Example #1
0
  @Test
  public void testFutureDirectives() throws TokeniserException {
    try {
      parse("referrer no-referrer");
      fail();
    } catch (ParseException e1) {
      assertEquals("The referrer directive is not in the CSP specification yet.", e1.getMessage());
    }

    try {
      parse("upgrade-insecure-requests");
      fail();
    } catch (ParseException e2) {
      assertEquals(
          "The upgrade-insecure-requests directive is not in the CSP specification yet.",
          e2.getMessage());
    }

    try {
      parse("block-all-mixed-content");
      fail();
    } catch (ParseException e3) {
      assertEquals(
          "The block-all-mixed-content directive is not in the CSP specification yet.",
          e3.getMessage());
    }
  }
Example #2
0
 @Test
 public void testAllowDirective() throws TokeniserException {
   try {
     parse("allow 'none'");
   } catch (ParseException e1) {
     assertEquals(
         "The allow directive has been replaced with default-src and is not in the CSP specification.",
         e1.getMessage());
     return;
   }
   fail();
 }
Example #3
0
 @Test
 public void testOptionsDirective() throws TokeniserException {
   try {
     parse("options inline-script");
   } catch (ParseException e1) {
     assertEquals(
         "The options directive has been replaced with 'unsafe-inline' and 'unsafe-eval' and is not in the CSP specification.",
         e1.getMessage());
     return;
   }
   fail();
 }
Example #4
0
  @Test
  public void testParseMulti() throws ParseException, TokeniserException {
    List<Policy> pl;
    ArrayList<Warning> warnings;

    pl =
        Parser.parseMulti(
            "script-src a; script-src b, , script-src c; script-src d", "https://origin.com");
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("script-src c", pl.get(1).show());

    pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"));
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("", pl.get(1).show());

    warnings = new ArrayList<>();
    pl = Parser.parseMulti("script-src a,", URI.parse("https://origin.com"), warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("", pl.get(1).show());
    assertEquals(0, warnings.size());

    warnings = new ArrayList<>();
    pl = Parser.parseMulti("script-src a, sandbox", "https://origin.com", warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("sandbox", pl.get(1).show());
    assertEquals(0, warnings.size());

    warnings = new ArrayList<>();
    pl =
        ParserWithLocation.parseMulti(
            "   plugin-types  a/b  , script-src 'unsafe-redirect'", "https://origin.com", warnings);
    assertEquals(2, pl.size());
    assertEquals("plugin-types a/b", pl.get(0).show());
    assertEquals("script-src 'unsafe-redirect'", pl.get(1).show());
    assertEquals(1, warnings.size());
    assertEquals(
        "1:36: 'unsafe-redirect' has been removed from CSP as of version 2.0",
        warnings.get(0).show());

    warnings = new ArrayList<>();
    pl =
        ParserWithLocation.parseMulti(
            "script-src a, frame-src b", URI.parse("https://origin.com"), warnings);
    assertEquals(2, pl.size());
    assertEquals("script-src a", pl.get(0).show());
    assertEquals("frame-src b", pl.get(1).show());
    assertEquals(1, warnings.size());
    assertEquals(
        "1:15: The frame-src directive is deprecated as of CSP version 1.1. Authors who wish to govern nested browsing contexts SHOULD use the child-src directive instead.",
        warnings.get(0).show());

    try {
      pl.clear();
      pl = Parser.parseMulti("script-src a,b", "https://origin.com");
      fail();
    } catch (IllegalArgumentException e1) {
      assertEquals(0, pl.size());
      assertEquals("Unrecognised directive name: b", e1.getMessage());
    }

    try {
      ParserWithLocation.parse(
          "script-src a, script-src b", "https://origin.com", new ArrayList<>());
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals("1:13: expecting end of policy but found ,", e1.getMessage());
    }

    try {
      Parser.parse("script-src a, script-src b", "https://origin.com");
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals("expecting end of policy but found ,", e1.getMessage());
    }

    try {
      pl.clear();
      pl = ParserWithLocation.parseMulti("allow 'none', options", "https://origin.com");
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals(
          "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
          e1.getMessage());
    }

    try {
      pl.clear();
      pl = ParserWithLocation.parseMulti("allow 'none', referrer", URI.parse("https://origin.com"));
      fail();
    } catch (ParseException e1) {
      assertEquals(0, pl.size());
      assertEquals(
          "1:1: The allow directive has been replaced with default-src and is not in the CSP specification.",
          e1.getMessage());
    }

    failsToParse("script-src *, ");
  }
Example #5
0
  @Test
  public void testHashSource() throws ParseException, TokeniserException {
    failsToParse(
        "script-src 'self' https://example.com 'sha255-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    failsToParse(
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols'");
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='",
        parse(
                "script-src 'self' https://example.com 'sha256-K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'",
        parse(
                "script-src 'self' https://example.com 'sha384-QXIS/RyLxYlv79jbWK+CRUXoWw0FRkCTZqMK73Jp+uJYFzvRhfsmLIbzu4b7oENo'")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    assertEquals(
        "directive-name, directive-value",
        "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='",
        parse(
                "script-src 'self' https://example.com 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='")
            .getDirectiveByType(ScriptSrcDirective.class)
            .show());
    Policy p =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    Policy q =
        parse(
            "script-src 'sha512-vSsar3708Jvp9Szi2NWZZ02Bqp1qRCFpbcTZPdBhnWgs5WtNZKnvCXdhztmeD2cmW192CF5bDufKRpayrW/isg=='");
    assertEquals("hash-source hashcode equality", p.hashCode(), q.hashCode());
    ScriptSrcDirective d = p.getDirectiveByType(ScriptSrcDirective.class);
    assertTrue("hash-source equals", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));
    q =
        parse(
            "script-src 'sha512-HD6Xh+Y6oIZnXv4XqbKxrb6t3RkoPYv+NkqOBE8MwkssuATRE2aFBp8Nm9kp/Xn5a4l2Ki8QkX5qIUlbXQgO4Q=='");
    assertFalse("hash-source inequality", d.equals(q.getDirectiveByType(ScriptSrcDirective.class)));

    try {
      parse("script-src 'sha256-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-256 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha384-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-384 value (wrong length): 20", e.getMessage());
    }

    try {
      parse("script-src 'sha512-gpw4BEAbByf3D3PUQV4WJADL5Xs='");
      fail();
    } catch (ParseException e) {
      assertEquals("Invalid SHA-512 value (wrong length): 20", e.getMessage());
    }
  }