Working on XSS detection (#595)
This commit is contained in:
parent
159eb4a6ce
commit
73a51bb4fb
|
@ -30,7 +30,7 @@ has _macros => ( is => 'rw' );
|
||||||
has _groups => ( is => 'rw' );
|
has _groups => ( is => 'rw' );
|
||||||
|
|
||||||
# TrustedDomain regexp
|
# TrustedDomain regexp
|
||||||
has trustedDomains => ( is => 'rw' );
|
has trustedDomainsRe => ( is => 'rw' );
|
||||||
|
|
||||||
# Lists to store plugins entry-points
|
# Lists to store plugins entry-points
|
||||||
has beforeAuth => (
|
has beforeAuth => (
|
||||||
|
@ -120,7 +120,7 @@ sub reloadConf {
|
||||||
$self->conf->{templateDir} . '/' . $self->conf->{portalSkin};
|
$self->conf->{templateDir} . '/' . $self->conf->{portalSkin};
|
||||||
|
|
||||||
$self->{staticPrefix} = $self->conf->{staticPrefix} || '/';
|
$self->{staticPrefix} = $self->conf->{staticPrefix} || '/';
|
||||||
$self->{languages} = $self->conf->{languages} || '/';
|
$self->{languages} = $self->conf->{languages} || '/';
|
||||||
|
|
||||||
# Initialize session DBs
|
# Initialize session DBs
|
||||||
unless ( $self->conf->{globalStorage} ) {
|
unless ( $self->conf->{globalStorage} ) {
|
||||||
|
@ -166,17 +166,25 @@ sub reloadConf {
|
||||||
if ( $self->conf->{trustedDomains}
|
if ( $self->conf->{trustedDomains}
|
||||||
and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ )
|
and $self->conf->{trustedDomains} =~ /^\s*\*\s*$/ )
|
||||||
{
|
{
|
||||||
$self->trustedDomains(qr#^https?://#);
|
$self->trustedDomainsRe(qr#^https?://#);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
my $re = Regexp::Assemble->new();
|
my $re = Regexp::Assemble->new();
|
||||||
if ( my $td = $self->conf->{trustedDomains} ) {
|
if ( my $td = $self->conf->{trustedDomains} ) {
|
||||||
$td =~ s/^\s*(.*?)\s*/$1/;
|
$td =~ s/^\s*(.*?)\s*/$1/;
|
||||||
$self->lmLog( "Domain $_ added in trusted domains", 'debug' );
|
|
||||||
foreach ( split( /\s+/, $td ) ) {
|
foreach ( split( /\s+/, $td ) ) {
|
||||||
|
next unless($td);
|
||||||
s#^\.#([^/]+\.)?#;
|
s#^\.#([^/]+\.)?#;
|
||||||
s/\./\\./;
|
$self->lmLog( "Domain $_ added in trusted domains", 'debug' );
|
||||||
$re->add($_);
|
s/\./\\./g;
|
||||||
|
|
||||||
|
# This regexp is valid for the followings hosts:
|
||||||
|
# - $td
|
||||||
|
# - $domainlabel.$td
|
||||||
|
# $domainlabel is build looking RFC2396
|
||||||
|
# (see Regexp::Common::URI::RFC2396)
|
||||||
|
$_ =~ s/\*\\\./(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9]\\.)*/g;
|
||||||
|
$re->add("$_");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) {
|
foreach my $vhost ( keys %{ $self->conf->{locationRules} } ) {
|
||||||
|
@ -192,20 +200,8 @@ sub reloadConf {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
my $tmp = 'https?://' . $re->as_string . '(?:/|$)';
|
my $tmp = 'https?://' . $re->as_string . '(?::\d+)?(?:/|$)';
|
||||||
$self->trustedDomains(qr/$tmp/);
|
$self->trustedDomainsRe(qr/$tmp/);
|
||||||
}
|
|
||||||
if ( my $td = $self->conf->{trustedDomains} ) {
|
|
||||||
$td =~ s/^\s*(.*?)\s*/$1/;
|
|
||||||
if ( $td eq '*' ) {
|
|
||||||
$self->trustedDomains(qr#^https?://#);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
my $tmp =
|
|
||||||
join( '|', map { s#^\.#([^/]+\.)?# } split( /\s+/, $td ) );
|
|
||||||
$tmp =~ s/\./\\./g;
|
|
||||||
$self->trustedDomains(qr#^https?://$tmp(?:\d+)?(?:/|$)#);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Compile macros in _macros, groups in _groups
|
# Compile macros in _macros, groups in _groups
|
||||||
|
|
|
@ -332,7 +332,7 @@ sub _md5hash {
|
||||||
# trusted domain
|
# trusted domain
|
||||||
sub isTrustedUrl {
|
sub isTrustedUrl {
|
||||||
my ( $self, $url ) = @_;
|
my ( $self, $url ) = @_;
|
||||||
return $url =~ $self->trustedDomains ? 1 : 0;
|
return $url =~ $self->trustedDomainsRe ? 1 : 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
||||||
|
|
|
@ -1,150 +1,141 @@
|
||||||
# Before `make install' is performed this script should be runnable with
|
use Test::More;
|
||||||
# `make test'. After `make install' it should work as `perl Lemonldap-NG-Portal.t'
|
|
||||||
|
|
||||||
#########################
|
|
||||||
|
|
||||||
# change 'tests => 1' to 'tests => last_test_to_print';
|
|
||||||
|
|
||||||
package My::Portal;
|
|
||||||
use strict;
|
use strict;
|
||||||
use Test::More tests => 22;
|
use IO::String;
|
||||||
|
|
||||||
BEGIN {
|
BEGIN {
|
||||||
use_ok( 'Lemonldap::NG::Portal::Simple', ':all' );
|
use_ok( 'Lemonldap::NG::Portal::Main::Constants', ':all' );
|
||||||
sub Lemonldap::NG::Portal::Simple::lmLog { }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#use Lemonldap::NG::Portal::Simple;
|
require 't/test-lib.pm';
|
||||||
|
|
||||||
our @ISA = 'Lemonldap::NG::Portal::Simple';
|
init( { useSafeJail => 1, trustedDomains => 'example3.com *.example2.com' } );
|
||||||
my ( $url, $result, $logout );
|
|
||||||
$logout = 0;
|
|
||||||
my @h = (
|
|
||||||
|
|
||||||
'' => PE_OK, 'Empty',
|
my @tests = (
|
||||||
|
|
||||||
# 4 http://test.example.com/
|
# 1 No redirection
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20v' => PE_OK, 'Protected virtual host',
|
'' => 0, 'Empty',
|
||||||
|
|
||||||
# 5 http://test.example.com
|
# 2 http://test1.example.com/
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20v' => PE_OK, 'Missing / in URL',
|
'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tLw==' => 1, 'Protected virtual host',
|
||||||
|
|
||||||
# 6 http://test.example.com:8000/test
|
# 3 http://test1.example.com
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMC90ZXN0' => PE_OK, 'Non default port',
|
'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29t' => 1, 'Missing / in URL',
|
||||||
|
|
||||||
# 7 http://test.example.com:8000/
|
# 4 http://test1.example.com:8000/test
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMA==' => PE_BADURL,
|
'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAvdGVzdA==' => 1,
|
||||||
|
'Non default port',
|
||||||
|
|
||||||
|
# 5 http://test1.example.com:8000/
|
||||||
|
'aHR0cDovL3Rlc3QxLmV4YW1wbGUuY29tOjgwMDAv' => 1,
|
||||||
'Non default port with missing /',
|
'Non default port with missing /',
|
||||||
|
|
||||||
# 8 http://t.example2.com/test
|
# 6 http://t.example2.com/test
|
||||||
'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => PE_OK,
|
'aHR0cDovL3QuZXhhbXBsZTIuY29tL3Rlc3Q=' => 1,
|
||||||
'Undeclared virtual host in trusted domain',
|
'Undeclared virtual host in trusted domain',
|
||||||
|
|
||||||
# 9 http://testexample2.com/
|
# 7 http://testexample2.com/
|
||||||
'aHR0cDovL3Rlc3RleGFtcGxlMi5jb20vCg==' => PE_BADURL,
|
'aHR0cDovL3Rlc3RleGFtcGxlMi5jb20vCg==' => 0,
|
||||||
'Undeclared virtual host in untrusted domain'
|
'Undeclared virtual host in untrusted domain'
|
||||||
. ' (looks like a trusted domain, but is not)',
|
. ' (looks like a trusted domain, but is not)',
|
||||||
|
|
||||||
# 10 http://test.example3.com/
|
# 8 http://test.example3.com/
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZTMuY29tLwo=' => PE_BADURL,
|
'aHR0cDovL3Rlc3QuZXhhbXBsZTMuY29tLwo=' => 0,
|
||||||
'Undeclared virtual host in untrusted domain (domain name'
|
'Undeclared virtual host in untrusted domain (domain name'
|
||||||
. ' "example3.com" is trusted, but domain "*.example3.com" not)',
|
. ' "example3.com" is trusted, but domain "*.example3.com" not)',
|
||||||
|
|
||||||
# 11 http://example3.com/
|
# 9 http://example3.com/
|
||||||
'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => PE_OK,
|
'aHR0cDovL2V4YW1wbGUzLmNvbS8K' => 1,
|
||||||
'Undeclared virtual host with trusted domain name',
|
'Undeclared virtual host with trusted domain name',
|
||||||
|
|
||||||
# 12 http://t.example.com/test
|
# 10 http://t.example.com/test
|
||||||
'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => PE_BADURL,
|
'aHR0cDovL3QuZXhhbXBsZS5jb20vdGVzdA==' => 0,
|
||||||
'Undeclared virtual host in (untrusted) protected domain',
|
'Undeclared virtual host in (untrusted) protected domain',
|
||||||
|
|
||||||
# 13
|
# 11
|
||||||
'http://test.com/' => PE_BADURL, 'Non base64 encoded characters',
|
'http://test.com/' => 0, 'Non base64 encoded characters',
|
||||||
|
|
||||||
# 14 http://test.example.com:8000V
|
# 12 http://test.example.com:8000V
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => PE_BADURL,
|
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb206ODAwMFY=' => 0,
|
||||||
'Non number in port',
|
'Non number in port',
|
||||||
|
|
||||||
# 15 http://t.ex.com/test
|
# 13 http://t.ex.com/test
|
||||||
'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => PE_BADURL,
|
'aHR0cDovL3QuZXguY29tL3Rlc3Q=' => 0,
|
||||||
'Undeclared virtual host in untrusted domain',
|
'Undeclared virtual host in untrusted domain',
|
||||||
|
|
||||||
# 16 http://test.example.com/%00
|
# 14 http://test.example.com/%00
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => PE_BADURL, 'Base64 encoded \0',
|
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vJTAw' => 0, 'Base64 encoded \0',
|
||||||
|
|
||||||
# 17 http://test.example.com/test\0
|
# 15 http://test.example.com/test\0
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => PE_BADURL,
|
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdAA=' => 0,
|
||||||
'Base64 and url encoded \0',
|
'Base64 and url encoded \0',
|
||||||
|
|
||||||
# 18
|
# 16
|
||||||
'XX%00' => PE_BADURL, 'Non base64 encoded \0 ',
|
'XX%00' => 0, 'Non base64 encoded \0 ',
|
||||||
|
|
||||||
# 19 http://test.example.com/test?<script>alert()</script>
|
# 17 http://test.example.com/test?<script>alert()</script>
|
||||||
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='
|
'aHR0cDovL3Rlc3QuZXhhbXBsZS5jb20vdGVzdD88c2NyaXB0PmFsZXJ0KCk8L3NjcmlwdD4='
|
||||||
=> PE_BADURL,
|
=> 0,
|
||||||
'base64 encoded HTML tags',
|
'base64 encoded HTML tags',
|
||||||
|
|
||||||
# LOGOUT TESTS
|
# LOGOUT TESTS
|
||||||
'LOGOUT',
|
'LOGOUT',
|
||||||
|
|
||||||
# 20 url=http://www.toto.com/, bad referer
|
# 18 url=http://www.toto.com/, bad referer
|
||||||
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
||||||
'http://bad.com/' => PE_BADURL,
|
'http://bad.com/' => 0,
|
||||||
'Logout required by bad site',
|
'Logout required by bad site',
|
||||||
|
|
||||||
# 21 url=http://www.toto.com/, good referer
|
# 19 url=http://www.toto.com/, good referer
|
||||||
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
'aHR0cDovL3d3dy50b3RvLmNvbS8=',
|
||||||
'http://test.example.com/' => PE_OK,
|
'http://test.example.com/' => 1,
|
||||||
'Logout required by good site',
|
'Logout required by good site',
|
||||||
|
|
||||||
# 22 url=http://www?<script>, good referer
|
# 20 url=http://www?<script>, good referer
|
||||||
'aHR0cDovL3d3dz88c2NyaXB0Pg==',
|
'aHR0cDovL3d3dz88c2NyaXB0Pg==',
|
||||||
'http://test.example.com/' => PE_BADURL,
|
'http://test.example.com/' => 0,
|
||||||
'script with logout',
|
'script with logout',
|
||||||
);
|
);
|
||||||
|
|
||||||
my $count = 0;
|
my $res;
|
||||||
|
ok(
|
||||||
|
$res = &client->_post(
|
||||||
|
'/', '',
|
||||||
|
IO::String->new('user=dwho&password=dwho'),
|
||||||
|
'application/x-www-form-urlencoded', 23
|
||||||
|
),
|
||||||
|
'Auth query'
|
||||||
|
);
|
||||||
|
ok( $res->[0] == 200, 'Response is 200' ) or explain( $res->[0], 200 );
|
||||||
|
my $id;
|
||||||
|
ok( $id = getCookies($res)->{lemonldap}, 'Get LLNG cookie' )
|
||||||
|
or explain( $res, 'Set-Cookie: something' );
|
||||||
|
|
||||||
sub param {
|
count(4);
|
||||||
shift;
|
|
||||||
my $p = shift;
|
while ( defined( my $url = shift(@tests) ) ) {
|
||||||
$count++;
|
last if ( $url eq 'LOGOUT' );
|
||||||
if ( $p and $p eq 'url' ) {
|
my $redir = shift @tests;
|
||||||
return $url;
|
my $detail = shift @tests;
|
||||||
}
|
ok(
|
||||||
else {
|
$res = &client->_get(
|
||||||
return $logout;
|
'/',
|
||||||
}
|
query => "url=$url",
|
||||||
|
cookie => "lemonldap=$id",
|
||||||
|
|
||||||
|
accept => 'text/html'
|
||||||
|
),
|
||||||
|
$detail
|
||||||
|
);
|
||||||
|
ok( ( $res->[0] == ( $redir ? 302 : 200 ) ),
|
||||||
|
( $redir ? 'Get redirection' : 'Redirection dropped' ) )
|
||||||
|
or explain( $res->[0], ( $redir ? 302 : 200 ) );
|
||||||
|
count(2);
|
||||||
}
|
}
|
||||||
|
|
||||||
my $p;
|
clean_sessions();
|
||||||
|
|
||||||
# CGI Environment
|
|
||||||
$ENV{SCRIPT_NAME} = '/test.pl';
|
|
||||||
$ENV{SCRIPT_FILENAME} = '/tmp/test.pl';
|
|
||||||
$ENV{REQUEST_METHOD} = 'GET';
|
|
||||||
$ENV{REQUEST_URI} = "/test.pl";
|
|
||||||
$ENV{QUERY_STRING} = "";
|
|
||||||
|
|
||||||
ok(
|
|
||||||
$p = My::Portal->new(
|
|
||||||
{
|
|
||||||
globalStorage => 'Apache::Session::File',
|
|
||||||
domain => 'example.com',
|
|
||||||
authentication => 'LDAP test=1',
|
|
||||||
userDB => 'Null',
|
|
||||||
passwordDB => 'Null',
|
|
||||||
registerDB => 'Null',
|
|
||||||
domain => 'example.com',
|
|
||||||
trustedDomains => '.example2.com example3.com',
|
|
||||||
checkXSS => 1,
|
|
||||||
}
|
|
||||||
),
|
|
||||||
'Portal object'
|
|
||||||
);
|
|
||||||
|
|
||||||
$p->{reVHosts} = '(?:test\.example\.com)';
|
|
||||||
|
|
||||||
|
done_testing( count() );
|
||||||
|
__END__
|
||||||
while ( defined( $url = shift(@h) ) ) {
|
while ( defined( $url = shift(@h) ) ) {
|
||||||
last if ( $url eq 'LOGOUT' );
|
last if ( $url eq 'LOGOUT' );
|
||||||
$result = shift @h;
|
$result = shift @h;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user