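 /**
  * Nonce-source handling in {@code script-src}: a nonce round-trips unchanged through
  * {@code show()}, two directives carrying the same nonce are equal with matching policy hash
  * codes, and a different nonce value makes the directives unequal.
  */
 @Test
 public void testNonceSource() throws ParseException, TokeniserException {
   // A valid nonce-source is re-serialised verbatim, base64 padding included.
   assertEquals(
       "script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='",
       parse("script-src 'self' https://example.com 'nonce-MTIzNDU2Nw=='")
           .getDirectiveByType(ScriptSrcDirective.class)
           .show());
   Policy p = parse("script-src 'nonce-MTIzNDU2Nw=='");
   Policy q = parse("script-src 'nonce-MTIzNDU2Nw=='");
   ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
   assertEquals("hash code matches", p.hashCode(), q.hashCode());
   assertTrue("nonce-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   // A different nonce must not compare equal: the nonce value is the whole security token.
   // (Message fixed: the original said "sandbox !equals", a copy-paste slip from another test.)
   q = parse("script-src 'nonce-aGVsbG8gd29ybGQ='");
   assertFalse("nonce-source !equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
 }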
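 /**
  * Host-source lists in {@code script-src}: directives with different source lists are unequal,
  * {@code union} appends the other directive's sources after the receiver's own, and identical
  * lists compare equal with matching policy hash codes.
  */
 @Test
 public void sourceListTest() throws ParseException, TokeniserException {
   Policy p = parse("script-src http://a https://b; style-src http://e");
   Policy q = parse("script-src c d");
   ScriptSrcDirective d1 = p.getDirectiveByType(ScriptSrcDirective.class);
   assertFalse(
       "source-list inequality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   // union mutates d1 in place; the merged list keeps p's sources first, then q's.
   d1.union(q.getDirectiveByType(ScriptSrcDirective.class));
   assertEquals("source-list union", "script-src http://a https://b c d", d1.show());
   // (The original also fetched q's script-src directive into an unused local here.)
   p = parse("script-src http://a https://b");
   q = parse("script-src http://a https://b");
   d1 = p.getDirectiveByType(ScriptSrcDirective.class);
   assertTrue("source-list equality", d1.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
   assertEquals("source-list hashcode equality", p.hashCode(), q.hashCode());
 }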
  /**
   * {@code frame-ancestors} ancestor-source lists: a bare directive name and {@code 'none'}
   * re-serialise unchanged, {@code union} appends the other directive's sources, equal lists
   * have equal hash codes, a bare scheme-source is accepted, malformed or contradictory values
   * are rejected, and a {@code *} directive is unchanged by union with a host-source.
   */
  @Test
  public void testAncestorSource() throws ParseException, TokeniserException {
    assertEquals(
        "directive-name, no directive-value",
        "frame-ancestors",
        parse("frame-ancestors").getDirectiveByType(FrameAncestorsDirective.class).show());
    assertEquals(
        "directive-name, directive-value",
        "frame-ancestors 'none'",
        parse("frame-ancestors 'none'").getDirectiveByType(FrameAncestorsDirective.class).show());

    Policy left = parse("frame-ancestors 'self' https://example.com");
    Policy right = parse("script-src abc; frame-ancestors http://example.com");
    FrameAncestorsDirective leftDirective = left.getDirectiveByType(FrameAncestorsDirective.class);
    FrameAncestorsDirective rightDirective =
        right.getDirectiveByType(FrameAncestorsDirective.class);

    // union mutates the receiver; the merged list keeps left's sources first, then right's.
    leftDirective.union(rightDirective);
    assertEquals(
        "ancestor-source union",
        "frame-ancestors 'self' https://example.com http://example.com",
        leftDirective.show());
    assertFalse("ancestor-source inequality", leftDirective.equals(rightDirective));

    left = parse("frame-ancestors http://example.com");
    right = parse("frame-ancestors http://example.com");
    leftDirective = left.getDirectiveByType(FrameAncestorsDirective.class);
    rightDirective = right.getDirectiveByType(FrameAncestorsDirective.class);
    assertTrue("ancestor-source equality", leftDirective.equals(rightDirective));
    assertEquals(
        "ancestor-source hashcode equality", leftDirective.hashCode(), rightDirective.hashCode());

    // A bare scheme-source ("http:") is a valid ancestor-source and compares by value.
    left = parse("frame-ancestors http:");
    right = parse("frame-ancestors http:");
    assertTrue("ancestor-source scheme-source equality", left.equals(right));
    assertEquals("ancestor-source scheme-source equality", left.hashCode(), right.hashCode());

    // "scheme::" is malformed; 'none' cannot be combined with any other source.
    failsToParse("frame-ancestors scheme::");
    failsToParse("frame-ancestors 'none' 'self'");

    // Union of a wildcard directive with a host-source still serialises as "*".
    left = parse("frame-ancestors *");
    right = parse("frame-ancestors http://example.com");
    left.union(right);
    assertEquals("frame-ancestors *", left.show());
  }
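 /**
  * {@code sandbox} directive parsing: malformed token strings are rejected, a plain token list
  * re-serialises unchanged, equal token lists are equal with matching policy hash codes, and
  * {@code union} appends the other directive's tokens.
  */
 @Test
 public void testSandboxParsing() throws ParseException, TokeniserException {
   // Both of these token strings are malformed and must be rejected rather than truncated.
   failsToParse("sandbox a!*\n");
   failsToParse("sandbox a!*^:");
   assertEquals(
       "sandbox is valid",
       "sandbox abc",
       parse("sandbox abc").getDirectiveByType(SandboxDirective.class).show());
   Policy p = parse("sandbox a");
   Policy q = parse("sandbox a");
   SandboxDirective d1 = p.getDirectiveByType(SandboxDirective.class);
   assertTrue("sandbox equals", d1.equals(q.getDirectiveByType(SandboxDirective.class)));
   assertEquals("sandbox hashcode equality", p.hashCode(), q.hashCode());
   q = parse("sandbox b; script-src a");
   // Message fixed: this is an assertFalse, so the label now says "inequality".
   assertFalse(
       "sandbox directives inequality", d1.equals(q.getDirectiveByType(SandboxDirective.class)));
   // union mutates d1 (and therefore p) in place; p and q still differ afterwards.
   d1.union(q.getDirectiveByType(SandboxDirective.class));
   assertEquals("sandbox union", "sandbox a b", d1.show());
   assertNotEquals("sandbox hashcode inequality", p.hashCode(), q.hashCode());
   // (The original also fetched q's script-src directive into an unused local here.)
 }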
  /**
   * {@code report-uri} parsing: an empty value, a bare {@code #} and the token {@code a} are
   * rejected; different URIs are unequal and {@code union} appends them; extra whitespace and a
   * trailing {@code ;} do not affect equality or hash codes; and a report-uri directive
   * coexists with a sandbox directive in one policy.
   */
  @Test
  public void testReportUri() throws ParseException, TokeniserException {
    failsToParse("report-uri ");
    failsToParse("report-uri #");
    failsToParse("report-uri a");

    Policy first = parse("report-uri http://a");
    Policy second = parse("report-uri http://b");
    ReportUriDirective reportUri = first.getDirectiveByType(ReportUriDirective.class);
    ReportUriDirective otherReportUri = second.getDirectiveByType(ReportUriDirective.class);
    assertFalse("report-uri inequality", reportUri.equals(otherReportUri));
    // union mutates the receiver; the merged directive lists first's URI, then second's.
    reportUri.union(otherReportUri);
    assertEquals("report-uri union", "report-uri http://a http://b", reportUri.show());
    assertNotEquals("report-uri hashcode shouldn't match", first.hashCode(), second.hashCode());

    // Doubled whitespace before the value and a trailing "; " are both insignificant.
    first = parse("report-uri  https://a");
    second = parse("report-uri https://a; ");
    assertEquals("report-uri hashcode match", first.hashCode(), second.hashCode());
    assertTrue("report-uri equals", first.equals(second));

    second = parse("report-uri http://a; sandbox 4");
    reportUri = second.getDirectiveByType(ReportUriDirective.class);
    SandboxDirective sandbox = second.getDirectiveByType(SandboxDirective.class);
    assertEquals("report-uri http://a", reportUri.show());
    assertEquals("sandbox 4", sandbox.show());
  }
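  /**
   * Hash-source handling in {@code script-src}: an unknown algorithm name and a digest with
   * missing base64 padding are rejected, valid SHA-256/384/512 sources round-trip through
   * {@code show()}, equal digests are equal with matching hash codes, and a digest whose length
   * does not match its algorithm is rejected with a descriptive {@link ParseException}.
   */
  @Test
  public void testHashSource() throws ParseException, TokeniserException {
    // "sha255" is not a supported algorithm name.
    failsToParse(
        "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    // The same SHA-256 digest as below, but with its trailing '=' padding missing.
    failsToParse(
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
        parse(
                "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
        parse(
                "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
        parse(
                "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    Policy p =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    Policy q =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
    ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
    assertTrue("hash-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
    // A different SHA-512 digest must not compare equal to the first one.
    q =
        parse(
            "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
    assertFalse("hash-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

    // A 20-byte digest (28 base64 chars, one '=' pad; SHA-1 sized) is the wrong length for every
    // supported algorithm. The parser must reject it with the byte count in the message rather
    // than accept a digest that could never match the declared algorithm's output.
    assertRejectedWithMessage(
        "script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='",
        "Invalid SHA-256 value (wrong length): 20");
    assertRejectedWithMessage(
        "script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='",
        "Invalid SHA-384 value (wrong length): 20");
    assertRejectedWithMessage(
        "script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='",
        "Invalid SHA-512 value (wrong length): 20");
  }

  /**
   * Asserts that {@code policy} fails to parse with a {@link ParseException} whose message is
   * exactly {@code expectedMessage}. Replaces three identical inline try/catch blocks.
   *
   * @param policy the policy text to parse
   * @param expectedMessage the exact {@code getMessage()} expected on the exception
   * @throws TokeniserException if tokenising fails before parsing; propagated unchanged, as the
   *     inline blocks only caught {@link ParseException}
   */
  private void assertRejectedWithMessage(String policy, String expectedMessage)
      throws TokeniserException {
    try {
      parse(policy);
      // Reached only if parsing succeeded; the message names the offending policy.
      fail("expected ParseException for: " + policy);
    } catch (ParseException e) {
      assertEquals(expectedMessage, e.getMessage());
    }
  }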