1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
package sockjs
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
)
func TestHandler_jsonpNoCallback(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("GET", "/server/session/jsonp", nil)
h.jsonp(rw, req)
if rw.Code != http.StatusInternalServerError {
t.Errorf("Unexpected response code, got '%d', expected '%d'", rw.Code, http.StatusInternalServerError)
}
expectedContentType := "text/plain; charset=utf-8"
if rw.Header().Get("content-type") != expectedContentType {
t.Errorf("Unexpected content type, got '%s', expected '%s'", rw.Header().Get("content-type"), expectedContentType)
}
}
func TestHandler_jsonp(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("GET", "/server/session/jsonp?c=testCallback", nil)
h.jsonp(rw, req)
expectedContentType := "application/javascript; charset=UTF-8"
if rw.Header().Get("content-type") != expectedContentType {
t.Errorf("Unexpected content type, got '%s', expected '%s'", rw.Header().Get("content-type"), expectedContentType)
}
expectedBody := "testCallback(\"o\");\r\n"
if rw.Body.String() != expectedBody {
t.Errorf("Unexpected body, got '%s', expected '%s'", rw.Body, expectedBody)
}
}
func TestHandler_jsonpSendNoPayload(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("POST", "/server/session/jsonp_send", nil)
h.jsonpSend(rw, req)
if rw.Code != http.StatusInternalServerError {
t.Errorf("Unexpected response code, got '%d', expected '%d'", rw.Code, http.StatusInternalServerError)
}
}
func TestHandler_jsonpSendWrongPayload(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("POST", "/server/session/jsonp_send", strings.NewReader("wrong payload"))
h.jsonpSend(rw, req)
if rw.Code != http.StatusInternalServerError {
t.Errorf("Unexpected response code, got '%d', expected '%d'", rw.Code, http.StatusInternalServerError)
}
}
func TestHandler_jsonpSendNoSession(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("POST", "/server/session/jsonp_send", strings.NewReader("[\"message\"]"))
h.jsonpSend(rw, req)
if rw.Code != http.StatusNotFound {
t.Errorf("Unexpected response code, got '%d', expected '%d'", rw.Code, http.StatusNotFound)
}
}
func TestHandler_jsonpSend(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("POST", "/server/session/jsonp_send", strings.NewReader("[\"message\"]"))
sess := newSession(req, "session", time.Second, time.Second)
h.sessions["session"] = sess
var done = make(chan struct{})
go func() {
h.jsonpSend(rw, req)
close(done)
}()
msg, _ := sess.Recv()
if msg != "message" {
t.Errorf("Incorrect message in the channel, should be '%s', was '%s'", "some message", msg)
}
<-done
if rw.Code != http.StatusOK {
t.Errorf("Wrong response status received %d, should be %d", rw.Code, http.StatusOK)
}
if rw.Header().Get("content-type") != "text/plain; charset=UTF-8" {
t.Errorf("Wrong content type received '%s'", rw.Header().Get("content-type"))
}
if rw.Body.String() != "ok" {
t.Errorf("Unexpected body, got '%s', expected 'ok'", rw.Body)
}
}
func TestHandler_jsonpCannotIntoXSS(t *testing.T) {
h := newTestHandler()
rw := httptest.NewRecorder()
req, _ := http.NewRequest("GET", "/server/session/jsonp?c=%3Chtml%3E%3Chead%3E%3Cscript%3Ealert(5520)%3C%2Fscript%3E", nil)
h.jsonp(rw, req)
if rw.Code != http.StatusBadRequest {
t.Errorf("JsonP forwarded an exploitable response.")
}
}
|
