ci_set_config('csrf_protection', TRUE);
		// NOTE(review): the statement above, and the method it belongs to, begin before this excerpt.
		// Fixture visible here: CSRF protection enabled, token field 'ci_csrf_token',
		// cookie 'ci_csrf_cookie', then a fresh Mock_Core_Security built under that config.
		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
		$this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie');

		$this->security = new Mock_Core_Security();
	}

	// --------------------------------------------------------------------

	/**
	 * A GET request, for which this test supplies no token, must pass
	 * csrf_verify() and get the Security instance back.
	 */
	public function test_csrf_verify()
	{
		$_SERVER['REQUEST_METHOD'] = 'GET';

		$this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
	}

	// --------------------------------------------------------------------

	/**
	 * A POST that carries no CSRF token field must be rejected.
	 *
	 * NOTE(review): only the missing-token case is exercised by the tests
	 * visible here; a POST whose token is present but does not match is not
	 * covered. Consider adding that case.
	 */
	public function test_csrf_verify_invalid()
	{
		// No $_POST[csrf_token_name] is supplied, so this request must trigger the CSRF error.
		// NOTE(review): this relies on $_POST not already holding the token. test_csrf_verify_valid()
		// writes to $_POST and nothing visible here resets it - confirm superglobals are restored
		// between tests (PHPUnit global backup or a tear-down).
		$_SERVER['REQUEST_METHOD'] = 'POST';

		$this->setExpectedException('RuntimeException', 'CI Error: The action you have requested is not allowed');
		$this->security->csrf_verify();
	}

	// --------------------------------------------------------------------

	/**
	 * A POST that submits the instance's current CSRF hash under the
	 * configured token field name must pass csrf_verify().
	 */
	public function test_csrf_verify_valid()
	{
		$_SERVER['REQUEST_METHOD'] = 'POST';
		$_POST[$this->security->csrf_token_name] = $this->security->csrf_hash;

		$this->assertInstanceOf('CI_Security', $this->security->csrf_verify());
	}

	// --------------------------------------------------------------------

	/**
	 * get_csrf_hash() must return the same value as the csrf_hash property.
	 */
	public function test_get_csrf_hash()
	{
		$this->assertEquals($this->security->csrf_hash, $this->security->get_csrf_hash());
	}

	// --------------------------------------------------------------------

	/**
	 * get_csrf_token_name() must return the token field name set in the fixture.
	 */
	public function test_get_csrf_token_name()
	{
		$this->assertEquals('ci_csrf_token', $this->security->get_csrf_token_name());
	}

	// --------------------------------------------------------------------

	/**
	 * xss_clean() on a single string: the expected output carries the
	 * "[removed]" marker in place of the stripped markup.
	 *
	 * NOTE(review): in this copy the input literal contains nothing for
	 * xss_clean() to remove, while the expected value does contain
	 * "[removed]" markers. The markup was presumably stripped from the
	 * literals when this listing was rendered, so the assertion cannot hold
	 * as shown. The same damage appears to affect most string literals in
	 * the xss_clean, sanitize_filename and strip_image_tags tests below;
	 * check them against the original file before relying on them.
	 */
	public function test_xss_clean()
	{
		$harm_string = "Hello, i try to your site";

		$harmless_string = $this->security->xss_clean($harm_string);

		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_string);
	}

	// --------------------------------------------------------------------

	/**
	 * xss_clean() on an array: each element is cleaned independently and the
	 * result is indexed like the input.
	 */
	public function test_xss_clean_string_array()
	{
		// NOTE(review): the second literal contains a line break in this copy, while the matching
		// assertion below expects it on one line - presumably a wrapping artifact; confirm.
		$harm_strings = array(
			"Hello, i try to your site",
			"Simple clean 
string",
			"Hello, i try to your site"
		);

		$harmless_strings = $this->security->xss_clean($harm_strings);

		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[0]);
		$this->assertEquals("Simple clean string", $harmless_strings[1]);
		$this->assertEquals("Hello, i try to [removed]alert('Hack');[removed] your site", $harmless_strings[2]);
	}

	// --------------------------------------------------------------------

	/**
	 * Calls xss_clean() with TRUE as the second argument (presumably the
	 * image-check mode, going by the test name).
	 *
	 * NOTE(review): the only assertion is commented out, so this test
	 * currently verifies nothing about the return value and passes whatever
	 * xss_clean() returns. Either restore the assertion or mark the test as
	 * incomplete so the gap is visible in the test report.
	 */
	public function test_xss_clean_image_valid()
	{
		$harm_string = '';

		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);

//		$this->assertTrue($xss_clean_return);
	}

	// --------------------------------------------------------------------

	/**
	 * With TRUE as the second argument, xss_clean() must return FALSE for an
	 * input it had to alter.
	 *
	 * NOTE(review): the input literal is empty in this copy (see the note on
	 * test_xss_clean()).
	 */
	public function test_xss_clean_image_invalid()
	{
		$harm_string = '';

		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);

		$this->assertFalse($xss_clean_return);
	}

	// --------------------------------------------------------------------

	/**
	 * Going by the test name, covers double-encoded entities in the input.
	 * As shown, input and expected output are the same plain text.
	 */
	public function test_xss_clean_entity_double_encoded()
	{
		$input = 'Clickhere';
		$this->assertEquals('Clickhere', $this->security->xss_clean($input));
	}

	// --------------------------------------------------------------------

	/**
	 * NOTE(review): the method name starts with "text_", not "test_", and no
	 * test annotation is visible, so PHPUnit will presumably never run it.
	 * This false-positive guard is therefore not enforced. Confirm it passes
	 * before renaming it to enable it.
	 */
	public function text_xss_clean_js_link_removal()
	{
		// This one is to prevent a false positive
		$this->assertEquals(
			"",
			$this->security->xss_clean("")
		);
	}

	// --------------------------------------------------------------------

	/**
	 * Going by the test name, covers removal of a script-bearing image tag;
	 * the expected result is the empty string.
	 */
	public function test_xss_clean_js_img_removal()
	{
		$input = 'Clickhere';
		$this->assertEquals('', $this->security->xss_clean($input));
	}

	// --------------------------------------------------------------------

	/**
	 * Checks how xss_clean() treats disallowed ("naughty") HTML tags.
	 *
	 * NOTE(review): the first statement is syntactically incomplete in this
	 * copy - an unterminated xss_clean() call runs straight into the next
	 * assertEquals(). It is reproduced as found and must be restored from
	 * the original file.
	 */
	public function test_xss_clean_sanitize_naughty_html_tags()
	{
		$this->assertEquals('<unclosedTag', $this->security->xss_clean('assertEquals('<blink>', $this->security->xss_clean(''));
		$this->assertEquals('', $this->security->xss_clean(''));

		$this->assertEquals(
			' src="x">',
			$this->security->xss_clean(' src="x">')
		);

		$this->assertEquals(
			'on=">"x onerror="alert(1)">',
			$this->security->xss_clean('on=">"x onerror="alert(1)">')
		);
	}

	// --------------------------------------------------------------------

	/**
	 * Checks how xss_clean() treats event-handler style ("on...=") attributes.
	 * The two plain-text cases assert that "on...=" text with no tag around
	 * it is returned unchanged; several others expect the "[removed]" marker.
	 */
	public function test_xss_clean_sanitize_naughty_html_attributes()
	{
		$this->assertEquals('', $this->security->xss_clean(''));
		$this->assertEquals('', $this->security->xss_clean(''));
		$this->assertEquals('', $this->security->xss_clean(''));
		$this->assertEquals('', $this->security->xss_clean(''));
		// Text that only looks like an event attribute, outside any tag, must survive untouched.
		$this->assertEquals('onOutsideOfTag=test', $this->security->xss_clean('onOutsideOfTag=test'));
		$this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
		$this->assertEquals('', $this->security->xss_clean(''));
		$this->assertEquals('', $this->security->xss_clean(''));

		$this->assertEquals(
			'\' [removed]>',
			$this->security->xss_clean('\' onAfterGreaterThan="quotes">')
		);

		$this->assertEquals(
			'\' [removed]>',
			$this->security->xss_clean('\' onAfterGreaterThan=noQuotes>')
		);

		$this->assertEquals(
			' on=<svg> onerror=alert(1)>',
			$this->security->xss_clean(' on= onerror=alert(1)>')
		);

		$this->assertEquals(
			'"<svg> onerror=alert(1) onmouseover=alert(1)>',
			$this->security->xss_clean('" onerror=alert(1) onmouseover=alert(1)>')
		);

		$this->assertEquals(
			' on=\'x\' onerror=``,alert(1)>',
			$this->security->xss_clean(' on=\'x\' onerror=``,alert(1)>')
		);

		$this->assertEquals(
			'',
			$this->security->xss_clean('')
		);

		$this->assertEquals(
			' on=\'x\' onerror=,xssm()>',
			$this->security->xss_clean(' on=\'x\' onerror=,xssm()>')
		);

		$this->assertEquals(
			'',
			$this->security->xss_clean('')
		);

		$this->assertEquals(
			'',
			$this->security->xss_clean('')
		);
	}

	// --------------------------------------------------------------------

	/**
	 * Combined case: a disallowed tag that also carries an event-handler
	 * attribute. Declared as dependent on the two tests named below.
	 *
	 * @depends test_xss_clean_sanitize_naughty_html_tags
	 * @depends test_xss_clean_sanitize_naughty_html_attributes
	 */
	public function test_naughty_html_plus_evil_attributes()
	{
		$this->assertEquals(
			'<svg',
			$this->security->xss_clean(' src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">')
		);
	}

	// --------------------------------------------------------------------

	/**
	 * The xss_hash property is empty until xss_hash() is called; afterwards
	 * it must be exactly 32 hexadecimal characters (matched case-insensitively).
	 * This is a format check only; it says nothing about how the value is generated.
	 */
	public function test_xss_hash()
	{
		$this->assertEmpty($this->security->xss_hash);

		// Perform hash
		$this->security->xss_hash();

		$this->assertTrue(preg_match('#^[0-9a-f]{32}$#iS', $this->security->xss_hash) === 1);
	}

	// --------------------------------------------------------------------

	/**
	 * get_random_bytes() must return FALSE for a non-numeric length and a
	 * non-empty value for a length of 10.
	 *
	 * NOTE(review): the success case only checks "not empty". Asserting that
	 * the result is exactly $length bytes long would catch a short read from
	 * the underlying random source.
	 */
	public function test_get_random_bytes()
	{
		$length = "invalid";
		$this->assertFalse($this->security->get_random_bytes($length));

		$length = 10;
		$this->assertNotEmpty($this->security->get_random_bytes($length));
	}

	// --------------------------------------------------------------------

	/**
	 * entity_decode() must turn HTML entities back into characters, and must
	 * leave an "&name" sequence with no terminating semicolon unchanged
	 * (regression case for issue #3057).
	 *
	 * NOTE(review): in this copy $encoded already reads as decoded markup and
	 * the first expected value is plain text wrapped in line breaks. Both
	 * literals look altered by rendering; restore them from the original file.
	 */
	public function test_entity_decode()
	{
		$encoded = '<div>Hello <b>Booya</b></div>';
		$decoded = $this->security->entity_decode($encoded);

		$this->assertEquals('
Hello Booya
', $decoded);

		// Issue #3057 (https://github.com/bcit-ci/CodeIgniter/issues/3057)
		$this->assertEquals(
			'&foo should not include a semicolon',
			$this->security->entity_decode('&foo should not include a semicolon')
		);
	}

	// --------------------------------------------------------------------

	/**
	 * sanitize_filename() must reduce the input to the bare name 'foo'.
	 *
	 * NOTE(review): the input literal shown ('./') cannot produce 'foo', so
	 * part of it was presumably lost in rendering. Only one input is checked;
	 * no other filename shapes are covered by the tests visible here.
	 */
	public function test_sanitize_filename()
	{
		$filename = './';
		$safe_filename = $this->security->sanitize_filename($filename);

		$this->assertEquals('foo', $safe_filename);
	}

	// --------------------------------------------------------------------

	/**
	 * strip_image_tags() must reduce each entry of $imgtags to the value at
	 * the same index in $urls.
	 *
	 * NOTE(review): the $imgtags entries read like leftover alt text or are
	 * empty in this copy, so the pairs no longer correspond as shown.
	 */
	public function test_strip_image_tags()
	{
		$imgtags = array(
			'Smiley face',
			'Smiley face',
			'',
			'',
			'MD Logo',
			'',
			'',
			''
		);

		// Expected results, index-aligned with $imgtags.
		$urls = array(
			'smiley.gif',
			'smiley.gif',
			'http://www.w3schools.com/images/w3schools_green.jpg',
			'/img/sunset.gif',
			'mdn-logo-sm.png',
			'',
			'',
			''
		);

		for ($i = 0; $i < count($imgtags); $i++)
		{
			$this->assertEquals($urls[$i], $this->security->strip_image_tags($imgtags[$i]));
		}
	}

	// --------------------------------------------------------------------

	/**
	 * Rebuilds the Security mock with a blank csrf_cookie_name and checks
	 * that a CSRF hash is still produced.
	 *
	 * NOTE(review): the cookie is seeded under 'ci_csrf_cookie', but the
	 * cookie name is then configured as blank, so the new instance may never
	 * look that cookie up. Confirm which branch of _csrf_set_hash this
	 * actually exercises.
	 */
	public function test_csrf_set_hash()
	{
		// Set cookie for security test
		// md5(uniqid(mt_rand(), TRUE)) only supplies a 32-hex-character placeholder here;
		// it is predictable and not a way to generate real tokens.
		$_COOKIE['ci_csrf_cookie'] = md5(uniqid(mt_rand(), TRUE));

		// Set config for Security class
		$this->ci_set_config('csrf_protection', TRUE);
		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');

		// leave csrf_cookie_name as blank to test _csrf_set_hash function
		$this->ci_set_config('csrf_cookie_name', '');

		$this->security = new Mock_Core_Security();

		$this->assertNotEmpty($this->security->get_csrf_hash());
	}
}