Beispiel #1
0
 @Test
 public void testNonceSource() throws ParseException, TokeniserException {
   assertEquals(
       "script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='",
       parse("script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='")
           .getDirectiveByType(ScriptSrcDirective.class)
           .show());
   Policy p = parse("script-src 'nonce-MTIzNDU2Nw=='");
   Policy q = parse("script-src 'nonce-MTIzNDU2Nw=='");
   ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
   assertEquals("hash code matches", p.hashCode(), q.hashCode());
   assertTrue("nonce-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   q = parse("script-src 'nonce-aGVsbG8gd29ybGQ='");
   assertFalse("sandbox !equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
 }
Beispiel #2
0
 @Test
 public void sourceListTest() throws ParseException, TokeniserException {
   Policy p = parse("script-src http://a https://b; style-src http://e");
   Policy q = parse("script-src c d");
   ScriptSrcDirective d1 = p.getDirectiveByType(ScriptSrcDirective.class);
   assertFalse(
       "source-list inequality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   d1.union(q.getDirectiveByType(ScriptSrcDirective.class));
   assertEquals("source-list union", "script-src http://a https://b c d", d1.show());
   ScriptSrcDirective d2 = q.getDirectiveByType(ScriptSrcDirective.class);
   p = parse("script-src http://a https://b");
   q = parse("script-src http://a https://b");
   d1 = p.getDirectiveByType(ScriptSrcDirective.class);
   assertTrue("source-list equality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   assertEquals("source-list hashcode equality", p.hashCode(), q.hashCode());
 }
Beispiel #3
0
  @Test
  public void testHashSource() throws ParseException, TokeniserException {
    failsToParse(
        "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    failsToParse(
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
        parse(
                "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
        parse(
                "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
        parse(
                "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    Policy p =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    Policy q =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
    ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
    assertTrue("hash-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
    q =
        parse(
            "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
    assertFalse("hash-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

    try {
      parse("script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-256 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-384 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-512 value (wrong length): 20", e.getMessage());
    }
  }