class RequestSanitizerTest
Same name in other branches
- 9 core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php \Drupal\Tests\Core\Security\RequestSanitizerTest
- 8.9.x core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php \Drupal\Tests\Core\Security\RequestSanitizerTest
- 10 core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php \Drupal\Tests\Core\Security\RequestSanitizerTest
- 11.x core/tests/Drupal/Tests/Core/Security/RequestSanitizerTest.php \Drupal\Tests\Core\Security\RequestSanitizerTest
Tests DrupalRequestSanitizer class.
Hierarchy
- class \DrupalTestCase
- class \DrupalUnitTestCase extends \DrupalTestCase
- class \RequestSanitizerTest extends \DrupalUnitTestCase
- class \DrupalUnitTestCase extends \DrupalTestCase
File
-
modules/
simpletest/ tests/ request_sanitizer.test, line 11
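class RequestSanitizerTest extends DrupalUnitTestCase {

  /**
   * Log of errors triggered during sanitization.
   *
   * Each entry is an array with the keys 'errno' and 'errstr', appended by
   * sanitizerTestErrorHandler(). Reset before every data set so assertions
   * only see the notices raised by the sanitizer call under test.
   *
   * @var array
   */
  protected $errors = array();

  /**
   * Whether setUp() has installed sanitizerTestErrorHandler().
   *
   * Lets tearDown() call restore_error_handler() only when there is a handler
   * of this class on the stack, so it never pops the runner's own handler.
   *
   * @var bool
   */
  protected $errorHandlerInstalled = FALSE;

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'DrupalRequestSanitizer',
      'description' => 'Test the DrupalRequestSanitizer class',
      'group' => 'System',
    );
  }

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    // The class under test is not autoloaded; include it explicitly.
    require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
    parent::setUp();
    // Capture the E_USER_NOTICE messages the sanitizer triggers when input
    // logging is enabled, so assertError() can inspect them.
    set_error_handler(array($this, 'sanitizerTestErrorHandler'));
    $this->errorHandlerInstalled = TRUE;
  }

  /**
   * {@inheritdoc}
   */
  protected function tearDown() {
    // set_error_handler() pushes onto a stack. Pop the handler installed in
    // setUp() so the handler that was active before this test (the runner's)
    // is back in place once the test method finishes, instead of leaking into
    // subsequent tests.
    if ($this->errorHandlerInstalled) {
      restore_error_handler();
      $this->errorHandlerInstalled = FALSE;
    }
    parent::tearDown();
  }

  /**
   * Iterate through all the RequestSanitizerTests.
   *
   * The data sets come from requestSanitizerTests(); each one is normalised
   * into the argument list expected by requestSanitizationTest().
   */
  public function testRequestSanitization() {
    foreach ($this->requestSanitizerTests() as $label => $data) {
      // Start every data set with an empty error log.
      $this->errors = array();
      // Normalize the test parameters. isset() on an empty array is TRUE, so
      // a data set that passes array() as expected errors enables logging.
      $test = array(
        'request' => $data[0],
        'expected' => isset($data[1]) ? $data[1] : array(),
        'expected_errors' => isset($data[2]) ? $data[2] : NULL,
        'whitelist' => isset($data[3]) ? $data[3] : array(),
      );
      $this->requestSanitizationTest($test['request'], $test['expected'], $test['expected_errors'], $test['whitelist'], $label);
    }
  }

  /**
   * Tests RequestSanitizer class.
   *
   * @param \SanitizerTestRequest $request
   *   The request to sanitize.
   * @param array $expected
   *   An array of expected request parameters after sanitization, keyed by
   *   'cookies', 'query' and/or 'request'. Missing keys default to an empty
   *   array.
   * @param array|null $expected_errors
   *   An array of expected errors. If set to NULL then error logging is
   *   disabled.
   * @param array $whitelist
   *   An array of keys to whitelist and not sanitize.
   * @param string $label
   *   A descriptive name for each test / group of assertions.
   *
   * @throws \ReflectionException
   */
  public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) {
    // Set up globals exactly as the sanitizer will see them.
    $_GET = $request->getQuery();
    $_POST = $request->getRequest();
    $_COOKIE = $request->getCookies();
    $_REQUEST = array_merge($request->getQuery(), $request->getRequest());
    $GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist;
    // Logging is on whenever the caller states an expectation about errors,
    // even an empty one.
    $GLOBALS['conf']['sanitize_input_logging'] = !is_null($expected_errors);
    // DrupalRequestSanitizer keeps a static 'sanitized' flag; reset it so
    // every data set is sanitized afresh. The 'already sanitized request'
    // data set deliberately leaves the flag set from the previous run to
    // verify that a repeated call leaves the request untouched.
    if ($label !== 'already sanitized request') {
      $reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized');
      $reflection->setAccessible(TRUE);
      $reflection->setValue(NULL, FALSE);
    }
    DrupalRequestSanitizer::sanitize();
    if (isset($_GET['destination'])) {
      DrupalRequestSanitizer::cleanDestination();
    }
    // Normalise the expected data.
    $expected += array(
      'cookies' => array(),
      'query' => array(),
      'request' => array(),
    );
    // Test PHP globals.
    $this->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)');
    $this->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)');
    $this->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)');
    $expected_request = array_merge($expected['query'], $expected['request']);
    $this->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)');
    // Ensure any expected errors have been triggered; with logging disabled
    // or no errors expected, nothing at all may have been logged.
    if (!empty($expected_errors)) {
      foreach ($expected_errors as $expected_error) {
        $this->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)');
      }
    }
    else {
      $this->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)');
    }
  }

  /**
   * Data provider for testRequestSanitization.
   *
   * Each entry is keyed by a label and holds, in order: the request, the
   * expected globals after sanitization, the expected errors (NULL disables
   * logging) and the whitelist. Trailing elements may be omitted.
   *
   * @return array
   *   A list of tests to carry out.
   */
  public function requestSanitizerTests() {
    $tests = array();
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ));
    $tests['no sanitization GET'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      'field' => 'value',
    ));
    $tests['no sanitization POST'] = array(
      $request,
      array(
        'request' => array(
          'field' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization COOKIE'] = array(
      $request,
      array(
        'cookies' => array(
          'key' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ), array(
      'field' => 'value',
    ), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization GET, POST, COOKIE'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
        'request' => array(
          'field' => 'value',
        ),
        'cookies' => array(
          'key' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ));
    $tests['no sanitization GET log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(), array(
      'field' => 'value',
    ));
    $tests['no sanitization POST log'] = array(
      $request,
      array(
        'request' => array(
          'field' => 'value',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization COOKIE log'] = array(
      $request,
      array(
        'cookies' => array(
          'key' => 'value',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['sanitization GET'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['sanitization POST'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization COOKIE'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ), array(
      '#field' => 'value',
    ), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization GET, POST, COOKIE'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['sanitization GET log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #q',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['sanitization POST log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from request body parameters (POST): #field',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization COOKIE log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from cookie parameters (COOKIE): #key',
      ),
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ), array(
      '#field' => 'value',
    ), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization GET, POST, COOKIE log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #q',
        'Potentially unsafe keys removed from request body parameters (POST): #field',
        'Potentially unsafe keys removed from cookie parameters (COOKIE): #key',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
      ),
    ));
    $tests['recursive sanitization log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(),
        ),
      ),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #bar',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
      ),
    ));
    $tests['recursive no sanitization whitelist'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(
            '#bar' => 'foo',
          ),
        ),
      ),
      array(),
      array(
        '#bar',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['no sanitization POST whitelist'] = array(
      $request,
      array(
        'request' => array(
          '#field' => 'value',
        ),
      ),
      array(),
      array(
        '#field',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
        '#foo' => 'bar',
      ),
    ));
    $tests['recursive multiple sanitization log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(),
        ),
      ),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #bar, #foo',
      ),
    );
    // Relies on the static 'sanitized' flag left set by the previous data set;
    // see requestSanitizationTest(), which skips the reset for this label.
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['already sanitized request'] = array(
      $request,
      array(
        'query' => array(
          '#q' => 'index.php',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?%23test=value',
    ));
    $tests['destination removal GET'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?%23test=value',
    ));
    $tests['destination removal GET log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q[%23test]=value',
    ));
    $tests['destination removal subkey'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q[%23test]=value',
    ));
    $tests['destination whitelist'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever?q[%23test]=value',
        ),
      ),
      array(),
      array(
        '#test',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => "whatever?\x00bar=base&%23test=value",
    ));
    $tests['destination removal zero byte'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q=value',
    ));
    $tests['destination kept'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever?q=value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever',
    ));
    $tests['destination no query'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever',
        ),
      ),
    );
    return $tests;
  }

  /**
   * Catches and logs errors to $this->errors.
   *
   * Installed by setUp() via set_error_handler(). Does not return FALSE, so
   * the logged notice is not passed on to PHP's standard error handler.
   *
   * @param int $errno
   *   The severity level of the error.
   * @param string $errstr
   *   The error message.
   */
  public function sanitizerTestErrorHandler($errno, $errstr) {
    $this->errors[] = compact('errno', 'errstr');
  }

  /**
   * Asserts that the expected error has been logged.
   *
   * @param string $errstr
   *   The error message.
   * @param int $errno
   *   The severity level of the error.
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertError($errstr, $errno, $label) {
    $label = empty($label) ? '' : $label . ': ';
    foreach ($this->errors as $error) {
      // Strict comparison: both the message text and the severity must match.
      if ($error['errstr'] === $errstr && $error['errno'] === $errno) {
        return $this->pass($label . "Error with level {$errno} and message '{$errstr}' found");
      }
    }
    return $this->fail($label . "Error with level {$errno} and message '{$errstr}' not found in " . var_export($this->errors, TRUE));
  }

  /**
   * Asserts two values are equal, includes a label.
   *
   * Uses loose (==) comparison like DrupalTestCase::assertEqual(), so array
   * key order is not significant and scalar values are compared after type
   * juggling.
   *
   * @param mixed $first
   *   The first value to check.
   * @param mixed $second
   *   The second value to check.
   * @param string $message
   *   The message to display along with the assertion.
   * @param string $group
   *   The type of assertion - examples are "Browser", "PHP".
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') {
    $label = empty($label) ? '' : $label . ': ';
    $message = $message ? $message : t('Value @first is equal to value @second.', array(
      '@first' => var_export($first, TRUE),
      '@second' => var_export($second, TRUE),
    ));
    return $this->assert($first == $second, $label . $message, $group);
  }

}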
Members
Title Sort descending | Modifiers | Object type | Summary | Overriden Title | Overrides |
---|---|---|---|---|---|
DrupalTestCase::$assertions | protected | property | Assertions thrown in that test case. | ||
DrupalTestCase::$databasePrefix | protected | property | The database prefix of this test run. | ||
DrupalTestCase::$originalFileDirectory | protected | property | The original file directory, before it was changed for testing purposes. | ||
DrupalTestCase::$originalLanguage | protected | property | The original language. | ||
DrupalTestCase::$originalLanguageDefault | protected | property | The original default language. | ||
DrupalTestCase::$originalTheme | protected | property | The original theme. | ||
DrupalTestCase::$originalThemeKey | protected | property | The original theme key. | ||
DrupalTestCase::$originalThemePath | protected | property | The original theme path. | ||
DrupalTestCase::$results | public | property | Current results of this test case. | ||
DrupalTestCase::$setup | protected | property | Flag to indicate whether the test has been set up. | ||
DrupalTestCase::$setupDatabasePrefix | protected | property | |||
DrupalTestCase::$setupEnvironment | protected | property | |||
DrupalTestCase::$skipClasses | protected | property | This class is skipped when looking for the source of an assertion. | ||
DrupalTestCase::$testId | protected | property | The test run ID. | ||
DrupalTestCase::$timeLimit | protected | property | Time limit for the test. | ||
DrupalTestCase::$useSetupInstallationCache | public | property | Whether to cache the installation part of the setUp() method. | ||
DrupalTestCase::$useSetupModulesCache | public | property | Whether to cache the modules installation part of the setUp() method. | ||
DrupalTestCase::$verboseDirectoryUrl | protected | property | URL to the verbose output file directory. | ||
DrupalTestCase::assert | protected | function | Internal helper: stores the assert. | ||
DrupalTestCase::assertEqual | protected | function | Check to see if two values are equal. | ||
DrupalTestCase::assertFalse | protected | function | Check to see if a value is false (an empty string, 0, NULL, or FALSE). | ||
DrupalTestCase::assertIdentical | protected | function | Check to see if two values are identical. | ||
DrupalTestCase::assertNotEqual | protected | function | Check to see if two values are not equal. | ||
DrupalTestCase::assertNotIdentical | protected | function | Check to see if two values are not identical. | ||
DrupalTestCase::assertNotNull | protected | function | Check to see if a value is not NULL. | ||
DrupalTestCase::assertNull | protected | function | Check to see if a value is NULL. | ||
DrupalTestCase::assertTrue | protected | function | Check to see if a value is not false (not an empty string, 0, NULL, or FALSE). | ||
DrupalTestCase::deleteAssert | public static | function | Delete an assertion record by message ID. | ||
DrupalTestCase::error | protected | function | Fire an error assertion. | 1 | |
DrupalTestCase::errorHandler | public | function | Handle errors during test runs. | 1 | |
DrupalTestCase::exceptionHandler | protected | function | Handle exceptions. | ||
DrupalTestCase::fail | protected | function | Fire an assertion that is always negative. | ||
DrupalTestCase::generatePermutations | public static | function | Converts a list of possible parameters into a stack of permutations. | ||
DrupalTestCase::getAssertionCall | protected | function | Cycles through backtrace until the first non-assertion method is found. | ||
DrupalTestCase::getDatabaseConnection | public static | function | Returns the database connection to the site running Simpletest. | ||
DrupalTestCase::insertAssert | public static | function | Store an assertion from outside the testing context. | ||
DrupalTestCase::pass | protected | function | Fire an assertion that is always positive. | ||
DrupalTestCase::randomName | public static | function | Generates a random string containing letters and numbers. | ||
DrupalTestCase::randomString | public static | function | Generates a random string of ASCII characters of codes 32 to 126. | ||
DrupalTestCase::run | public | function | Run all tests in this class. | ||
DrupalTestCase::verbose | protected | function | Logs a verbose message in a text file. | ||
DrupalUnitTestCase::tearDown | protected | function | 1 | ||
DrupalUnitTestCase::__construct | function | Constructor for DrupalUnitTestCase. | Overrides DrupalTestCase::__construct | ||
RequestSanitizerTest::$errors | protected | property | Log of errors triggered during sanitization. | ||
RequestSanitizerTest::assertEqualLabelled | protected | function | Asserts two values are equal, includes a label. | ||
RequestSanitizerTest::assertError | protected | function | Asserts that the expected error has been logged. | ||
RequestSanitizerTest::getInfo | public static | function | |||
RequestSanitizerTest::requestSanitizationTest | public | function | Tests RequestSanitizer class. | ||
RequestSanitizerTest::requestSanitizerTests | public | function | Data provider for testRequestSanitization. | ||
RequestSanitizerTest::sanitizerTestErrorHandler | public | function | Catches and logs errors to $this->errors. | ||
RequestSanitizerTest::setUp | protected | function | Sets up unit test environment. | Overrides DrupalUnitTestCase::setUp | |
RequestSanitizerTest::testRequestSanitization | public | function | Iterate through all the RequestSanitizerTests. |