Unified Diff: test/WebRequest.cpp
Issue 29377825:
Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed)
Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Forgot one more change from the review feedback.
Created March 6, 2017, 5:56 p.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« lib/compat.js ('k')
|
no next file »
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: test/WebRequest.cpp |
| =================================================================== |
| --- a/test/WebRequest.cpp |
| +++ b/test/WebRequest.cpp |
| @@ -21,41 +21,55 @@ |
| namespace |
| { |
| class MockWebRequest : public AdblockPlus::WebRequest |
| { |
| public: |
| AdblockPlus::ServerResponse GET(const std::string& url, const AdblockPlus::HeaderList& requestHeaders) const |
| { |
| + lastRequestHeaders.clear(); |
| + for (auto header : requestHeaders) |
| + { |
| + lastRequestHeaders.insert(header.first); |
| + } |
| + |
| AdblockPlus::Sleep(50); |
| AdblockPlus::ServerResponse result; |
| result.status = NS_OK; |
| result.responseStatus = 123; |
| result.responseHeaders.push_back(std::pair<std::string, std::string>("Foo", "Bar")); |
| - result.responseText = url + "\n" + requestHeaders[0].first + "\n" + requestHeaders[0].second; |
| + result.responseText = url + "\n"; |
| + if (!requestHeaders.empty()) |
| + { |
| + result.responseText += requestHeaders[0].first + "\n" + requestHeaders[0].second; |
| + } |
| return result; |
| } |
| + |
| + // mutable. Very Ugly. But we are testing and need to change this in GET which is const. |
| + mutable std::set<std::string> lastRequestHeaders; |
| }; |
| template<class T> |
| class WebRequestTest : public BaseJsTest |
| { |
| protected: |
| void SetUp() |
| { |
| BaseJsTest::SetUp(); |
| jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T)); |
| jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem)); |
| } |
| }; |
| typedef WebRequestTest<MockWebRequest> MockWebRequestTest; |
| typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest; |
| + typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest; |
| } |
| TEST_F(MockWebRequestTest, BadCall) |
| { |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})")); |
| @@ -112,16 +126,19 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq |
| do |
| { |
| AdblockPlus::Sleep(200); |
| } while (jsEngine->Evaluate("result")->IsUndefined()); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt()); |
| ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt()); |
| ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString()); |
| ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString()); |
| +#if defined(HAVE_CURL) |
| + ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString()); |
| +#endif |
| ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull()); |
| } |
| #else |
| TEST_F(DefaultWebRequestTest, DummyWebRequest) |
| { |
| jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )"); |
| do |
| { |
| @@ -152,8 +169,136 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq |
| } while (jsEngine->Evaluate("result")->IsUndefined()); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt()); |
| ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt()); |
| ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString()); |
| ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull()); |
| } |
| #endif |
| + |
| +namespace |
| +{ |
| + class CatchLogSystem : public AdblockPlus::LogSystem |
| + { |
| + public: |
| + AdblockPlus::LogSystem::LogLevel lastLogLevel; |
| + std::string lastMessage; |
| + |
| + CatchLogSystem() |
| + : AdblockPlus::LogSystem(), |
| + lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE) |
| + { |
| + } |
| + |
| + void operator()(AdblockPlus::LogSystem::LogLevel logLevel, |
| + const std::string& message, const std::string&) |
| + { |
| + lastLogLevel = logLevel; |
| + lastMessage = message; |
| + } |
| + |
| + void clear() |
| + { |
| + lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE; |
| + lastMessage.clear(); |
| + } |
| + }; |
| + |
| + typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr; |
| + |
| + void |
| + ResetTestXHR(const AdblockPlus::JsEnginePtr& jsEngine, const CatchLogSystemPtr& logger) |
| + { |
| + jsEngine->Evaluate("\ |
| + var result;\ |
| + var request = new XMLHttpRequest();\ |
| + request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\ |
| + request.overrideMimeType('text/plain');\ |
| + request.addEventListener('load', function() {result = request.responseText;}, false);\ |
| + request.addEventListener('error', function() {result = 'error';}, false);\ |
| + "); |
| + logger->clear(); |
| + } |
| +} |
| + |
| +TEST_F(XMLHttpRequestTest, RequestHeaderValidation) |
| +{ |
| + #define WAIT_FOR_XHR_RESULT do\ |
| + {\ |
| + AdblockPlus::Sleep(200);\ |
| + } while (jsEngine->Evaluate("result")->IsUndefined()) |
| + |
| + auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem); |
| + jsEngine->SetLogSystem(catchLogSystem); |
| + |
| + AdblockPlus::FilterEngine filterEngine(jsEngine); |
| + auto webRequest = |
| + std::static_pointer_cast<MockWebRequest>(jsEngine->GetWebRequest()); |
| + |
| + ASSERT_TRUE(webRequest); |
| + |
| + const std::string msg = "Attempt to set a forbidden header was denied: "; |
| + |
| + // The test will check that console.warn has been called when the |
| + // header is rejected. While this is an implementation detail, we |
| + // have no other way to check this |
| + |
| + // test 'Accept-Encoding' is rejected |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Accept-Encoding', 'gzip');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Accept-Encoding")); |
| + |
| + // test 'DNT' is rejected |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('DNT', '1');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("DNT")); |
| + |
| + // test random 'X' header is accepted |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('X', 'y');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ("", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_FALSE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("X")); |
| + |
| + // test /^Proxy-/ is rejected. |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Proxy-foo', 'bar');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Proxy-foo")); |
| + |
| + // test /^Sec-/ is rejected. |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Sec-foo', 'bar');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Sec-foo")); |
| + |
| + // test 'Security' is accepted. |
| + ResetTestXHR(jsEngine, catchLogSystem); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Security', 'theater');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ("", catchLogSystem->lastMessage); |
| + WAIT_FOR_XHR_RESULT; |
| + EXPECT_FALSE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Security")); |
| +} |
« no previous file with comments
|
« lib/compat.js ('k')
|
no next file »
|
no next file with comments »
