search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Replace `global` keyword with `$GLOBALS`
[phpmyadmin.git] / test / classes / CoreTest.php
blob489acfcab7b3f6b9db6cd761b88f387d2a0586df
1 <?php
2
3 declare(strict_types=1);
4
5 namespace PhpMyAdmin\Tests;
6
7 use PhpMyAdmin\Core;
8 use PhpMyAdmin\Http\ServerRequest;
9 use PhpMyAdmin\ResponseRenderer;
10 use PhpMyAdmin\Sanitize;
11 use PhpMyAdmin\Url;
12 use stdClass;
13
14 use function __;
15 use function _pgettext;
16 use function hash;
17 use function htmlspecialchars;
18 use function mb_strpos;
19 use function ob_end_clean;
20 use function ob_get_contents;
21 use function ob_start;
22 use function preg_quote;
23 use function serialize;
24 use function str_repeat;
25
26 /**
27 * @covers \PhpMyAdmin\Core
28 */
29 class CoreTest extends AbstractNetworkTestCase
30 {
31 /**
32 * Setup for test cases
33 */
34 protected function setUp(): void
35 {
36 parent::setUp();
37 parent::setTheme();
38 parent::setLanguage();
39
40 $GLOBALS['server'] = 0;
41 $GLOBALS['db'] = '';
42 $GLOBALS['table'] = '';
43 $GLOBALS['PMA_PHP_SELF'] = 'http://example.net/';
44 $GLOBALS['config']->set('URLQueryEncryption', false);
45 }
46
47 /**
48 * Test for Core::arrayRead
49 */
50 public function testArrayRead(): void
51 {
52 $arr = [
53 'int' => 1,
54 'str' => 'str_val',
55 'arr' => [
56 'val1',
57 'val2',
58 'val3',
59 ],
60 'sarr' => [
61 'arr1' => [
62 1,
63 2,
64 3,
65 ],
66 [
67 3,
68 [
69 'a',
70 'b',
71 'c',
72 ],
73 4,
74 ],
75 ],
76 ];
77
78 $this->assertEquals(
79 Core::arrayRead('int', $arr),
80 $arr['int']
81 );
82
83 $this->assertEquals(
84 Core::arrayRead('str', $arr),
85 $arr['str']
86 );
87
88 $this->assertEquals(
89 Core::arrayRead('arr/0', $arr),
90 $arr['arr'][0]
91 );
92
93 $this->assertEquals(
94 Core::arrayRead('arr/1', $arr),
95 $arr['arr'][1]
96 );
97
98 $this->assertEquals(
99 Core::arrayRead('arr/2', $arr),
100 $arr['arr'][2]
101 );
102
103 $this->assertEquals(
104 Core::arrayRead('sarr/arr1/0', $arr),
105 $arr['sarr']['arr1'][0]
106 );
107
108 $this->assertEquals(
109 Core::arrayRead('sarr/arr1/1', $arr),
110 $arr['sarr']['arr1'][1]
111 );
112
113 $this->assertEquals(
114 Core::arrayRead('sarr/arr1/2', $arr),
115 $arr['sarr']['arr1'][2]
116 );
117
118 $this->assertEquals(
119 Core::arrayRead('sarr/0/0', $arr),
120 $arr['sarr'][0][0]
121 );
122
123 $this->assertEquals(
124 Core::arrayRead('sarr/0/1', $arr),
125 $arr['sarr'][0][1]
126 );
127
128 $this->assertEquals(
129 Core::arrayRead('sarr/0/1/2', $arr),
130 $arr['sarr'][0][1][2]
131 );
132
133 $this->assertEquals(
134 Core::arrayRead('sarr/not_exiting/1', $arr),
135 null
136 );
137
138 $this->assertEquals(
139 Core::arrayRead('sarr/not_exiting/1', $arr, 0),
140 0
141 );
142
143 $this->assertEquals(
144 Core::arrayRead('sarr/not_exiting/1', $arr, 'default_val'),
145 'default_val'
146 );
147 }
148
149 /**
150 * Test for Core::arrayWrite
151 */
152 public function testArrayWrite(): void
153 {
154 $arr = [
155 'int' => 1,
156 'str' => 'str_val',
157 'arr' => [
158 'val1',
159 'val2',
160 'val3',
161 ],
162 'sarr' => [
163 'arr1' => [
164 1,
165 2,
166 3,
167 ],
168 [
169 3,
170 [
171 'a',
172 'b',
173 'c',
174 ],
175 4,
176 ],
177 ],
178 ];
179
180 Core::arrayWrite('int', $arr, 5);
181 $this->assertEquals($arr['int'], 5);
182
183 Core::arrayWrite('str', $arr, '_str');
184 $this->assertEquals($arr['str'], '_str');
185
186 Core::arrayWrite('arr/0', $arr, 'val_arr_0');
187 $this->assertEquals($arr['arr'][0], 'val_arr_0');
188
189 Core::arrayWrite('arr/1', $arr, 'val_arr_1');
190 $this->assertEquals($arr['arr'][1], 'val_arr_1');
191
192 Core::arrayWrite('arr/2', $arr, 'val_arr_2');
193 $this->assertEquals($arr['arr'][2], 'val_arr_2');
194
195 Core::arrayWrite('sarr/arr1/0', $arr, 'val_sarr_arr_0');
196 $this->assertEquals($arr['sarr']['arr1'][0], 'val_sarr_arr_0');
197
198 Core::arrayWrite('sarr/arr1/1', $arr, 'val_sarr_arr_1');
199 $this->assertEquals($arr['sarr']['arr1'][1], 'val_sarr_arr_1');
200
201 Core::arrayWrite('sarr/arr1/2', $arr, 'val_sarr_arr_2');
202 $this->assertEquals($arr['sarr']['arr1'][2], 'val_sarr_arr_2');
203
204 Core::arrayWrite('sarr/0/0', $arr, 5);
205 $this->assertEquals($arr['sarr'][0][0], 5);
206
207 Core::arrayWrite('sarr/0/1/0', $arr, 'e');
208 $this->assertEquals($arr['sarr'][0][1][0], 'e');
209
210 Core::arrayWrite('sarr/not_existing/1', $arr, 'some_val');
211 $this->assertEquals($arr['sarr']['not_existing'][1], 'some_val');
212
213 Core::arrayWrite('sarr/0/2', $arr, null);
214 $this->assertNull($arr['sarr'][0][2]);
215 }
216
217 /**
218 * Test for Core::arrayRemove
219 */
220 public function testArrayRemove(): void
221 {
222 $arr = [
223 'int' => 1,
224 'str' => 'str_val',
225 'arr' => [
226 'val1',
227 'val2',
228 'val3',
229 ],
230 'sarr' => [
231 'arr1' => [
232 1,
233 2,
234 3,
235 ],
236 [
237 3,
238 [
239 'a',
240 'b',
241 'c',
242 ],
243 4,
244 ],
245 ],
246 ];
247
248 Core::arrayRemove('int', $arr);
249 $this->assertArrayNotHasKey('int', $arr);
250
251 Core::arrayRemove('str', $arr);
252 $this->assertArrayNotHasKey('str', $arr);
253
254 Core::arrayRemove('arr/0', $arr);
255 $this->assertArrayNotHasKey(0, $arr['arr']);
256
257 Core::arrayRemove('arr/1', $arr);
258 $this->assertArrayNotHasKey(1, $arr['arr']);
259
260 Core::arrayRemove('arr/2', $arr);
261 $this->assertArrayNotHasKey('arr', $arr);
262
263 $tmp_arr = $arr;
264 Core::arrayRemove('sarr/not_existing/1', $arr);
265 $this->assertEquals($tmp_arr, $arr);
266
267 Core::arrayRemove('sarr/arr1/0', $arr);
268 $this->assertArrayNotHasKey(0, $arr['sarr']['arr1']);
269
270 Core::arrayRemove('sarr/arr1/1', $arr);
271 $this->assertArrayNotHasKey(1, $arr['sarr']['arr1']);
272
273 Core::arrayRemove('sarr/arr1/2', $arr);
274 $this->assertArrayNotHasKey('arr1', $arr['sarr']);
275
276 Core::arrayRemove('sarr/0/0', $arr);
277 $this->assertArrayNotHasKey(0, $arr['sarr'][0]);
278
279 Core::arrayRemove('sarr/0/1/0', $arr);
280 $this->assertArrayNotHasKey(0, $arr['sarr'][0][1]);
281
282 Core::arrayRemove('sarr/0/1/1', $arr);
283 $this->assertArrayNotHasKey(1, $arr['sarr'][0][1]);
284
285 Core::arrayRemove('sarr/0/1/2', $arr);
286 $this->assertArrayNotHasKey(1, $arr['sarr'][0]);
287
288 Core::arrayRemove('sarr/0/2', $arr);
289
290 $this->assertEmpty($arr);
291 }
292
293 /**
294 * Test for Core::checkPageValidity
295 *
296 * @param string|null $page Page
297 * @param array $allowList Allow list
298 * @param bool $include whether the page is going to be included
299 * @param bool $expected Expected value
300 *
301 * @dataProvider providerTestGotoNowhere
302 */
303 public function testGotoNowhere(?string $page, array $allowList, bool $include, bool $expected): void
304 {
305 $this->assertSame($expected, Core::checkPageValidity($page, $allowList, $include));
306 }
307
308 /**
309 * Data provider for testGotoNowhere
310 *
311 * @return array
312 */
313 public function providerTestGotoNowhere(): array
314 {
315 return [
316 [
317 null,
318 [],
319 false,
320 false,
321 ],
322 [
323 null,
324 [],
325 true,
326 false,
327 ],
328 [
329 'shell.php',
330 ['index.php'],
331 false,
332 false,
333 ],
334 [
335 'shell.php',
336 ['index.php'],
337 true,
338 false,
339 ],
340 [
341 'index.php?sql.php&test=true',
342 ['index.php'],
343 false,
344 true,
345 ],
346 [
347 'index.php?sql.php&test=true',
348 ['index.php'],
349 true,
350 false,
351 ],
352 [
353 'index.php%3Fsql.php%26test%3Dtrue',
354 ['index.php'],
355 false,
356 true,
357 ],
358 [
359 'index.php%3Fsql.php%26test%3Dtrue',
360 ['index.php'],
361 true,
362 false,
363 ],
364 ];
365 }
366
367 /**
368 * Test for Core::fatalError
369 */
370 public function testFatalErrorMessage(): void
371 {
372 $_REQUEST = [];
373 ResponseRenderer::getInstance()->setAjax(false);
374
375 $this->expectOutputRegex('/FatalError!/');
376 Core::fatalError('FatalError!');
377 }
378
379 /**
380 * Test for Core::fatalError
381 */
382 public function testFatalErrorMessageWithArgs(): void
383 {
384 $_REQUEST = [];
385 ResponseRenderer::getInstance()->setAjax(false);
386
387 $message = 'Fatal error #%d in file %s.';
388 $params = [
389 1,
390 'error_file.php',
391 ];
392
393 $this->expectOutputRegex('/Fatal error #1 in file error_file.php./');
394 Core::fatalError($message, $params);
395
396 $message = 'Fatal error in file %s.';
397 $params = 'error_file.php';
398
399 $this->expectOutputRegex('/Fatal error in file error_file.php./');
400 Core::fatalError($message, $params);
401 }
402
403 /**
404 * Test for Core::getRealSize
405 *
406 * @param string $size Size
407 * @param int $expected Expected value
408 *
409 * @group 32bit-incompatible
410 *
411 * @dataProvider providerTestGetRealSize
412 */
413 public function testGetRealSize(string $size, int $expected): void
414 {
415 $this->assertEquals($expected, Core::getRealSize($size));
416 }
417
418 /**
419 * Data provider for testGetRealSize
420 *
421 * @return array
422 */
423 public function providerTestGetRealSize(): array
424 {
425 return [
426 [
427 '0',
428 0,
429 ],
430 [
431 '1kb',
432 1024,
433 ],
434 [
435 '1024k',
436 1024 * 1024,
437 ],
438 [
439 '8m',
440 8 * 1024 * 1024,
441 ],
442 [
443 '12gb',
444 12 * 1024 * 1024 * 1024,
445 ],
446 [
447 '1024',
448 1024,
449 ],
450 [
451 '8000m',
452 8 * 1000 * 1024 * 1024,
453 ],
454 [
455 '8G',
456 8 * 1024 * 1024 * 1024,
457 ],
458 [
459 '2048',
460 2048,
461 ],
462 [
463 '2048K',
464 2048 * 1024,
465 ],
466 [
467 '2048K',
468 2048 * 1024,
469 ],
470 [
471 '102400K',
472 102400 * 1024,
473 ],
474 ];
475 }
476
477 /**
478 * Test for Core::getPHPDocLink
479 */
480 public function testGetPHPDocLink(): void
481 {
482 $lang = _pgettext('PHP documentation language', 'en');
483 $this->assertEquals(
484 Core::getPHPDocLink('function'),
485 './url.php?url=https%3A%2F%2Fwww.php.net%2Fmanual%2F'
486 . $lang . '%2Ffunction'
487 );
488 }
489
490 /**
491 * Test for Core::linkURL
492 *
493 * @param string $link URL where to go
494 * @param string $url Expected value
495 *
496 * @dataProvider providerTestLinkURL
497 */
498 public function testLinkURL(string $link, string $url): void
499 {
500 $this->assertEquals(Core::linkURL($link), $url);
501 }
502
503 /**
504 * Data provider for testLinkURL
505 *
506 * @return array
507 */
508 public function providerTestLinkURL(): array
509 {
510 return [
511 [
512 'https://wiki.phpmyadmin.net',
513 './url.php?url=https%3A%2F%2Fwiki.phpmyadmin.net',
514 ],
515 [
516 'https://wiki.phpmyadmin.net',
517 './url.php?url=https%3A%2F%2Fwiki.phpmyadmin.net',
518 ],
519 [
520 'wiki.phpmyadmin.net',
521 'wiki.phpmyadmin.net',
522 ],
523 [
524 'index.php?db=phpmyadmin',
525 'index.php?db=phpmyadmin',
526 ],
527 ];
528 }
529
530 /**
531 * Test for Core::sendHeaderLocation
532 */
533 public function testSendHeaderLocationWithoutSidWithIis(): void
534 {
535 $GLOBALS['server'] = 0;
536 $GLOBALS['config']->set('PMA_IS_IIS', true);
537
538 $testUri = 'https://example.com/test.php';
539
540 $this->mockResponse('Location: ' . $testUri);
541 Core::sendHeaderLocation($testUri); // sets $GLOBALS['header']
542
543 $this->mockResponse('Refresh: 0; ' . $testUri);
544 Core::sendHeaderLocation($testUri, true); // sets $GLOBALS['header']
545 }
546
547 /**
548 * Test for Core::sendHeaderLocation
549 */
550 public function testSendHeaderLocationWithoutSidWithoutIis(): void
551 {
552 $GLOBALS['server'] = 0;
553 parent::setGlobalConfig();
554 $GLOBALS['config']->set('PMA_IS_IIS', null);
555
556 $testUri = 'https://example.com/test.php';
557
558 $this->mockResponse('Location: ' . $testUri);
559 Core::sendHeaderLocation($testUri); // sets $GLOBALS['header']
560 }
561
562 /**
563 * Test for Core::sendHeaderLocation
564 */
565 public function testSendHeaderLocationIisLongUri(): void
566 {
567 $GLOBALS['server'] = 0;
568 parent::setGlobalConfig();
569 $GLOBALS['config']->set('PMA_IS_IIS', true);
570
571 // over 600 chars
572 $testUri = 'https://example.com/test.php?testlonguri=over600chars&test=test'
573 . '&test=test&test=test&test=test&test=test&test=test&test=test'
574 . '&test=test&test=test&test=test&test=test&test=test&test=test'
575 . '&test=test&test=test&test=test&test=test&test=test&test=test'
576 . '&test=test&test=test&test=test&test=test&test=test&test=test'
577 . '&test=test&test=test&test=test&test=test&test=test&test=test'
578 . '&test=test&test=test&test=test&test=test&test=test&test=test'
579 . '&test=test&test=test&test=test&test=test&test=test&test=test'
580 . '&test=test&test=test&test=test&test=test&test=test&test=test'
581 . '&test=test&test=test&test=test&test=test&test=test&test=test'
582 . '&test=test&test=test';
583 $testUri_html = htmlspecialchars($testUri);
584 $testUri_js = Sanitize::escapeJsString($testUri);
585
586 $header = "<html>\n<head>\n <title>- - -</title>"
587 . "\n <meta http-equiv=\"expires\" content=\"0\">"
588 . "\n <meta http-equiv=\"Pragma\" content=\"no-cache\">"
589 . "\n <meta http-equiv=\"Cache-Control\" content=\"no-cache\">"
590 . "\n <meta http-equiv=\"Refresh\" content=\"0;url=" . $testUri_html . '">'
591 . "\n <script type=\"text/javascript\">\n //<![CDATA["
592 . "\n setTimeout(function() { window.location = decodeURI('" . $testUri_js . "'); }, 2000);"
593 . "\n //]]>\n </script>\n</head>"
594 . "\n<body>\n<script type=\"text/javascript\">\n //<![CDATA["
595 . "\n document.write('<p><a href=\"" . $testUri_html . '">' . __('Go') . "</a></p>');"
596 . "\n //]]>\n</script>\n</body>\n</html>\n";
597
598 $this->expectOutputString($header);
599
600 $this->mockResponse();
601
602 Core::sendHeaderLocation($testUri);
603 }
604
605 /**
606 * Test for unserializing
607 *
608 * @param string $url URL to test
609 * @param mixed $expected Expected result
610 *
611 * @dataProvider provideTestIsAllowedDomain
612 */
613 public function testIsAllowedDomain(string $url, $expected): void
614 {
615 $_SERVER['SERVER_NAME'] = 'server.local';
616 $this->assertEquals(
617 $expected,
618 Core::isAllowedDomain($url)
619 );
620 }
621
622 /**
623 * Test data provider
624 *
625 * @return array
626 */
627 public function provideTestIsAllowedDomain(): array
628 {
629 return [
630 [
631 'https://www.phpmyadmin.net/',
632 true,
633 ],
634 [
635 'http://duckduckgo.com\\@github.com',
636 false,
637 ],
638 [
639 'https://github.com/',
640 true,
641 ],
642 [
643 'https://github.com:123/',
644 false,
645 ],
646 [
647 'https://user:pass@github.com:123/',
648 false,
649 ],
650 [
651 'https://user:pass@github.com/',
652 false,
653 ],
654 [
655 'https://server.local/',
656 true,
657 ],
658 [
659 './relative/',
660 false,
661 ],
662 ];
663 }
664
665 /**
666 * Test for unserializing
667 *
668 * @param string $data Serialized data
669 * @param mixed $expected Expected result
670 *
671 * @dataProvider provideTestSafeUnserialize
672 */
673 public function testSafeUnserialize(string $data, $expected): void
674 {
675 $this->assertEquals(
676 $expected,
677 Core::safeUnserialize($data)
678 );
679 }
680
681 /**
682 * Test data provider
683 *
684 * @return array
685 */
686 public function provideTestSafeUnserialize(): array
687 {
688 return [
689 [
690 's:6:"foobar";',
691 'foobar',
692 ],
693 [
694 'foobar',
695 null,
696 ],
697 [
698 'b:0;',
699 false,
700 ],
701 [
702 'O:1:"a":1:{s:5:"value";s:3:"100";}',
703 null,
704 ],
705 [
706 'O:8:"stdClass":1:{s:5:"field";O:8:"stdClass":0:{}}',
707 null,
708 ],
709 [
710 'a:2:{i:0;s:90:"1234567890;a3456789012345678901234567890123456789012'
711 . '34567890123456789012345678901234567890";i:1;O:8:"stdClass":0:{}}',
712 null,
713 ],
714 [
715 serialize([1, 2, 3]),
716 [
717 1,
718 2,
719 3,
720 ],
721 ],
722 [
723 serialize('string""'),
724 'string""',
725 ],
726 [
727 serialize(['foo' => 'bar']),
728 ['foo' => 'bar'],
729 ],
730 [
731 serialize(['1', new stdClass(), '2']),
732 null,
733 ],
734 ];
735 }
736
737 /**
738 * Test for MySQL host sanitizing
739 *
740 * @param string $host Test host name
741 * @param string $expected Expected result
742 *
743 * @dataProvider provideTestSanitizeMySQLHost
744 */
745 public function testSanitizeMySQLHost(string $host, string $expected): void
746 {
747 $this->assertEquals(
748 $expected,
749 Core::sanitizeMySQLHost($host)
750 );
751 }
752
753 /**
754 * Test data provider
755 *
756 * @return array
757 */
758 public function provideTestSanitizeMySQLHost(): array
759 {
760 return [
761 [
762 'p:foo.bar',
763 'foo.bar',
764 ],
765 [
766 'p:p:foo.bar',
767 'foo.bar',
768 ],
769 [
770 'bar.baz',
771 'bar.baz',
772 ],
773 [
774 'P:example.com',
775 'example.com',
776 ],
777 ];
778 }
779
780 /**
781 * Test for replacing dots.
782 */
783 public function testReplaceDots(): void
784 {
785 $this->assertEquals(
786 Core::securePath('../../../etc/passwd'),
787 './././etc/passwd'
788 );
789 $this->assertEquals(
790 Core::securePath('/var/www/../phpmyadmin'),
791 '/var/www/./phpmyadmin'
792 );
793 $this->assertEquals(
794 Core::securePath('./path/with..dots/../../file..php'),
795 './path/with.dots/././file.php'
796 );
797 }
798
799 /**
800 * Test for Core::warnMissingExtension
801 */
802 public function testMissingExtensionFatal(): void
803 {
804 $_REQUEST = [];
805 ResponseRenderer::getInstance()->setAjax(false);
806
807 $ext = 'php_ext';
808 $warn = 'The <a href="' . Core::getPHPDocLink('book.' . $ext . '.php')
809 . '" target="Documentation"><em>' . $ext
810 . '</em></a> extension is missing. Please check your PHP configuration.';
811
812 $this->expectOutputRegex('@' . preg_quote($warn, '@') . '@');
813
814 Core::warnMissingExtension($ext, true);
815 }
816
817 /**
818 * Test for Core::warnMissingExtension
819 */
820 public function testMissingExtensionFatalWithExtra(): void
821 {
822 $_REQUEST = [];
823 ResponseRenderer::getInstance()->setAjax(false);
824
825 $ext = 'php_ext';
826 $extra = 'Appended Extra String';
827
828 $warn = 'The <a href="' . Core::getPHPDocLink('book.' . $ext . '.php')
829 . '" target="Documentation"><em>' . $ext
830 . '</em></a> extension is missing. Please check your PHP configuration.'
831 . ' ' . $extra;
832
833 ob_start();
834 Core::warnMissingExtension($ext, true, $extra);
835 $printed = ob_get_contents();
836 ob_end_clean();
837
838 $this->assertGreaterThan(0, mb_strpos((string) $printed, $warn));
839 }
840
841 /**
842 * Test for Core::signSqlQuery
843 */
844 public function testSignSqlQuery(): void
845 {
846 $_SESSION[' HMAC_secret '] = hash('sha1', 'test');
847 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
848 $signature = Core::signSqlQuery($sqlQuery);
849 $hmac = '33371e8680a640dc05944a2a24e6e630d3e9e3dba24464135f2fb954c3a4ffe2';
850 $this->assertSame($hmac, $signature, 'The signature must match the computed one');
851 }
852
853 /**
854 * Test for Core::checkSqlQuerySignature
855 */
856 public function testCheckSqlQuerySignature(): void
857 {
858 $_SESSION[' HMAC_secret '] = hash('sha1', 'test');
859 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
860 $hmac = '33371e8680a640dc05944a2a24e6e630d3e9e3dba24464135f2fb954c3a4ffe2';
861 $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
862 }
863
864 /**
865 * Test for Core::checkSqlQuerySignature
866 */
867 public function testCheckSqlQuerySignatureFails(): void
868 {
869 $_SESSION[' HMAC_secret '] = hash('sha1', '132654987gguieunofz');
870 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
871 $hmac = '33371e8680a640dc05944a2a24e6e630d3e9e3dba24464135f2fb954c3a4ffe2';
872 $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
873 }
874
875 /**
876 * Test for Core::checkSqlQuerySignature
877 */
878 public function testCheckSqlQuerySignatureFailsBadHash(): void
879 {
880 $_SESSION[' HMAC_secret '] = hash('sha1', 'test');
881 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
882 $hmac = '3333333380a640dc05944a2a24e6e630d3e9e3dba24464135f2fb954c3eeeeee';
883 $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
884 }
885
886 /**
887 * Test for Core::checkSqlQuerySignature
888 */
889 public function testCheckSqlQuerySignatureFailsNoSession(): void
890 {
891 $_SESSION[' HMAC_secret '] = 'empty';
892 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
893 $hmac = '3333333380a640dc05944a2a24e6e630d3e9e3dba24464135f2fb954c3eeeeee';
894 $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
895 }
896
897 /**
898 * Test for Core::checkSqlQuerySignature
899 */
900 public function testCheckSqlQuerySignatureFailsFromAnotherSession(): void
901 {
902 $_SESSION[' HMAC_secret '] = hash('sha1', 'firstSession');
903 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
904 $hmac = Core::signSqlQuery($sqlQuery);
905 $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
906 $_SESSION[' HMAC_secret '] = hash('sha1', 'secondSession');
907 // Try to use the token (hmac) from the previous session
908 $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
909 }
910
911 /**
912 * Test for Core::checkSqlQuerySignature
913 */
914 public function testCheckSqlQuerySignatureFailsBlowfishSecretChanged(): void
915 {
916 $GLOBALS['cfg']['blowfish_secret'] = '';
917 $_SESSION[' HMAC_secret '] = hash('sha1', 'firstSession');
918 $sqlQuery = 'SELECT * FROM `test`.`db` WHERE 1;';
919 $hmac = Core::signSqlQuery($sqlQuery);
920 $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
921 $GLOBALS['cfg']['blowfish_secret'] = str_repeat('a', 32);
922 // Try to use the previous HMAC signature
923 $this->assertFalse(Core::checkSqlQuerySignature($sqlQuery, $hmac));
924
925 $GLOBALS['cfg']['blowfish_secret'] = str_repeat('a', 32);
926 // Generate the HMAC signature to check that it works
927 $hmac = Core::signSqlQuery($sqlQuery);
928 // Must work now, (good secret and blowfish_secret)
929 $this->assertTrue(Core::checkSqlQuerySignature($sqlQuery, $hmac));
930 }
931
932 public function testPopulateRequestWithEncryptedQueryParams(): void
933 {
934 $_SESSION = [];
935 $GLOBALS['config']->set('URLQueryEncryption', true);
936 $GLOBALS['config']->set('URLQueryEncryptionSecretKey', str_repeat('a', 32));
937
938 $_GET = ['pos' => '0', 'eq' => Url::encryptQuery('{"db":"test_db","table":"test_table"}')];
939 $_REQUEST = $_GET;
940
941 $request = $this->createStub(ServerRequest::class);
942 $request->method('getQueryParams')->willReturn($_GET);
943 $request->method('getParsedBody')->willReturn(null);
944 $request->method('withQueryParams')->willReturnSelf();
945 $request->method('withParsedBody')->willReturnSelf();
946
947 Core::populateRequestWithEncryptedQueryParams($request);
948
949 $expected = ['pos' => '0', 'db' => 'test_db', 'table' => 'test_table'];
950
951 $this->assertEquals($expected, $_GET);
952 $this->assertEquals($expected, $_REQUEST);
953 }
954
955 /**
956 * @param string[] $encrypted
957 * @param string[] $decrypted
958 *
959 * @dataProvider providerForTestPopulateRequestWithEncryptedQueryParamsWithInvalidParam
960 */
961 public function testPopulateRequestWithEncryptedQueryParamsWithInvalidParam(
962 array $encrypted,
963 array $decrypted
964 ): void {
965 $_SESSION = [];
966 $GLOBALS['config']->set('URLQueryEncryption', true);
967 $GLOBALS['config']->set('URLQueryEncryptionSecretKey', str_repeat('a', 32));
968
969 $_GET = $encrypted;
970 $_REQUEST = $encrypted;
971
972 $request = $this->createStub(ServerRequest::class);
973 $request->method('getQueryParams')->willReturn($_GET);
974 $request->method('getParsedBody')->willReturn(null);
975 $request->method('withQueryParams')->willReturnSelf();
976 $request->method('withParsedBody')->willReturnSelf();
977
978 Core::populateRequestWithEncryptedQueryParams($request);
979
980 $this->assertEquals($decrypted, $_GET);
981 $this->assertEquals($decrypted, $_REQUEST);
982 }
983
984 /**
985 * @return array<int, array<int, array<string, string|mixed[]>>>
986 */
987 public function providerForTestPopulateRequestWithEncryptedQueryParamsWithInvalidParam(): array
988 {
989 return [
990 [[], []],
991 [['eq' => []], []],
992 [['eq' => ''], []],
993 [['eq' => 'invalid'], []],
994 ];
995 }
996 }
phpMyAdmin