PageRenderTime 67ms CodeModel.GetById 13ms RepoModel.GetById 0ms app.codeStats 0ms

/lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

http://github.com/cakephp/cakephp
PHP | 1280 lines | 766 code | 152 blank | 362 comment | 0 complexity | 7b403f11a3030ea713568c824dd2c093 MD5 | raw file
Possible License(s): JSON
  1. <?php
  2. /**
  3. * SecurityComponentTest file
  4. *
  5. * PHP 5
  6. *
  7. * CakePHP(tm) Tests <http://book.cakephp.org/view/1196/Testing>
  8. * Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
  9. *
  10. * Licensed under The MIT License
  11. * Redistributions of files must retain the above copyright notice
  12. *
  13. * @copyright Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
  14. * @link http://book.cakephp.org/view/1196/Testing CakePHP(tm) Tests
  15. * @package Cake.Test.Case.Controller.Component
  16. * @since CakePHP(tm) v 1.2.0.5435
  17. * @license MIT License (http://www.opensource.org/licenses/mit-license.php)
  18. */
  19. App::uses('SecurityComponent', 'Controller/Component');
  20. App::uses('Controller', 'Controller');
  21. /**
  22. * TestSecurityComponent
  23. *
  24. * @package Cake.Test.Case.Controller.Component
  25. * @package Cake.Test.Case.Controller.Component
  26. */
  27. class TestSecurityComponent extends SecurityComponent {
  28. /**
  29. * validatePost method
  30. *
  31. * @param Controller $controller
  32. * @return unknown
  33. */
  34. public function validatePost($controller) {
  35. return $this->_validatePost($controller);
  36. }
  37. }
  38. /**
  39. * SecurityTestController
  40. *
  41. * @package Cake.Test.Case.Controller.Component
  42. * @package Cake.Test.Case.Controller.Component
  43. */
  44. class SecurityTestController extends Controller {
  45. /**
  46. * name property
  47. *
  48. * @var string 'SecurityTest'
  49. */
  50. public $name = 'SecurityTest';
  51. /**
  52. * components property
  53. *
  54. * @var array
  55. */
  56. public $components = array('Session', 'TestSecurity');
  57. /**
  58. * failed property
  59. *
  60. * @var bool false
  61. */
  62. public $failed = false;
  63. /**
  64. * Used for keeping track of headers in test
  65. *
  66. * @var array
  67. */
  68. public $testHeaders = array();
  69. /**
  70. * fail method
  71. *
  72. * @return void
  73. */
  74. public function fail() {
  75. $this->failed = true;
  76. }
  77. /**
  78. * redirect method
  79. *
  80. * @param mixed $option
  81. * @param mixed $code
  82. * @param mixed $exit
  83. * @return void
  84. */
  85. public function redirect($url, $status = null, $exit = true) {
  86. return $status;
  87. }
  88. /**
  89. * Conveinence method for header()
  90. *
  91. * @param string $status
  92. * @return void
  93. */
  94. public function header($status) {
  95. $this->testHeaders[] = $status;
  96. }
  97. }
  98. /**
  99. * SecurityComponentTest class
  100. *
  101. * @package Cake.Test.Case.Controller.Component
  102. */
  103. class SecurityComponentTest extends CakeTestCase {
  104. /**
  105. * Controller property
  106. *
  107. * @var SecurityTestController
  108. */
  109. public $Controller;
  110. /**
  111. * oldSalt property
  112. *
  113. * @var string
  114. */
  115. public $oldSalt;
  116. /**
  117. * setUp method
  118. *
  119. * @return void
  120. */
  121. public function setUp() {
  122. parent::setUp();
  123. $request = new CakeRequest('posts/index', false);
  124. $request->addParams(array('controller' => 'posts', 'action' => 'index'));
  125. $this->Controller = new SecurityTestController($request);
  126. $this->Controller->Components->init($this->Controller);
  127. $this->Controller->Security = $this->Controller->TestSecurity;
  128. $this->Controller->Security->blackHoleCallback = 'fail';
  129. $this->Security = $this->Controller->Security;
  130. $this->Security->csrfCheck = false;
  131. Configure::write('Security.salt', 'foo!');
  132. }
  133. /**
  134. * Tear-down method. Resets environment state.
  135. *
  136. * @return void
  137. */
  138. public function tearDown() {
  139. parent::tearDown();
  140. $this->Controller->Session->delete('_Token');
  141. unset($this->Controller->Security);
  142. unset($this->Controller->Component);
  143. unset($this->Controller);
  144. }
  145. /**
  146. * test that initalize can set properties.
  147. *
  148. * @return void
  149. */
  150. public function testConstructorSettingProperties() {
  151. $settings = array(
  152. 'requirePost' => array('edit', 'update'),
  153. 'requireSecure' => array('update_account'),
  154. 'requireGet' => array('index'),
  155. 'validatePost' => false,
  156. );
  157. $Security = new SecurityComponent($this->Controller->Components, $settings);
  158. $this->Controller->Security->initialize($this->Controller, $settings);
  159. $this->assertEquals($Security->requirePost, $settings['requirePost']);
  160. $this->assertEquals($Security->requireSecure, $settings['requireSecure']);
  161. $this->assertEquals($Security->requireGet, $settings['requireGet']);
  162. $this->assertEquals($Security->validatePost, $settings['validatePost']);
  163. }
  164. /**
  165. * testStartup method
  166. *
  167. * @return void
  168. */
  169. public function testStartup() {
  170. $this->Controller->Security->startup($this->Controller);
  171. $result = $this->Controller->params['_Token']['key'];
  172. $this->assertNotNull($result);
  173. $this->assertTrue($this->Controller->Session->check('_Token'));
  174. }
  175. /**
  176. * testRequirePostFail method
  177. *
  178. * @return void
  179. */
  180. public function testRequirePostFail() {
  181. $_SERVER['REQUEST_METHOD'] = 'GET';
  182. $this->Controller->request['action'] = 'posted';
  183. $this->Controller->Security->requirePost(array('posted'));
  184. $this->Controller->Security->startup($this->Controller);
  185. $this->assertTrue($this->Controller->failed);
  186. }
  187. /**
  188. * testRequirePostSucceed method
  189. *
  190. * @return void
  191. */
  192. public function testRequirePostSucceed() {
  193. $_SERVER['REQUEST_METHOD'] = 'POST';
  194. $this->Controller->request['action'] = 'posted';
  195. $this->Controller->Security->requirePost('posted');
  196. $this->Security->startup($this->Controller);
  197. $this->assertFalse($this->Controller->failed);
  198. }
  199. /**
  200. * testRequireSecureFail method
  201. *
  202. * @return void
  203. */
  204. public function testRequireSecureFail() {
  205. $_SERVER['HTTPS'] = 'off';
  206. $_SERVER['REQUEST_METHOD'] = 'POST';
  207. $this->Controller->request['action'] = 'posted';
  208. $this->Controller->Security->requireSecure(array('posted'));
  209. $this->Controller->Security->startup($this->Controller);
  210. $this->assertTrue($this->Controller->failed);
  211. }
  212. /**
  213. * testRequireSecureSucceed method
  214. *
  215. * @return void
  216. */
  217. public function testRequireSecureSucceed() {
  218. $_SERVER['REQUEST_METHOD'] = 'Secure';
  219. $this->Controller->request['action'] = 'posted';
  220. $_SERVER['HTTPS'] = 'on';
  221. $this->Controller->Security->requireSecure('posted');
  222. $this->Controller->Security->startup($this->Controller);
  223. $this->assertFalse($this->Controller->failed);
  224. }
  225. /**
  226. * testRequireAuthFail method
  227. *
  228. * @return void
  229. */
  230. public function testRequireAuthFail() {
  231. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  232. $this->Controller->request['action'] = 'posted';
  233. $this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
  234. $this->Controller->Security->requireAuth(array('posted'));
  235. $this->Controller->Security->startup($this->Controller);
  236. $this->assertTrue($this->Controller->failed);
  237. $this->Controller->Session->write('_Token', array('allowedControllers' => array()));
  238. $this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
  239. $this->Controller->request['action'] = 'posted';
  240. $this->Controller->Security->requireAuth('posted');
  241. $this->Controller->Security->startup($this->Controller);
  242. $this->assertTrue($this->Controller->failed);
  243. $this->Controller->Session->write('_Token', array(
  244. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted2')
  245. ));
  246. $this->Controller->request->data = array('username' => 'willy', 'password' => 'somePass');
  247. $this->Controller->request['action'] = 'posted';
  248. $this->Controller->Security->requireAuth('posted');
  249. $this->Controller->Security->startup($this->Controller);
  250. $this->assertTrue($this->Controller->failed);
  251. }
  252. /**
  253. * testRequireAuthSucceed method
  254. *
  255. * @return void
  256. */
  257. public function testRequireAuthSucceed() {
  258. $_SERVER['REQUEST_METHOD'] = 'AUTH';
  259. $this->Controller->request['action'] = 'posted';
  260. $this->Controller->Security->requireAuth('posted');
  261. $this->Controller->Security->startup($this->Controller);
  262. $this->assertFalse($this->Controller->failed);
  263. $this->Controller->Security->Session->write('_Token', array(
  264. 'allowedControllers' => array('SecurityTest'), 'allowedActions' => array('posted')
  265. ));
  266. $this->Controller->request['controller'] = 'SecurityTest';
  267. $this->Controller->request['action'] = 'posted';
  268. $this->Controller->request->data = array(
  269. 'username' => 'willy', 'password' => 'somePass', '_Token' => ''
  270. );
  271. $this->Controller->action = 'posted';
  272. $this->Controller->Security->requireAuth('posted');
  273. $this->Controller->Security->startup($this->Controller);
  274. $this->assertFalse($this->Controller->failed);
  275. }
  276. /**
  277. * testRequirePostSucceedWrongMethod method
  278. *
  279. * @return void
  280. */
  281. public function testRequirePostSucceedWrongMethod() {
  282. $_SERVER['REQUEST_METHOD'] = 'GET';
  283. $this->Controller->request['action'] = 'getted';
  284. $this->Controller->Security->requirePost('posted');
  285. $this->Controller->Security->startup($this->Controller);
  286. $this->assertFalse($this->Controller->failed);
  287. }
  288. /**
  289. * testRequireGetFail method
  290. *
  291. * @return void
  292. */
  293. public function testRequireGetFail() {
  294. $_SERVER['REQUEST_METHOD'] = 'POST';
  295. $this->Controller->request['action'] = 'getted';
  296. $this->Controller->Security->requireGet(array('getted'));
  297. $this->Controller->Security->startup($this->Controller);
  298. $this->assertTrue($this->Controller->failed);
  299. }
  300. /**
  301. * testRequireGetSucceed method
  302. *
  303. * @return void
  304. */
  305. public function testRequireGetSucceed() {
  306. $_SERVER['REQUEST_METHOD'] = 'GET';
  307. $this->Controller->request['action'] = 'getted';
  308. $this->Controller->Security->requireGet('getted');
  309. $this->Controller->Security->startup($this->Controller);
  310. $this->assertFalse($this->Controller->failed);
  311. }
  312. /**
  313. * testRequireGetSucceedWrongMethod method
  314. *
  315. * @return void
  316. */
  317. public function testRequireGetSucceedWrongMethod() {
  318. $_SERVER['REQUEST_METHOD'] = 'POST';
  319. $this->Controller->request['action'] = 'posted';
  320. $this->Security->requireGet('getted');
  321. $this->Security->startup($this->Controller);
  322. $this->assertFalse($this->Controller->failed);
  323. }
  324. /**
  325. * testRequirePutFail method
  326. *
  327. * @return void
  328. */
  329. public function testRequirePutFail() {
  330. $_SERVER['REQUEST_METHOD'] = 'POST';
  331. $this->Controller->request['action'] = 'putted';
  332. $this->Controller->Security->requirePut(array('putted'));
  333. $this->Controller->Security->startup($this->Controller);
  334. $this->assertTrue($this->Controller->failed);
  335. }
  336. /**
  337. * testRequirePutSucceed method
  338. *
  339. * @return void
  340. */
  341. public function testRequirePutSucceed() {
  342. $_SERVER['REQUEST_METHOD'] = 'PUT';
  343. $this->Controller->request['action'] = 'putted';
  344. $this->Controller->Security->requirePut('putted');
  345. $this->Controller->Security->startup($this->Controller);
  346. $this->assertFalse($this->Controller->failed);
  347. }
  348. /**
  349. * testRequirePutSucceedWrongMethod method
  350. *
  351. * @return void
  352. */
  353. public function testRequirePutSucceedWrongMethod() {
  354. $_SERVER['REQUEST_METHOD'] = 'POST';
  355. $this->Controller->request['action'] = 'posted';
  356. $this->Controller->Security->requirePut('putted');
  357. $this->Controller->Security->startup($this->Controller);
  358. $this->assertFalse($this->Controller->failed);
  359. }
  360. /**
  361. * testRequireDeleteFail method
  362. *
  363. * @return void
  364. */
  365. public function testRequireDeleteFail() {
  366. $_SERVER['REQUEST_METHOD'] = 'POST';
  367. $this->Controller->request['action'] = 'deleted';
  368. $this->Controller->Security->requireDelete(array('deleted', 'other_method'));
  369. $this->Controller->Security->startup($this->Controller);
  370. $this->assertTrue($this->Controller->failed);
  371. }
  372. /**
  373. * testRequireDeleteSucceed method
  374. *
  375. * @return void
  376. */
  377. public function testRequireDeleteSucceed() {
  378. $_SERVER['REQUEST_METHOD'] = 'DELETE';
  379. $this->Controller->request['action'] = 'deleted';
  380. $this->Controller->Security->requireDelete('deleted');
  381. $this->Controller->Security->startup($this->Controller);
  382. $this->assertFalse($this->Controller->failed);
  383. }
  384. /**
  385. * testRequireDeleteSucceedWrongMethod method
  386. *
  387. * @return void
  388. */
  389. public function testRequireDeleteSucceedWrongMethod() {
  390. $_SERVER['REQUEST_METHOD'] = 'POST';
  391. $this->Controller->request['action'] = 'posted';
  392. $this->Controller->Security->requireDelete('deleted');
  393. $this->Controller->Security->startup($this->Controller);
  394. $this->assertFalse($this->Controller->failed);
  395. }
  396. /**
  397. * Simple hash validation test
  398. *
  399. * @return void
  400. */
  401. public function testValidatePost() {
  402. $this->Controller->Security->startup($this->Controller);
  403. $key = $this->Controller->request->params['_Token']['key'];
  404. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  405. $unlocked = '';
  406. $this->Controller->request->data = array(
  407. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  408. '_Token' => compact('key', 'fields', 'unlocked')
  409. );
  410. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  411. }
  412. /**
  413. * Test that validatePost fails if you are missing the session information.
  414. *
  415. * @return void
  416. */
  417. public function testValidatePostNoSession() {
  418. $this->Controller->Security->startup($this->Controller);
  419. $this->Controller->Session->delete('_Token');
  420. $key = $this->Controller->params['_Token']['key'];
  421. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  422. $this->Controller->data = array(
  423. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  424. '_Token' => compact('key', 'fields')
  425. );
  426. $this->assertFalse($this->Controller->Security->validatePost($this->Controller));
  427. }
  428. /**
  429. * test that validatePost fails if any of its required fields are missing.
  430. *
  431. * @return void
  432. */
  433. public function testValidatePostFormHacking() {
  434. $this->Controller->Security->startup($this->Controller);
  435. $key = $this->Controller->params['_Token']['key'];
  436. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  437. $unlocked = '';
  438. $this->Controller->request->data = array(
  439. 'Model' => array('username' => 'nate', 'password' => 'foo', 'valid' => '0'),
  440. '_Token' => compact('key', 'unlocked')
  441. );
  442. $result = $this->Controller->Security->validatePost($this->Controller);
  443. $this->assertFalse($result, 'validatePost passed when fields were missing. %s');
  444. }
  445. /**
  446. * Test that objects can't be passed into the serialized string. This was a vector for RFI and LFI
  447. * attacks. Thanks to Felix Wilhelm
  448. *
  449. * @return void
  450. */
  451. public function testValidatePostObjectDeserialize() {
  452. $this->Controller->Security->startup($this->Controller);
  453. $key = $this->Controller->request->params['_Token']['key'];
  454. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877';
  455. $unlocked = '';
  456. // a corrupted serialized object, so we can see if it ever gets to deserialize
  457. $attack = 'O:3:"App":1:{s:5:"__map";a:1:{s:3:"foo";s:7:"Hacked!";s:1:"fail"}}';
  458. $fields .= urlencode(':' . str_rot13($attack));
  459. $this->Controller->request->data = array(
  460. 'Model' => array('username' => 'mark', 'password' => 'foo', 'valid' => '0'),
  461. '_Token' => compact('key', 'fields', 'unlocked')
  462. );
  463. $result = $this->Controller->Security->validatePost($this->Controller);
  464. $this->assertFalse($result, 'validatePost passed when key was missing. %s');
  465. }
  466. /**
  467. * Tests validation of checkbox arrays
  468. *
  469. * @return void
  470. */
  471. public function testValidatePostArray() {
  472. $this->Controller->Security->startup($this->Controller);
  473. $key = $this->Controller->request->params['_Token']['key'];
  474. $fields = 'f7d573650a295b94e0938d32b323fde775e5f32b%3A';
  475. $unlocked = '';
  476. $this->Controller->request->data = array(
  477. 'Model' => array('multi_field' => array('1', '3')),
  478. '_Token' => compact('key', 'fields', 'unlocked')
  479. );
  480. $this->assertTrue($this->Controller->Security->validatePost($this->Controller));
  481. }
  482. /**
  483. * testValidatePostNoModel method
  484. *
  485. * @return void
  486. */
  487. public function testValidatePostNoModel() {
  488. $this->Controller->Security->startup($this->Controller);
  489. $key = $this->Controller->request->params['_Token']['key'];
  490. $fields = '540ac9c60d323c22bafe997b72c0790f39a8bdef%3A';
  491. $unlocked = '';
  492. $this->Controller->request->data = array(
  493. 'anything' => 'some_data',
  494. '_Token' => compact('key', 'fields', 'unlocked')
  495. );
  496. $result = $this->Controller->Security->validatePost($this->Controller);
  497. $this->assertTrue($result);
  498. }
  499. /**
  500. * testValidatePostSimple method
  501. *
  502. * @return void
  503. */
  504. public function testValidatePostSimple() {
  505. $this->Controller->Security->startup($this->Controller);
  506. $key = $this->Controller->request->params['_Token']['key'];
  507. $fields = '69f493434187b867ea14b901fdf58b55d27c935d%3A';
  508. $unlocked = '';
  509. $this->Controller->request->data = $data = array(
  510. 'Model' => array('username' => '', 'password' => ''),
  511. '_Token' => compact('key', 'fields', 'unlocked')
  512. );
  513. $result = $this->Controller->Security->validatePost($this->Controller);
  514. $this->assertTrue($result);
  515. }
  516. /**
  517. * Tests hash validation for multiple records, including locked fields
  518. *
  519. * @return void
  520. */
  521. public function testValidatePostComplex() {
  522. $this->Controller->Security->startup($this->Controller);
  523. $key = $this->Controller->request->params['_Token']['key'];
  524. $fields = 'c9118120e680a7201b543f562e5301006ccfcbe2%3AAddresses.0.id%7CAddresses.1.id';
  525. $unlocked = '';
  526. $this->Controller->request->data = array(
  527. 'Addresses' => array(
  528. '0' => array(
  529. 'id' => '123456', 'title' => '', 'first_name' => '', 'last_name' => '',
  530. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  531. ),
  532. '1' => array(
  533. 'id' => '654321', 'title' => '', 'first_name' => '', 'last_name' => '',
  534. 'address' => '', 'city' => '', 'phone' => '', 'primary' => ''
  535. )
  536. ),
  537. '_Token' => compact('key', 'fields', 'unlocked')
  538. );
  539. $result = $this->Controller->Security->validatePost($this->Controller);
  540. $this->assertTrue($result);
  541. }
  542. /**
  543. * test ValidatePost with multiple select elements.
  544. *
  545. * @return void
  546. */
  547. public function testValidatePostMultipleSelect() {
  548. $this->Controller->Security->startup($this->Controller);
  549. $key = $this->Controller->request->params['_Token']['key'];
  550. $fields = '422cde416475abc171568be690a98cad20e66079%3A';
  551. $unlocked = '';
  552. $this->Controller->request->data = array(
  553. 'Tag' => array('Tag' => array(1, 2)),
  554. '_Token' => compact('key', 'fields', 'unlocked'),
  555. );
  556. $result = $this->Controller->Security->validatePost($this->Controller);
  557. $this->assertTrue($result);
  558. $this->Controller->request->data = array(
  559. 'Tag' => array('Tag' => array(1, 2, 3)),
  560. '_Token' => compact('key', 'fields', 'unlocked'),
  561. );
  562. $result = $this->Controller->Security->validatePost($this->Controller);
  563. $this->assertTrue($result);
  564. $this->Controller->request->data = array(
  565. 'Tag' => array('Tag' => array(1, 2, 3, 4)),
  566. '_Token' => compact('key', 'fields', 'unlocked'),
  567. );
  568. $result = $this->Controller->Security->validatePost($this->Controller);
  569. $this->assertTrue($result);
  570. $fields = '19464422eafe977ee729c59222af07f983010c5f%3A';
  571. $this->Controller->request->data = array(
  572. 'User.password' => 'bar', 'User.name' => 'foo', 'User.is_valid' => '1',
  573. 'Tag' => array('Tag' => array(1)),
  574. '_Token' => compact('key', 'fields', 'unlocked'),
  575. );
  576. $result = $this->Controller->Security->validatePost($this->Controller);
  577. $this->assertTrue($result);
  578. }
  579. /**
  580. * testValidatePostCheckbox method
  581. *
  582. * First block tests un-checked checkbox
  583. * Second block tests checked checkbox
  584. *
  585. * @return void
  586. */
  587. public function testValidatePostCheckbox() {
  588. $this->Controller->Security->startup($this->Controller);
  589. $key = $this->Controller->request->params['_Token']['key'];
  590. $fields = 'a5475372b40f6e3ccbf9f8af191f20e1642fd877%3AModel.valid';
  591. $unlocked = '';
  592. $this->Controller->request->data = array(
  593. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  594. '_Token' => compact('key', 'fields', 'unlocked')
  595. );
  596. $result = $this->Controller->Security->validatePost($this->Controller);
  597. $this->assertTrue($result);
  598. $fields = '874439ca69f89b4c4a5f50fb9c36ff56a28f5d42%3A';
  599. $this->Controller->request->data = array(
  600. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  601. '_Token' => compact('key', 'fields', 'unlocked')
  602. );
  603. $result = $this->Controller->Security->validatePost($this->Controller);
  604. $this->assertTrue($result);
  605. $this->Controller->request->data = array();
  606. $this->Controller->Security->startup($this->Controller);
  607. $key = $this->Controller->request->params['_Token']['key'];
  608. $this->Controller->request->data = $data = array(
  609. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  610. '_Token' => compact('key', 'fields', 'unlocked')
  611. );
  612. $result = $this->Controller->Security->validatePost($this->Controller);
  613. $this->assertTrue($result);
  614. }
  615. /**
  616. * testValidatePostHidden method
  617. *
  618. * @return void
  619. */
  620. public function testValidatePostHidden() {
  621. $this->Controller->Security->startup($this->Controller);
  622. $key = $this->Controller->request->params['_Token']['key'];
  623. $fields = '51ccd8cb0997c7b3d4523ecde5a109318405ef8c%3AModel.hidden%7CModel.other_hidden';
  624. $unlocked = '';
  625. $this->Controller->request->data = array(
  626. 'Model' => array(
  627. 'username' => '', 'password' => '', 'hidden' => '0',
  628. 'other_hidden' => 'some hidden value'
  629. ),
  630. '_Token' => compact('key', 'fields', 'unlocked')
  631. );
  632. $result = $this->Controller->Security->validatePost($this->Controller);
  633. $this->assertTrue($result);
  634. }
  635. /**
  636. * testValidatePostWithDisabledFields method
  637. *
  638. * @return void
  639. */
  640. public function testValidatePostWithDisabledFields() {
  641. $this->Controller->Security->disabledFields = array('Model.username', 'Model.password');
  642. $this->Controller->Security->startup($this->Controller);
  643. $key = $this->Controller->request->params['_Token']['key'];
  644. $fields = 'ef1082968c449397bcd849f963636864383278b1%3AModel.hidden';
  645. $unlocked = '';
  646. $this->Controller->request->data = array(
  647. 'Model' => array(
  648. 'username' => '', 'password' => '', 'hidden' => '0'
  649. ),
  650. '_Token' => compact('fields', 'key', 'unlocked')
  651. );
  652. $result = $this->Controller->Security->validatePost($this->Controller);
  653. $this->assertTrue($result);
  654. }
  655. /**
  656. * test validating post data with posted unlocked fields.
  657. *
  658. * @return void
  659. */
  660. public function testValidatePostDisabledFieldsInData() {
  661. $this->Controller->Security->startup($this->Controller);
  662. $key = $this->Controller->request->params['_Token']['key'];
  663. $unlocked = 'Model.username';
  664. $fields = array('Model.hidden', 'Model.password');
  665. $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt')));
  666. $this->Controller->request->data = array(
  667. 'Model' => array(
  668. 'username' => 'mark',
  669. 'password' => 'sekret',
  670. 'hidden' => '0'
  671. ),
  672. '_Token' => compact('fields', 'key', 'unlocked')
  673. );
  674. $result = $this->Controller->Security->validatePost($this->Controller);
  675. $this->assertTrue($result);
  676. }
  677. /**
  678. * test that missing 'unlocked' input causes failure
  679. *
  680. * @return void
  681. */
  682. public function testValidatePostFailNoDisabled() {
  683. $this->Controller->Security->startup($this->Controller);
  684. $key = $this->Controller->request->params['_Token']['key'];
  685. $fields = array('Model.hidden', 'Model.password', 'Model.username');
  686. $fields = urlencode(Security::hash(serialize($fields) . Configure::read('Security.salt')));
  687. $this->Controller->request->data = array(
  688. 'Model' => array(
  689. 'username' => 'mark',
  690. 'password' => 'sekret',
  691. 'hidden' => '0'
  692. ),
  693. '_Token' => compact('fields', 'key')
  694. );
  695. $result = $this->Controller->Security->validatePost($this->Controller);
  696. $this->assertFalse($result);
  697. }
  698. /**
  699. * Test that validatePost fails when unlocked fields are changed.
  700. *
  701. * @return
  702. */
  703. public function testValidatePostFailDisabledFieldTampering() {
  704. $this->Controller->Security->startup($this->Controller);
  705. $key = $this->Controller->request->params['_Token']['key'];
  706. $unlocked = 'Model.username';
  707. $fields = array('Model.hidden', 'Model.password');
  708. $fields = urlencode(Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt')));
  709. // Tamper the values.
  710. $unlocked = 'Model.username|Model.password';
  711. $this->Controller->request->data = array(
  712. 'Model' => array(
  713. 'username' => 'mark',
  714. 'password' => 'sekret',
  715. 'hidden' => '0'
  716. ),
  717. '_Token' => compact('fields', 'key', 'unlocked')
  718. );
  719. $result = $this->Controller->Security->validatePost($this->Controller);
  720. $this->assertFalse($result);
  721. }
  722. /**
  723. * testValidateHiddenMultipleModel method
  724. *
  725. * @return void
  726. */
  727. public function testValidateHiddenMultipleModel() {
  728. $this->Controller->Security->startup($this->Controller);
  729. $key = $this->Controller->request->params['_Token']['key'];
  730. $fields = 'a2d01072dc4660eea9d15007025f35a7a5b58e18%3AModel.valid%7CModel2.valid%7CModel3.valid';
  731. $unlocked = '';
  732. $this->Controller->request->data = array(
  733. 'Model' => array('username' => '', 'password' => '', 'valid' => '0'),
  734. 'Model2' => array('valid' => '0'),
  735. 'Model3' => array('valid' => '0'),
  736. '_Token' => compact('key', 'fields', 'unlocked')
  737. );
  738. $result = $this->Controller->Security->validatePost($this->Controller);
  739. $this->assertTrue($result);
  740. }
  741. /**
  742. * testValidateHasManyModel method
  743. *
  744. * @return void
  745. */
  746. public function testValidateHasManyModel() {
  747. $this->Controller->Security->startup($this->Controller);
  748. $key = $this->Controller->request->params['_Token']['key'];
  749. $fields = '51e3b55a6edd82020b3f29c9ae200e14bbeb7ee5%3AModel.0.hidden%7CModel.0.valid';
  750. $fields .= '%7CModel.1.hidden%7CModel.1.valid';
  751. $unlocked = '';
  752. $this->Controller->request->data = array(
  753. 'Model' => array(
  754. array(
  755. 'username' => 'username', 'password' => 'password',
  756. 'hidden' => 'value', 'valid' => '0'
  757. ),
  758. array(
  759. 'username' => 'username', 'password' => 'password',
  760. 'hidden' => 'value', 'valid' => '0'
  761. )
  762. ),
  763. '_Token' => compact('key', 'fields', 'unlocked')
  764. );
  765. $result = $this->Controller->Security->validatePost($this->Controller);
  766. $this->assertTrue($result);
  767. }
  768. /**
  769. * testValidateHasManyRecordsPass method
  770. *
  771. * @return void
  772. */
  773. public function testValidateHasManyRecordsPass() {
  774. $this->Controller->Security->startup($this->Controller);
  775. $key = $this->Controller->request->params['_Token']['key'];
  776. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
  777. $fields .= 'Address.1.id%7CAddress.1.primary';
  778. $unlocked = '';
  779. $this->Controller->request->data = array(
  780. 'Address' => array(
  781. 0 => array(
  782. 'id' => '123',
  783. 'title' => 'home',
  784. 'first_name' => 'Bilbo',
  785. 'last_name' => 'Baggins',
  786. 'address' => '23 Bag end way',
  787. 'city' => 'the shire',
  788. 'phone' => 'N/A',
  789. 'primary' => '1',
  790. ),
  791. 1 => array(
  792. 'id' => '124',
  793. 'title' => 'home',
  794. 'first_name' => 'Frodo',
  795. 'last_name' => 'Baggins',
  796. 'address' => '50 Bag end way',
  797. 'city' => 'the shire',
  798. 'phone' => 'N/A',
  799. 'primary' => '1'
  800. )
  801. ),
  802. '_Token' => compact('key', 'fields', 'unlocked')
  803. );
  804. $result = $this->Controller->Security->validatePost($this->Controller);
  805. $this->assertTrue($result);
  806. }
  807. /**
  808. * testValidateHasManyRecords method
  809. *
  810. * validatePost should fail, hidden fields have been changed.
  811. *
  812. * @return void
  813. */
  814. public function testValidateHasManyRecordsFail() {
  815. $this->Controller->Security->startup($this->Controller);
  816. $key = $this->Controller->request->params['_Token']['key'];
  817. $fields = '7a203edb3d345bbf38fe0dccae960da8842e11d7%3AAddress.0.id%7CAddress.0.primary%7C';
  818. $fields .= 'Address.1.id%7CAddress.1.primary';
  819. $unlocked = '';
  820. $this->Controller->request->data = array(
  821. 'Address' => array(
  822. 0 => array(
  823. 'id' => '123',
  824. 'title' => 'home',
  825. 'first_name' => 'Bilbo',
  826. 'last_name' => 'Baggins',
  827. 'address' => '23 Bag end way',
  828. 'city' => 'the shire',
  829. 'phone' => 'N/A',
  830. 'primary' => '5',
  831. ),
  832. 1 => array(
  833. 'id' => '124',
  834. 'title' => 'home',
  835. 'first_name' => 'Frodo',
  836. 'last_name' => 'Baggins',
  837. 'address' => '50 Bag end way',
  838. 'city' => 'the shire',
  839. 'phone' => 'N/A',
  840. 'primary' => '1'
  841. )
  842. ),
  843. '_Token' => compact('key', 'fields', 'unlocked')
  844. );
  845. $result = $this->Controller->Security->validatePost($this->Controller);
  846. $this->assertFalse($result);
  847. }
  848. /**
  849. * testFormDisabledFields method
  850. *
  851. * @return void
  852. */
  853. public function testFormDisabledFields() {
  854. $this->Controller->Security->startup($this->Controller);
  855. $key = $this->Controller->request->params['_Token']['key'];
  856. $fields = '11842060341b9d0fc3808b90ba29fdea7054d6ad%3An%3A0%3A%7B%7D';
  857. $unlocked = '';
  858. $this->Controller->request->data = array(
  859. 'MyModel' => array('name' => 'some data'),
  860. '_Token' => compact('key', 'fields', 'unlocked')
  861. );
  862. $result = $this->Controller->Security->validatePost($this->Controller);
  863. $this->assertFalse($result);
  864. $this->Controller->Security->startup($this->Controller);
  865. $this->Controller->Security->disabledFields = array('MyModel.name');
  866. $key = $this->Controller->request->params['_Token']['key'];
  867. $this->Controller->request->data = array(
  868. 'MyModel' => array('name' => 'some data'),
  869. '_Token' => compact('key', 'fields', 'unlocked')
  870. );
  871. $result = $this->Controller->Security->validatePost($this->Controller);
  872. $this->assertTrue($result);
  873. }
  874. /**
  875. * testRadio method
  876. *
  877. * @return void
  878. */
  879. public function testRadio() {
  880. $this->Controller->Security->startup($this->Controller);
  881. $key = $this->Controller->request->params['_Token']['key'];
  882. $fields = '575ef54ca4fc8cab468d6d898e9acd3a9671c17e%3An%3A0%3A%7B%7D';
  883. $unlocked = '';
  884. $this->Controller->request->data = array(
  885. '_Token' => compact('key', 'fields', 'unlocked')
  886. );
  887. $result = $this->Controller->Security->validatePost($this->Controller);
  888. $this->assertFalse($result);
  889. $this->Controller->request->data = array(
  890. '_Token' => compact('key', 'fields', 'unlocked'),
  891. 'Test' => array('test' => '')
  892. );
  893. $result = $this->Controller->Security->validatePost($this->Controller);
  894. $this->assertTrue($result);
  895. $this->Controller->request->data = array(
  896. '_Token' => compact('key', 'fields', 'unlocked'),
  897. 'Test' => array('test' => '1')
  898. );
  899. $result = $this->Controller->Security->validatePost($this->Controller);
  900. $this->assertTrue($result);
  901. $this->Controller->request->data = array(
  902. '_Token' => compact('key', 'fields', 'unlocked'),
  903. 'Test' => array('test' => '2')
  904. );
  905. $result = $this->Controller->Security->validatePost($this->Controller);
  906. $this->assertTrue($result);
  907. }
  908. /**
  909. * test that a requestAction's controller will have the _Token appended to
  910. * the params.
  911. *
  912. * @return void
  913. * @see http://cakephp.lighthouseapp.com/projects/42648/tickets/68
  914. */
  915. public function testSettingTokenForRequestAction() {
  916. $this->Controller->Security->startup($this->Controller);
  917. $key = $this->Controller->request->params['_Token']['key'];
  918. $this->Controller->params['requested'] = 1;
  919. unset($this->Controller->request->params['_Token']);
  920. $this->Controller->Security->startup($this->Controller);
  921. $this->assertEquals($this->Controller->request->params['_Token']['key'], $key);
  922. }
  923. /**
  924. * test that blackhole doesn't delete the _Token session key so repeat data submissions
  925. * stay blackholed.
  926. *
  927. * @link http://cakephp.lighthouseapp.com/projects/42648/tickets/214
  928. * @return void
  929. */
  930. public function testBlackHoleNotDeletingSessionInformation() {
  931. $this->Controller->Security->startup($this->Controller);
  932. $this->Controller->Security->blackHole($this->Controller, 'auth');
  933. $this->assertTrue($this->Controller->Security->Session->check('_Token'), '_Token was deleted by blackHole %s');
  934. }
  935. /**
  936. * test that csrf checks are skipped for request action.
  937. *
  938. * @return void
  939. */
  940. public function testCsrfSkipRequestAction() {
  941. $_SERVER['REQUEST_METHOD'] = 'POST';
  942. $this->Security->validatePost = false;
  943. $this->Security->csrfCheck = true;
  944. $this->Security->csrfExpires = '+10 minutes';
  945. $this->Controller->request->params['requested'] = 1;
  946. $this->Security->startup($this->Controller);
  947. $this->assertFalse($this->Controller->failed, 'fail() was called.');
  948. }
  949. /**
  950. * test setting
  951. *
  952. * @return void
  953. */
  954. public function testCsrfSettings() {
  955. $this->Security->validatePost = false;
  956. $this->Security->csrfCheck = true;
  957. $this->Security->csrfExpires = '+10 minutes';
  958. $this->Security->startup($this->Controller);
  959. $token = $this->Security->Session->read('_Token');
  960. $this->assertEquals(count($token['csrfTokens']), 1, 'Missing the csrf token.');
  961. $this->assertEquals(strtotime('+10 minutes'), current($token['csrfTokens']), 'Token expiry does not match');
  962. $this->assertEquals(array('key', 'unlockedFields'), array_keys($this->Controller->request->params['_Token']), 'Keys don not match');
  963. }
  964. /**
  965. * Test setting multiple nonces, when startup() is called more than once, (ie more than one request.)
  966. *
  967. * @return void
  968. */
  969. public function testCsrfSettingMultipleNonces() {
  970. $this->Security->validatePost = false;
  971. $this->Security->csrfCheck = true;
  972. $this->Security->csrfExpires = '+10 minutes';
  973. $this->Security->startup($this->Controller);
  974. $this->Security->startup($this->Controller);
  975. $token = $this->Security->Session->read('_Token');
  976. $this->assertEquals(count($token['csrfTokens']), 2, 'Missing the csrf token.');
  977. foreach ($token['csrfTokens'] as $key => $expires) {
  978. $this->assertEquals(strtotime('+10 minutes'), $expires, 'Token expiry does not match');
  979. }
  980. }
  981. /**
  982. * test that nonces are consumed by form submits.
  983. *
  984. * @return void
  985. */
  986. public function testCsrfNonceConsumption() {
  987. $this->Security->validatePost = false;
  988. $this->Security->csrfCheck = true;
  989. $this->Security->csrfExpires = '+10 minutes';
  990. $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
  991. $this->Controller->request = $this->getMock('CakeRequest', array('is'));
  992. $this->Controller->request->expects($this->once())->method('is')
  993. ->with('post')
  994. ->will($this->returnValue(true));
  995. $this->Controller->request->params['action'] = 'index';
  996. $this->Controller->request->data = array(
  997. '_Token' => array(
  998. 'key' => 'nonce1'
  999. ),
  1000. 'Post' => array(
  1001. 'title' => 'Woot'
  1002. )
  1003. );
  1004. $this->Security->startup($this->Controller);
  1005. $token = $this->Security->Session->read('_Token');
  1006. $this->assertFalse(isset($token['csrfTokens']['nonce1']), 'Token was not consumed');
  1007. }
  1008. /**
  1009. * test that expired values in the csrfTokens are cleaned up.
  1010. *
  1011. * @return void
  1012. */
  1013. public function testCsrfNonceVacuum() {
  1014. $this->Security->validatePost = false;
  1015. $this->Security->csrfCheck = true;
  1016. $this->Security->csrfExpires = '+10 minutes';
  1017. $this->Security->Session->write('_Token.csrfTokens', array(
  1018. 'valid' => strtotime('+30 minutes'),
  1019. 'poof' => strtotime('-11 minutes'),
  1020. 'dust' => strtotime('-20 minutes')
  1021. ));
  1022. $this->Security->startup($this->Controller);
  1023. $tokens = $this->Security->Session->read('_Token.csrfTokens');
  1024. $this->assertEquals(2, count($tokens), 'Too many tokens left behind');
  1025. $this->assertNotEmpty('valid', $tokens, 'Valid token was removed.');
  1026. }
  1027. /**
  1028. * test that when the key is missing the request is blackHoled
  1029. *
  1030. * @return void
  1031. */
  1032. public function testCsrfBlackHoleOnKeyMismatch() {
  1033. $this->Security->validatePost = false;
  1034. $this->Security->csrfCheck = true;
  1035. $this->Security->csrfExpires = '+10 minutes';
  1036. $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
  1037. $this->Controller->request = $this->getMock('CakeRequest', array('is'));
  1038. $this->Controller->request->expects($this->once())->method('is')
  1039. ->with('post')
  1040. ->will($this->returnValue(true));
  1041. $this->Controller->request->params['action'] = 'index';
  1042. $this->Controller->request->data = array(
  1043. '_Token' => array(
  1044. 'key' => 'not the right value'
  1045. ),
  1046. 'Post' => array(
  1047. 'title' => 'Woot'
  1048. )
  1049. );
  1050. $this->Security->startup($this->Controller);
  1051. $this->assertTrue($this->Controller->failed, 'fail() was not called.');
  1052. }
  1053. /**
  1054. * test that when the key is missing the request is blackHoled
  1055. *
  1056. * @return void
  1057. */
  1058. public function testCsrfBlackHoleOnExpiredKey() {
  1059. $this->Security->validatePost = false;
  1060. $this->Security->csrfCheck = true;
  1061. $this->Security->csrfExpires = '+10 minutes';
  1062. $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('-5 minutes')));
  1063. $this->Controller->request = $this->getMock('CakeRequest', array('is'));
  1064. $this->Controller->request->expects($this->once())->method('is')
  1065. ->with('post')
  1066. ->will($this->returnValue(true));
  1067. $this->Controller->request->params['action'] = 'index';
  1068. $this->Controller->request->data = array(
  1069. '_Token' => array(
  1070. 'key' => 'nonce1'
  1071. ),
  1072. 'Post' => array(
  1073. 'title' => 'Woot'
  1074. )
  1075. );
  1076. $this->Security->startup($this->Controller);
  1077. $this->assertTrue($this->Controller->failed, 'fail() was not called.');
  1078. }
  1079. /**
  1080. * test that csrfUseOnce = false works.
  1081. *
  1082. * @return void
  1083. */
  1084. public function testCsrfNotUseOnce() {
  1085. $this->Security->validatePost = false;
  1086. $this->Security->csrfCheck = true;
  1087. $this->Security->csrfUseOnce = false;
  1088. $this->Security->csrfExpires = '+10 minutes';
  1089. // Generate one token
  1090. $this->Security->startup($this->Controller);
  1091. $token = $this->Security->Session->read('_Token.csrfTokens');
  1092. $this->assertEquals(1, count($token), 'Should only be one token.');
  1093. $this->Security->startup($this->Controller);
  1094. $token2 = $this->Security->Session->read('_Token.csrfTokens');
  1095. $this->assertEquals(1, count($token2), 'Should only be one token.');
  1096. $this->assertEquals($token, $token2, 'Tokens should not be different.');
  1097. $key = $this->Controller->request->params['_Token']['key'];
  1098. $this->assertEquals(array($key), array_keys($token), '_Token.key and csrfToken do not match request will blackhole.');
  1099. }
  1100. /**
  1101. * ensure that longer session tokens are not consumed
  1102. *
  1103. * @return void
  1104. */
  1105. public function testCsrfNotUseOnceValidationLeavingToken() {
  1106. $this->Security->validatePost = false;
  1107. $this->Security->csrfCheck = true;
  1108. $this->Security->csrfUseOnce = false;
  1109. $this->Security->csrfExpires = '+10 minutes';
  1110. $this->Security->Session->write('_Token.csrfTokens', array('nonce1' => strtotime('+10 minutes')));
  1111. $this->Controller->request = $this->getMock('CakeRequest', array('is'));
  1112. $this->Controller->request->expects($this->once())->method('is')
  1113. ->with('post')
  1114. ->will($this->returnValue(true));
  1115. $this->Controller->request->params['action'] = 'index';
  1116. $this->Controller->request->data = array(
  1117. '_Token' => array(
  1118. 'key' => 'nonce1'
  1119. ),
  1120. 'Post' => array(
  1121. 'title' => 'Woot'
  1122. )
  1123. );
  1124. $this->Security->startup($this->Controller);
  1125. $token = $this->Security->Session->read('_Token');
  1126. $this->assertTrue(isset($token['csrfTokens']['nonce1']), 'Token was consumed');
  1127. }
  1128. }