test/WebRequest.cpp - Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

Unified Diff: test/WebRequest.cpp

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/

Patch Set: Reworked the testing. Addressed review comments. Created March 3, 2017, 4:05 a.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: test/WebRequest.cpp

===================================================================

--- a/test/WebRequest.cpp

+++ b/test/WebRequest.cpp

@@ -46,16 +46,18 @@ namespace

BaseJsTest::SetUp();

jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T));

jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem));

}

};

typedef WebRequestTest<MockWebRequest> MockWebRequestTest;

typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest;

+ // This test doesn't need a real WebRequest.

+ typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest;

}

TEST_F(MockWebRequestTest, BadCall)

{

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})"));

@@ -112,16 +114,19 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq

{

AdblockPlus::Sleep(200);

} while (jsEngine->Evaluate("result")->IsUndefined());

ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt());

ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt());

ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString());

ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString());

+#if defined(HAVE_CURL)

+ ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString());

+#endif

ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull());

}

#else

TEST_F(DefaultWebRequestTest, DummyWebRequest)

{

jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )");

{

@@ -152,8 +157,98 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq

} while (jsEngine->Evaluate("result")->IsUndefined());

ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt());

ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt());

ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString());

ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull());

}

#endif

+namespace

+ class CatchLogSystem : public AdblockPlus::LogSystem

+ {

+ public:

+ AdblockPlus::LogSystem::LogLevel lastLogLevel;

+ std::string lastMessage;

+ CatchLogSystem()

+ : AdblockPlus::LogSystem(),

+ lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE)

+ {

+ }

+ void operator()(AdblockPlus::LogSystem::LogLevel logLevel,

+ const std::string& message, const std::string&)

+ {

+ lastLogLevel = logLevel;

+ lastMessage = message;

+ }

+ void clear()

+ {

+ lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE;

+ lastMessage.clear();

+ }

+ };

+ typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr;

+TEST_F(XMLHttpRequestTest, RequestHeaderValidation)

+ auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem);

+ jsEngine->SetLogSystem(catchLogSystem);

+ AdblockPlus::FilterEngine filterEngine(jsEngine);

+ const std::string msg = "Attempt to set a forbidden header was denied: ";

+ // The test will check that console.warn has been called when the

+ // header is rejected. While this is an implementation detail, we

+ // have no other way to check this

+ jsEngine->Evaluate("\

+ var request = new XMLHttpRequest();\

+ request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');");

+ // test 'Accept-Encoding' is rejected

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Accept-Encoding', 'gzip');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage);

+ // test 'DNT' is rejected

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('DNT', '1');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage);

+ // test random 'X' header is accepted

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('X', 'y');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);

+ EXPECT_EQ("", catchLogSystem->lastMessage);

+ // test /^Proxy-/ is rejected.

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Proxy-foo', 'bar');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage);

+ // test /^Sec-/ is rejected.

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Sec-foo', 'bar');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage);

+ // test 'Security' is accepted.

+ catchLogSystem->clear();

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Security', 'theater');");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);

+ EXPECT_EQ("", catchLogSystem->lastMessage);

« lib/compat.js ('K') | « lib/compat.js ('k') | no next file » | no next file with comments »