* Copyright (C) 2023 Alexandre Janniaux
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
* or see https://www.gnu.org/
*/

/**
 * \file       test/phpunit/SecurityTest.php
 * \ingroup    test
 * \brief      PHPUnit tests for the request-filtering and sanitizing helpers
 *             (security.lib.php / security2.lib.php and the checks wired into main.inc.php)
 * \remarks    To run this script as CLI: phpunit filename.php
 */

// Shared with the framework bootstrap; main.inc.php populates these.
global $conf,$user,$langs,$db;
//define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
//require_once 'PHPUnit/Autoload.php';

// ---------------------------------------------------------------------------
// Bootstrap flags. These constants are consumed by the main.inc.php included at
// the end of this block, so they have to be defined BEFORE that require_once.
// Each one is guarded with defined() so an outer bootstrap (phpunit.xml, a
// wrapper script) can override it.
//
// SECURITY NOTE: several of these flags switch protections OFF (by their
// names: CSRF token check, login requirement, session handling). That is
// acceptable only in a test bootstrap that is never served over HTTP. A
// production-reachable page defining NOLOGIN or NOCSRFCHECK bypasses those
// protections entirely, so any new occurrence of these defines outside test/
// should be treated as a finding during review.
// ---------------------------------------------------------------------------
if (! defined('NOREQUIRESOC')) {
	define('NOREQUIRESOC', '1');
}
if (! defined('NOCSRFCHECK')) {
	define('NOCSRFCHECK', '1'); // Presumably skips the anti-CSRF token verification; the check itself lives in main.inc.php, not here
}
if (! defined('NOTOKENRENEWAL')) {
	define('NOTOKENRENEWAL', '1'); // Presumably keeps the CSRF token from being rotated during the run
}
if (! defined('NOREQUIREMENU')) {
	define('NOREQUIREMENU', '1'); // If there is no menu to show
}
if (! defined('NOREQUIREHTML')) {
	define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
}
if (! defined('NOREQUIREAJAX')) {
	define('NOREQUIREAJAX', '1');
}
if (! defined("NOLOGIN")) {
	define("NOLOGIN", '1'); // If this page is public (can be called outside logged session): no authentication is enforced
}
if (! defined("NOSESSION")) {
	define("NOSESSION", '1'); // Presumably no PHP session is started; tests needing session state must set it up themselves
}

// We force include of main.inc.php instead of master.inc.php even if we are in
// CLI mode because it contains a lot of security components we want to test
// (the request filtering and the checks governed by the flags above).
require_once dirname(__FILE__).'/../../htdocs/main.inc.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';
require_once dirname(__FILE__).'/CommonClassTest.class.php';

// NOLOGIN is set, so main.inc.php presumably leaves no user logged in and
// $user->id is empty here. The suite then runs as the admin account with
// rowid 1 and its full permission set loaded.
// Caveat: nothing in this file therefore exercises a permission-denial path;
// a test for a restricted user has to load another account explicitly.
if (empty($user->id)) {
	print "Load permissions for admin user nb 1\n";
	$user->fetch(1);
	$user->getrights();
}
// Make sure no test can send a real e-mail as a side effect.
$conf->global->MAIN_DISABLE_ALL_MAILS = 1;

/**
 * Class for PHPUnit tests
 *
 * Security-oriented tests: attacker-controlled request data (Accept-Language
 * header, PHP_SELF, GET/POST values) is fed through the framework's
 * sanitizing and injection-detection helpers.
 *
 * @backupGlobals disabled
 * @backupStaticAttributes enabled
 * @remarks backupGlobals must be disabled to have db,conf,user and lang not erased.
 */
class SecurityTest extends CommonClassTest
{
	/**
	 * testSetLang
	 *
	 * The Accept-Language header is attacker-controlled. This checks that
	 * setDefaultLang('auto') strips the quote and the spaces out of it and
	 * that only a normalized xx_XX code lands in $tmplangs->defaultlang, so the
	 * raw header value cannot reach whatever later consumes the language code
	 * (lang file lookups, queries: not visible from this file).
	 *
	 * @return void
	 */
	public function testSetLang()
	{
		global $conf;
		// Restore the configuration snapshot kept by the base test class.
		$conf = $this->savconf;

		$tmplangs = new Translate('', $conf);

		// Hostile header: a leading quote plus embedded spaces.
		$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
		$tmplangs->setDefaultLang('auto');
		print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
		// NOTE(review): PHPUnit's signature is assertEquals($expected, $actual);
		// the arguments are swapped here, so a failure message reads backwards.
		$this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
	}

	/**
	 * testSqlAndScriptInjectWithPHPUnit
	 *
	 * Drives testSqlAndScriptInject() first with benign strings (expected
	 * result 0: nothing detected, i.e. no false positive) and then with SQL
	 * fragments and javascript: URLs (expected result 1 or more). The second
	 * argument selects the input source; judging by the assertion messages,
	 * 0 = POST value, 1 = GET value, 2 = PHP_SELF.
	 *
	 * @return void
	 */
	public function testSqlAndScriptInjectWithPHPUnit()
	{
		// Run tests
		// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

		// Should be OK: none of the following may be reported as an attack.
		// A false positive here would block a legitimate request.
		$expectedresult = 0;

		/* $test = '';
		$result=testSqlAndScriptInject($test, 0);
		$this->assertGreaterThanOrEqual(0, $result, 'Error on testSqlAndScriptInject kkk'); */

		// A script path containing spaces is legitimate and must pass.
		$_SERVER["PHP_SELF"] = '/DIR WITH SPACE/htdocs/admin/index.php';
		$result = testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should be ok');

		// Bare '<' and '>' inside free text are not markup.
		// NOTE(review): this literal reads as if an inline HTML tag was lost
		// when the file was copied ("tag like ... before the >"); compare with
		// the upstream source before relying on what this case covers.
		$test = 'This is a < inside string with < and > also and tag like before the >';
		$result = testSqlAndScriptInject($test, 0);
		$this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0b');

		// SQL keywords embedded in ordinary prose ("union", "selection") must
		// not trigger the SQL heuristic on their own.
		$test = 'This is the union of all for the selection of the best';
		$result = testSqlAndScriptInject($test, 0);
		$this->assertEquals($expectedresult, $result, 
'Error on testSqlAndScriptInject expected 0c'); $test = '/user/perms.php?id=1&action=addrights&entity=1&rights=123&confirm=yes&token=123456789&updatedmodulename=lmscoursetracking'; $result = testSqlAndScriptInject($test, 1); print "test=".$test." result=".$result."\n"; $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject with a valid url'); // Should detect attack $expectedresult = 1; $_SERVER["PHP_SELF"] = '/DIR WITH SPACE/htdocs/admin/index.php/'; $result = testSqlAndScriptInject($_SERVER["PHP_SELF"], 2); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS'); $test = 'select @@version'; $result = testSqlAndScriptInject($test, 0); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1a. Should find an attack on POST param and did not.'); $test = 'select @@version'; $result = testSqlAndScriptInject($test, 1); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.'); $test = '... update ... set ... ='; $result = testSqlAndScriptInject($test, 1); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.'); $test = "delete\nfrom"; $result = testSqlAndScriptInject($test, 1); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2b. Should find an attack on GET param and did not.'); $test = 'action=update& ... set ... ='; $result = testSqlAndScriptInject($test, 1); $this->assertEquals(0, $result, 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.'); $test = '... union ... selection '; $result = testSqlAndScriptInject($test, 1); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2c. 
Should find an attack on GET param and did not.'); $test = 'javascript:'; $result = testSqlAndScriptInject($test, 0); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript1. Should find an attack and did not.'); $test = 'javascript:'; $result = testSqlAndScriptInject($test, 0); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2. Should find an attack and did not.'); $test = 'javascript&colon;alert(1)'; $result = testSqlAndScriptInject($test, 0); $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2'); $test = ""; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa1'); $test = ""; $result = testSqlAndScriptInject($test, 2); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa2'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa3'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa4'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa5'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa6'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa7'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject bbb'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on 
testSqlAndScriptInject ccc'); $test = ''; $result = testSqlAndScriptInject($test, 1); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ddd'); $test = '">'; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee'); $test = ' '; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee'); $test = ""; // Is locked by some browser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer. $test = ""; // Same $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff1'); $test = ''; $result = testSqlAndScriptInject($test, 0); $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff2'); // This case seems to be filtered by browsers now. $test = ''; //$result=testSqlAndScriptInject($test, 0); //$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ggg'); $test = '