File: SecurityTest.php

<?php

declare(strict_types=1);

namespace PhpMyAdmin\Tests\Html;

use PhpMyAdmin\Template;
use PhpMyAdmin\Tests\AbstractTestCase;
use PhpMyAdmin\Url;

/**
 * Verifies that query strings built from hostile parameter values stay
 * percent-encoded when rendered through a template, both with and without
 * the template's own HTML escaping.
 *
 * @coversNothing
 */
#[\PHPUnit\Framework\Attributes\CoversNothing]
class SecurityTest extends AbstractTestCase
{
    /** @var Template */
    protected $template;

    protected function setUp(): void
    {
        parent::setUp();
        $this->template = new Template();
    }

    protected function tearDown(): void
    {
        parent::tearDown();
        unset($this->template);
    }

    /**
     * Renders URLs built from parameters laced with markup and URL metacharacters
     * and checks that every such character reaches the output percent-encoded.
     */
    public function testInjectCodeUsingTemplate(): void
    {
        $GLOBALS['lang'] = '';

        // Parameter sets whose keys and values carry markup, quotes, '&', '=' and
        // non-ASCII text; none of it may appear literally in the rendered URL.
        $paramsWithMarkup = [
            'db' => '<script>alert(\'&=!:;\');</script>',
            'table' => '&mytable>1?',
            'server' => 12,
        ];
        $rawParamsWithMarkup = [
            'db' => '"\'"><iframe onload=alert(1)>шеллы',
            'table' => '&mytable>1?',
            'server' => 12,
            '<script>&=' => '</script>',
        ];

        // Percent-encoded query strings as the Url helpers are expected to emit them.
        $encodedFirst = '?db=%3Cscript%3Ealert%28%27%26%3D%21%3A%3B%27%29%3B%3C%2Fscript%3E'
            . '&table=%26mytable%3E1%3F&server=12';
        $encodedSecond = '?db=%22%27%22%3E%3Ciframe+onload%3Dalert%281%29%3E%D1%88%D0%B5%D0%BB%D0%BB%D1%8B'
            . '&table=%26mytable%3E1%3F&server=12&%3Cscript%3E%26%3D=%3C%2Fscript%3E';
        // The same strings after the escaping template has turned '&' into '&amp;'.
        $escapedFirst = '?db=%3Cscript%3Ealert%28%27%26%3D%21%3A%3B%27%29%3B%3C%2Fscript%3E'
            . '&amp;table=%26mytable%3E1%3F&amp;server=12';
        $escapedSecond = '?db=%22%27%22%3E%3Ciframe+onload%3Dalert%281%29%3E%D1%88%D0%B5%D0%BB%D0%BB%D1%8B'
            . '&amp;table=%26mytable%3E1%3F&amp;server=12&amp;%3Cscript%3E%26%3D=%3C%2Fscript%3E';

        // Escaping template: the URL is percent-encoded and then HTML-escaped on top.
        $escapedOutput = $this->template->render('test/add_data', [
            'variable1' => Url::getCommon($paramsWithMarkup),
            'variable2' => Url::getCommonRaw($rawParamsWithMarkup),
        ]);
        self::assertSame($escapedFirst . "\n" . $escapedSecond . "\n", $escapedOutput);

        // The URL helper alone must already percent-encode everything dangerous.
        $url1 = Url::getCommon($paramsWithMarkup);
        self::assertSame($encodedFirst, $url1);

        // Raw-output template: the percent-encoded URL passes through unchanged.
        $rawOutput = $this->template->render('test/raw_output', [
            'variable1' => $url1,
            'variable2' => Url::getCommonRaw($rawParamsWithMarkup),
        ]);
        self::assertSame($url1 . "\n" . $encodedSecond . "\n", $rawOutput);
    }
}