summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorTaufan Aditya <toopay@taufanaditya.com>2012-05-15 16:52:53 +0200
committerTaufan Aditya <toopay@taufanaditya.com>2012-05-15 16:52:53 +0200
commit8af88f3f729b7bcfd2a106f858b5445deafe5ed0 (patch)
treef2b8489a4720d15d8a02fc19d95993e1d7c1b54e /tests
parent12f4c9b25ff366db05ebc4fa13b8f7ab0b1e3dae (diff)
Security Code coverage
Diffstat (limited to 'tests')
-rw-r--r--tests/Bootstrap.php3
-rw-r--r--tests/codeigniter/core/Security_test.php79
-rw-r--r--tests/mocks/core/security.php27
-rw-r--r--tests/mocks/libraries/table.php2
4 files changed, 110 insertions, 1 deletions
diff --git a/tests/Bootstrap.php b/tests/Bootstrap.php
index 9f89d1be8..2bec364ef 100644
--- a/tests/Bootstrap.php
+++ b/tests/Bootstrap.php
@@ -12,6 +12,9 @@ define('BASEPATH', PROJECT_BASE.'system/');
define('APPPATH', PROJECT_BASE.'application/');
define('VIEWPATH', PROJECT_BASE.'');
+// Set cookie for security test
+$_COOKIE['ci_csrf_cookie'] = md5(uniqid(rand(), TRUE));
+
// Prep our test environment
require_once 'vfsStream/vfsStream.php';
include_once $dir.'/mocks/core/common.php';
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
new file mode 100644
index 000000000..c3b526965
--- /dev/null
+++ b/tests/codeigniter/core/Security_test.php
@@ -0,0 +1,79 @@
+<?php
+
+class Security_test extends CI_TestCase {
+
+ public function set_up()
+ {
+ $this->ci_set_config('csrf_protection', TRUE);
+ $this->ci_set_config('csrf_token_name', 'ci_csrf_token');
+ // @see : ./Bootstrap.php Line 16
+ $this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie');
+ $this->ci_set_config('csrf_expire', 7200);
+ $this->ci_set_config('csrf_regenerate', TRUE);
+ $this->ci_set_config('csrf_exclude_uris', array());
+
+ $this->ci_set_config('cookie_prefix', "");
+ $this->ci_set_config('cookie_domain', "");
+ $this->ci_set_config('cookie_path', "/");
+ $this->ci_set_config('cookie_secure', FALSE);
+ $this->ci_set_config('cookie_httponly', FALSE);
+
+ $this->security = new Mock_Core_Security();
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_csrf_verify()
+ {
+ $_SERVER['REQUEST_METHOD'] = 'GET';
+
+ $this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_csrf_verify_invalid()
+ {
+ // Without issuing $_POST[csrf_token_name], this request will triggering CSRF error
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+
+ $this->setExpectedException('RuntimeException', 'CI Error: The action you have requested is not allowed');
+
+ $this->security->csrf_verify();
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_csrf_verify_valid()
+ {
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+ $_POST[$this->security->csrf_token_name] = $this->security->csrf_hash;
+
+ $this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_get_csrf_hash()
+ {
+ $this->assertEquals($this->security->csrf_hash, $this->security->get_csrf_hash());
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_get_csrf_token_name()
+ {
+ $this->assertEquals('ci_csrf_token', $this->security->get_csrf_token_name());
+ }
+
+ // --------------------------------------------------------------------
+
+ public function test_xss_clean()
+ {
+ $harm_string = "Hello, i try to <script>alert('Hack');</script> your site";
+
+ $harmless_string = $this->security->xss_clean($harm_string);
+
+ $this->assertEquals("Hello, i try to [removed]alert&#40;'Hack'&#41;;[removed] your site", $harmless_string);
+ }
+} \ No newline at end of file
diff --git a/tests/mocks/core/security.php b/tests/mocks/core/security.php
new file mode 100644
index 000000000..de8e44710
--- /dev/null
+++ b/tests/mocks/core/security.php
@@ -0,0 +1,27 @@
+<?php
+
+class Mock_Core_Security extends CI_Security {
+
+ public function csrf_set_cookie()
+ {
+ return $this;
+ }
+
+ // Overide inaccesible protected properties
+ public function __get($property)
+ {
+ return isset($this->{'_'.$property}) ? $this->{'_'.$property} : NULL;
+ }
+
+ // Overide inaccesible protected method
+ public function __call($method, $params)
+ {
+ if (is_callable(array($this, '_'.$method)))
+ {
+ return call_user_func_array(array($this, '_'.$method), $params);
+ }
+
+ throw new BadMethodCallException('Method '.$method.' was not found');
+ }
+
+} \ No newline at end of file
diff --git a/tests/mocks/libraries/table.php b/tests/mocks/libraries/table.php
index 1a6ff8d35..97fbb30bd 100644
--- a/tests/mocks/libraries/table.php
+++ b/tests/mocks/libraries/table.php
@@ -2,7 +2,7 @@
class Mock_Libraries_Table extends CI_Table {
- // Overide inaccesible private or protected method
+ // Overide inaccesible protected method
public function __call($method, $params)
{
if (is_callable(array($this, '_'.$method)))