Unified Diff: test/WebRequest.cpp
Issue 29377825:
Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed)
Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: Updated based on the feedback.
Created March 8, 2017, 4:15 a.m.
Use n/p to move between diff chunks;
N/P to move between comments.
« no previous file with comments
|
« lib/compat.js ('k')
|
no next file »
|
no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')
| Index: test/WebRequest.cpp |
| =================================================================== |
| --- a/test/WebRequest.cpp |
| +++ b/test/WebRequest.cpp |
| @@ -21,41 +21,77 @@ |
| namespace |
| { |
| class MockWebRequest : public AdblockPlus::WebRequest |
| { |
| public: |
| AdblockPlus::ServerResponse GET(const std::string& url, const AdblockPlus::HeaderList& requestHeaders) const |
| { |
| + lastRequestHeaders.clear(); |
|
sergei
2017/03/13 09:56:57
Sorry, I forgot to say it again when my comments h
sergei
2017/03/16 11:08:25
What about this point? Actually I find it very imp
|
| + for (auto header : requestHeaders) |
| + { |
| + lastRequestHeaders.insert(header.first); |
| + } |
| + |
| AdblockPlus::Sleep(50); |
| AdblockPlus::ServerResponse result; |
| result.status = NS_OK; |
| result.responseStatus = 123; |
| result.responseHeaders.push_back(std::pair<std::string, std::string>("Foo", "Bar")); |
| - result.responseText = url + "\n" + requestHeaders[0].first + "\n" + requestHeaders[0].second; |
| + result.responseText = url + "\n"; |
| + if (!requestHeaders.empty()) |
| + { |
| + result.responseText += requestHeaders[0].first + "\n" + requestHeaders[0].second; |
| + } |
| return result; |
| } |
| + |
| + // mutable. Very Ugly. But we are testing and need to change this in GET which is const. |
| + mutable std::set<std::string> lastRequestHeaders; |
| }; |
| template<class T> |
| class WebRequestTest : public BaseJsTest |
| { |
| protected: |
| void SetUp() |
| { |
| BaseJsTest::SetUp(); |
| jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T)); |
| jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem)); |
| } |
| }; |
| typedef WebRequestTest<MockWebRequest> MockWebRequestTest; |
| typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest; |
| + typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest; |
| + |
| + void |
|
Felix Dahlke
2017/03/09 15:10:58
Nit: Why the new line? Not really consistent with
hub
2017/03/09 15:33:02
probably habit. I'll remove it when I send you the
sergei
2017/03/13 09:56:56
Just in case for future, I would rather prefer to
|
| + ResetTestXHR(const AdblockPlus::JsEnginePtr& jsEngine) |
| + { |
| + jsEngine->Evaluate("\ |
| + var result;\ |
| + var request = new XMLHttpRequest();\ |
| + request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\ |
| + request.overrideMimeType('text/plain');\ |
| + request.addEventListener('load', function() {result = request.responseText;}, false);\ |
| + request.addEventListener('error', function() {result = 'error';}, false);\ |
| + "); |
| + } |
| + |
| + void WaitForVariable(const std::string& variable, const AdblockPlus::JsEnginePtr& jsEngine) |
| + { |
| + do |
| + { |
| + AdblockPlus::Sleep(60); |
|
sergei
2017/03/13 09:56:56
Since we touched it here I would say that I person
hub
2017/03/13 14:16:51
I'll file an issue for that.
hub
2017/03/13 14:29:32
filed https://issues.adblockplus.org/ticket/4983
|
| + } while (jsEngine->Evaluate(variable)->IsUndefined()); |
| + } |
| + |
| } |
| TEST_F(MockWebRequestTest, BadCall) |
| { |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})")); |
| ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})")); |
| @@ -75,85 +111,181 @@ TEST_F(MockWebRequestTest, SuccessfulReq |
| } |
| #if defined(HAVE_CURL) || defined(_WIN32) |
| TEST_F(DefaultWebRequestTest, RealWebRequest) |
| { |
| // This URL should redirect to easylist-downloads.adblockplus.org and we |
| // should get the actual filter list back. |
| jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )"); |
| - do |
| - { |
| - AdblockPlus::Sleep(200); |
| - } while (jsEngine->Evaluate("this.foo")->IsUndefined()); |
| + WaitForVariable("this.foo", jsEngine); |
| ASSERT_EQ("text/plain", jsEngine->Evaluate("foo.responseHeaders['content-type'].substr(0, 10)")->AsString()); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("foo.status")->AsInt()); |
| ASSERT_EQ(200, jsEngine->Evaluate("foo.responseStatus")->AsInt()); |
| ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("foo.responseText.substr(0, 14)")->AsString()); |
| ASSERT_EQ("text/plain", jsEngine->Evaluate("foo.responseHeaders['content-type'].substr(0, 10)")->AsString()); |
| #if defined(HAVE_CURL) |
| ASSERT_EQ("gzip", jsEngine->Evaluate("foo.responseHeaders['content-encoding'].substr(0, 4)")->AsString()); |
| #endif |
| ASSERT_TRUE(jsEngine->Evaluate("foo.responseHeaders['location']")->IsUndefined()); |
| } |
| TEST_F(DefaultWebRequestTest, XMLHttpRequest) |
| { |
| AdblockPlus::FilterEngine filterEngine(jsEngine); |
| + ResetTestXHR(jsEngine); |
| jsEngine->Evaluate("\ |
| - var result;\ |
| - var request = new XMLHttpRequest();\ |
| - request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\ |
| request.setRequestHeader('X', 'Y');\ |
| request.setRequestHeader('X2', 'Y2');\ |
| - request.overrideMimeType('text/plain');\ |
| - request.addEventListener('load', function() {result = request.responseText;}, false);\ |
| - request.addEventListener('error', function() {result = 'error';}, false);\ |
| request.send(null);"); |
| - do |
| - { |
| - AdblockPlus::Sleep(200); |
| - } while (jsEngine->Evaluate("result")->IsUndefined()); |
| + WaitForVariable("result", jsEngine); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt()); |
| ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt()); |
| ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString()); |
| ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString()); |
| +#if defined(HAVE_CURL) |
|
sergei
2017/03/13 09:56:56
It seems, it should be in commit https://github.co
|
| + ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString()); |
| +#endif |
| ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull()); |
| } |
| #else |
| TEST_F(DefaultWebRequestTest, DummyWebRequest) |
| { |
| jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )"); |
| - do |
| - { |
| - AdblockPlus::Sleep(200); |
| - } while (jsEngine->Evaluate("this.foo")->IsUndefined()); |
| + WaitForVariable("this.foo", jsEngine); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("foo.status")->AsInt()); |
| ASSERT_EQ(0, jsEngine->Evaluate("foo.responseStatus")->AsInt()); |
| ASSERT_EQ("", jsEngine->Evaluate("foo.responseText")->AsString()); |
| ASSERT_EQ("{}", jsEngine->Evaluate("JSON.stringify(foo.responseHeaders)")->AsString()); |
| } |
| TEST_F(DefaultWebRequestTest, XMLHttpRequest) |
| { |
| AdblockPlus::FilterEngine filterEngine(jsEngine); |
| + ResetTestXHR(jsEngine); |
| jsEngine->Evaluate("\ |
| - var result;\ |
| - var request = new XMLHttpRequest();\ |
| - request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\ |
| request.setRequestHeader('X', 'Y');\ |
| - request.overrideMimeType('text/plain');\ |
| - request.addEventListener('load', function() {result = request.responseText;}, false);\ |
| - request.addEventListener('error', function() {result = 'error';}, false);\ |
| request.send(null);"); |
| - do |
| - { |
| - AdblockPlus::Sleep(200); |
| - } while (jsEngine->Evaluate("result")->IsUndefined()); |
| + WaitForVariable("result", jsEngine); |
| ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt()); |
| ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt()); |
| ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString()); |
| ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull()); |
| } |
| #endif |
| + |
| +namespace |
| +{ |
| + class CatchLogSystem : public AdblockPlus::LogSystem |
| + { |
| + public: |
| + AdblockPlus::LogSystem::LogLevel lastLogLevel; |
| + std::string lastMessage; |
| + |
| + CatchLogSystem() |
| + : AdblockPlus::LogSystem(), |
| + lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE) |
| + { |
| + } |
| + |
| + void operator()(AdblockPlus::LogSystem::LogLevel logLevel, |
| + const std::string& message, const std::string&) |
| + { |
| + lastLogLevel = logLevel; |
| + lastMessage = message; |
| + } |
| + |
| + void clear() |
| + { |
| + lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE; |
| + lastMessage.clear(); |
| + } |
| + }; |
| + |
| + typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr; |
| +} |
| + |
| +TEST_F(XMLHttpRequestTest, RequestHeaderValidation) |
| +{ |
| + auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem); |
|
sergei
2017/03/13 09:56:56
Could we please always use either () or {} for con
sergei
2017/03/13 09:56:57
I would prefer to have std::make_shared<CatchLogSy
Felix Dahlke
2017/03/13 10:05:47
I definitely prefer omitting these when not necess
sergei
2017/03/13 10:31:02
It seems Mozilla's coding style does not mention i
Felix Dahlke
2017/03/13 11:05:42
We are talking a bout `new CatchLogSystem` vs `new
sergei
2017/03/13 11:39:16
Yes.
Felix Dahlke
2017/03/13 11:55:06
I see - rusty after all :P Looking at our existing
sergei
2017/03/13 12:19:58
On 2017/03/13 11:55:06, Felix Dahlke wrote:
...
hub
2017/03/13 14:16:51
I see two occurences, line 60 and 61 of this file.
hub
2017/03/13 14:16:51
I did submit a follow up patch to address these. I
|
| + jsEngine->SetLogSystem(catchLogSystem); |
| + |
| + AdblockPlus::FilterEngine filterEngine(jsEngine); |
| + auto webRequest = |
| + std::static_pointer_cast<MockWebRequest>(jsEngine->GetWebRequest()); |
|
sergei
2017/03/13 09:56:56
Although it's fine here, I would rather prefer to
|
| + |
| + ASSERT_TRUE(webRequest); |
| + |
| + const std::string msg = "Attempt to set a forbidden header was denied: "; |
| + |
| + // The test will check that console.warn has been called when the |
| + // header is rejected. While this is an implementation detail, we |
| + // have no other way to check this |
| + |
| + // test 'Accept-Encoding' is rejected |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Accept-Encoding', 'gzip');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Accept-Encoding")); |
| + |
| + // test 'DNT' is rejected |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('DNT', '1');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("DNT")); |
| + |
| + // test random 'X' header is accepted |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('X', 'y');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ("", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_FALSE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("X")); |
| + |
| + // test /^Proxy-/ is rejected. |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Proxy-foo', 'bar');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Proxy-foo")); |
| + |
| + // test /^Sec-/ is rejected. |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Sec-foo', 'bar');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_TRUE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Sec-foo")); |
| + |
| + // test 'Security' is accepted. |
| + catchLogSystem->clear(); |
| + ResetTestXHR(jsEngine); |
| + jsEngine->Evaluate("\ |
| + request.setRequestHeader('Security', 'theater');\nrequest.send();"); |
| + EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel); |
| + EXPECT_EQ("", catchLogSystem->lastMessage); |
| + WaitForVariable("result", jsEngine); |
| + EXPECT_FALSE(webRequest->lastRequestHeaders.cend() == |
| + webRequest->lastRequestHeaders.find("Security")); |
| +} |
« no previous file with comments
|
« lib/compat.js ('k')
|
no next file »
|
no next file with comments »
