PageRenderTime 38ms CodeModel.GetById 26ms RepoModel.GetById 0ms app.codeStats 0ms

/src/DotNetOpenId.Test/UntrustedWebRequestTests.cs

https://github.com/tt/dotnetopenid
C# | 125 lines | 96 code | 8 blank | 21 comment | 0 complexity | a688943b18feae56d8d348bcbd370d2c MD5 | raw file
    

  1. using System;

    2. 

  2. using System.IO;

    3. 

  3. using System.Net;

    4. 

  4. using System.Text.RegularExpressions;

    5. 

  5. using DotNetOpenId.Test.Mocks;

    6. 

  6. using NUnit.Framework;

    7. 

  7. 

    8. 

  8. namespace DotNetOpenId.Test {

    9. 

  9. 	[TestFixture]

    10. 

  10. 	public class UntrustedWebRequestTests {

    11. 

  11. 		TimeSpan timeoutDefault;

    12. 

  12. 		[SetUp]

    13. 

  13. 		public void SetUp() {

    14. 

  14. 			UntrustedWebRequest.WhitelistHosts.Clear();

    15. 

  15. 			UntrustedWebRequest.WhitelistHostsRegex.Clear();

    16. 

  16. 			UntrustedWebRequest.BlacklistHosts.Clear();

    17. 

  17. 			UntrustedWebRequest.BlacklistHostsRegex.Clear();

    18. 

  18. 			timeoutDefault = UntrustedWebRequest.Timeout;

    19. 

  19. 		}

    20. 

  20. 		[TearDown]

    21. 

  21. 		public void TearDown() {

    22. 

  22. 			UntrustedWebRequest.Timeout = timeoutDefault; // in case a test changed it

    23. 

  23. 		}

    24. 

  24. 

    25. 

  25. 		[Test]

    26. 

  26. 		public void DisallowUnsafeHosts() {

    27. 

  27. 			string[] unsafeHosts = new[] {

    28. 

  28. 				// IPv4 loopback representations

    29. 

  29. 				"http://127.0.0.1",

    30. 

  30. 				"http://127.100.0.1",

    31. 

  31. 				"http://127.0.0.100",

    32. 

  32. 				"http://2130706433", // 127.0.0.1 in decimal format

    33. 

  33. 				"http://0x7f000001", // 127.0.0.1 in hex format

    34. 

  34. 				// IPv6 loopback representation

    35. 

  35. 				"http://[::1]",

    36. 

  36. 				// disallowed schemes

    37. 

  37. 				"ftp://ftp.microsoft.com",

    38. 

  38. 				"xri://boo",

    39. 

  39. 			};

    40. 

  40. 			foreach (string unsafeHost in unsafeHosts) {

    41. 

  41. 				try {

    42. 

  42. 					UntrustedWebRequest.Request(new Uri(unsafeHost));

    43. 

  43. 					Assert.Fail("ArgumentException expected but none thrown.");

    44. 

  44. 				} catch (ArgumentException) {

    45. 

  45. 					// expected exception caught.

    46. 

  46. 				}

    47. 

  47. 			}

    48. 

  48. 		}

    49. 

  49. 

    50. 

  50. 		[Test]

    51. 

  51. 		public void Whitelist() {

    52. 

  52. 			UntrustedWebRequest.WhitelistHosts.Add("localhost");

    53. 

  53. 			// if this works, then we'll be waiting around for localhost to not respond

    54. 

  54. 			// for a while unless we take the timeout to zero.

    55. 

  55. 			UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method

    56. 

  56. 			try {

    57. 

  57. 				UntrustedWebRequest.Request(new Uri("http://localhost:1234"));

    58. 

  58. 				// We're verifying that an ArgumentException is not thrown

    59. 

  59. 				// since we requested localhost to be allowed.

    60. 

  60. 			} catch (WebException) {

    61. 

  61. 				// It's ok, we're not expecting the request to succeed.

    62. 

  62. 			}

    63. 

  63. 		}

    64. 

  64. 

    65. 

  65. 		[Test]

    66. 

  66. 		public void WhitelistRegex() {

    67. 

  67. 			UntrustedWebRequest.WhitelistHostsRegex.Add(new Regex(@"^127\.\d+\.\d+\.\d+$"));

    68. 

  68. 			// if this works, then we'll be waiting around for localhost to not respond

    69. 

  69. 			// for a while unless we take the timeout to zero.

    70. 

  70. 			UntrustedWebRequest.Timeout = TimeSpan.Zero; // will be reset in TearDown method

    71. 

  71. 			try {

    72. 

  72. 				UntrustedWebRequest.Request(new Uri("http://127.0.0.1:1234"));

    73. 

  73. 				// We're verifying that an ArgumentException is not thrown

    74. 

  74. 				// since we requested localhost to be allowed.

    75. 

  75. 			} catch (WebException) {

    76. 

  76. 				// It's ok, we're not expecting the request to succeed.

    77. 

  77. 			}

    78. 

  78. 		}

    79. 

  79. 

    80. 

  80. 		[Test, ExpectedException(typeof(ArgumentException))]

    81. 

  81. 		public void Blacklist() {

    82. 

  82. 			UntrustedWebRequest.BlacklistHosts.Add("www.microsoft.com");

    83. 

  83. 			UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));

    84. 

  84. 		}

    85. 

  85. 

    86. 

  86. 		[Test, ExpectedException(typeof(ArgumentException))]

    87. 

  87. 		public void BlacklistRegex() {

    88. 

  88. 			UntrustedWebRequest.BlacklistHostsRegex.Add(new Regex(@"\Wmicrosoft.com$"));

    89. 

  89. 			UntrustedWebRequest.Request(new Uri("http://WWW.MICROSOFT.COM"));

    90. 

  90. 		}

    91. 

  91. 

    92. 

  92. 		/// <summary>

    93. 

  93. 		/// Tests an implicit redirect where the HTTP server changes the responding URI without even

    94. 

  94. 		/// redirecting the client.

    95. 

  95. 		/// </summary>

    96. 

  96. 		[Test]

    97. 

  97. 		public void Redirects() {

    98. 

  98. 			UntrustedWebRequest.WhitelistHosts.Add("localhost");

    99. 

  99. 			UntrustedWebResponse resp = new UntrustedWebResponse(

    100. 

  100. 				new Uri("http://localhost/req"), new Uri("http://localhost/resp"),

    101. 

  101. 					new WebHeaderCollection(), HttpStatusCode.OK, "text/html", null, new MemoryStream());

    102. 

  102. 			MockHttpRequest.RegisterMockResponse(resp);

    103. 

  103. 			Assert.AreSame(resp, UntrustedWebRequest.Request(new Uri("http://localhost/req")));

    104. 

  104. 		}

    105. 

  105. 

    106. 

  106. 		/// <summary>

    107. 

  107. 		/// Tests that HTTP Location headers that only use a relative path get interpreted correctly.

    108. 

  108. 		/// </summary>

    109. 

  109. 		[Test]

    110. 

  110. 		public void RelativeRedirect() {

    111. 

  111. 			UntrustedWebRequest.WhitelistHosts.Add("localhost");

    112. 

  112. 			UntrustedWebResponse resp1 = new UntrustedWebResponse(

    113. 

  113. 				new Uri("http://localhost/dir/file1"), new Uri("http://localhost/dir/file1"),

    114. 

  114. 				new WebHeaderCollection {

    115. 

  115. 					{ HttpResponseHeader.Location, "file2" },

    116. 

  116. 				}, HttpStatusCode.Redirect, "text/html", null, new MemoryStream());

    117. 

  117. 			MockHttpRequest.RegisterMockResponse(resp1);

    118. 

  118. 			UntrustedWebResponse resp2 = new UntrustedWebResponse(

    119. 

  119. 				new Uri("http://localhost/dir/file2"), new Uri("http://localhost/dir/file2"),

    120. 

  120. 				new WebHeaderCollection(), HttpStatusCode.OK, "text/html", null, new MemoryStream());

    121. 

  121. 			MockHttpRequest.RegisterMockResponse(resp2);

    122. 

  122. 			Assert.AreSame(resp2, UntrustedWebRequest.Request(new Uri("http://localhost/dir/file1")));

    123. 

  123. 		}

    124. 

  124. 	}

    125. 

  125. }

    126. 

  126.