lemonldap-ng/lemonldap-ng-portal/t/03-XSS-protection.t

use Test::More;
use strict;
use IO::String;

require 't/test-lib.pm';

my $client = LLNG::Manager::Test->new( {
        ini => {
            logLevel       => 'error',
            useSafeJail    => 1,
            trustedDomains => 'example3.com *.example2.com'
        }
    }
);

my @tests = (

    # 1 No redirection
    '' => 0, 'Empty',

    # 2 http://test1.example.com/
    'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' => 1, 'Protected virtual host',

    # 3 http://test1.example.com
    'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t' => 1, 'Missing / in URL',

    # 4 http://test1.example.com:8000/test
    'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAvdGVzdA==' => 1,
    'Non default port',

    # 5 http://test1.example.com:8000/
    'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAv' => 1,
    'Non default port with missing /',

    # 6 http://t.example2.com/test
    'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => 1,
    'Undeclared virtual host in trusted domain',

    # 7 http://testexample2.com/
    'aHR0cDovL3Rlc3RleGFtcGxlMi5jb20vCg==' => 0,
    'Undeclared virtual host in untrusted domain'
      . ' (looks like a trusted domain, but is not)',

    # 8 http://test.example3.com/
    'aHR0cDovL3Rlc3QuZXhhbXBsZTMuY29tLwo=' => 0,
    'Undeclared virtual host in untrusted domain (domain name'
      . ' "example3.com" is trusted, but domain "*.example3.com" not)',

    # 9 http://example3.com/
    'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => 1,
    'Undeclared virtual host with trusted domain name',

    # 10 http://t.example.com/test
    'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => 0,
    'Undeclared virtual host in (untrusted) protected domain',

    # 11
    'http://test.com/' => 0, 'Non base64 encoded characters',

    # 12 http://test.example.com:8000V
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => 0,
    'Non number in port',

    # 13 http://t.ex.com/test
    'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => 0,
    'Undeclared virtual host in untrusted domain',

    # 14 http://test.example.com/%00
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => 0, 'Base64 encoded \0',

    # 15 http://test.example.com/test\0
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => 0,
    'Base64 and url encoded \0',

    # 16
    'XX%00' => 0, 'Non base64 encoded \0 ',

    # 17 http://test.example.com/test?<script>alert()</script>
    'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='
      => 0,
    'base64 encoded HTML tags',

    # LOGOUT TESTS
    'LOGOUT',

    # 18 url=http://www.toto.com/, bad referer
    'aHR0cDovL3d3dy50b3RvLmNvbS8=',
    'http://bad.com/' => 0,
    'Logout required by bad site',

    # 19 url=http://www.toto.com/, good referer
    'aHR0cDovL3d3dy50b3RvLmNvbS8=',
    'http://test1.example.com/' => 1,
    'Logout required by good site',

    # 20 url=http://www?<script>, good referer
    'aHR0cDovL3d3dz88c2NyaXB0Pg==',
    'http://test1.example.com/' => 0,
    'script with logout',

    # 21 url=http://www.toto.com/, no referer
    'aHR0cDovL3d3dy50b3RvLmNvbS8=',
    '' => 1,
    'Logout required by good site, empty referer',
);

my $res;
ok(
    $res = $client->_post(
        '/',
        IO::String->new('user=dwho&password=dwho'),
        length => 23
    ),
    'Auth query'
);
count(1);
expectOK($res);
my $id = expectCookie($res);

while ( defined( my $url = shift(@tests) ) ) {
    last if ( $url eq 'LOGOUT' );
    my $redir  = shift @tests;
    my $detail = shift @tests;
    ok(
        $res = $client->_get(
            '/',
            query  => "url=$url",
            cookie => "lemonldap=$id",
            accept => 'text/html'
        ),
        $detail
    );
    ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
        ( $redir ? 'Get redirection' : 'Redirection dropped' ) )
      or explain( $res->[0], ( $redir ? 302 : 200 ) );
    count(2);
}

while ( defined( my $url = shift(@tests) ) ) {
    my $referer = shift @tests;
    my $redir   = shift @tests;
    my $detail  = shift @tests;
    ok(
        $res = $client->_get(
            '/',
            query  => "url=$url&logout=1",
            cookie => "lemonldap=$id",

            accept  => 'text/html',
            referer => $referer,
        ),
        $detail
    );
    ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
        ( $redir ? 'Get redirection' : 'Redirection dropped' ) )
      or explain( $res->[0], ( $redir ? 302 : 200 ) );
    ok(
        $res = $client->_post(
            '/',
            IO::String->new('user=dwho&password=dwho'),
            length => 23
        ),
        'Auth query'
    );
    expectOK($res);
    $id = expectCookie($res);
    count(3);
}

clean_sessions();

done_testing( count() );
__END__

# LOGOUT CASES
$logout = 1;
while ( defined( $url = shift(@h) ) ) {
    my $referer = shift @h;
    $result = shift @h;
    my $text = shift @h;
    $ENV{HTTP_REFERER} = $referer;

    ok( $p->controlUrlOrigin() == $result, $text );
}
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`use Test::More;`
XSS tests 2009-02-17 20:37:06 +01:00			`use strict;`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`use IO::String;`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`require 't/test-lib.pm';`
XSS tests 2009-02-17 20:37:06 +01:00
tidy with new conf 2019-02-07 09:27:56 +01:00			`my $client = LLNG::Manager::Test->new( {`
Prepare tests for SAML (#595) 2016-11-14 13:34:46 +01:00			`ini => {`
			`logLevel => 'error',`
			`useSafeJail => 1,`
			`trustedDomains => 'example3.com *.example2.com'`
			`}`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`}`
			`);`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`my @tests = (`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 1 No redirection`
			`'' => 0, 'Empty',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 2 http://test1.example.com/`
			`'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' => 1, 'Protected virtual host',`
More tests 2009-02-19 09:06:59 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 3 http://test1.example.com`
			`'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t' => 1, 'Missing / in URL',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 4 http://test1.example.com:8000/test`
			`'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAvdGVzdA==' => 1,`
			`'Non default port',`

			`# 5 http://test1.example.com:8000/`
			`'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAv' => 1,`
More tests 2009-02-19 09:06:59 +01:00			`'Non default port with missing /',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 6 http://t.example2.com/test`
			`'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => 1,`
* New parameter for XSS protection : trustedDomains * parameters test to avoid warnings * debian/control : missing dependencies * perltidy * tests update 2009-06-14 18:43:02 +02:00			`'Undeclared virtual host in trusted domain',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 7 http://testexample2.com/`
			`'aHR0cDovL3Rlc3RleGFtcGxlMi5jb20vCg==' => 0,`
Changes in tests for requests checking (Lemonldap-467) 2012-05-24 17:12:45 +02:00			`'Undeclared virtual host in untrusted domain'`
Make tidy 2012-07-26 04:47:27 +02:00			`. ' (looks like a trusted domain, but is not)',`
Changes in tests for requests checking (Lemonldap-467) 2012-05-24 17:12:45 +02:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 8 http://test.example3.com/`
			`'aHR0cDovL3Rlc3QuZXhhbXBsZTMuY29tLwo=' => 0,`
Make tidy 2012-07-26 04:47:27 +02:00			`'Undeclared virtual host in untrusted domain (domain name'`
			`. ' "example3.com" is trusted, but domain "*.example3.com" not)',`
Changes in tests for requests checking (Lemonldap-467) 2012-05-24 17:12:45 +02:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 9 http://example3.com/`
			`'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => 1,`
Changes in tests for requests checking (Lemonldap-467) 2012-05-24 17:12:45 +02:00			`'Undeclared virtual host with trusted domain name',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 10 http://t.example.com/test`
			`'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => 0,`
* New parameter for XSS protection : trustedDomains * parameters test to avoid warnings * debian/control : missing dependencies * perltidy * tests update 2009-06-14 18:43:02 +02:00			`'Undeclared virtual host in (untrusted) protected domain',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 11`
			`'http://test.com/' => 0, 'Non base64 encoded characters',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 12 http://test.example.com:8000V`
			`'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => 0,`
More tests 2009-02-19 09:06:59 +01:00			`'Non number in port',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 13 http://t.ex.com/test`
			`'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => 0,`
Changes in tests for requests checking (Lemonldap-467) 2012-05-24 17:12:45 +02:00			`'Undeclared virtual host in untrusted domain',`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 14 http://test.example.com/%00`
			`'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => 0, 'Base64 encoded \0',`
More tests 2009-02-19 09:06:59 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 15 http://test.example.com/test\0`
			`'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => 0,`
More tests 2009-02-19 09:06:59 +01:00			`'Base64 and url encoded \0',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 16`
			`'XX%00' => 0, 'Non base64 encoded \0 ',`
More tests 2009-02-19 09:06:59 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 17 http://test.example.com/test?<script>alert()</script>`
More tests 2009-02-19 09:06:59 +01:00			`'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`=> 0,`
More tests 2009-02-19 09:06:59 +01:00			`'base64 encoded HTML tags',`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00
			`# LOGOUT TESTS`
			`'LOGOUT',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 18 url=http://www.toto.com/, bad referer`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'aHR0cDovL3d3dy50b3RvLmNvbS8=',`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`'http://bad.com/' => 0,`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'Logout required by bad site',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 19 url=http://www.toto.com/, good referer`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'aHR0cDovL3d3dy50b3RvLmNvbS8=',`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`'http://test1.example.com/' => 1,`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'Logout required by good site',`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`# 20 url=http://www?<script>, good referer`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'aHR0cDovL3d3dz88c2NyaXB0Pg==',`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`'http://test1.example.com/' => 0,`
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`'script with logout',`
Make sure empty referers are valid during logout 2021-07-09 15:02:20 +02:00
			`# 21 url=http://www.toto.com/, no referer`
			`'aHR0cDovL3d3dy50b3RvLmNvbS8=',`
			`'' => 1,`
			`'Logout required by good site, empty referer',`
XSS tests 2009-02-17 20:37:06 +01:00			`);`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`my $res;`
XSS tests 2009-02-17 20:37:06 +01:00			`ok(`
Prepare tests for SAML (#595) 2016-11-14 13:34:46 +01:00			`$res = $client->_post(`
Update tests (#595) 2016-05-30 22:20:50 +02:00			`'/',`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`IO::String->new('user=dwho&password=dwho'),`
Update tests (#595) 2016-05-30 22:20:50 +02:00			`length => 23`
XSS tests 2009-02-17 20:37:06 +01:00			`),`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`'Auth query'`
XSS tests 2009-02-17 20:37:06 +01:00			`);`
Clean tests (not finished) (#595)' 2016-12-23 07:41:03 +01:00			`count(1);`
			`expectOK($res);`
			`my $id = expectCookie($res);`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00
			`while ( defined( my $url = shift(@tests) ) ) {`
			`last if ( $url eq 'LOGOUT' );`
			`my $redir = shift @tests;`
			`my $detail = shift @tests;`
			`ok(`
Prepare tests for SAML (#595) 2016-11-14 13:34:46 +01:00			`$res = $client->_get(`
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`'/',`
			`query => "url=$url",`
			`cookie => "lemonldap=$id",`
			`accept => 'text/html'`
			`),`
			`$detail`
			`);`
			`ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),`
			`( $redir ? 'Get redirection' : 'Redirection dropped' ) )`
			`or explain( $res->[0], ( $redir ? 302 : 200 ) );`
			`count(2);`
			`}`
XSS tests 2009-02-17 20:37:06 +01:00
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`while ( defined( my $url = shift(@tests) ) ) {`
			`my $referer = shift @tests;`
			`my $redir = shift @tests;`
			`my $detail = shift @tests;`
			`ok(`
Prepare tests for SAML (#595) 2016-11-14 13:34:46 +01:00			`$res = $client->_get(`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`'/',`
			`query => "url=$url&logout=1",`
			`cookie => "lemonldap=$id",`

			`accept => 'text/html',`
			`referer => $referer,`
			`),`
			`$detail`
			`);`
			`ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),`
			`( $redir ? 'Get redirection' : 'Redirection dropped' ) )`
			`or explain( $res->[0], ( $redir ? 302 : 200 ) );`
			`ok(`
Prepare tests for SAML (#595) 2016-11-14 13:34:46 +01:00			`$res = $client->_post(`
Update tests (#595) 2016-05-30 22:20:50 +02:00			`'/',`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`IO::String->new('user=dwho&password=dwho'),`
Update tests (#595) 2016-05-30 22:20:50 +02:00			`length => 23`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`),`
			`'Auth query'`
			`);`
Clean tests (not finished) (#595)' 2016-12-23 07:41:03 +01:00			`expectOK($res);`
			`$id = expectCookie($res);`
			`count(3);`
Working on logout and XSS (#595) 2016-05-23 18:55:23 +02:00			`}`

Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`clean_sessions();`
XSS tests 2009-02-17 20:37:06 +01:00
Working on XSS detection (#595) 2016-05-23 13:53:09 +02:00			`done_testing( count() );`
			`__END__`
* New parameter for XSS protection : trustedDomains * parameters test to avoid warnings * debian/control : missing dependencies * perltidy * tests update 2009-06-14 18:43:02 +02:00
Modif for XSS: for logout URL, we test now Referer field 2010-05-01 15:12:28 +02:00			`# LOGOUT CASES`
			`$logout = 1;`
			`while ( defined( $url = shift(@h) ) ) {`
			`my $referer = shift @h;`
			`$result = shift @h;`
			`my $text = shift @h;`
			`$ENV{HTTP_REFERER} = $referer;`

			`ok( $p->controlUrlOrigin() == $result, $text );`
			`}`