
Side by Side Diff: test/WebRequest.cpp

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Reworked the testing. Addressed review comments. Created March 3, 2017, 4:05 a.m.
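--- a/test/WebRequest.cpp
+++ b/test/WebRequest.cpp
@@ -1,10 +1,10 @@
 /*
 * This file is part of Adblock Plus <https://adblockplus.org/>,
 * Copyright (C) 2006-2016 Eyeo GmbH
 *
 * Adblock Plus is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 3 as
 * published by the Free Software Foundation.
 *
 * Adblock Plus is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -44,20 +44,22 @@
 void SetUp()
 {
 BaseJsTest::SetUp();
 jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T));
 jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem));
 }
 };
 
 typedef WebRequestTest<MockWebRequest> MockWebRequestTest;
 typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest;
+// This test doesn't need a real WebRequest.
+typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest;
 }
 
 TEST_F(MockWebRequestTest, BadCall)
 {
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()"));
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})"));
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, fu nction(){})"));
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', nu ll, function(){})"));
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', {} , null)"));
 ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', {} , function(){}, 0)"));
@@ -110,20 +112,23 @@
 request.addEventListener('error', function() {result = 'error';}, false);\
 request.send(null);");
 do
 {
 AdblockPlus::Sleep(200);
 } while (jsEngine->Evaluate("result")->IsUndefined());
 ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel. status")->AsInt());
 ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt());
 ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsStri ng());
 ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content -Type').substr(0, 10)")->AsString());
+#if defined(HAVE_CURL)
+ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encod ing').substr(0, 4)")->AsString());
+#endif
 ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNul l());
 }
 #else
 TEST_F(DefaultWebRequestTest, DummyWebRequest)
 {
 jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.or g/easylist.txt', {}, function(result) {foo = result;} )");
 do
 {
 AdblockPlus::Sleep(200);
 } while (jsEngine->Evaluate("this.foo")->IsUndefined());
@@ -150,10 +155,100 @@
 {
 AdblockPlus::Sleep(200);
 } while (jsEngine->Evaluate("result")->IsUndefined());
 ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("reque st.channel.status")->AsInt());
 ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt());
 ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString());
 ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->I sNull());
 }
 
 #endif
+
+namespace
+{
+class CatchLogSystem : public AdblockPlus::LogSystem
+{
+public:
+AdblockPlus::LogSystem::LogLevel lastLogLevel;
+std::string lastMessage;
+
+CatchLogSystem()
+: AdblockPlus::LogSystem(),
+lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE)
+{
+}
+
+void operator()(AdblockPlus::LogSystem::LogLevel logLevel,
+const std::string& message, const std::string&)
+{
+lastLogLevel = logLevel;
+lastMessage = message;
+}
+
+void clear()
+{
+lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE;
+lastMessage.clear();
+}
+};
+
+typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr;
+}
+
+TEST_F(XMLHttpRequestTest, RequestHeaderValidation)
+{
+auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem);
+jsEngine->SetLogSystem(catchLogSystem);
+
+AdblockPlus::FilterEngine filterEngine(jsEngine);
+const std::string msg = "Attempt to set a forbidden header was denied: ";
+
+// The test will check that console.warn has been called when the
+// header is rejected. While this is an implementation detail, we
+// have no other way to check this
+
+jsEngine->Evaluate("\
+var request = new XMLHttpRequest();\
+request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt ');");
+
+// test 'Accept-Encoding' is rejected
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('Accept-Encoding', 'gzip');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel );
+EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage);
+
+// test 'DNT' is rejected
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('DNT', '1');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel );
+EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage);
+
+// test random 'X' header is accepted
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('X', 'y');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLeve l);
+EXPECT_EQ("", catchLogSystem->lastMessage);
+
+// test /^Proxy-/ is rejected.
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('Proxy-foo', 'bar');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel );
+EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage);
+
+// test /^Sec-/ is rejected.
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('Sec-foo', 'bar');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel );
+EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage);
+
+// test 'Security' is accepted.
+catchLogSystem->clear();
+jsEngine->Evaluate("\
+request.setRequestHeader('Security', 'theater');");
+EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLeve l);
+EXPECT_EQ("", catchLogSystem->lastMessage);
+}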
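Review bot: RequestHeaderValidation (new lines 197-254) exercises the forbidden names only in their canonical spelling, but HTTP header names are case-insensitive, so a case-sensitive deny-list would pass every assertion here while still letting `accept-encoding` or `PROXY-foo` through. The check itself is presumably in lib/compat.js, the previous file in this patch set, which is not shown in this section, so whether it normalises case cannot be confirmed from here. I would add cases such as `request.setRequestHeader('accept-encoding', 'gzip');` and `request.setRequestHeader('SEC-foo', 'bar');`, each followed by the existing `LOG_LEVEL_WARN` expectation on `catchLogSystem->lastLogLevel`. The test also observes only the warning, not the outgoing request; if MockWebRequest can expose the headers it receives, asserting that the header is absent there would pin the security property rather than the log text.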