test/classes/SanitizeTest.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * Tests for methods in Sanitize class
   5  *
   6  * @package PhpMyAdmin-test
   7  */
   8 declare(strict_types=1);
   9
  10 namespace PhpMyAdmin\Tests;
  11
  12 use PhpMyAdmin\Sanitize;
  13 use PHPUnit\Framework\TestCase;
  14
  15 /**
  16  * Tests for methods in Sanitize class
  17  *
  18  * @package PhpMyAdmin-test
  19  */
  20 class SanitizeTest extends TestCase
  21 {
  22     /**
  23      * Tests for proper escaping of XSS.
  24      *
  25      * @return void
  26      */
  27     public function testXssInHref()
  28     {
  29         $this->assertEquals(
  30             '[a@javascript:alert(\'XSS\');@target]link</a>',
  31             Sanitize::sanitizeMessage('[a@javascript:alert(\'XSS\');@target]link[/a]')
  32         );
  33     }
  34
  35     /**
  36      * Tests correct generating of link redirector.
  37      *
  38      * @return void
  39      */
  40     public function testLink()
  41     {
  42         $lang = $GLOBALS['lang'];
  43
  44         unset($GLOBALS['server']);
  45         unset($GLOBALS['lang']);
  46         $this->assertEquals(
  47             '<a href="./url.php?url=https%3A%2F%2Fwww.phpmyadmin.net%2F" target="target">link</a>',
  48             Sanitize::sanitizeMessage('[a@https://www.phpmyadmin.net/@target]link[/a]')
  49         );
  50
  51         $GLOBALS['lang'] = $lang;
  52     }
  53
  54     /**
  55      * Tests links to documentation.
  56      *
  57      * @param string $link     link
  58      * @param string $expected expected result
  59      *
  60      * @return void
  61      *
  62      * @dataProvider docLinks
  63      */
  64     public function testDoc($link, $expected): void
  65     {
  66         $this->assertEquals(
  67             '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2Fen%2Flatest%2F' . $expected . '" target="documentation">doclink</a>',
  68             Sanitize::sanitizeMessage('[doc@' . $link . ']doclink[/doc]')
  69         );
  70     }
  71
  72     /**
  73      * Data provider for sanitize [doc@foo] markup
  74      *
  75      * @return array
  76      */
  77     public function docLinks()
  78     {
  79         return [
  80             [
  81                 'foo',
  82                 'setup.html%23foo',
  83             ],
  84             [
  85                 'cfg_TitleTable',
  86                 'config.html%23cfg_TitleTable',
  87             ],
  88             [
  89                 'faq3-11',
  90                 'faq.html%23faq3-11',
  91             ],
  92             [
  93                 'bookmarks@',
  94                 'bookmarks.html',
  95             ],
  96         ];
  97     }
  98
  99     /**
 100      * Tests link target validation.
 101      *
 102      * @return void
 103      */
 104     public function testInvalidTarget()
 105     {
 106         $this->assertEquals(
 107             '[a@./Documentation.html@INVALID9]doc</a>',
 108             Sanitize::sanitizeMessage('[a@./Documentation.html@INVALID9]doc[/a]')
 109         );
 110     }
 111
 112     /**
 113      * Tests XSS escaping after valid link.
 114      *
 115      * @return void
 116      */
 117     public function testLinkDocXss()
 118     {
 119         $this->assertEquals(
 120             '[a@./Documentation.html" onmouseover="alert(foo)"]doc</a>',
 121             Sanitize::sanitizeMessage('[a@./Documentation.html" onmouseover="alert(foo)"]doc[/a]')
 122         );
 123     }
 124
 125     /**
 126      * Tests proper handling of multi link code.
 127      *
 128      * @return void
 129      */
 130     public function testLinkAndXssInHref()
 131     {
 132         $this->assertEquals(
 133             '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2F">doc</a>[a@javascript:alert(\'XSS\');@target]link</a>',
 134             Sanitize::sanitizeMessage('[a@https://docs.phpmyadmin.net/]doc[/a][a@javascript:alert(\'XSS\');@target]link[/a]')
 135         );
 136     }
 137
 138     /**
 139      * Test escaping of HTML tags
 140      *
 141      * @return void
 142      */
 143     public function testHtmlTags()
 144     {
 145         $this->assertEquals(
 146             '&lt;div onclick=""&gt;',
 147             Sanitize::sanitizeMessage('<div onclick="">')
 148         );
 149     }
 150
 151     /**
 152      * Tests basic BB code.
 153      *
 154      * @return void
 155      */
 156     public function testBBCode()
 157     {
 158         $this->assertEquals(
 159             '<strong>strong</strong>',
 160             Sanitize::sanitizeMessage('[strong]strong[/strong]')
 161         );
 162     }
 163
 164     /**
 165      * Tests output escaping.
 166      *
 167      * @return void
 168      */
 169     public function testEscape()
 170     {
 171         $this->assertEquals(
 172             '&lt;strong&gt;strong&lt;/strong&gt;',
 173             Sanitize::sanitizeMessage('[strong]strong[/strong]', true)
 174         );
 175     }
 176
 177     /**
 178      * Test for Sanitize::sanitizeFilename
 179      *
 180      * @return void
 181      */
 182     public function testSanitizeFilename()
 183     {
 184         $this->assertEquals(
 185             'File_name_123',
 186             Sanitize::sanitizeFilename('File_name 123')
 187         );
 188     }
 189
 190     /**
 191      * Test for Sanitize::getJsValue
 192      *
 193      * @param string $key      Key
 194      * @param string $value    Value
 195      * @param string $expected Expected output
 196      *
 197      * @dataProvider variables
 198      *
 199      * @return void
 200      */
 201     public function testGetJsValue($key, $value, $expected): void
 202     {
 203         $this->assertEquals($expected, Sanitize::getJsValue($key, $value));
 204         $this->assertEquals('foo = 100', Sanitize::getJsValue('foo', '100', false));
 205         $array = [
 206             '1',
 207             '2',
 208             '3',
 209         ];
 210         $this->assertEquals(
 211             "foo = [\"1\",\"2\",\"3\",];\n",
 212             Sanitize::getJsValue('foo', $array)
 213         );
 214         $this->assertEquals(
 215             "foo = \"bar\\\"baz\";\n",
 216             Sanitize::getJsValue('foo', 'bar"baz')
 217         );
 218     }
 219
 220     /**
 221      * Test for Sanitize::jsFormat
 222      *
 223      * @return void
 224      */
 225     public function testJsFormat()
 226     {
 227         $this->assertEquals("`foo`", Sanitize::jsFormat('foo'));
 228     }
 229
 230     /**
 231      * Provider for testFormat
 232      *
 233      * @return array
 234      */
 235     public function variables()
 236     {
 237         return [
 238             [
 239                 'foo',
 240                 true,
 241                 "foo = true;\n",
 242             ],
 243             [
 244                 'foo',
 245                 false,
 246                 "foo = false;\n",
 247             ],
 248             [
 249                 'foo',
 250                 100,
 251                 "foo = 100;\n",
 252             ],
 253             [
 254                 'foo',
 255                 0,
 256                 "foo = 0;\n",
 257             ],
 258             [
 259                 'foo',
 260                 'text',
 261                 "foo = \"text\";\n",
 262             ],
 263             [
 264                 'foo',
 265                 'quote"',
 266                 "foo = \"quote\\\"\";\n",
 267             ],
 268             [
 269                 'foo',
 270                 'apostroph\'',
 271                 "foo = \"apostroph\\'\";\n",
 272             ],
 273         ];
 274     }
 275
 276     /**
 277      * Sanitize::escapeJsString tests
 278      *
 279      * @param string $target expected output
 280      * @param string $source string to be escaped
 281      *
 282      * @return void
 283      *
 284      * @dataProvider escapeDataProvider
 285      */
 286     public function testEscapeJsString($target, $source): void
 287     {
 288         $this->assertEquals($target, Sanitize::escapeJsString($source));
 289     }
 290
 291     /**
 292      * Data provider for testEscape
 293      *
 294      * @return array data for testEscape test case
 295      */
 296     public function escapeDataProvider()
 297     {
 298         return [
 299             [
 300                 '\\\';',
 301                 '\';',
 302             ],
 303             [
 304                 '\r\n\\\'<scrIpt></\' + \'script>',
 305                 "\r\n'<scrIpt></sCRIPT>",
 306             ],
 307             [
 308                 '\\\';[XSS]',
 309                 '\';[XSS]',
 310             ],
 311             [
 312                 '</\' + \'script></head><body>[HTML]',
 313                 '</SCRIPT></head><body>[HTML]',
 314             ],
 315             [
 316                 '\"\\\'\\\\\\\'\"',
 317                 '"\'\\\'"',
 318             ],
 319             [
 320                 "\\\\\'\'\'\'\'\'\'\'\'\'\'\'\\\\",
 321                 "\\''''''''''''\\",
 322             ],
 323         ];
 324     }
 325
 326     /**
 327      * Test for removeRequestVars
 328      *
 329      * @return void
 330      */
 331     public function testRemoveRequestVars()
 332     {
 333         $_REQUEST['foo'] = 'bar';
 334         $_REQUEST['allow'] = 'all';
 335         $_REQUEST['second'] = 1;
 336         $allow_list = [
 337             'allow',
 338             'second',
 339         ];
 340         Sanitize::removeRequestVars($allow_list);
 341         $this->assertArrayNotHasKey('foo', $_REQUEST);
 342         $this->assertArrayNotHasKey('second', $_REQUEST);
 343         $this->assertArrayHasKey('allow', $_REQUEST);
 344     }
 345 }