifyUnsafeRequest();
}
function testUnsafeXHRWithoutToken()
{
$_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
unset($_POST['security_token']);
$this->expectException(InvalidSecurityTokenException::class);
CSRFProtection::verifyUnsafeRequest();
}
function testUnsafeXHRWithToken()
{
$_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'XmlHttpRequest';
$_POST['security_token'] = $this->token;
CSRFProtection::verifyUnsafeRequest();
$this->assertTrue(true);
}
}