search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'MDL-58454-master' of git://github.com/junpataleta/moodle
[moodle.git] / lib / tests / curl_security_helper_test.php
blobf2691b7dfcf48f425d1e5167b723005d1d0f3c29
1 <?php
2 // This file is part of Moodle - http://moodle.org/
3 //
4 // Moodle is free software: you can redistribute it and/or modify
5 // it under the terms of the GNU General Public License as published by
6 // the Free Software Foundation, either version 3 of the License, or
7 // (at your option) any later version.
8 //
9 // Moodle is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
13 //
14 // You should have received a copy of the GNU General Public License
15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17 /**
18 * Unit tests for /lib/classes/curl/curl_security_helper.php.
19 *
20 * @package core
21 * @copyright 2016 Jake Dallimore <jrhdallimore@gmail.com>
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 */
24
25 defined('MOODLE_INTERNAL') || die();
26
27 /**
28 * cURL security test suite.
29 *
30 * Note: The curl_security_helper class performs forward and reverse DNS look-ups in some cases. This class will not attempt to test
31 * this functionality as look-ups can vary from machine to machine. Instead, human testing with known inputs/outputs is recommended.
32 *
33 * @package core
34 * @copyright 2016 Jake Dallimore <jrhdallimore@gmail.com>
35 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
36 */
37 class core_curl_security_helper_testcase extends advanced_testcase {
38 /**
39 * Test for \core\files\curl_security_helper::url_is_blocked().
40 *
41 * @param array $dns a mapping between hosts and IPs to be used instead of a real DNS lookup. The values must be arrays.
42 * @param string $url the url to validate.
43 * @param string $blockedhosts the list of blocked hosts.
44 * @param string $allowedports the list of allowed ports.
45 * @param bool $expected the expected result.
46 * @dataProvider curl_security_url_data_provider
47 */
48 public function test_curl_security_helper_url_is_blocked($dns, $url, $blockedhosts, $allowedports, $expected) {
49 $this->resetAfterTest(true);
50 $helper = $this->getMockBuilder('\core\files\curl_security_helper')
51 ->setMethods(['get_host_list_by_name'])
52 ->getMock();
53
54 // Override the get host list method to return hard coded values based on a mapping provided by $dns.
55 $helper->method('get_host_list_by_name')
56 ->will(
57 $this->returnCallback(
58 function($host) use ($dns) {
59 return isset($dns[$host]) ? $dns[$host] : [];
60 }
61 )
62 );
63
64 set_config('curlsecurityblockedhosts', $blockedhosts);
65 set_config('curlsecurityallowedport', $allowedports);
66 $this->assertEquals($expected, $helper->url_is_blocked($url));
67 }
68
69 /**
70 * Data provider for test_curl_security_helper_url_is_blocked().
71 *
72 * @return array
73 */
74 public function curl_security_url_data_provider() {
75 $simpledns = ['localhost' => ['127.0.0.1']];
76 $multiplerecorddns = [
77 'sub.example.com' => ['1.2.3.4', '5.6.7.8']
78 ];
79 // Format: url, blocked hosts, allowed ports, expected result.
80 return [
81 // Base set without the blacklist enabled - no checking takes place.
82 [$simpledns, "http://localhost/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http).
83 [$simpledns, "http://localhost:80/x.png", "", "", false], // IP=127.0.0.1, Port=80 (specific port overrides http scheme).
84 [$simpledns, "https://localhost/x.png", "", "", false], // IP=127.0.0.1, Port=443 (port inferred from https).
85 [$simpledns, "http://localhost:443/x.png", "", "", false], // IP=127.0.0.1, Port=443 (specific port overrides http scheme).
86 [$simpledns, "localhost/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http fallback).
87 [$simpledns, "localhost:443/x.png", "", "", false], // IP=127.0.0.1, Port=443 (port hard specified, despite http fallback).
88 [$simpledns, "http://127.0.0.1/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http).
89 [$simpledns, "127.0.0.1/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http fallback).
90 [$simpledns, "http://localhost:8080/x.png", "", "", false], // IP=127.0.0.1, Port=8080 (port hard specified).
91 [$simpledns, "http://192.168.1.10/x.png", "", "", false], // IP=192.168.1.10, Port=80 (port inferred from http).
92 [$simpledns, "https://192.168.1.10/x.png", "", "", false], // IP=192.168.1.10, Port=443 (port inferred from https).
93 [$simpledns, "http://sub.example.com/x.png", "", "", false], // IP=::1, Port = 80 (port inferred from http).
94 [$simpledns, "http://s-1.d-1.com/x.png", "", "", false], // IP=::1, Port = 80 (port inferred from http).
95
96 // Test set using domain name filters but with all ports allowed (empty).
97 [$simpledns, "http://localhost/x.png", "localhost", "", true],
98 [$simpledns, "localhost/x.png", "localhost", "", true],
99 [$simpledns, "localhost:0/x.png", "localhost", "", true],
100 [$simpledns, "ftp://localhost/x.png", "localhost", "", true],
101 [$simpledns, "http://sub.example.com/x.png", "localhost", "", false],
102 [$simpledns, "http://example.com/x.png", "example.com", "", true],
103 [$simpledns, "http://sub.example.com/x.png", "example.com", "", false],
104
105 // Test set using wildcard domain name filters but with all ports allowed (empty).
106 [$simpledns, "http://sub.example.com/x.png", "*.com", "", true],
107 [$simpledns, "http://example.com/x.png", "*.example.com", "", false],
108 [$simpledns, "http://sub.example.com/x.png", "*.example.com", "", true],
109 [$simpledns, "http://sub.example.com/x.png", "*.sub.example.com", "", false],
110 [$simpledns, "http://sub.example.com/x.png", "*.example", "", false],
111
112 // Test set using IP address filters but with all ports allowed (empty).
113 [$simpledns, "http://localhost/x.png", "127.0.0.1", "", true],
114 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "", true],
115
116 // Test set using CIDR IP range filters but with all ports allowed (empty).
117 [$simpledns, "http://localhost/x.png", "127.0.0.0/24", "", true],
118 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0/24", "", true],
119
120 // Test set using last-group range filters but with all ports allowed (empty).
121 [$simpledns, "http://localhost/x.png", "127.0.0.0-30", "", true],
122 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0-30", "", true],
123
124 // Test set using port filters but with all hosts allowed (empty).
125 [$simpledns, "http://localhost/x.png", "", "80\n443", false],
126 [$simpledns, "http://localhost:80/x.png", "", "80\n443", false],
127 [$simpledns, "https://localhost/x.png", "", "80\n443", false],
128 [$simpledns, "http://localhost:443/x.png", "", "80\n443", false],
129 [$simpledns, "http://sub.example.com:8080/x.png", "", "80\n443", true],
130 [$simpledns, "http://sub.example.com:-80/x.png", "", "80\n443", true],
131 [$simpledns, "http://sub.example.com:aaa/x.png", "", "80\n443", true],
132
133 // Test set using port filters and hosts filters.
134 [$simpledns, "http://localhost/x.png", "127.0.0.1", "80\n443", true],
135 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "80\n443", true],
136
137 // Test using multiple A records.
138 // Multiple record DNS gives two IPs for the same host, we want to make
139 // sure that if we blacklist one of those (doesn't matter which one)
140 // the request is blocked.
141 [$multiplerecorddns, "http://sub.example.com", '1.2.3.4', "", true],
142 [$multiplerecorddns, "http://sub.example.com", '5.6.7.8', "", true],
143
144 // Test when DNS resolution fails.
145 [[], "http://example.com", "127.0.0.1", "", true],
146
147 // Test some freaky deaky Unicode domains. Should be blocked always.
148 [$simpledns, "http://169。254。169。254/", "127.0.0.1", "", true],
149 [$simpledns, "http://169。254。169。254/", "1.2.3.4", "", true],
150 [$simpledns, "http://169。254。169。254/", "127.0.0.1", "80\n443", true]
151
152 // Note on testing URLs using IPv6 notation:
153 // At present, the curl_security_helper class doesn't support IPv6 url notation.
154 // E.g. http://[ad34::dddd]:port/resource
155 // This is because it uses clean_param(x, PARAM_URL) as part of parsing, which won't validate urls having IPv6 notation.
156 // The underlying IPv6 address and range support is in place, however, so if clean_param is changed in future,
157 // please add the following test sets.
158 // 1. ["http://[::1]/x.png", "", "", false]
159 // 2. ["http://[::1]/x.png", "::1", "", true]
160 // 3. ["http://[::1]/x.png", "::1/64", "", true]
161 // 4. ["http://[fe80::dddd]/x.png", "fe80::cccc-eeee", "", true]
162 // 5. ["http://[fe80::dddd]/x.png", "fe80::dddd/128", "", true].
163 ];
164 }
165
166 /**
167 * Test for \core\files\curl_security_helper->is_enabled().
168 *
169 * @param string $blockedhosts the list of blocked hosts.
170 * @param string $allowedports the list of allowed ports.
171 * @param bool $expected the expected result.
172 * @dataProvider curl_security_settings_data_provider
173 */
174 public function test_curl_security_helper_is_enabled($blockedhosts, $allowedports, $expected) {
175 $this->resetAfterTest(true);
176 $helper = new \core\files\curl_security_helper();
177 set_config('curlsecurityblockedhosts', $blockedhosts);
178 set_config('curlsecurityallowedport', $allowedports);
179 $this->assertEquals($expected, $helper->is_enabled());
180 }
181
182 /**
183 * Data provider for test_curl_security_helper_is_enabled().
184 *
185 * @return array
186 */
187 public function curl_security_settings_data_provider() {
188 // Format: blocked hosts, allowed ports, expected result.
189 return [
190 ["", "", false],
191 ["127.0.0.1", "", true],
192 ["localhost", "", true],
193 ["127.0.0.0/24\n192.0.0.0/24", "", true],
194 ["", "80\n443", true],
195 ];
196 }
197
198 /**
199 * Test for \core\files\curl_security_helper::host_is_blocked().
200 *
201 * @param string $host the host to validate.
202 * @param string $blockedhosts the list of blocked hosts.
203 * @param bool $expected the expected result.
204 * @dataProvider curl_security_host_data_provider
205 */
206 public function test_curl_security_helper_host_is_blocked($host, $blockedhosts, $expected) {
207 $this->resetAfterTest(true);
208 $helper = new \core\files\curl_security_helper();
209 set_config('curlsecurityblockedhosts', $blockedhosts);
210 $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'host_is_blocked', [$host],
211 '\core\files\curl_security_helper'));
212 }
213
214 /**
215 * Data provider for test_curl_security_helper_host_is_blocked().
216 *
217 * @return array
218 */
219 public function curl_security_host_data_provider() {
220 return [
221 // IPv4 hosts.
222 ["127.0.0.1", "127.0.0.1", true],
223 ["127.0.0.1", "127.0.0.0/24", true],
224 ["127.0.0.1", "127.0.0.0-40", true],
225 ["", "127.0.0.0/24", false],
226
227 // IPv6 hosts.
228 // Note: ["::", "::", true], - should match but 'address_in_subnet()' has trouble with fully collapsed IPv6 addresses.
229 ["::1", "::1", true],
230 ["::1", "::0-cccc", true],
231 ["::1", "::0/64", true],
232 ["FE80:0000:0000:0000:0000:0000:0000:0000", "fe80::/128", true],
233 ["fe80::eeee", "fe80::ddde/64", true],
234 ["fe80::dddd", "fe80::cccc-eeee", true],
235 ["fe80::dddd", "fe80::ddde-eeee", false],
236
237 // Domain name hosts.
238 ["example.com", "example.com", true],
239 ["sub.example.com", "example.com", false],
240 ["example.com", "*.com", true],
241 ["example.com", "*.example.com", false],
242 ["sub.example.com", "*.example.com", true],
243 ["sub.sub.example.com", "*.example.com", true],
244 ["sub.example.com", "*example.com", false],
245 ["sub.example.com", "*.example", false],
246
247 // International domain name hosts.
248 ["xn--nw2a.xn--j6w193g", "xn--nw2a.xn--j6w193g", true], // The domain 見.香港 is ace-encoded to xn--nw2a.xn--j6w193g.
249 ];
250 }
251
252 /**
253 * Test for \core\files\curl_security_helper->port_is_blocked().
254 *
255 * @param int|string $port the port to validate.
256 * @param string $allowedports the list of allowed ports.
257 * @param bool $expected the expected result.
258 * @dataProvider curl_security_port_data_provider
259 */
260 public function test_curl_security_helper_port_is_blocked($port, $allowedports, $expected) {
261 $this->resetAfterTest(true);
262 $helper = new \core\files\curl_security_helper();
263 set_config('curlsecurityallowedport', $allowedports);
264 $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'port_is_blocked', [$port],
265 '\core\files\curl_security_helper'));
266 }
267
268 /**
269 * Data provider for test_curl_security_helper_port_is_blocked().
270 *
271 * @return array
272 */
273 public function curl_security_port_data_provider() {
274 return [
275 ["", "80\n443", true],
276 [" ", "80\n443", true],
277 ["-1", "80\n443", true],
278 [-1, "80\n443", true],
279 ["n", "80\n443", true],
280 [0, "80\n443", true],
281 ["0", "80\n443", true],
282 [8080, "80\n443", true],
283 ["8080", "80\n443", true],
284 ["80", "80\n443", false],
285 [80, "80\n443", false],
286 [443, "80\n443", false],
287 [0, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries.
288 [-1, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries.
289 [null, "", true], // Non-string, non-int values are invalid.
290 ];
291 }
292
293 /**
294 * Test for \core\files\curl_security_helper::get_blocked_url_string().
295 */
296 public function test_curl_security_helper_get_blocked_url_string() {
297 $helper = new \core\files\curl_security_helper();
298 $this->assertEquals(get_string('curlsecurityurlblocked', 'admin'), $helper->get_blocked_url_string());
299 }
300 }
Read-only mirror of the Moodle CVS