‪TYPO3CMS  11.5
ReferrerEnforcerTest.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
18 namespace ‪TYPO3\CMS\Core\Tests\Unit\Http\Security;
19 
20 use Prophecy\PhpUnit\ProphecyTrait;
21 use Psr\Http\Message\ServerRequestInterface;
22 use ‪TYPO3\CMS\Core\Http\NormalizedParams;
23 use ‪TYPO3\CMS\Core\Http\Security\InvalidReferrerException;
24 use ‪TYPO3\CMS\Core\Http\Security\MissingReferrerException;
25 use ‪TYPO3\CMS\Core\Http\Security\ReferrerEnforcer;
26 use ‪TYPO3\CMS\Core\Http\Uri;
27 use TYPO3\TestingFramework\Core\Unit\UnitTestCase;
28 
29 class ‪ReferrerEnforcerTest extends UnitTestCase
30 {
31  use ProphecyTrait;
32 
33  private static function ‪buildRefreshContentPattern(string $uri): string
34  {
35  return sprintf(
36  '#.+href="%s\d+" id="referrer-refresh".+#',
37  preg_quote(
38  htmlspecialchars($uri . (str_contains($uri, '?') ? '&' : '?') . 'referrer-refresh='),
39  '#'
40  )
41  );
42  }
43 
44  public function ‪validReferrerIsHandledDataProvider(): array
45  {
46  return [
47  // Without query parameters
48  [
49  'https://example.org/typo3/login', // requestUri
50  'https://example.org/typo3/index.php', // referrer
51  null, // options
52  null, // response
53  ],
54  [
55  'https://example.org/typo3/login',
56  '',
57  ['flags' => ['refresh-empty']],
58  ‪self::buildRefreshContentPattern(
59  'https://example.org/typo3/login'
60  ),
61  ],
62  [
63  'https://example.org/typo3/login',
64  'https://example.org/?eID=handler',
65  ['flags' => ['refresh-same-site']],
66  ‪self::buildRefreshContentPattern(
67  'https://example.org/typo3/login'
68  ),
69  ],
70  [
71  'https://example.org/typo3/login',
72  'https://other-example.site/security/',
73  ['flags' => ['refresh-always']],
74  ‪self::buildRefreshContentPattern(
75  'https://example.org/typo3/login'
76  ),
77  ],
78  // With query parameters
79  [
80  'https://example.org/typo3/login?query=parameter',
81  'https://example.org/typo3/index.php',
82  null,
83  null,
84  ],
85  [
86  'https://example.org/typo3/login?query=parameter',
87  '',
88  ['flags' => ['refresh-empty']],
89  ‪self::buildRefreshContentPattern(
90  'https://example.org/typo3/login?query=parameter'
91  ),
92  ],
93  [
94  'https://example.org/typo3/login?query=parameter',
95  'https://example.org/?eID=handler',
96  ['flags' => ['refresh-same-site']],
97  ‪self::buildRefreshContentPattern(
98  'https://example.org/typo3/login?query=parameter'
99  ),
100  ],
101  [
102  'https://example.org/typo3/login?query=parameter',
103  'https://other-example.site/security/',
104  ['flags' => ['refresh-always']],
105  ‪self::buildRefreshContentPattern(
106  'https://example.org/typo3/login?query=parameter'
107  ),
108  ],
109  ];
110  }
111 
121  public function ‪validReferrerIsHandled(string $requestUri, string $referrer, ?array $options, ?string $expectedResponse): void
122  {
123  $subject = $this->‪buildSubject($requestUri, $referrer);
124  $response = $subject->handle($options);
125 
126  if ($expectedResponse === null) {
127  self::assertNull($response);
128  } else {
129  self::assertMatchesRegularExpression($expectedResponse, (string)$response->getBody());
130  }
131  }
132 
133  public function ‪invalidReferrerIsHandledDataProvider(): array
134  {
135  return [
136  [
137  'https://example.org/typo3/login', // requestUri
138  'https://example.org/?eID=handler', // referrer
139  null, // options
140  ],
141  [
142  'https://example.org/typo3/login',
143  'https://example.org/?eID=handler',
144  ['flags' => ['refresh-empty']],
145  ],
146  [
147  'https://example.org/typo3/login',
148  'https://example.org.security/?eID=handler',
149  ['flags' => ['refresh-same-site']],
150  ],
151  [
152  'https://example.org/typo3/login',
153  'https://other-example.site/security/',
154  null,
155  ],
156  ];
157  }
158 
167  public function ‪invalidReferrerIsHandled(string $requestUri, string $referrer, ?array $options): void
168  {
169  $this->expectException(InvalidReferrerException::class);
170  $this->expectExceptionCode(1588095936);
171  $subject = $this->‪buildSubject($requestUri, $referrer);
172  $subject->handle($options);
173  }
174 
178  public function ‪missingReferrerIsHandled(): void
179  {
180  $this->expectException(MissingReferrerException::class);
181  $this->expectExceptionCode(1588095935);
182  $subject = $this->‪buildSubject(
183  'https://example.org/typo3/login',
184  ''
185  );
186  $subject->handle();
187  }
188 
189  private function ‪buildSubject(string $requestUri, string $referrer): ‪ReferrerEnforcer
190  {
191  $requestUriInstance = new ‪Uri($requestUri);
192  $host = sprintf(
193  '%s://%s',
194  $requestUriInstance->getScheme(),
195  $requestUriInstance->getHost()
196  );
197  ‪$dir = $host . rtrim(dirname($requestUriInstance->getPath()), '/') . '/';
198  parse_str($requestUriInstance->getQuery(), $queryParams);
199 
200  $normalizedParams = $this->prophesize(NormalizedParams::class);
201  $normalizedParams->getRequestHost()->willReturn($host);
202  $normalizedParams->getRequestDir()->willReturn(‪$dir);
203  $request = $this->prophesize(ServerRequestInterface::class);
204  $request->getAttribute('normalizedParams')->willReturn($normalizedParams);
205  $request->getServerParams()->willReturn(['HTTP_REFERER' => $referrer]);
206  $request->getUri()->willReturn($requestUriInstance);
207  $request->getQueryParams()->willReturn($queryParams);
208 
209  return new ‪ReferrerEnforcer($request->reveal());
210  }
211 }
‪TYPO3\CMS\Core\Http\Security\ReferrerEnforcer
Definition: ReferrerEnforcer.php:31
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\validReferrerIsHandledDataProvider
‪validReferrerIsHandledDataProvider()
Definition: ReferrerEnforcerTest.php:43
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\buildSubject
‪buildSubject(string $requestUri, string $referrer)
Definition: ReferrerEnforcerTest.php:188
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\buildRefreshContentPattern
‪static buildRefreshContentPattern(string $uri)
Definition: ReferrerEnforcerTest.php:32
‪$dir
‪$dir
Definition: validateRstFiles.php:213
‪TYPO3\CMS\Core\Http\Security\MissingReferrerException
Definition: MissingReferrerException.php:23
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\invalidReferrerIsHandled
‪invalidReferrerIsHandled(string $requestUri, string $referrer, ?array $options)
Definition: ReferrerEnforcerTest.php:166
‪TYPO3\CMS\Core\Http\Uri
Definition: Uri.php:29
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\validReferrerIsHandled
‪validReferrerIsHandled(string $requestUri, string $referrer, ?array $options, ?string $expectedResponse)
Definition: ReferrerEnforcerTest.php:120
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\invalidReferrerIsHandledDataProvider
‪invalidReferrerIsHandledDataProvider()
Definition: ReferrerEnforcerTest.php:132
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest\missingReferrerIsHandled
‪missingReferrerIsHandled()
Definition: ReferrerEnforcerTest.php:177
‪TYPO3\CMS\Core\Tests\Unit\Http\Security
Definition: ReferrerEnforcerTest.php:18
‪TYPO3\CMS\Core\Http\Security\InvalidReferrerException
Definition: InvalidReferrerException.php:23
‪TYPO3\CMS\Core\Tests\Unit\Http\Security\ReferrerEnforcerTest
Definition: ReferrerEnforcerTest.php:30
‪TYPO3\CMS\Core\Http\NormalizedParams
Definition: NormalizedParams.php:35