MediaWiki REL1_33
ContentSecurityPolicyTest.php
Go to the documentation of this file.
1<?php
2
4
7 private $csp;
8
9 protected function setUp() {
10 global $wgUploadDirectory;
11 $this->setMwGlobals( [
12 'wgAllowExternalImages' => false,
13 'wgAllowExternalImagesFrom' => [],
14 'wgAllowImageTag' => false,
15 'wgEnableImageWhitelist' => false,
16 'wgCrossSiteAJAXdomains' => [
17 'sister-site.somewhere.com',
18 '*.wikipedia.org',
19 '??.wikinews.org'
20 ],
21 'wgScriptPath' => '/w',
22 'wgForeignFileRepos' => [ [
23 'class' => ForeignAPIRepo::class,
24 'name' => 'wikimediacommons',
25 'apibase' => 'https://commons.wikimedia.org/w/api.php',
26 'url' => 'https://upload.wikimedia.org/wikipedia/commons',
27 'thumbUrl' => 'https://upload.wikimedia.org/wikipedia/commons/thumb',
28 'hashLevels' => 2,
29 'transformVia404' => true,
30 'fetchDescription' => true,
31 'descriptionCacheExpiry' => 43200,
32 'apiThumbCacheExpiry' => 0,
33 'directory' => $wgUploadDirectory,
34 'backend' => 'wikimediacommons-backend',
35 ] ],
36 ] );
37 // Note, there are some obscure globals which
38 // could affect the results which aren't included above.
39
41 $context = RequestContext::getMain();
42 $resp = $context->getRequest()->response();
43 $conf = $context->getConfig();
44 $csp = new ContentSecurityPolicy( 'secret', $resp, $conf );
45 $this->csp = TestingAccessWrapper::newFromObject( $csp );
46
47 return parent::setUp();
48 }
49
54 public function testFalsePositiveBrowser( $ua, $expected ) {
56 $this->assertEquals( $expected, $actual, $ua );
57 }
58
59 public function providerFalsePositiveBrowser() {
60 // @codingStandardsIgnoreStart Generic.Files.LineLength
61 return [
62 [ 'Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0', true ],
63 [ 'Mozilla/5.0 (X11; U; Linux i686; en-ca) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6', false ]
64 ];
65 // @codingStandardsIgnoreEnd Generic.Files.LineLength
66 }
67
72 public function testMakeCSPDirectives(
73 $policy,
74 $expectedFull,
75 $expectedReport
76 ) {
77 $actualFull = $this->csp->makeCSPDirectives( $policy, ContentSecurityPolicy::FULL_MODE );
78 $actualReport = $this->csp->makeCSPDirectives(
80 );
81 $policyJson = formatJson::encode( $policy );
82 $this->assertEquals( $expectedFull, $actualFull, "full: " . $policyJson );
83 $this->assertEquals( $expectedReport, $actualReport, "report: " . $policyJson );
84 }
85
86 public function providerMakeCSPDirectives() {
87 // @codingStandardsIgnoreStart Generic.Files.LineLength
88 return [
89 [ false, '', '' ],
90 [
91 [ 'useNonces' => false ],
92 "script-src 'unsafe-eval' 'self' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
93 "script-src 'unsafe-eval' 'self' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
94 "script-src 'unsafe-eval' 'self' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'"
95 ],
96 [
97 true,
98 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
99 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
100 ],
101 [
102 [],
103 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
104 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
105 ],
106 [
107 [ 'script-src' => [ 'http://example.com', 'http://something,else.com' ] ],
108 "script-src 'unsafe-eval' 'self' 'nonce-secret' http://example.com http://something%2Celse.com 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
109 "script-src 'unsafe-eval' 'self' 'nonce-secret' http://example.com http://something%2Celse.com 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
110 ],
111 [
112 [ 'unsafeFallback' => false ],
113 "script-src 'unsafe-eval' 'self' 'nonce-secret' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
114 "script-src 'unsafe-eval' 'self' 'nonce-secret' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
115 ],
116 [
117 [ 'unsafeFallback' => true ],
118 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
119 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
120 ],
121 [
122 [ 'default-src' => false ],
123 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
124 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
125 ],
126 [
127 [ 'default-src' => true ],
128 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
129 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
130 ],
131 [
132 [ 'default-src' => [ 'https://foo.com', 'http://bar.com', 'baz.de' ] ],
133 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
134 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org https://foo.com http://bar.com baz.de sister-site.somewhere.com *.wikipedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
135 ],
136 [
137 [ 'includeCORS' => false ],
138 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
139 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
140 ],
141 [
142 [ 'includeCORS' => false, 'default-src' => true ],
143 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
144 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline'; default-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org; style-src 'self' data: blob: https://upload.wikimedia.org https://commons.wikimedia.org 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
145 ],
146 [
147 [ 'includeCORS' => true ],
148 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
149 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
150 ],
151 [
152 [ 'report-uri' => false ],
153 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'",
154 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'",
155 ],
156 [
157 [ 'report-uri' => true ],
158 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&",
159 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&",
160 ],
161 [
162 [ 'report-uri' => 'https://example.com/index.php?foo;report=csp' ],
163 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri https://example.com/index.php?foo%3Breport=csp",
164 "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri https://example.com/index.php?foo%3Breport=csp",
165 ],
166 ];
167 }
168
172 public function testMakeCSPDirectivesImage() {
173 global $wgAllowImageTag;
174 $origImg = wfSetVar( $wgAllowImageTag, true );
175
176 $actual = $this->csp->makeCSPDirectives( true, ContentSecurityPolicy::FULL_MODE );
177
179
180 $expected = "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&";
181 $this->assertEquals( $expected, $actual );
182 }
183
188 $actual = $this->csp->makeCSPDirectives(
189 true,
191 );
192 $expected = "script-src 'unsafe-eval' 'self' 'nonce-secret' 'unsafe-inline' sister-site.somewhere.com *.wikipedia.org; default-src * data: blob:; style-src * data: blob: 'unsafe-inline'; report-uri /w/api.php?action=cspreport&format=json&reportonly=1&";
193 $this->assertEquals( $expected, $actual );
194 // @codingStandardsIgnoreEnd Generic.Files.LineLength
195 }
196
200 public function testGetHeaderName() {
201 $this->assertEquals(
202 $this->csp->getHeaderName( ContentSecurityPolicy::REPORT_ONLY_MODE ),
203 'Content-Security-Policy-Report-Only'
204 );
205 $this->assertEquals(
206 $this->csp->getHeaderName( ContentSecurityPolicy::FULL_MODE ),
207 'Content-Security-Policy'
208 );
209 }
210
214 public function testGetReportUri() {
215 $full = $this->csp->getReportUri( ContentSecurityPolicy::FULL_MODE );
216 $fullExpected = '/w/api.php?action=cspreport&format=json&';
217 $this->assertEquals( $full, $fullExpected, 'normal report uri' );
218
219 $report = $this->csp->getReportUri( ContentSecurityPolicy::REPORT_ONLY_MODE );
220 $reportExpected = $fullExpected . 'reportonly=1&';
221 $this->assertEquals( $report, $reportExpected, 'report only' );
222
223 global $wgScriptPath;
224 $origPath = wfSetVar( $wgScriptPath, '/tl;dr/a,%20wiki' );
225 $esc = $this->csp->getReportUri( ContentSecurityPolicy::FULL_MODE );
226 $escExpected = '/tl%3Bdr/a%2C%20wiki/api.php?action=cspreport&format=json&';
228 $this->assertEquals( $esc, $escExpected, 'test esc rules' );
229 }
230
235 public function testPrepareUrlForCSP( $url, $expected ) {
236 $actual = $this->csp->prepareUrlForCSP( $url );
237 $this->assertEquals( $actual, $expected, $url );
238 }
239
240 public function providerPrepareUrlForCSP() {
241 global $wgServer;
242 return [
243 [ $wgServer, false ],
244 [ 'https://example.com', 'https://example.com' ],
245 [ 'https://example.com:200', 'https://example.com:200' ],
246 [ 'http://example.com', 'http://example.com' ],
247 [ 'example.com', 'example.com' ],
248 [ '*.example.com', '*.example.com' ],
249 [ 'https://*.example.com', 'https://*.example.com' ],
250 [ '//example.com', 'example.com' ],
251 [ 'https://example.com/path', 'https://example.com' ],
252 [ 'https://example.com/path:', 'https://example.com' ],
253 [ 'https://example.com/Wikipedia:NPOV', 'https://example.com' ],
254 [ 'https://tl;dr.com', 'https://tl%3Bdr.com' ],
255 [ 'yes,no.com', 'yes%2Cno.com' ],
256 [ '/relative-url', false ],
257 [ '/relativeUrl:withColon', false ],
258 [ 'data:', 'data:' ],
259 [ 'blob:', 'blob:' ],
260 ];
261 }
262
266 public function testEscapeUrlForCSP() {
267 $escaped = $this->csp->escapeUrlForCSP( ',;%2B' );
268 $this->assertEquals( $escaped, '%2C%3B%2B' );
269 }
270
275 public function testCSPIsEnabled( $main, $reportOnly, $expected ) {
276 $this->setMwGlobals( 'wgCSPReportOnlyHeader', $reportOnly );
277 $this->setMwGlobals( 'wgCSPHeader', $main );
278 $res = ContentSecurityPolicy::isNonceRequired( RequestContext::getMain()->getConfig() );
279 $this->assertEquals( $res, $expected );
280 }
281
282 public function providerCSPIsEnabled() {
283 return [
284 [ true, true, true ],
285 [ false, true, true ],
286 [ true, false, true ],
287 [ false, false, false ],
288 [ false, [], true ],
289 [ [], false, true ],
290 [ [ 'default-src' => [ 'foo.example.com' ] ], false, true ],
291 [ [ 'useNonces' => false ], [ 'useNonces' => false ], false ],
292 [ [ 'useNonces' => true ], [ 'useNonces' => false ], true ],
293 [ [ 'useNonces' => false ], [ 'useNonces' => true ], true ],
294 ];
295 }
296}
and that you know you can do these things To protect your we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the or if you modify it For if you distribute copies of such a whether gratis or for a you must give the recipients all the rights that you have You must make sure that receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two and(2) offer you this license which gives you legal permission to copy
$wgUploadDirectory
The filesystem path of the images directory.
$wgScriptPath
The path we should point to.
$wgAllowImageTag
A different approach to the above: simply allow the "<img>" tag to be used.
$wgServer
URL of the server.
wfSetVar(&$dest, $source, $force=false)
Sets dest to source and returns the original value of dest If source is NULL, it just returns the val...
testPrepareUrlForCSP( $url, $expected)
providerPrepareUrlForCSP ContentSecurityPolicy::prepareUrlForCSP
testMakeCSPDirectives( $policy, $expectedFull, $expectedReport)
providerMakeCSPDirectives ContentSecurityPolicy::makeCSPDirectives
testEscapeUrlForCSP()
ContentSecurityPolicy::escapeUrlForCSP.
testFalsePositiveBrowser( $ua, $expected)
providerFalsePositiveBrowser ContentSecurityPolicy::falsePositiveBrowser
testCSPIsEnabled( $main, $reportOnly, $expected)
providerCSPIsEnabled ContentSecurityPolicy::isNonceRequired
testGetHeaderName()
ContentSecurityPolicy::getHeaderName.
testMakeCSPDirectivesImage()
ContentSecurityPolicy::makeCSPDirectives.
testMakeCSPDirectivesReportUri()
ContentSecurityPolicy::makeCSPDirectives.
testGetReportUri()
ContentSecurityPolicy::getReportUri.
static isNonceRequired(Config $config)
Should we set nonce attribute.
static falsePositiveBrowser( $ua)
Does this browser give false positive reports?
setMwGlobals( $pairs, $value=null)
Sets a global, maintaining a stashed version of the previous global to be restored in tearDown.
static destroySingleton()
Destroy the singleton instance, so that a new one will be created next time singleton() is called.
Definition RepoGroup.php:76
$res
Definition database.txt:21
do that in ParserLimitReportFormat instead use this to modify the parameters of the image all existing parser cache entries will be invalid To avoid you ll need to handle that somehow(e.g. with the RejectParserCacheValue hook) because MediaWiki won 't do it for you. & $defaults also a ContextSource after deleting those rows but within the same transaction you ll probably need to make sure the header is varied on and they can depend only on the ResourceLoaderContext $context
Definition hooks.txt:2848
null means default in associative array with keys and values unescaped Should be merged with default with a value of false meaning to suppress the attribute in associative array with keys and values unescaped noclasses just before the function returns a value If you return true
Definition hooks.txt:2004
processing should stop and the error should be shown to the user * false
Definition hooks.txt:187