Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
chiappa
/
irdb
-ын хуулбар https://git.snix.ch/chiappa/irdb.git
1
0
Салаа 0
Файлууд Асуудлууд 0
Мод: 393bc30ac3
Салаанууд Тагууд
irdb
/
ui
/
tests
/
Unit
/
Http
/
CspMiddlewareTest.php

CspMiddlewareTest.php 3.7 KB
Түүх Анхны өгөгдөл

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Unit\Http;
    6. 

  6. 

  7. use App\Http\CspMiddleware;
    8. 

  8. use PHPUnit\Framework\TestCase;
    9. 

  9. use Psr\Http\Message\ResponseInterface;
    10. 

  10. use Psr\Http\Message\ServerRequestInterface;
    11. 

  11. use Psr\Http\Server\RequestHandlerInterface;
    12. 

  12. use Slim\Psr7\Factory\ResponseFactory;
    13. 

  13. use Slim\Psr7\Factory\ServerRequestFactory;
    14. 

  14. 

  15. final class CspMiddlewareTest extends TestCase
    16. 

  16. {
    17. 

  17.     public function testGeneratedNoncesAreUniqueAndUrlSafe(): void
    18. 

  18.     {
    19. 

  19.         $seen = [];
    20. 

  20.         for ($i = 0; $i < 50; $i++) {
    21. 

  21.             $nonce = CspMiddleware::generateNonce();
    22. 

  22.             self::assertMatchesRegularExpression('/^[A-Za-z0-9_-]+$/', $nonce);
    23. 

  23.             self::assertFalse(in_array($nonce, $seen, true), 'nonce should be unique');
    24. 

  24.             $seen[] = $nonce;
    25. 

  25.         }
    26. 

  26.     }
    27. 

  27. 

  28.     public function testPolicyContainsNonceAndDropsUnsafeDirectives(): void
    29. 

  29.     {
    30. 

  30.         $nonce = 'TESTNONCE123';
    31. 

  31.         $policy = CspMiddleware::policy($nonce);
    32. 

  32. 

  33.         self::assertStringContainsString("'nonce-{$nonce}'", $policy);
    34. 

  34.         self::assertStringNotContainsString("'unsafe-eval'", $policy);
    35. 

  35.         // `script-src` directive itself must not list `'unsafe-inline'`.
    36. 

  36.         $scriptSrc = self::extractDirective($policy, 'script-src');
    37. 

  37.         self::assertNotSame('', $scriptSrc, 'script-src directive missing');
    38. 

  38.         self::assertStringNotContainsString("'unsafe-inline'", $scriptSrc);
    39. 

  39.         self::assertStringContainsString("'self'", $scriptSrc);
    40. 

  40.         self::assertStringContainsString("'nonce-{$nonce}'", $scriptSrc);
    41. 

  41.         // SEC_REVIEW F62: `style-src` must NOT contain `'unsafe-inline'`.
    42. 

  42.         // Inline styles attribute selectors would otherwise let an
    43. 

  43.         // attacker exfiltrate secrets like the CSRF token char-by-char.
    44. 

  44.         $styleSrc = self::extractDirective($policy, 'style-src');
    45. 

  45.         self::assertNotSame('', $styleSrc, 'style-src directive missing');
    46. 

  46.         self::assertStringNotContainsString("'unsafe-inline'", $styleSrc);
    47. 

  47.         self::assertSame("style-src 'self'", $styleSrc);
    48. 

  48.         // Defence-in-depth: frame-ancestors / form-action / base-uri locked down.
    49. 

  49.         self::assertStringContainsString("frame-ancestors 'none'", $policy);
    50. 

  50.         self::assertStringContainsString("form-action 'self'", $policy);
    51. 

  51.         self::assertStringContainsString("base-uri 'self'", $policy);
    52. 

  52.     }
    53. 

  53. 

  54.     private static function extractDirective(string $csp, string $name): string
    55. 

  55.     {
    56. 

  56.         foreach (explode(';', $csp) as $part) {
    57. 

  57.             $part = trim($part);
    58. 

  58.             if (str_starts_with($part, $name . ' ')) {
    59. 

  59.                 return $part;
    60. 

  60.             }
    61. 

  61.         }
    62. 

  62. 

  63.         return '';
    64. 

  64.     }
    65. 

  65. 

  66.     public function testProcessSetsHeaderAndExposesNonceOnRequestAttribute(): void
    67. 

  67.     {
    68. 

  68.         $middleware = new CspMiddleware();
    69. 

  69.         $request = (new ServerRequestFactory())->createServerRequest('GET', '/');
    70. 

  70.         $rf = new ResponseFactory();
    71. 

  71. 

  72.         $captured = null;
    73. 

  73.         $handler = new class ($rf, $captured) implements RequestHandlerInterface {
    74. 

  74.             public function __construct(
    75. 

  75.                 private readonly ResponseFactory $rf,
    76. 

  76.                 public ?string $captured,
    77. 

  77.             ) {
    78. 

  78.             }
    79. 

  79. 

  80.             public function handle(ServerRequestInterface $request): ResponseInterface
    81. 

  81.             {
    82. 

  82.                 $this->captured = $request->getAttribute(CspMiddleware::ATTR_NONCE);
    83. 

  83. 

  84.                 return $this->rf->createResponse(200);
    85. 

  85.             }
    86. 

  86.         };
    87. 

  87. 

  88.         $response = $middleware->process($request, $handler);
    89. 

  89. 

  90.         self::assertNotNull($handler->captured);
    91. 

  91.         self::assertNotSame('', $handler->captured);
    92. 

  92.         self::assertStringContainsString(
    93. 

  93.             "'nonce-{$handler->captured}'",
    94. 

  94.             $response->getHeaderLine('Content-Security-Policy'),
    95. 

  95.         );
    96. 

  96.     }
    97. 

  97. }
    98.