File: 03-XSS-protection.t

# Before `make install' is performed this script should be runnable with
# `make test'. After `make install' it should work as `perl Lemonldap-NG-Portal.t'

#########################

# change 'tests => 1' to 'tests => last_test_to_print';

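package My::Portal;
use strict;
use warnings;

# 16 = 1 (use_ok) + 1 (portal object) + 14 URL cases in @h below.
use Test::More tests => 16;
BEGIN { use_ok( 'Lemonldap::NG::Portal::Simple', ':all' ) }

#use Lemonldap::NG::Portal::Simple;

# Subclass the portal so that param() (defined below) can hand each test URL
# to controlUrlOrigin() in place of a real CGI 'url' parameter.
our @ISA = 'Lemonldap::NG::Portal::Simple';
my ( $url, $result );
my $logout = 0;

# Flat list of triples: (base64-encoded url, expected return code, test name).
# The decoded URL is given in the comment above each entry. Only
# test.example.com is a declared virtual host; example2.com is a trusted
# domain; everything else, and any value that is not clean base64, is expected
# to be refused with PE_BADURL.
my @h = (

    '' => PE_OK, 'Empty',

    # http://test.example.com/
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20v' => PE_OK, 'Protected virtual host',

    # http://test.example.com
    # (encoding of the URL *without* the trailing slash, so that this case is
    # distinct from 'Protected virtual host' above)
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20=' => PE_OK, 'Missing / in URL',

    # http://test.example.com:8000/test
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMC90ZXN0' => PE_OK, 'Non default port',

    # http://test.example.com:8000
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMA==' => PE_OK,
    'Non default port with missing /',

    # http://t.example2.com/test
    'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => PE_OK,
    'Undeclared virtual host in trusted domain',

    # http://t.example.com/test
    'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => PE_BADURL,
    'Undeclared virtual host in (untrusted) protected domain',

    'http://test.com/' => PE_BADURL, 'Non base64 encoded characters',

    # http://test.example.com:8000V
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => PE_BADURL,
    'Non number in port',

    # http://t.ex.com/test
    'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => PE_BADURL,
    'Undeclared virtual host in an other domain',

    # http://test.example.com/%00
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => PE_BADURL, 'Base64 encoded \0',

    # http://test.example.com/test\0
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => PE_BADURL,
    'Base64 and url encoded \0',

    'XX%00' => PE_BADURL, 'Non base64 encoded \0 ',

    # http://test.example.com/test?<script>alert()</script>
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='
      => PE_BADURL,
    'base64 encoded HTML tags',
);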

# Override of the CGI param() accessor used by the portal: the 'url' parameter
# is served from the file-level $url set by the test loop; any other parameter
# name yields $logout (0), so no logout is ever requested.
sub param {
    my ( undef, $name ) = @_;    # invocant is not needed
    return $url if $name and $name eq 'url';
    return $logout;
}

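my $p;

# Minimal CGI environment so the portal can be built outside a web server.
$ENV{SCRIPT_NAME}     = '/test.pl';
$ENV{SCRIPT_FILENAME} = '/tmp/test.pl';
$ENV{REQUEST_METHOD}  = 'GET';
$ENV{REQUEST_URI}     = "/test.pl";
$ENV{QUERY_STRING}    = "";

ok(
    $p = My::Portal->new(
        {
            globalStorage  => 'Apache::Session::File',
            domain         => 'example.com',
            authentication => 'LDAP test=1',
            trustedDomains => 'example2.com',
        }
    ),
    'Portal object'
);

# Declared virtual hosts; together with trustedDomains above this decides
# which redirect targets controlUrlOrigin() accepts.
$p->{reVHosts} = '(?:test\.example\.com)';

# Walk the (url, expected code, name) triples. $url is the file-level
# variable read back by our param() override, so it must be assigned here,
# not a loop-local copy. is() rather than ok(==) so a failure reports the
# actual code returned.
while ( defined( $url = shift @h ) ) {
    my $expected = shift @h;
    my $text     = shift @h;

    is( $p->controlUrlOrigin(), $expected, $text );
}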