Ejemplo n.º 1
0
  @Test
  public void testDirectiveNameParsing() throws ParseException, TokeniserException {
    Policy p;

    p = parse("font-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("form-action a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("frame-ancestors 'none'");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("frame-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("img-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("media-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("object-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("plugin-types */*");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("report-uri https://example.com/report");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("sandbox allow-scripts");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("script-src a");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("style-src http://*.example.com:*");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    p = parse("style-src samba://*.example.com");
    assertNotNull("policy should not be null", p);
    assertEquals("directive count", 1, p.getDirectives().size());

    failsToParse("abc");
    failsToParse("zzscript-src *; bla");
  }
Ejemplo n.º 2
0
  @Test
  public void testAncestorSource() throws ParseException, TokeniserException {
    assertEquals(
        "directive-name, no directive-value",
        "frame-ancestors",
        parse("frame-ancestors").getDirectiveByType(FrameAncestorsDirective.class).show());
    assertEquals(
        "directive-name, directive-value",
        "frame-ancestors 'none'",
        parse("frame-ancestors 'none'").getDirectiveByType(FrameAncestorsDirective.class).show());

    Policy p;
    p = parse("frame-ancestors 'self' https://example.com");
    Policy q;
    q = parse("script-src abc; frame-ancestors http://example.com");
    FrameAncestorsDirective d1 = p.getDirectiveByType(FrameAncestorsDirective.class);
    FrameAncestorsDirective d2 = q.getDirectiveByType(FrameAncestorsDirective.class);

    d1.union(d2);
    assertEquals(
        "ancestor-source union",
        "frame-ancestors 'self' https://example.com http://example.com",
        d1.show());
    assertFalse("ancestor-source inequality", d1.equals(d2));

    p = parse("frame-ancestors http://example.com");
    q = parse("frame-ancestors http://example.com");
    d1 = p.getDirectiveByType(FrameAncestorsDirective.class);
    d2 = q.getDirectiveByType(FrameAncestorsDirective.class);
    assertTrue("ancestor-source equality", d1.equals(d2));
    assertEquals("ancestor-source hashcode equality", d1.hashCode(), d2.hashCode());
    p = parse("frame-ancestors http:");
    q = parse("frame-ancestors http:");
    assertTrue("ancestor-source scheme-source equality", p.equals(q));
    assertEquals("ancestor-source scheme-source equality", p.hashCode(), q.hashCode());

    failsToParse("frame-ancestors scheme::");
    failsToParse("frame-ancestors 'none' 'self'");

    p = parse("frame-ancestors *");
    q = parse("frame-ancestors http://example.com");
    p.union(q);
    assertEquals("frame-ancestors *", p.show());
  }
Ejemplo n.º 3
0
  @Test()
  public void testPluginTypesParsing() throws ParseException, TokeniserException {
    failsToParse("plugin-types");
    // XXX: technically allowed via ietf-token if an RFC introduces a type/subtype that is empty
    failsToParse("plugin-types /");
    assertEquals(
        "directive-name, directive-value",
        "plugin-types a/b",
        parse("plugin-types a/b").getDirectiveByType(PluginTypesDirective.class).show());
    assertEquals(
        "directive-name, directive-value",
        "plugin-types a/b c/d",
        parse("plugin-types a/b c/d").getDirectiveByType(PluginTypesDirective.class).show());
    assertEquals(
        "directive-name, directive-value",
        "plugin-types x-a/x-b",
        parse("plugin-types x-a/x-b").getDirectiveByType(PluginTypesDirective.class).show());
    assertEquals(
        "directive-name, directive-value",
        "plugin-types X-A/X-B",
        parse("plugin-types X-A/X-B").getDirectiveByType(PluginTypesDirective.class).show());

    Policy p, q;
    p = parse("plugin-types a/b");
    q = parse("plugin-types c/d; script-src *");

    PluginTypesDirective d1 = p.getDirectiveByType(PluginTypesDirective.class);
    PluginTypesDirective d2 = q.getDirectiveByType(PluginTypesDirective.class);

    d1.union(d2);
    assertEquals("plugin-types union", "plugin-types a/b c/d", d1.show());
    p = parse("plugin-types a/b");
    q = parse("plugin-types a/c;");
    d1 = p.getDirectiveByType(PluginTypesDirective.class);
    d2 = q.getDirectiveByType(PluginTypesDirective.class);
    assertFalse("plugin-type subtype inequality", d1.equals(d2));
    p = parse("plugin-types a/b");
    q = parse("plugin-types a/b;");
    d1 = p.getDirectiveByType(PluginTypesDirective.class);
    d2 = q.getDirectiveByType(PluginTypesDirective.class);
    assertEquals("plugin-types hashcode equality", d1.hashCode(), d2.hashCode());
  }
Ejemplo n.º 4
0
 @Test
 public void testSandboxParsing() throws ParseException, TokeniserException {
   failsToParse("sandbox a!*\n");
   failsToParse("sandbox a!*^:");
   assertEquals(
       "sandbox is valid",
       "sandbox abc",
       parse("sandbox abc").getDirectiveByType(SandboxDirective.class).show());
   Policy p;
   p = parse("sandbox a");
   Policy q;
   q = parse("sandbox a");
   SandboxDirective d1 = p.getDirectiveByType(SandboxDirective.class);
   assertTrue("sandbox equals", d1.equals(q.getDirectiveByType(SandboxDirective.class)));
   assertEquals("sandbox hashcode equality", p.hashCode(), q.hashCode());
   q = parse("sandbox b; script-src a");
   assertFalse(
       "sandbox directives equality", d1.equals(q.getDirectiveByType(SandboxDirective.class)));
   d1.union(q.getDirectiveByType(SandboxDirective.class));
   assertEquals("sandbox union", "sandbox a b", d1.show());
   assertNotEquals("sandbox hashcode inequality", p.hashCode(), q.hashCode());
   ScriptSrcDirective d2 = q.getDirectiveByType(ScriptSrcDirective.class);
 }
Ejemplo n.º 5
0
  @Test
  public void testReportUri() throws ParseException, TokeniserException {
    failsToParse("report-uri ");
    failsToParse("report-uri #");
    failsToParse("report-uri a");
    Policy p, q;
    p = parse("report-uri http://a");
    q = parse("report-uri http://b");
    ReportUriDirective d1 = p.getDirectiveByType(ReportUriDirective.class);
    assertFalse("report-uri inequality", d1.equals(q.getDirectiveByType(ReportUriDirective.class)));
    d1.union(q.getDirectiveByType(ReportUriDirective.class));
    assertEquals("report-uri union", "report-uri http://a http://b", d1.show());
    assertNotEquals("report-uri hashcode shouldn't match", p.hashCode(), q.hashCode());

    p = parse("report-uri  https://a");
    q = parse("report-uri https://a; ");
    assertEquals("report-uri hashcode match", p.hashCode(), q.hashCode());
    assertTrue("report-uri equals", p.equals(q));
    q = parse("report-uri http://a; sandbox 4");
    d1 = q.getDirectiveByType(ReportUriDirective.class);
    SandboxDirective d2 = q.getDirectiveByType(SandboxDirective.class);
    assertEquals("report-uri http://a", d1.show());
    assertEquals("sandbox 4", d2.show());
  }
Ejemplo n.º 6
0
  @Test
  public void testSourceExpressionParsing() throws ParseException, TokeniserException {
    assertEquals("directive-name, no directive-value", "base-uri", parseAndShow("base-uri"));
    assertEquals("directive-name, <tab>", "base-uri", parseAndShow("base-uri\t"));
    assertEquals("directive-name, <space>", "base-uri", parseAndShow("base-uri "));
    assertEquals("directive-name, 3*<space>", "base-uri", parseAndShow("base-uri   "));
    assertEquals("directive-name, scheme-part", "base-uri https:", parseAndShow("base-uri https:"));
    assertEquals(
        "directive-name, 2*scheme-part",
        "base-uri file: javascript:",
        parseAndShow("base-uri file: javascript: "));
    assertEquals(
        "directive-name, eliminated scheme-part", "base-uri *", parseAndShow("base-uri * https:"));
    assertEquals("directive-name, host-part *", "base-uri *", parseAndShow("base-uri *"));
    assertEquals("directive-name, host-part *.", "base-uri *.a", parseAndShow("base-uri *.a"));

    assertEquals(
        "represent origin host-source as 'self' keyword-source",
        "default-src 'self'",
        parse("default-src http://example.com").show());

    failsToParse("connect-src 'none' scheme:");
    failsToParse("connect-src scheme: 'none'");

    // XXX: these two tests are actually valid according to the CSP spec, but we choose not to
    // support paths other than path-abempty
    failsToParse("base-uri abc_");
    failsToParse("base-uri abc..");

    assertEquals("directive-name, port-part", "base-uri *:12", parseAndShow("base-uri *:12"));
    failsToParse("base-uri *:ee");
    assertEquals("directive-name, path-part", "base-uri */abc", parseAndShow("base-uri */abc"));
    failsToParse("base-uri *\n");
    assertEquals(
        "directive-name, full host source",
        "base-uri https://a.com:888/ert",
        parseAndShow("base-uri https://a.com:888/ert"));

    // GH-79 should pass
    assertEquals(
        "directive-name, host-source *:*", "script-src *:*", parseAndShow("script-src *:*"));
    assertEquals(
        "directive-name, host-source a:*", "script-src a:*", parseAndShow("script-src a:*"));
    assertEquals(
        "directive-name, host-source http://a:*",
        "script-src http://a:*",
        parseAndShow("script-src http://a:*"));

    // GH-81 should pass
    assertEquals("optimisation", "", parseAndShow("script-src example.com *"));
    assertEquals("optimisation", "", parseAndShow("script-src 'self' *"));
  }
Ejemplo n.º 7
0
  @Test
  public void testParseMulti() throws ParseException, TokeniserException {
    List<Policy> pl;
    ArrayList<Warning> warnings;

    pl =
        Parser.parseMulti(
            "script-src a; script-src b, , script-src c; script-src d", "https://origin.com");
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("script-src c", pl.get(1).show());

    pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"));
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("", pl.get(1).show());

    warnings = new ArrayList<>();
    pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"), warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("", pl.get(1).show());
    assertEquals(0, warnings.size());

    warnings = new ArrayList<>();
    pl = Parser.parseMulti("script-src a, sandbox", "https://origin.com", warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("sandbox", pl.get(1).show());
    assertEquals(0, warnings.size());

    warnings = new ArrayList<>();
    pl =
        ParserWithLocation.parseMulti(
            "   plugin-types  a/b  , script-src 'unsafe-redirect'", "https://origin.com", warnings);
    assertEquals(2, pl.size());
    assertEquals("plugin-types a/b", pl.get(0).show());
    assertEquals("script-src 'unsafe-redirect'", pl.get(1).show());
    assertEquals(1, warnings.size());
    assertEquals(
        "1:36: 'unsafe-redirect' has been removed from CSP as of version 2.0",
        warnings.get(0).show());

    warnings = new ArrayList<>();
    pl =
        ParserWithLocation.parseMulti(
            "script-src a, frame-src b", URI.parse("https://origin.com"), warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("frame-src b", pl.get(1).show());
    assertEquals(1, warnings.size());
    assertEquals(
        "1:15: The frame-src directive is deprecated as of CSP version 1.1. Authors who wish to govern nested browsing contexts SHOULD use the child-src directive instead.",
        warnings.get(0).show());

    try {
      pl.clear();
      pl = Parser.parseMulti("script-src a,b", "https://origin.com");
      fail();
    } catch (IllegalArgumentException e1) {
      assertEquals(0, pl.size());
      assertEquals("Unrecognised directive name: b", e1.getMessage());
    }

    try {
      ParserWithLocation.parse(
          "script-src a, script-src b", "https://origin.com", new ArrayList<>());
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals("1:13: expecting end of policy but found ,", e1.getMessage());
    }

    try {
      Parser.parse("script-src a, script-src b", "https://origin.com");
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals("expecting end of policy but found ,", e1.getMessage());
    }

    try {
      pl.clear();
      pl = ParserWithLocation.parseMulti("allow 'none', options", "https://origin.com");
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals(
          "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
          e1.getMessage());
    }

    try {
      pl.clear();
      pl = ParserWithLocation.parseMulti("allow 'none', referrer", URI.parse("https://origin.com"));
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals(
          "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
          e1.getMessage());
    }

    failsToParse("script-src *, ");
  }
Ejemplo n.º 8
0
  @Test
  public void testHashSource() throws ParseException, TokeniserException {
    failsToParse(
        "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    failsToParse(
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
        parse(
                "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
        parse(
                "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
        parse(
                "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    Policy p =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    Policy q =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
    ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
    assertTrue("hash-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
    q =
        parse(
            "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
    assertFalse("hash-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

    try {
      parse("script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-256 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-384 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-512 value (wrong length): 20", e.getMessage());
    }
  }