/tests/TestCase/Controller/Component/SecurityComponentTest.php
PHP | 1399 lines | 1053 code | 108 blank | 238 comment | 1 complexity | 415ab628e3751dc3a44fa5a92984afca MD5 | raw file
Possible License(s): JSON
- <?php
- declare(strict_types=1);
- /**
- * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
- * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
- *
- * Licensed under The MIT License
- * For full copyright and license information, please see the LICENSE.txt
- * Redistributions of files must retain the above copyright notice
- *
- * @copyright Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
- * @link https://cakephp.org CakePHP(tm) Project
- * @since 1.2.0
- * @license https://opensource.org/licenses/mit-license.php MIT License
- * @deprecated 4.0.0 SecurityComponent is deprecated.
- */
- namespace Cake\Test\TestCase\Controller\Component;
- use Cake\Controller\Component\SecurityComponent;
- use Cake\Controller\Exception\SecurityException;
- use Cake\Core\Configure;
- use Cake\Event\Event;
- use Cake\Http\Response;
- use Cake\Http\ServerRequest;
- use Cake\Http\Session;
- use Cake\Routing\Router;
- use Cake\TestSuite\TestCase;
- use Cake\Utility\Security;
- use TestApp\Controller\SecurityTestController;
- /**
- * SecurityComponentTest class
- *
- * @property \TestApp\Controller\Component\TestSecurityComponent $Security
- */
- class SecurityComponentTest extends TestCase
- {
- /**
- * SERVER variable backup.
- *
- * @var array
- */
- protected $server = [];
- /**
- * Controller property
- *
- * @var \TestApp\Controller\SecurityTestController
- */
- protected $Controller;
- /**
- * oldSalt property
- *
- * @var string
- */
- protected $oldSalt;
- /**
- * setUp method
- *
- * Initializes environment state.
- */
- public function setUp(): void
- {
- parent::setUp();
- $this->server = $_SERVER;
- $session = new Session();
- $request = new ServerRequest([
- 'url' => '/articles/index',
- 'session' => $session,
- 'params' => ['controller' => 'Articles', 'action' => 'index'],
- ]);
- $this->Controller = new SecurityTestController($request);
- $this->Controller->Security = $this->Controller->TestSecurity;
- $this->Controller->Security->setConfig('blackHoleCallback', 'fail');
- $this->Security = $this->Controller->Security;
- Security::setSalt('foo!');
- }
- /**
- * Resets environment state.
- */
- public function tearDown(): void
- {
- parent::tearDown();
- $_SERVER = $this->server;
- unset($this->Controller->Security);
- unset($this->Controller->Component);
- unset($this->Controller);
- }
- public function validatePost(
- string $expectedException = 'SecurityException',
- ?string $expectedExceptionMessage = null
- ): ?bool {
- try {
- return $this->Controller->Security->validatePost($this->Controller);
- } catch (SecurityException $ex) {
- $this->assertInstanceOf('Cake\\Controller\\Exception\\' . $expectedException, $ex);
- $this->assertEquals($expectedExceptionMessage, $ex->getMessage());
- return false;
- }
- }
- /**
- * testBlackholeWithBrokenCallback method
- *
- * Test that requests are still blackholed when controller has incorrect
- * visibility keyword in the blackhole callback.
- *
- * @triggers Controller.startup $Controller, $this->Controller
- */
- public function testBlackholeWithBrokenCallback(): void
- {
- $this->expectException(\Cake\Http\Exception\BadRequestException::class);
- $request = new ServerRequest([
- 'url' => 'posts/index',
- 'session' => new Session(),
- 'params' => [
- 'controller' => 'Posts',
- 'action' => 'index',
- ],
- ]);
- $Controller = new \TestApp\Controller\SomePagesController($request);
- $event = new Event('Controller.startup', $Controller);
- $Security = new SecurityComponent($Controller->components());
- $Security->setConfig('blackHoleCallback', '_fail');
- $Security->startup($event);
- $Security->blackHole($Controller, 'csrf');
- }
- /**
- * testExceptionWhenActionIsBlackholeCallback method
- *
- * Ensure that directly requesting the blackholeCallback as the controller
- * action results in an exception.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testExceptionWhenActionIsBlackholeCallback(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withParam('controller', 'posts')
- ->withParam('action', 'fail'));
- $event = new Event('Controller.startup', $this->Controller);
- $this->assertFalse($this->Controller->failed);
- $this->Controller->Security->startup($event);
- $this->assertTrue($this->Controller->failed, 'Request was blackholed.');
- }
- /**
- * test blackholeCallback returning a response
- */
- public function testBlackholeReturnResponse(): void
- {
- $request = new ServerRequest([
- 'url' => 'posts/index',
- 'session' => $this->Security->session,
- 'method' => 'POST',
- 'params' => [
- 'controller' => 'Posts',
- 'action' => 'index',
- ],
- 'post' => [
- 'key' => 'value',
- ],
- ]);
- $Controller = new \TestApp\Controller\SomePagesController($request);
- $event = new Event('Controller.startup', $Controller);
- $Security = new SecurityComponent($Controller->components());
- $Security->setConfig('blackHoleCallback', 'responseGenerator');
- $result = $Security->startup($event);
- $this->assertInstanceOf(Response::class, $result);
- }
- /**
- * testConstructorSettingProperties method
- *
- * Test that initialize can set properties.
- */
- public function testConstructorSettingProperties(): void
- {
- $settings = [
- 'requireSecure' => ['update_account'],
- 'validatePost' => false,
- ];
- $Security = new SecurityComponent($this->Controller->components(), $settings);
- $this->assertEquals($Security->validatePost, $settings['validatePost']);
- }
- /**
- * testRequireSecureFail method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testRequireSecureFail(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withParam('action', 'posted')
- ->withEnv('HTTPS', 'off')
- ->withEnv('REQUEST_METHOD', 'POST'));
- $event = new Event('Controller.startup', $this->Controller);
- $this->Controller->Security->requireSecure(['posted']);
- $this->Controller->Security->startup($event);
- $this->assertTrue($this->Controller->failed);
- }
- /**
- * testRequireSecureSucceed method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testRequireSecureSucceed(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withParam('action', 'posted')
- ->withEnv('HTTPS', 'on')
- ->withEnv('REQUEST_METHOD', 'Secure'));
- $event = new Event('Controller.startup', $this->Controller);
- $this->Controller->Security->requireSecure('posted');
- $this->Controller->Security->startup($event);
- $this->assertFalse($this->Controller->failed);
- }
- /**
- * testRequireSecureEmptyFail method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testRequireSecureEmptyFail(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withParam('action', 'posted')
- ->withEnv('HTTPS', 'off')
- ->withEnv('REQUEST_METHOD', 'POST'));
- $event = new Event('Controller.startup', $this->Controller);
- $this->Controller->Security->requireSecure();
- $this->Controller->Security->startup($event);
- $this->assertTrue($this->Controller->failed);
- }
- /**
- * testRequireSecureEmptySucceed method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testRequireSecureEmptySucceed(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withParam('action', 'posted')
- ->withEnv('HTTPS', 'on')
- ->withEnv('REQUEST_METHOD', 'Secure'));
- $event = new Event('Controller.startup', $this->Controller);
- $this->Controller->Security->requireSecure();
- $this->Controller->Security->startup($event);
- $this->assertFalse($this->Controller->failed);
- }
- /**
- * testValidatePost method
- *
- * Simple hash validation test
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePost(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '4697b45f7f430ff3ab73018c20f315eecb0ba5a6%3AModel.valid';
- $unlocked = '';
- $debug = '';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => 'nate', 'password' => 'foo', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertNull($this->validatePost());
- }
- /**
- * testValidatePostOnGetWithData method
- *
- * Test that validatePost fires on GET with request data.
- * This could happen when method overriding is used.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostOnGetWithData(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'an-invalid-token';
- $unlocked = '';
- $debug = urlencode(json_encode([
- 'some-action',
- [],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withEnv('REQUEST_METHOD', 'GET')
- ->withData('Model', ['username' => 'nate', 'password' => 'foo', 'valid' => '0'])
- ->withData('_Token', compact('fields', 'unlocked', 'debug')));
- $this->Security->startup($event);
- $this->assertTrue($this->Controller->failed);
- }
- /**
- * testValidatePostNoSession method
- *
- * Test that validatePost fails if you are missing the session information.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostNoSession(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $debug = urlencode(json_encode([
- '/articles/index',
- [],
- [],
- ]));
- $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => 'nate', 'password' => 'foo', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertFalse($this->validatePost('AuthSecurityException', 'Unexpected field \'Model.password\' in POST data, Unexpected field \'Model.username\' in POST data'));
- }
- /**
- * testValidatePostNoUnlockedInRequestData method
- *
- * Test that validatePost fails if you are missing unlocked in request data.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostNoUnlockedInRequestData(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => 'nate', 'password' => 'foo', 'valid' => '0'],
- '_Token' => compact('fields'),
- ]));
- $this->assertFalse($this->validatePost('AuthSecurityException', '\'_Token.unlocked\' was not found in request data.'));
- }
- /**
- * testValidatePostFormTampering method
- *
- * Test that validatePost fails if any of its required fields are missing.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFormTampering(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => 'nate', 'password' => 'foo', 'valid' => '0'],
- '_Token' => compact('unlocked'),
- ]));
- $result = $this->validatePost('AuthSecurityException', '\'_Token.fields\' was not found in request data.');
- $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
- }
- /**
- * testValidatePostEmptyForm method
- *
- * Test that validatePost fails if empty form is submitted.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostEmptyForm(): void
- {
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withEnv('REQUEST_METHOD', 'POST')
- ->withParsedBody([]));
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $result = $this->validatePost('AuthSecurityException', '\'_Token\' was not found in request data.');
- $this->assertFalse($result, 'validatePost passed when empty form is submitted');
- }
- /**
- * testValidatePostObjectDeserialize
- *
- * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
- * attacks. Thanks to Felix Wilhelm
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostObjectDeserialize(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
- $unlocked = '';
- $debug = urlencode(json_encode([
- '/articles/index',
- ['Model.password', 'Model.username', 'Model.valid'],
- [],
- ]));
- // a corrupted serialized object, so we can see if it ever gets to deserialize
- $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
- $fields .= urlencode(':' . str_rot13($attack));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => 'mark', 'password' => 'foo', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Bad Request');
- $this->assertFalse($result, 'validatePost passed when key was missing. %s');
- }
- /**
- * testValidatePostIgnoresCsrfToken method
- *
- * Tests validation post data ignores `_csrfToken`.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostIgnoresCsrfToken(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'f95b472a63f1d883b9eaacaf8a8e36e325e3fe82%3A';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['multi_field' => ['1', '3']],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertNull($this->validatePost());
- }
- /**
- * testValidatePostArray method
- *
- * Tests validation of checkbox arrays.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostArray(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'f95b472a63f1d883b9eaacaf8a8e36e325e3fe82%3A';
- $unlocked = '';
- $debug = urlencode(json_encode([
- 'some-action',
- [],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['multi_field' => ['1', '3']],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertNull($this->validatePost());
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['multi_field' => [12 => '1', 20 => '3']],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertNull($this->validatePost());
- }
- /**
- * testValidateIntFieldName method
- *
- * Tests validation of integer field names.
- */
- public function testValidateIntFieldName(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '11f87a5962db9ac26405e460cd3063bb6ff76cf8%3A';
- $unlocked = '';
- $debug = urlencode(json_encode([
- 'some-action',
- [],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 1 => 'value,',
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $this->assertNull($this->validatePost());
- }
- /**
- * testValidatePostNoModel method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostNoModel(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'a2a942f587deb20e90241c51b59d901d8a7f796b%3A';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'anything' => 'some_data',
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostSimple method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostSimple(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'de2ca3670dd06c29558dd98482c8739e86da2c7c%3A';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => ''],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * test validatePost uses full URL
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostSubdirectory(): void
- {
- // set the base path.
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withAttribute('base', 'subdir')
- ->withAttributE('webroot', 'subdir/'));
- Router::setRequest($this->Controller->getRequest());
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- // Differs from testValidatePostSimple because of base url
- $fields = 'cc9b6af3f33147235ae8f8037b0a71399a2425f2%3A';
- $unlocked = '';
- $debug = '';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => ''],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostComplex method
- *
- * Tests hash validation for multiple records, including locked fields.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostComplex(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'b00b7e5c2e3bf8bc474fb7cfde6f9c2aa06ab9bc%3AAddresses.0.id%7CAddresses.1.id';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Addresses' => [
- '0' => [
- 'id' => '123456', 'title' => '', 'first_name' => '', 'last_name' => '',
- 'address' => '', 'city' => '', 'phone' => '', 'primary' => '',
- ],
- '1' => [
- 'id' => '654321', 'title' => '', 'first_name' => '', 'last_name' => '',
- 'address' => '', 'city' => '', 'phone' => '', 'primary' => '',
- ],
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostMultipleSelect method
- *
- * Test ValidatePost with multiple select elements.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostMultipleSelect(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '28dd05f0af314050784b18b3366857e8e8c78e73%3A';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Tag' => ['Tag' => [1, 2]],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Tag' => ['Tag' => [1, 2, 3]],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Tag' => ['Tag' => [1, 2, 3, 4]],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $fields = '1e4c9269b64756e9b141d364497c5f037b428a37%3A';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'User.password' => 'bar', 'User.name' => 'foo', 'User.is_valid' => '1',
- 'Tag' => ['Tag' => [1]],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostCheckbox method
- *
- * First block tests un-checked checkbox
- * Second block tests checked checkbox
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostCheckbox(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '4697b45f7f430ff3ab73018c20f315eecb0ba5a6%3AModel.valid';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => '', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $fields = '3f368401f9a8610bcace7746039651066cdcdc38%3A';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => '', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([]));
- $this->Security->startup($event);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => '', 'valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostHidden method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostHidden(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '96e61bded2b62b0c420116a0eb06a3b3acddb8f1%3AModel.hidden%7CModel.other_hidden';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => '', 'password' => '', 'hidden' => '0',
- 'other_hidden' => 'some hidden value',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostDisabledFieldsInData method
- *
- * Test validating post data with posted unlocked fields.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostDisabledFieldsInData(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = 'Model.username';
- $fields = ['Model.hidden', 'Model.password'];
- $fields = urlencode(
- hash_hmac('sha1', '/articles/index' . serialize($fields) . $unlocked . 'cli', Security::getSalt())
- );
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostFailNoDisabled method
- *
- * Test that missing 'unlocked' input causes failure.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailNoDisabled(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = ['Model.hidden', 'Model.password', 'Model.username'];
- $fields = urlencode(Security::hash(serialize($fields) . Security::getSalt()));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields'),
- ]));
- $result = $this->validatePost('SecurityException', '\'_Token.unlocked\' was not found in request data.');
- $this->assertFalse($result);
- }
- /**
- * testValidatePostFailNoDebug method
- *
- * Test that missing 'debug' input causes failure.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailNoDebug(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = ['Model.hidden', 'Model.password', 'Model.username'];
- $fields = urlencode(Security::hash(serialize($fields) . Security::getSalt()));
- $unlocked = '';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields', 'unlocked'),
- ]));
- $result = $this->validatePost('SecurityException', '\'_Token.debug\' was not found in request data.');
- $this->assertFalse($result);
- }
- /**
- * testValidatePostFailNoDebugMode method
- *
- * Test that missing 'debug' input is not the problem when debug mode disabled.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailNoDebugMode(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = ['Model.hidden', 'Model.password', 'Model.username'];
- $fields = urlencode(Security::hash(serialize($fields) . Security::getSalt()));
- $unlocked = '';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields', 'unlocked'),
- ]));
- Configure::write('debug', false);
- $result = $this->validatePost('SecurityException', 'The request has been black-holed');
- $this->assertFalse($result);
- }
- /**
- * testValidatePostFailDisabledFieldTampering method
- *
- * Test that validatePost fails when unlocked fields are changed.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailDisabledFieldTampering(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = 'Model.username';
- $fields = ['Model.hidden', 'Model.password'];
- $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::getSalt()));
- $debug = urlencode(json_encode([
- '/articles/index',
- ['Model.hidden', 'Model.password'],
- ['Model.username'],
- ]));
- // Tamper the values.
- $unlocked = 'Model.username|Model.password';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Missing field \'Model.password\' in POST data, Unexpected unlocked field \'Model.password\' in POST data');
- $this->assertFalse($result);
- }
- /**
- * Test that invalid types cause failures.
- */
- public function testValidatePostFailArrayData(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- ],
- '_Token' => [
- 'fields' => [],
- 'unlocked' => '',
- ],
- ]));
- Configure::write('debug', false);
- $result = $this->validatePost('SecurityException', "'_Token.fields' is invalid.");
- $this->assertFalse($result);
- }
- /**
- * testValidateHiddenMultipleModel method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidateHiddenMultipleModel(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '642b7a6db3b848fab88952b86ea36c572f93df40%3AModel.valid%7CModel2.valid%7CModel3.valid';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => ['username' => '', 'password' => '', 'valid' => '0'],
- 'Model2' => ['valid' => '0'],
- 'Model3' => ['valid' => '0'],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidateHasManyModel method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidateHasManyModel(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '792324c8a374772ad82acfb28f0e77e70f8ed3af%3AModel.0.hidden%7CModel.0.valid';
- $fields .= '%7CModel.1.hidden%7CModel.1.valid';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- [
- 'username' => 'username', 'password' => 'password',
- 'hidden' => 'value', 'valid' => '0',
- ],
- [
- 'username' => 'username', 'password' => 'password',
- 'hidden' => 'value', 'valid' => '0',
- ],
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidateHasManyRecordsPass method
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidateHasManyRecordsPass(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '7f4bff67558e25ebeea44c84ea4befa8d50b080c%3AAddress.0.id%7CAddress.0.primary%7C';
- $fields .= 'Address.1.id%7CAddress.1.primary';
- $unlocked = '';
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Address' => [
- 0 => [
- 'id' => '123',
- 'title' => 'home',
- 'first_name' => 'Bilbo',
- 'last_name' => 'Baggins',
- 'address' => '23 Bag end way',
- 'city' => 'the shire',
- 'phone' => 'N/A',
- 'primary' => '1',
- ],
- 1 => [
- 'id' => '124',
- 'title' => 'home',
- 'first_name' => 'Frodo',
- 'last_name' => 'Baggins',
- 'address' => '50 Bag end way',
- 'city' => 'the shire',
- 'phone' => 'N/A',
- 'primary' => '1',
- ],
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidateNestedNumericSets method
- *
- * Test that values like Foo.0.1
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidateNestedNumericSets(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $hashFields = ['TaxonomyData'];
- $fields = urlencode(
- hash_hmac('sha1', '/articles/index' . serialize($hashFields) . $unlocked . 'cli', Security::getSalt())
- );
- $debug = 'not used';
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'TaxonomyData' => [
- 1 => [[2]],
- 2 => [[3]],
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidateHasManyRecords method
- *
- * validatePost should fail, hidden fields have been changed.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidateHasManyRecordsFail(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
- $fields .= 'Address.1.id%7CAddress.1.primary';
- $unlocked = '';
- $debug = urlencode(json_encode([
- '/articles/index',
- [
- 'Address.0.address',
- 'Address.0.city',
- 'Address.0.first_name',
- 'Address.0.last_name',
- 'Address.0.phone',
- 'Address.0.title',
- 'Address.1.address',
- 'Address.1.city',
- 'Address.1.first_name',
- 'Address.1.last_name',
- 'Address.1.phone',
- 'Address.1.title',
- 'Address.0.id' => '123',
- 'Address.0.primary' => '5',
- 'Address.1.id' => '124',
- 'Address.1.primary' => '1',
- ],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Address' => [
- 0 => [
- 'id' => '123',
- 'title' => 'home',
- 'first_name' => 'Bilbo',
- 'last_name' => 'Baggins',
- 'address' => '23 Bag end way',
- 'city' => 'the shire',
- 'phone' => 'N/A',
- 'primary' => '5',
- ],
- 1 => [
- 'id' => '124',
- 'title' => 'home',
- 'first_name' => 'Frodo',
- 'last_name' => 'Baggins',
- 'address' => '50 Bag end way',
- 'city' => 'the shire',
- 'phone' => 'N/A',
- 'primary' => '1',
- ],
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Bad Request');
- $this->assertFalse($result);
- }
- /**
- * testValidatePostRadio method
- *
- * Test validatePost with radio buttons.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostRadio(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'a709dfdee0a0cce52c4c964a1b8a56159bb081b4%3An%3A0%3A%7B%7D';
- $unlocked = '';
- $debug = urlencode(json_encode([
- '/articles/index',
- [],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Bad Request');
- $this->assertFalse($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- '_Token' => compact('fields', 'unlocked', 'debug'),
- 'Test' => ['test' => ''],
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- '_Token' => compact('fields', 'unlocked', 'debug'),
- 'Test' => ['test' => '1'],
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- '_Token' => compact('fields', 'unlocked', 'debug'),
- 'Test' => ['test' => '2'],
- ]));
- $result = $this->validatePost();
- $this->assertNull($result);
- }
- /**
- * testValidatePostUrlAsHashInput method
- *
- * Test validatePost uses here() as a hash input.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostUrlAsHashInput(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $fields = 'de2ca3670dd06c29558dd98482c8739e86da2c7c%3A';
- $unlocked = '';
- $debug = urlencode(json_encode([
- 'another-url',
- ['Model.username', 'Model.password'],
- [],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withData('Model', ['username' => '', 'password' => ''])
- ->withData('_Token', compact('fields', 'unlocked', 'debug')));
- $this->assertNull($this->validatePost());
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withRequestTarget('/posts/index?page=1'));
- $this->assertFalse($this->validatePost(
- 'SecurityException',
- 'URL mismatch in POST data (expected \'another-url\' but found \'/posts/index?page=1\')'
- ));
- $this->Controller->setRequest($this->Controller->getRequest()
- ->withRequestTarget('/posts/edit/1'));
- $this->assertFalse($this->validatePost(
- 'SecurityException',
- 'URL mismatch in POST data (expected \'another-url\' but found \'/posts/edit/1\')'
- ));
- }
- /**
- * testGenerateToken method
- *
- * Test generateToken().
- */
- public function testGenerateToken(): void
- {
- $request = $this->Controller->getRequest();
- $request = $this->Security->generateToken($request);
- $securityToken = $request->getAttribute('formTokenData');
- $this->assertNotEmpty($securityToken);
- $this->assertSame([], $securityToken['unlockedFields']);
- }
- /**
- * testUnlockedActions method
- *
- * Test unlocked actions.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testUnlockedActions(): void
- {
- $_SERVER['REQUEST_METHOD'] = 'POST';
- $event = new Event('Controller.startup', $this->Controller);
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody(['data']));
- $this->Security->unlockedActions = 'index';
- $this->Security->blackHoleCallback = null;
- $result = $this->Controller->Security->startup($event);
- $this->assertNull($result);
- }
- /**
- * testValidatePostDebugFormat method
- *
- * Test that debug token format is right.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostDebugFormat(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = 'Model.username';
- $fields = ['Model.hidden', 'Model.password'];
- $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::getSalt()));
- $debug = urlencode(json_encode([
- '/articles/index',
- ['Model.hidden', 'Model.password'],
- ['Model.username'],
- ['not expected'],
- ]));
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'username' => 'mark',
- 'password' => 'sekret',
- 'hidden' => '0',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Invalid security debug token.');
- $this->assertFalse($result);
- $debug = urlencode(json_encode('not an array'));
- $result = $this->validatePost('SecurityException', 'Invalid security debug token.');
- $this->assertFalse($result);
- }
- /**
- * testBlackholeThrowsException method
- *
- * Test blackhole will now throw passed exception if debug enabled.
- */
- public function testBlackholeThrowsException(): void
- {
- $this->expectException(\Cake\Controller\Exception\SecurityException::class);
- $this->expectExceptionMessage('error description');
- $this->Security->setConfig('blackHoleCallback', '');
- $this->Security->blackHole($this->Controller, 'auth', new SecurityException('error description'));
- }
- /**
- * testBlackholeThrowsBadRequest method
- *
- * Test blackhole will throw BadRequest if debug disabled.
- */
- public function testBlackholeThrowsBadRequest(): void
- {
- $this->Security->setConfig('blackHoleCallback', '');
- $message = $reason = null;
- Configure::write('debug', false);
- try {
- $this->Security->blackHole($this->Controller, 'auth', new SecurityException('error description'));
- } catch (SecurityException $ex) {
- $message = $ex->getMessage();
- $reason = $ex->getReason();
- }
- $this->assertSame('The request has been black-holed', $message);
- $this->assertSame('error description', $reason);
- }
- /**
- * testValidatePostFailTampering method
- *
- * Test that validatePost fails with tampered fields and explanation.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailTampering(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $fields = ['Model.hidden' => 'value', 'Model.id' => '1'];
- $debug = urlencode(json_encode([
- '/articles/index',
- $fields,
- [],
- ]));
- $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::getSalt()));
- $fields .= urlencode(':Model.hidden|Model.id');
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'hidden' => 'tampered',
- 'id' => '1',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- $result = $this->validatePost('SecurityException', 'Tampered field \'Model.hidden\' in POST data (expected value \'value\' but found \'tampered\')');
- $this->assertFalse($result);
- }
- /**
- * testValidatePostFailTamperingMutatedIntoArray method
- *
- * Test that validatePost fails with tampered fields and explanation.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostFailTamperingMutatedIntoArray(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $fields = ['Model.hidden' => 'value', 'Model.id' => '1'];
- $debug = urlencode(json_encode([
- '/articles/index',
- $fields,
- [],
- ]));
- $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::getSalt()));
- $fields .= urlencode(':Model.hidden|Model.id');
- $this->Controller->setRequest($this->Controller->getRequest()->withData('Model', [
- 'hidden' => ['some-key' => 'some-value'],
- 'id' => '1',
- ])->withData('_Token', compact('fields', 'unlocked', 'debug')));
- $result = $this->validatePost(
- 'SecurityException',
- 'Unexpected field \'Model.hidden.some-key\' in POST data, Missing field \'Model.hidden\' in POST data'
- );
- $this->assertFalse($result);
- }
- /**
- * testValidatePostUnexpectedDebugToken method
- *
- * Test that debug token should not be sent if debug is disabled.
- *
- * @triggers Controller.startup $this->Controller
- */
- public function testValidatePostUnexpectedDebugToken(): void
- {
- $event = new Event('Controller.startup', $this->Controller);
- $this->Security->startup($event);
- $unlocked = '';
- $fields = ['Model.hidden' => 'value', 'Model.id' => '1'];
- $debug = urlencode(json_encode([
- '/articles/index',
- $fields,
- [],
- ]));
- $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Security::getSalt()));
- $fields .= urlencode(':Model.hidden|Model.id');
- $this->Controller->setRequest($this->Controller->getRequest()->withParsedBody([
- 'Model' => [
- 'hidden' => ['some-key' => 'some-value'],
- 'id' => '1',
- ],
- '_Token' => compact('fields', 'unlocked', 'debug'),
- ]));
- Configure::write('debug', false);
- $result = $this->validatePost('SecurityException', 'Unexpected \'_Token.debug\' found in request data');
- $this->assertFalse($result);
- }
- }