diff options
| author | Taufan Aditya <toopay@taufanaditya.com> | 2012-05-15 16:52:53 +0200 |
|---|---|---|
| committer | Taufan Aditya <toopay@taufanaditya.com> | 2012-05-15 16:52:53 +0200 |
| commit | 8af88f3f729b7bcfd2a106f858b5445deafe5ed0 (patch) | |
| tree | f2b8489a4720d15d8a02fc19d95993e1d7c1b54e | |
| parent | 12f4c9b25ff366db05ebc4fa13b8f7ab0b1e3dae (diff) | |
Security Code coverage
| -rw-r--r-- | tests/Bootstrap.php | 3 | ||||
| -rw-r--r-- | tests/codeigniter/core/Security_test.php | 79 | ||||
| -rw-r--r-- | tests/mocks/core/security.php | 27 | ||||
| -rw-r--r-- | tests/mocks/libraries/table.php | 2 |
4 files changed, 110 insertions, 1 deletions
diff --git a/tests/Bootstrap.php b/tests/Bootstrap.php index 9f89d1be8..2bec364ef 100644 --- a/tests/Bootstrap.php +++ b/tests/Bootstrap.php @@ -12,6 +12,9 @@ define('BASEPATH', PROJECT_BASE.'system/'); define('APPPATH', PROJECT_BASE.'application/'); define('VIEWPATH', PROJECT_BASE.''); +// Set cookie for security test +$_COOKIE['ci_csrf_cookie'] = md5(uniqid(rand(), TRUE)); + // Prep our test environment require_once 'vfsStream/vfsStream.php'; include_once $dir.'/mocks/core/common.php'; diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php new file mode 100644 index 000000000..c3b526965 --- /dev/null +++ b/tests/codeigniter/core/Security_test.php @@ -0,0 +1,79 @@ +<?php + +class Security_test extends CI_TestCase { + + public function set_up() + { + $this->ci_set_config('csrf_protection', TRUE); + $this->ci_set_config('csrf_token_name', 'ci_csrf_token'); + // @see : ./Bootstrap.php Line 16 + $this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie'); + $this->ci_set_config('csrf_expire', 7200); + $this->ci_set_config('csrf_regenerate', TRUE); + $this->ci_set_config('csrf_exclude_uris', array()); + + $this->ci_set_config('cookie_prefix', ""); + $this->ci_set_config('cookie_domain', ""); + $this->ci_set_config('cookie_path', "/"); + $this->ci_set_config('cookie_secure', FALSE); + $this->ci_set_config('cookie_httponly', FALSE); + + $this->security = new Mock_Core_Security(); + } + + // -------------------------------------------------------------------- + + public function test_csrf_verify() + { + $_SERVER['REQUEST_METHOD'] = 'GET'; + + $this->assertInstanceOf('CI_Security', $this->security->csrf_verify()); + } + + // -------------------------------------------------------------------- + + public function test_csrf_verify_invalid() + { + // Without issuing $_POST[csrf_token_name], this request will triggering CSRF error + $_SERVER['REQUEST_METHOD'] = 'POST'; + + $this->setExpectedException('RuntimeException', 'CI Error: The action you have requested is not allowed'); + + $this->security->csrf_verify(); + } + + // -------------------------------------------------------------------- + + public function test_csrf_verify_valid() + { + $_SERVER['REQUEST_METHOD'] = 'POST'; + $_POST[$this->security->csrf_token_name] = $this->security->csrf_hash; + + $this->assertInstanceOf('CI_Security', $this->security->csrf_verify()); + } + + // -------------------------------------------------------------------- + + public function test_get_csrf_hash() + { + $this->assertEquals($this->security->csrf_hash, $this->security->get_csrf_hash()); + } + + // -------------------------------------------------------------------- + + public function test_get_csrf_token_name() + { + $this->assertEquals('ci_csrf_token', $this->security->get_csrf_token_name()); + } + + // -------------------------------------------------------------------- + + public function test_xss_clean() + { + $harm_string = "Hello, i try to <script>alert('Hack');</script> your site"; + + $harmless_string = $this->security->xss_clean($harm_string); + + $this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_string); + } +}
\ No newline at end of file diff --git a/tests/mocks/core/security.php b/tests/mocks/core/security.php new file mode 100644 index 000000000..de8e44710 --- /dev/null +++ b/tests/mocks/core/security.php @@ -0,0 +1,27 @@ +<?php + +class Mock_Core_Security extends CI_Security { + + public function csrf_set_cookie() + { + return $this; + } + + // Overide inaccesible protected properties + public function __get($property) + { + return isset($this->{'_'.$property}) ? $this->{'_'.$property} : NULL; + } + + // Overide inaccesible protected method + public function __call($method, $params) + { + if (is_callable(array($this, '_'.$method))) + { + return call_user_func_array(array($this, '_'.$method), $params); + } + + throw new BadMethodCallException('Method '.$method.' was not found'); + } + +}
\ No newline at end of file diff --git a/tests/mocks/libraries/table.php b/tests/mocks/libraries/table.php index 1a6ff8d35..97fbb30bd 100644 --- a/tests/mocks/libraries/table.php +++ b/tests/mocks/libraries/table.php @@ -2,7 +2,7 @@ class Mock_Libraries_Table extends CI_Table { - // Overide inaccesible private or protected method + // Overide inaccesible protected method public function __call($method, $params) { if (is_callable(array($this, '_'.$method))) |