test/classes/SanitizeTest.php

   1 <?php
   2
   3 declare(strict_types=1);
   4
   5 namespace PhpMyAdmin\Tests;
   6
   7 use PhpMyAdmin\Sanitize;
   8
   9 class SanitizeTest extends AbstractTestCase
  10 {
  11     /**
  12      * Sets up the fixture, for example, opens a network connection.
  13      * This method is called before a test is executed.
  14      */
  15     protected function setUp(): void
  16     {
  17         parent::setUp();
  18         parent::setLanguage();
  19     }
  20
  21     /**
  22      * Tests for proper escaping of XSS.
  23      */
  24     public function testXssInHref(): void
  25     {
  26         $this->assertEquals(
  27             '[a@javascript:alert(\'XSS\');@target]link</a>',
  28             Sanitize::sanitizeMessage('[a@javascript:alert(\'XSS\');@target]link[/a]')
  29         );
  30     }
  31
  32     /**
  33      * Tests correct generating of link redirector.
  34      */
  35     public function testLink(): void
  36     {
  37         $lang = $GLOBALS['lang'];
  38
  39         unset($GLOBALS['server']);
  40         unset($GLOBALS['lang']);
  41         $this->assertEquals(
  42             '<a href="./url.php?url=https%3A%2F%2Fwww.phpmyadmin.net%2F" target="target">link</a>',
  43             Sanitize::sanitizeMessage('[a@https://www.phpmyadmin.net/@target]link[/a]')
  44         );
  45
  46         $GLOBALS['lang'] = $lang;
  47     }
  48
  49     /**
  50      * Tests links to documentation.
  51      *
  52      * @param string $link     link
  53      * @param string $expected expected result
  54      *
  55      * @dataProvider docLinks
  56      */
  57     public function testDoc(string $link, string $expected): void
  58     {
  59         $this->assertEquals(
  60             '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2Fen%2Flatest%2F'
  61                 . $expected . '" target="documentation">doclink</a>',
  62             Sanitize::sanitizeMessage('[doc@' . $link . ']doclink[/doc]')
  63         );
  64     }
  65
  66     /**
  67      * Data provider for sanitize [doc@foo] markup
  68      *
  69      * @return array
  70      */
  71     public function docLinks(): array
  72     {
  73         return [
  74             [
  75                 'foo',
  76                 'setup.html%23foo',
  77             ],
  78             [
  79                 'cfg_TitleTable',
  80                 'config.html%23cfg_TitleTable',
  81             ],
  82             [
  83                 'faq3-11',
  84                 'faq.html%23faq3-11',
  85             ],
  86             [
  87                 'bookmarks@',
  88                 'bookmarks.html',
  89             ],
  90         ];
  91     }
  92
  93     /**
  94      * Tests link target validation.
  95      */
  96     public function testInvalidTarget(): void
  97     {
  98         $this->assertEquals(
  99             '[a@./Documentation.html@INVALID9]doc</a>',
 100             Sanitize::sanitizeMessage('[a@./Documentation.html@INVALID9]doc[/a]')
 101         );
 102     }
 103
 104     /**
 105      * Tests XSS escaping after valid link.
 106      */
 107     public function testLinkDocXss(): void
 108     {
 109         $this->assertEquals(
 110             '[a@./Documentation.html" onmouseover="alert(foo)"]doc</a>',
 111             Sanitize::sanitizeMessage('[a@./Documentation.html" onmouseover="alert(foo)"]doc[/a]')
 112         );
 113     }
 114
 115     /**
 116      * Tests proper handling of multi link code.
 117      */
 118     public function testLinkAndXssInHref(): void
 119     {
 120         $this->assertEquals(
 121             '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2F">doc</a>'
 122                 . '[a@javascript:alert(\'XSS\');@target]link</a>',
 123             Sanitize::sanitizeMessage(
 124                 '[a@https://docs.phpmyadmin.net/]doc[/a][a@javascript:alert(\'XSS\');@target]link[/a]'
 125             )
 126         );
 127     }
 128
 129     /**
 130      * Test escaping of HTML tags
 131      */
 132     public function testHtmlTags(): void
 133     {
 134         $this->assertEquals(
 135             '&lt;div onclick=""&gt;',
 136             Sanitize::sanitizeMessage('<div onclick="">')
 137         );
 138     }
 139
 140     /**
 141      * Tests basic BB code.
 142      */
 143     public function testBBCode(): void
 144     {
 145         $this->assertEquals(
 146             '<strong>strong</strong>',
 147             Sanitize::sanitizeMessage('[strong]strong[/strong]')
 148         );
 149     }
 150
 151     /**
 152      * Tests output escaping.
 153      */
 154     public function testEscape(): void
 155     {
 156         $this->assertEquals(
 157             '&lt;strong&gt;strong&lt;/strong&gt;',
 158             Sanitize::sanitizeMessage('[strong]strong[/strong]', true)
 159         );
 160     }
 161
 162     /**
 163      * Test for Sanitize::sanitizeFilename
 164      */
 165     public function testSanitizeFilename(): void
 166     {
 167         $this->assertEquals(
 168             'File_name_123',
 169             Sanitize::sanitizeFilename('File_name 123')
 170         );
 171     }
 172
 173     /**
 174      * Test for Sanitize::getJsValue
 175      *
 176      * @param string          $key      Key
 177      * @param string|bool|int $value    Value
 178      * @param string          $expected Expected output
 179      *
 180      * @dataProvider variables
 181      */
 182     public function testGetJsValue(string $key, $value, string $expected): void
 183     {
 184         $this->assertEquals($expected, Sanitize::getJsValue($key, $value));
 185         $this->assertEquals('foo = 100', Sanitize::getJsValue('foo', '100', false));
 186         $array = [
 187             '1',
 188             '2',
 189             '3',
 190         ];
 191         $this->assertEquals(
 192             "foo = [\"1\",\"2\",\"3\",];\n",
 193             Sanitize::getJsValue('foo', $array)
 194         );
 195         $this->assertEquals(
 196             "foo = \"bar\\\"baz\";\n",
 197             Sanitize::getJsValue('foo', 'bar"baz')
 198         );
 199     }
 200
 201     /**
 202      * Test for Sanitize::jsFormat
 203      */
 204     public function testJsFormat(): void
 205     {
 206         $this->assertEquals('`foo`', Sanitize::jsFormat('foo'));
 207     }
 208
 209     /**
 210      * Provider for testFormat
 211      *
 212      * @return array
 213      */
 214     public function variables(): array
 215     {
 216         return [
 217             [
 218                 'foo',
 219                 true,
 220                 "foo = true;\n",
 221             ],
 222             [
 223                 'foo',
 224                 false,
 225                 "foo = false;\n",
 226             ],
 227             [
 228                 'foo',
 229                 100,
 230                 "foo = 100;\n",
 231             ],
 232             [
 233                 'foo',
 234                 0,
 235                 "foo = 0;\n",
 236             ],
 237             [
 238                 'foo',
 239                 'text',
 240                 "foo = \"text\";\n",
 241             ],
 242             [
 243                 'foo',
 244                 'quote"',
 245                 "foo = \"quote\\\"\";\n",
 246             ],
 247             [
 248                 'foo',
 249                 'apostroph\'',
 250                 "foo = \"apostroph\\'\";\n",
 251             ],
 252         ];
 253     }
 254
 255     /**
 256      * Sanitize::escapeJsString tests
 257      *
 258      * @param string $target expected output
 259      * @param string $source string to be escaped
 260      *
 261      * @dataProvider escapeDataProvider
 262      */
 263     public function testEscapeJsString(string $target, string $source): void
 264     {
 265         $this->assertEquals($target, Sanitize::escapeJsString($source));
 266     }
 267
 268     /**
 269      * Data provider for testEscape
 270      *
 271      * @return array data for testEscape test case
 272      */
 273     public function escapeDataProvider(): array
 274     {
 275         return [
 276             [
 277                 '\\\';',
 278                 '\';',
 279             ],
 280             [
 281                 '\r\n\\\'<scrIpt></\' + \'script>',
 282                 "\r\n'<scrIpt></sCRIPT>",
 283             ],
 284             [
 285                 '\\\';[XSS]',
 286                 '\';[XSS]',
 287             ],
 288             [
 289                 '</\' + \'script></head><body>[HTML]',
 290                 '</SCRIPT></head><body>[HTML]',
 291             ],
 292             [
 293                 '\"\\\'\\\\\\\'\"',
 294                 '"\'\\\'"',
 295             ],
 296             [
 297                 "\\\\\'\'\'\'\'\'\'\'\'\'\'\'\\\\",
 298                 "\\''''''''''''\\",
 299             ],
 300         ];
 301     }
 302
 303     /**
 304      * Test for removeRequestVars
 305      */
 306     public function testRemoveRequestVars(): void
 307     {
 308         $GLOBALS['_POST'] = [];
 309         $_REQUEST['foo'] = 'bar';
 310         $_REQUEST['allow'] = 'all';
 311         $_REQUEST['second'] = 1;
 312         $allow_list = [
 313             'allow',
 314             'second',
 315         ];
 316         Sanitize::removeRequestVars($allow_list);
 317         $this->assertArrayNotHasKey('foo', $_REQUEST);
 318         $this->assertArrayNotHasKey('second', $_REQUEST);
 319         $this->assertArrayHasKey('allow', $_REQUEST);
 320     }
 321 }