test/WebRequest.cpp - Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th…

Unified Diff: test/WebRequest.cpp

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/

Patch Set: improve tests following feedback. Created March 3, 2017, 7:04 p.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: test/WebRequest.cpp

===================================================================

--- a/test/WebRequest.cpp

+++ b/test/WebRequest.cpp

@@ -32,30 +32,53 @@ namespace

result.status = NS_OK;

result.responseStatus = 123;

result.responseHeaders.push_back(std::pair<std::string, std::string>("Foo", "Bar"));

result.responseText = url + "\n" + requestHeaders[0].first + "\n" + requestHeaders[0].second;

return result;

}

};

+ class XHRTestWebRequest : public AdblockPlus::WebRequest

Felix Dahlke 2017/03/06 16:51:07 IMHO it'd make more sense to add lastRequestHeader

hub 2017/03/06 17:26:05 I can do that too. I was trying to avoid side effe

+ {

+ public:

+ AdblockPlus::ServerResponse GET(const std::string& url, const AdblockPlus::HeaderList& requestHeaders) const

+ {

+ lastRequestHeaders.clear();

+ for (auto header : requestHeaders)

+ {

+ lastRequestHeaders.insert(header.first);

+ }

+ AdblockPlus::ServerResponse result;

+ result.status = NS_OK;

+ result.responseStatus = 123;

+ result.responseHeaders.push_back(std::pair<std::string, std::string>("Foo", "Bar"));

+ return result;

+ }

+ // mutable. Very Ugly. But we are testing.

+ mutable std::set<std::string> lastRequestHeaders;

+ };

template<class T>

class WebRequestTest : public BaseJsTest

{

protected:

void SetUp()

{

BaseJsTest::SetUp();

jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T));

jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem));

}

};

typedef WebRequestTest<MockWebRequest> MockWebRequestTest;

typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest;

+ typedef WebRequestTest<XHRTestWebRequest> XMLHttpRequestTest;

}

TEST_F(MockWebRequestTest, BadCall)

{

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})"));

ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})"));

@@ -112,16 +135,19 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq

{

AdblockPlus::Sleep(200);

} while (jsEngine->Evaluate("result")->IsUndefined());

ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt());

ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt());

ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString());

ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString());

+#if defined(HAVE_CURL)

+ ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString());

+#endif

ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull());

}

#else

TEST_F(DefaultWebRequestTest, DummyWebRequest)

{

jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )");

{

@@ -152,8 +178,136 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq

} while (jsEngine->Evaluate("result")->IsUndefined());

ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt());

ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt());

ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString());

ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull());

}

#endif

+namespace

+ class CatchLogSystem : public AdblockPlus::LogSystem

+ {

+ public:

+ AdblockPlus::LogSystem::LogLevel lastLogLevel;

+ std::string lastMessage;

+ CatchLogSystem()

+ : AdblockPlus::LogSystem(),

+ lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE)

+ {

+ }

+ void operator()(AdblockPlus::LogSystem::LogLevel logLevel,

+ const std::string& message, const std::string&)

+ {

+ lastLogLevel = logLevel;

+ lastMessage = message;

+ }

+ void clear()

+ {

+ lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE;

+ lastMessage.clear();

+ }

+ };

+ typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr;

+ void

+ ResetTestXHR(const AdblockPlus::JsEnginePtr & jsEngine, const CatchLogSystemPtr & logger)

Felix Dahlke 2017/03/06 16:51:07 Nit: `AdblockPlus::JsEnginePtr &` -> `AdblockPlus:

hub 2017/03/06 17:26:05 Acknowledged.

+ {

+ jsEngine->Evaluate("\

+ var result;\

+ var request = new XMLHttpRequest();\

+ request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\

+ request.overrideMimeType('text/plain');\

+ request.addEventListener('load', function() {result = request.responseText;}, false);\

+ request.addEventListener('error', function() {result = 'error';}, false);\

+ ");

+ logger->clear();

+ }

+TEST_F(XMLHttpRequestTest, RequestHeaderValidation)

+ #define WAIT_FOR_XHR_RESULT do\

+ {\

+ AdblockPlus::Sleep(60);\

+ } while (jsEngine->Evaluate("result")->IsUndefined())

Felix Dahlke 2017/03/06 16:51:08 This is a bit of a footgun, wouldn't it work to ju

hub 2017/03/06 17:26:05 The only difference I see is that we'll check afte

Felix Dahlke 2017/03/07 07:44:22 Oh sorry, it seems I didn't get what I meant here

hub 2017/03/07 15:52:32 The other test have a similar loop. That's where I

Felix Dahlke 2017/03/07 17:03:42 Oh indeed, for some reason I missed that. Like I s

+ auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem);

+ jsEngine->SetLogSystem(catchLogSystem);

+ AdblockPlus::FilterEngine filterEngine(jsEngine);

+ auto webRequest =

+ std::static_pointer_cast<XHRTestWebRequest>(jsEngine->GetWebRequest());

+ ASSERT_TRUE(webRequest);

+ const std::string msg = "Attempt to set a forbidden header was denied: ";

+ // The test will check that console.warn has been called when the

+ // header is rejected. While this is an implementation detail, we

+ // have no other way to check this

+ // test 'Accept-Encoding' is rejected

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Accept-Encoding', 'gzip');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("Accept-Encoding"));

+ // test 'DNT' is rejected

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('DNT', '1');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("DNT"));

+ // test random 'X' header is accepted

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('X', 'y');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);

+ EXPECT_EQ("", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_FALSE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("X"));

+ // test /^Proxy-/ is rejected.

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Proxy-foo', 'bar');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("Proxy-foo"));

+ // test /^Sec-/ is rejected.

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Sec-foo', 'bar');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);

+ EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("Sec-foo"));

+ // test 'Security' is accepted.

+ ResetTestXHR(jsEngine, catchLogSystem);

+ jsEngine->Evaluate("\

+ request.setRequestHeader('Security', 'theater');\nrequest.send();");

+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);

+ EXPECT_EQ("", catchLogSystem->lastMessage);

+ WAIT_FOR_XHR_RESULT;

+ EXPECT_FALSE(webRequest->lastRequestHeaders.cend() ==

+ webRequest->lastRequestHeaders.find("Security"));

« no previous file with comments | « lib/compat.js ('k') | no next file » | no next file with comments »