mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #18254 from owncloud/mitigate-breach 

Add mitigation against BREACH
This commit is contained in:
Morris Jobke 2015-08-24 09:14:27 +02:00
parent 510010e774 df2ce8a075
commit 40b1054530
17 changed files with 160 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
core/templates/layout.user.php
View File

@ -100,7 +100,7 @@
<?php p($l->t('Search'));?> <?php p($l->t('Search'));?>
</label> </label>
<input id="searchbox" class="svg" type="search" name="query" <input id="searchbox" class="svg" type="search" name="query"
value="<?php if(isset($_POST['query'])) {p($_POST['query']);};?>" value=""
autocomplete="off" tabindex="5"> autocomplete="off" tabindex="5">
</form> </form>
</div></header> </div></header>

13
lib/base.php
View File

@ -134,18 +134,7 @@ class OC {
OC_Config::$object = new \OC\Config(self::$configDir); OC_Config::$object = new \OC\Config(self::$configDir);
OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT))); OC::$SUBURI = str_replace("\\", "/", substr(realpath($_SERVER["SCRIPT_FILENAME"]), strlen(OC::$SERVERROOT)));
/** $scriptName = $_SERVER['SCRIPT_NAME'];
* FIXME: The following line is required because of a cyclic dependency
* on IRequest.
*/
$params = [
'server' => [
'SCRIPT_NAME' => $_SERVER['SCRIPT_NAME'],
'SCRIPT_FILENAME' => $_SERVER['SCRIPT_FILENAME'],
],
];
$fakeRequest = new \OC\AppFramework\Http\Request($params, null, new \OC\AllConfig(new \OC\SystemConfig()));
$scriptName = $fakeRequest->getScriptName();
if (substr($scriptName, -1) == '/') { if (substr($scriptName, -1) == '/') {
$scriptName .= 'index.php'; $scriptName .= 'index.php';
//make sure suburi follows the same rules as scriptName //make sure suburi follows the same rules as scriptName

22
lib/private/appframework/http/request.php
View File

@ -32,6 +32,7 @@ namespace OC\AppFramework\Http;
use OC\Security\TrustedDomainHelper; use OC\Security\TrustedDomainHelper;
use OCP\IConfig; use OCP\IConfig;
use OCP\IRequest; use OCP\IRequest;
use OCP\Security\ICrypto;
use OCP\Security\ISecureRandom; use OCP\Security\ISecureRandom;
/** /**
@ -67,6 +68,8 @@ class Request implements \ArrayAccess, \Countable, IRequest {
protected $config; protected $config;
/** @var string */ /** @var string */
protected $requestId = ''; protected $requestId = '';
/** @var ICrypto */
protected $crypto;
/** /**
* @param array $vars An associative array with the following optional values: * @param array $vars An associative array with the following optional values:
@ -80,17 +83,20 @@ class Request implements \ArrayAccess, \Countable, IRequest {
* - string 'method' the request method (GET, POST etc) * - string 'method' the request method (GET, POST etc)
* - string|false 'requesttoken' the requesttoken or false when not available * - string|false 'requesttoken' the requesttoken or false when not available
* @param ISecureRandom $secureRandom * @param ISecureRandom $secureRandom
* @param ICrypto $crypto
* @param IConfig $config * @param IConfig $config
* @param string $stream * @param string $stream
* @see http://www.php.net/manual/en/reserved.variables.php * @see http://www.php.net/manual/en/reserved.variables.php
*/ */
public function __construct(array $vars=array(), public function __construct(array $vars=array(),
ISecureRandom $secureRandom = null, ISecureRandom $secureRandom = null,
ICrypto $crypto,
IConfig $config, IConfig $config,
$stream='php://input') { $stream='php://input') {
$this->inputStream = $stream; $this->inputStream = $stream;
$this->items['params'] = array(); $this->items['params'] = array();
$this->secureRandom = $secureRandom; $this->secureRandom = $secureRandom;
$this->crypto = $crypto;
$this->config = $config; $this->config = $config;
if(!array_key_exists('method', $vars)) { if(!array_key_exists('method', $vars)) {
@ -415,8 +421,22 @@ class Request implements \ArrayAccess, \Countable, IRequest {
return false; return false;
} }
// Decrypt token to prevent BREACH like attacks
$token = explode(':', $token);
if (count($token) !== 2) {
return false;
}
$encryptedToken = $token[0];
$secret = $token[1];
try {
$decryptedToken = $this->crypto->decrypt($encryptedToken, $secret);
} catch (\Exception $e) {
return false;
}
// Check if the token is valid // Check if the token is valid
if(\OCP\Security\StringUtils::equals($token, $this->items['requesttoken'])) { if(\OCP\Security\StringUtils::equals($decryptedToken, $this->items['requesttoken'])) {
return true; return true;
} else { } else {
return false; return false;

1
lib/private/server.php
View File

@ -410,6 +410,7 @@ class Server extends SimpleContainer implements IServerContainer {
'requesttoken' => $requestToken, 'requesttoken' => $requestToken,
], ],
$this->getSecureRandom(), $this->getSecureRandom(),
$this->getCrypto(),
$this->getConfig(), $this->getConfig(),
$stream $stream
); );

8
lib/private/util.php
View File

@ -1057,7 +1057,8 @@ class OC_Util {
/** /**
* Register an get/post call. Important to prevent CSRF attacks. * Register an get/post call. Important to prevent CSRF attacks.
* *
* @return string Generated token. * @return string The encrypted CSRF token, the shared secret is appended after the `:`.
*
* @description * @description
* Creates a 'request token' (random) and stores it inside the session. * Creates a 'request token' (random) and stores it inside the session.
* Ever subsequent (ajax) request must use such a valid token to succeed, * Ever subsequent (ajax) request must use such a valid token to succeed,
@ -1074,7 +1075,10 @@ class OC_Util {
// Valid token already exists, send it // Valid token already exists, send it
$requestToken = \OC::$server->getSession()->get('requesttoken'); $requestToken = \OC::$server->getSession()->get('requesttoken');
} }
return ($requestToken);
// Encrypt the token to mitigate breach-like attacks
$sharedSecret = \OC::$server->getSecureRandom()->getMediumStrengthGenerator()->generate(10);
return \OC::$server->getCrypto()->encrypt($requestToken, $sharedSecret) . ':' . $sharedSecret;
} }
/** /**

1
tests/lib/appframework/controller/ApiControllerTest.php
View File

@ -38,6 +38,7 @@ class ApiControllerTest extends \Test\TestCase {
$request = new Request( $request = new Request(
['server' => ['HTTP_ORIGIN' => 'test']], ['server' => ['HTTP_ORIGIN' => 'test']],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->controller = new ChildApiController('app', $request, 'verbs', $this->controller = new ChildApiController('app', $request, 'verbs',

1
tests/lib/appframework/controller/ControllerTest.php
View File

@ -76,6 +76,7 @@ class ControllerTest extends \Test\TestCase {
'method' => 'hi', 'method' => 'hi',
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );

4
tests/lib/appframework/controller/OCSControllerTest.php
View File

@ -43,6 +43,7 @@ class OCSControllerTest extends \Test\TestCase {
], ],
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$controller = new ChildOCSController('app', $request, 'verbs', $controller = new ChildOCSController('app', $request, 'verbs',
@ -64,6 +65,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request( $controller = new ChildOCSController('app', new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
)); ));
$expected = "<?xml version=\"1.0\"?>\n" . $expected = "<?xml version=\"1.0\"?>\n" .
@ -96,6 +98,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request( $controller = new ChildOCSController('app', new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
)); ));
$expected = "<?xml version=\"1.0\"?>\n" . $expected = "<?xml version=\"1.0\"?>\n" .
@ -128,6 +131,7 @@ class OCSControllerTest extends \Test\TestCase {
$controller = new ChildOCSController('app', new Request( $controller = new ChildOCSController('app', new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
)); ));
$expected = '{"ocs":{"meta":{"status":"failure","statuscode":400,"message":"OK",' . $expected = '{"ocs":{"meta":{"status":"failure","statuscode":400,"message":"OK",' .

1
tests/lib/appframework/dependencyinjection/DIContainerTest.php
View File

@ -74,6 +74,7 @@ class DIContainerTest extends \Test\TestCase {
$this->container['Request'] = new Request( $this->container['Request'] = new Request(
['method' => 'GET'], ['method' => 'GET'],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$security = $this->container['SecurityMiddleware']; $security = $this->container['SecurityMiddleware'];

6
tests/lib/appframework/http/DispatcherTest.php
View File

@ -295,6 +295,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST' 'method' => 'POST'
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(
@ -322,6 +323,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST', 'method' => 'POST',
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(
@ -352,6 +354,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'GET' 'method' => 'GET'
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(
@ -381,6 +384,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'GET' 'method' => 'GET'
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(
@ -411,6 +415,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'PUT' 'method' => 'PUT'
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(
@ -443,6 +448,7 @@ class DispatcherTest extends \Test\TestCase {
'method' => 'POST' 'method' => 'POST'
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->dispatcher = new Dispatcher( $this->dispatcher = new Dispatcher(

97
tests/lib/appframework/http/RequestTest.php
View File

@ -10,6 +10,7 @@
namespace OC\AppFramework\Http; namespace OC\AppFramework\Http;
use OC\Security\Crypto;
use OCP\Security\ISecureRandom; use OCP\Security\ISecureRandom;
use OCP\IConfig; use OCP\IConfig;
@ -53,6 +54,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -85,6 +87,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -107,6 +110,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -126,6 +130,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -145,6 +150,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -161,6 +167,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -182,6 +189,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -206,6 +214,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -230,6 +239,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -250,6 +260,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -274,6 +285,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -303,6 +315,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -324,6 +337,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
$vars, $vars,
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -347,6 +361,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -358,6 +373,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
\OC::$server->getSecureRandom(), \OC::$server->getSecureRandom(),
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -382,6 +398,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -410,6 +427,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -438,6 +456,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -470,6 +489,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -497,6 +517,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -518,6 +539,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -528,6 +550,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -551,6 +574,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -571,6 +595,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -587,6 +612,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -607,6 +633,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -628,6 +655,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -716,6 +744,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -732,6 +761,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -749,6 +779,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -766,6 +797,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -793,6 +825,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -814,6 +847,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -840,6 +874,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -866,6 +901,7 @@ class RequestTest extends \Test\TestCase {
], ],
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -882,6 +918,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -909,6 +946,7 @@ class RequestTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -924,6 +962,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -944,6 +983,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -964,6 +1004,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -986,6 +1027,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -1008,6 +1050,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -1030,6 +1073,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -1052,6 +1096,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -1105,6 +1150,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
); );
@ -1144,6 +1190,7 @@ class RequestTest extends \Test\TestCase {
] ]
], ],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
]) ])
@ -1157,17 +1204,25 @@ class RequestTest extends \Test\TestCase {
} }
public function testPassesCSRFCheckWithGet() { public function testPassesCSRFCheckWithGet() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));
/** @var Request $request */ /** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request') $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName']) ->setMethods(['getScriptName'])
->setConstructorArgs([ ->setConstructorArgs([
[ [
'get' => [ 'get' => [
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
], ],
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => 'MyStoredRequestToken',
], ],
$this->secureRandom, $this->secureRandom,
$crypto,
$this->config, $this->config,
$this->stream $this->stream
]) ])
@ -1177,17 +1232,25 @@ class RequestTest extends \Test\TestCase {
} }
public function testPassesCSRFCheckWithPost() { public function testPassesCSRFCheckWithPost() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));
/** @var Request $request */ /** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request') $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName']) ->setMethods(['getScriptName'])
->setConstructorArgs([ ->setConstructorArgs([
[ [
'post' => [ 'post' => [
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
], ],
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => 'MyStoredRequestToken',
], ],
$this->secureRandom, $this->secureRandom,
$crypto,
$this->config, $this->config,
$this->stream $this->stream
]) ])
@ -1197,17 +1260,24 @@ class RequestTest extends \Test\TestCase {
} }
public function testPassesCSRFCheckWithHeader() { public function testPassesCSRFCheckWithHeader() {
$crypto = $this->getMock('\OCP\Security\ICrypto');
$crypto
->expects($this->once())
->method('decrypt')
->with('1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4', 'secret')
->will($this->returnValue('MyStoredRequestToken'));
/** @var Request $request */ /** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request') $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName']) ->setMethods(['getScriptName'])
->setConstructorArgs([ ->setConstructorArgs([
[ [
'server' => [ 'server' => [
'HTTP_REQUESTTOKEN' => 'MyStoredRequestToken', 'HTTP_REQUESTTOKEN' => '1c637c4147e40a8a8f09428ec2059cebea3480c27b402b4e793c69710a731513|wlXxNUaFqHuQnZr5|e6ab49c9e0e20c8d3607e02f1d8e6ec17ad6020ae10b7d64ab4b0a6318c0875940943a6aa303dc090fea0b4cd5b9fb8bcbecac4308a2bd15d9f369cdc22121a4:secret',
], ],
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => 'MyStoredRequestToken',
], ],
$this->secureRandom, $this->secureRandom,
$crypto,
$this->config, $this->config,
$this->stream $this->stream
]) ])
@ -1216,18 +1286,34 @@ class RequestTest extends \Test\TestCase {
$this->assertTrue($request->passesCSRFCheck()); $this->assertTrue($request->passesCSRFCheck());
} }
public function testPassesCSRFCheckWithInvalidToken() { public function invalidTokenDataProvider() {
return [
['InvalidSentToken'],
['InvalidSentToken:InvalidSecret'],
[null],
[''],
];
}
/**
* @dataProvider invalidTokenDataProvider
* @param string $invalidToken
*/
public function testPassesCSRFCheckWithInvalidToken($invalidToken) {
$crypto = new Crypto($this->config, $this->secureRandom);
/** @var Request $request */ /** @var Request $request */
$request = $this->getMockBuilder('\OC\AppFramework\Http\Request') $request = $this->getMockBuilder('\OC\AppFramework\Http\Request')
->setMethods(['getScriptName']) ->setMethods(['getScriptName'])
->setConstructorArgs([ ->setConstructorArgs([
[ [
'server' => [ 'server' => [
'HTTP_REQUESTTOKEN' => 'MyInvalidSentToken', 'HTTP_REQUESTTOKEN' => $invalidToken,
], ],
'requesttoken' => 'MyStoredRequestToken', 'requesttoken' => 'MyStoredRequestToken',
], ],
$this->secureRandom, $this->secureRandom,
$crypto,
$this->config, $this->config,
$this->stream $this->stream
]) ])
@ -1243,6 +1329,7 @@ class RequestTest extends \Test\TestCase {
->setConstructorArgs([ ->setConstructorArgs([
[], [],
$this->secureRandom, $this->secureRandom,
$this->getMock('\OCP\Security\ICrypto'),
$this->config, $this->config,
$this->stream $this->stream
]) ])

1
tests/lib/appframework/middleware/MiddlewareDispatcherTest.php
View File

@ -133,6 +133,7 @@ class MiddlewareDispatcherTest extends \Test\TestCase {
new Request( new Request(
['method' => 'GET'], ['method' => 'GET'],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
) )
] ]

1
tests/lib/appframework/middleware/MiddlewareTest.php
View File

@ -61,6 +61,7 @@ class MiddlewareTest extends \Test\TestCase {
new Request( new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
) )
] ]

10
tests/lib/appframework/middleware/security/CORSMiddlewareTest.php
View File

@ -42,6 +42,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
] ]
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
@ -61,6 +62,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
] ]
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@ -78,6 +80,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
@ -101,6 +104,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
] ]
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
@ -119,6 +123,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
$request = new Request( $request = new Request(
[], [],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->reflector->reflect($this, __FUNCTION__); $this->reflector->reflect($this, __FUNCTION__);
@ -144,6 +149,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass' 'PHP_AUTH_PW' => 'pass'
]], ]],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->session->expects($this->once()) $this->session->expects($this->once())
@ -169,6 +175,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass' 'PHP_AUTH_PW' => 'pass'
]], ]],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->session->expects($this->once()) $this->session->expects($this->once())
@ -190,6 +197,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass' 'PHP_AUTH_PW' => 'pass'
]], ]],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@ -206,6 +214,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass' 'PHP_AUTH_PW' => 'pass'
]], ]],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session);
@ -226,6 +235,7 @@ class CORSMiddlewareTest extends \Test\TestCase {
'PHP_AUTH_PW' => 'pass' 'PHP_AUTH_PW' => 'pass'
]], ]],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$middleware = new CORSMiddleware($request, $this->reflector, $this->session); $middleware = new CORSMiddleware($request, $this->reflector, $this->session);

1
tests/lib/appframework/middleware/security/SecurityMiddlewareTest.php
View File

@ -322,6 +322,7 @@ class SecurityMiddlewareTest extends \Test\TestCase {
] ]
], ],
$this->getMock('\OCP\Security\ISecureRandom'), $this->getMock('\OCP\Security\ISecureRandom'),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->middleware = $this->getMiddleware(true, true); $this->middleware = $this->getMiddleware(true, true);

1
tests/lib/appframework/middleware/sessionmiddlewaretest.php
View File

@ -36,6 +36,7 @@ class SessionMiddlewareTest extends \Test\TestCase {
$this->request = new Request( $this->request = new Request(
[], [],
$this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(), $this->getMockBuilder('\OCP\Security\ISecureRandom')->getMock(),
$this->getMock('\OCP\Security\ICrypto'),
$this->getMock('\OCP\IConfig') $this->getMock('\OCP\IConfig')
); );
$this->reflector = new ControllerMethodReflector(); $this->reflector = new ControllerMethodReflector();

2
tests/lib/util.php
View File

@ -91,7 +91,7 @@ class Test_Util extends \Test\TestCase {
function testCallRegister() { function testCallRegister() {
$result = strlen(OC_Util::callRegister()); $result = strlen(OC_Util::callRegister());
$this->assertEquals(30, $result); $this->assertEquals(221, $result);
} }
function testSanitizeHTML() { function testSanitizeHTML() {