Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code

Unified Diff: test/WebRequest.cpp

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Initial changes Created March 2, 2017, 9:39 p.m.
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« lib/compat.js ('K') | « lib/compat.js ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: test/WebRequest.cpp
===================================================================
--- a/test/WebRequest.cpp
+++ b/test/WebRequest.cpp
@@ -46,16 +46,18 @@ namespace
BaseJsTest::SetUp();
jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T));
jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem));
}
};
typedef WebRequestTest<MockWebRequest> MockWebRequestTest;
typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest;
+ // This test doesn't need a real WebRequest.
+ typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest;
}
TEST_F(MockWebRequestTest, BadCall)
{
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})"));
@@ -112,16 +114,19 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq
do
{
AdblockPlus::Sleep(200);
} while (jsEngine->Evaluate("result")->IsUndefined());
ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt());
ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt());
ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString());
ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString());
+#if defined(HAVE_CURL)
+ ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString());
+#endif
ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull());
}
#else
TEST_F(DefaultWebRequestTest, DummyWebRequest)
{
jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )");
do
{
@@ -152,8 +157,63 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq
} while (jsEngine->Evaluate("result")->IsUndefined());
ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt());
ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt());
ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString());
ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull());
}
#endif
+
+TEST_F(XMLHttpRequestTest, RequestHeaderValidation)
+{
+ AdblockPlus::FilterEngine filterEngine(jsEngine);
+
+ const std::string msg = "Attempt to set a forbidden header was denied: ";
+ // The test will override console.warning so that the
sergei 2017/03/02 22:25:31 I think we should rather check in WebRequest::GET
hub 2017/03/02 23:30:13 I didn't realize there was LogSystem to check for
sergei 2017/03/03 08:38:59 What about check in WebRequest::GET?
+ // header rejection cause result to be set.
+ // While this is an implementation detail, since the DOM API
sergei 2017/03/02 22:25:31 Could you please remove "DOM" because it's not a D
hub 2017/03/02 23:30:13 Acknowledged.
+ // doesn't seem to return anything, we have no other way to check
+ // the failure.
+ jsEngine->Evaluate("\
+ var result;\
+ console.warning = function(msg) { result = msg; };\
+ var request = new XMLHttpRequest();\
+ request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');");
+
+ // test 'Accept-Encoding' is rejected
sergei 2017/03/02 22:25:31 What about having several tests, at least checking
+ jsEngine->Evaluate("\
+ result = undefined;\
+ request.setRequestHeader('Accept-Encoding', 'gzip');");
+ auto value = jsEngine->Evaluate("result");
+ ASSERT_FALSE(value->IsUndefined());
+ ASSERT_EQ(msg + "Accept-Encoding", value->AsString());
+
+ // test random 'X' header is accepted
+ jsEngine->Evaluate("\
+ result = undefined;\
+ request.setRequestHeader('X', 'y');");
+ value = value = jsEngine->Evaluate("result");
sergei 2017/03/02 22:25:31 value = value =
hub 2017/03/02 23:30:13 Acknowledged. Cut&paste error. I missed it.
+ ASSERT_TRUE(value->IsUndefined());
sergei 2017/03/02 22:25:31 I think we should use EXPECT_* when the test can c
hub 2017/03/02 23:30:12 Acknowledged.
+
+ // test /^Proxy-/ is rejected.
+ jsEngine->Evaluate("\
+ result = undefined;\
+ request.setRequestHeader('Proxy-foo', 'bar');");
+ value = value = jsEngine->Evaluate("result");
+ ASSERT_FALSE(value->IsUndefined());
+ ASSERT_EQ(msg + "Proxy-foo", value->AsString());
+
+ // test /^Sec-/ is rejected.
+ jsEngine->Evaluate("\
+ result = undefined;\
+ request.setRequestHeader('Sec-foo', 'bar');");
+ value = value = jsEngine->Evaluate("result");
+ ASSERT_FALSE(value->IsUndefined());
+ ASSERT_EQ(msg + "Sec-foo", value->AsString());
+
+ // test 'Security' is rejected.
+ jsEngine->Evaluate("\
+ result = undefined;\
+ request.setRequestHeader('Security', 'theater');");
+ value = value = jsEngine->Evaluate("result");
+ ASSERT_TRUE(value->IsUndefined());
+}
« lib/compat.js ('K') | « lib/compat.js ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld