[Svn] r2323 - in trunk/roundcubemail: . tests tests/src

trac at roundcube.net trac at roundcube.net
Mon Mar 2 15:46:13 CET 2009


Author: thomasb
Date: 2009-03-02 08:46:12 -0600 (Mon, 02 Mar 2009)
New Revision: 2323

Added:
   trunk/roundcubemail/tests/
   trunk/roundcubemail/tests/mailfunc.php
   trunk/roundcubemail/tests/modcss.php
   trunk/roundcubemail/tests/runtests.sh
   trunk/roundcubemail/tests/src/
   trunk/roundcubemail/tests/src/BID-26800.txt
   trunk/roundcubemail/tests/src/htmlbody.txt
   trunk/roundcubemail/tests/src/htmlxss.txt
   trunk/roundcubemail/tests/src/plainbody.txt
   trunk/roundcubemail/tests/src/valid.css
Log:
Create some basic unit tests based in simpletest.org

Added: trunk/roundcubemail/tests/mailfunc.php
===================================================================
--- trunk/roundcubemail/tests/mailfunc.php	                        (rev 0)
+++ trunk/roundcubemail/tests/mailfunc.php	2009-03-02 14:46:12 UTC (rev 2323)
@@ -0,0 +1,110 @@
+<?php
+
+/**
+ * Test class to test steps/mail/func.inc functions
+ *
+ * @package Tests
+ */
+class rcube_test_mailfunc extends UnitTestCase
+{
+
+  function __construct()
+  {
+    $this->UnitTestCase('Mail body rendering tests');
+    
+    // simulate environment to successfully include func.inc
+    $GLOBALS['RCMAIL'] = $RCMAIL = rcmail::get_instance();
+    $GLOBALS['OUTPUT'] = $OUTPUT = $RCMAIL->load_gui();
+    $RCMAIL->action = 'spell';
+    $IMAP = $RCMAIL->imap;
+    
+    require_once 'steps/mail/func.inc';
+  }
+
+  /**
+   * Helper method to create a HTML message part object
+   */
+  function get_html_part($body)
+  {
+    $part = new rcube_message_part;
+    $part->ctype_primary = 'text';
+    $part->ctype_secondary = 'html';
+    $part->body = file_get_contents(TESTS_DIR . $body);
+    $part->replaces = array();
+    return $part;
+  }
+
+  /**
+   * Test sanitization of a "normal" html message
+   */
+  function test_html()
+  {
+    $part = $this->get_html_part('src/htmlbody.txt');
+    $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
+    
+    // render HTML in normal mode
+    $html = rcmail_print_body($part, array('safe' => false));
+
+    $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
+    $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
+    $this->assertNoPattern('/ex3.jpg/', $html, "No references to external images");
+    $this->assertNoPattern('/<meta [^>]+>/', $html, "No meta tags allowed");
+    $this->assertNoPattern('/<style [^>]+>/', $html, "No style tags allowed");
+    $this->assertNoPattern('/<form [^>]+>/', $html, "No form tags allowed");
+    $this->assertPattern('/Subscription form/', $html, "Include <form> contents");
+    $this->assertPattern('/<!-- input not allowed -->/', $html, "No input elements allowed");
+    $this->assertPattern('/<a[^>]+ target="_blank">/', $html, "Set target to _blank");
+    $this->assertTrue($GLOBALS['REMOTE_OBJECTS'], "Remote object detected");
+    
+    // render HTML in safe mode
+    $html2 = rcmail_print_body($part, array('safe' => true));
+    
+    $this->assertPattern('/<style [^>]+>/', $html2, "Allow styles in safe mode");
+    $this->assertPattern('#src="http://evilsite.net/mailings/ex3.jpg"#', $html2, "Allow external images in HTML (safe mode)");
+    $this->assertPattern("#url\('http://evilsite.net/newsletter/image/bg/bg-64.jpg'\)#", $html2, "Allow external images in CSS (safe mode)");
+  }
+
+  /**
+   * Test the elimination of some trivial XSS vulnerabilities
+   */
+  function test_html_xss()
+  {
+    $part = $this->get_html_part('src/htmlxss.txt');
+    $washed = rcmail_print_body($part, array('safe' => true));
+
+    $this->assertNoPattern('/src="skins/', $washed, "Remove local references");
+    $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
+    $this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
+  }
+
+  /**
+   * Test HTML sanitization to fix the CSS Expression Input Validation Vulnerability
+   * reported at http://www.securityfocus.com/bid/26800/
+   */
+  function test_html_xss2()
+  {
+    $part = $this->get_html_part('src/BID-26800.txt');
+    $washed = rcmail_print_body($part, array('safe' => true));
+
+    $this->assertNoPattern('/alert|expression|javascript|xss/', $washed, "Remove evil style blocks");
+    $this->assertNoPattern('/font-style:italic/', $washed, "Allow valid styles");
+  }
+
+  /**
+   * Test links pattern replacements in plaintext messages
+   */
+  function test_plaintext()
+  {
+    $part = new rcube_message_part;
+    $part->ctype_primary = 'text';
+    $part->ctype_secondary = 'plain';
+    $part->body = quoted_printable_decode(file_get_contents(TESTS_DIR . 'src/plainbody.txt'));
+    $html = rcmail_print_body($part, array('safe' => true));
+    
+    $this->assertPattern('/<a href="mailto:nobody at roundcube.net" onclick="return rcmail.command\(\'compose\',\'nobody at roundcube.net\',this\)">nobody at roundcube.net<\/a>/', $html, "Mailto links with onclick");
+    $this->assertPattern('#<a href="http://www.apple.com/legal/privacy/" target="_blank">http://www.apple.com/legal/privacy/</a>#', $html, "Links with target=_blank");
+  }
+
+}
+
+?>
\ No newline at end of file

Added: trunk/roundcubemail/tests/modcss.php
===================================================================
--- trunk/roundcubemail/tests/modcss.php	                        (rev 0)
+++ trunk/roundcubemail/tests/modcss.php	2009-03-02 14:46:12 UTC (rev 2323)
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ * Test class to test rcmail_mod_css_styles and XSS vulnerabilites
+ *
+ * @package Tests
+ */
+class rcube_test_modcss extends UnitTestCase
+{
+
+  function __construct()
+  {
+    $this->UnitTestCase('CSS modification and vulnerability tests');
+  }
+  
+  function test_modcss()
+  {
+    $css = file_get_contents(TESTS_DIR . 'src/valid.css');
+    $mod = rcmail_mod_css_styles($css, 'rcmbody');
+
+    $this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition");
+    $this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
+    $this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
+    $this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
+  }
+  
+  function test_xss()
+  {
+    $mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
+    $this->assertEqual("/* evil! */", $mod, "No url() values allowed");
+    
+    $mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
+    $this->assertEqual("/* evil! */", $mod, "No import statements");
+    
+    $mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
+    $this->assertEqual("/* evil! */", $mod, "No expression properties");
+    
+    $mod = rcmail_mod_css_styles("left:exp/*  */ression( alert('xss3') )", 'rcmbody');
+    $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks");
+    
+    $mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
+    $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)");
+  }
+  
+}
\ No newline at end of file

Added: trunk/roundcubemail/tests/runtests.sh
===================================================================
--- trunk/roundcubemail/tests/runtests.sh	                        (rev 0)
+++ trunk/roundcubemail/tests/runtests.sh	2009-03-02 14:46:12 UTC (rev 2323)
@@ -0,0 +1,53 @@
+#!/usr/bin/env php
+<?php
+
+/*
+ +-----------------------------------------------------------------------+
+ | tests/runtests.sh                                                     |
+ |                                                                       |
+ | This file is part of the RoundCube Webmail client                     |
+ | Copyright (C) 2009, RoundCube Dev. - Switzerland                      |
+ | Licensed under the GNU GPL                                            |
+ |                                                                       |
+ | PURPOSE:                                                              |
+ |   Run-script for unit tests based on http://simpletest.org            |
+ |   All .php files in this folder will be treated as tests              |
+ +-----------------------------------------------------------------------+
+ | Author: Thomas Bruederli <roundcube at gmail.com>                        |
+ +-----------------------------------------------------------------------+
+
+ $Id:  $
+
+*/
+
+if (php_sapi_name() != 'cli')
+  die("Not in shell mode (php-cli)");
+
+if (!defined('SIMPLETEST'))   define('SIMPLETEST', '/www/simpletest/');
+if (!defined('INSTALL_PATH')) define('INSTALL_PATH', realpath(dirname(__FILE__) . '/..') . '/' );
+
+define('TESTS_DIR', dirname(__FILE__) . '/');
+
+require_once(SIMPLETEST . 'unit_tester.php');
+require_once(SIMPLETEST . 'reporter.php');
+require_once(INSTALL_PATH . 'program/include/iniset.php');
+
+if (count($_SERVER['argv']) > 1) {
+  $testfiles = array();
+  for ($i=1; $i < count($_SERVER['argv']); $i++)
+    $testfiles[] = realpath('./' . $_SERVER['argv'][$i]);
+}
+else {
+  $testfiles = glob(TESTS_DIR . '*.php');
+}
+
+$test = new TestSuite('RoundCube unit tests');
+$reporter = new TextReporter();
+
+foreach ($testfiles as $fn) {
+  $test->addTestFile($fn);
+}
+
+$test->run($reporter);
+
+?>
\ No newline at end of file


Property changes on: trunk/roundcubemail/tests/runtests.sh
___________________________________________________________________
Name: svn:executable
   + *

Added: trunk/roundcubemail/tests/src/BID-26800.txt
===================================================================
--- trunk/roundcubemail/tests/src/BID-26800.txt	                        (rev 0)
+++ trunk/roundcubemail/tests/src/BID-26800.txt	2009-03-02 14:46:12 UTC (rev 2323)
@@ -0,0 +1,52 @@
+<html>
+<head>
+</head>
+<body>
+<h1>1 test</h1>
+<p><style> block</p>
+<style>input { left:expression( alert('expression!') ) }</style>
+<style>div   { background:url(alert('URL!') ) }</style>
+
+<h1>2 test</h1>
+<p><div> block</p>
+<div style="font-style:italic">valid css</div>
+<div style="{ left:expression( alert('expression!') ) }">
+<div style="{ background:url( alert('URL!') ) }">
+
+<h1>3 test</h1>
+<p>Inject comment text</p>
+<div style="{ left:exp/*  */ression( alert('xss3') ) }">
+<div style="{ background:u/* */rl( alert('xssurl3') ) }">
+
+<h1>4 test</h1>
+<p>Using reverse solid to directe the codepoint</p>
+<div style="{ left:\0065\0078pression( alert('xss4') ) }">
+<div style="{ background:\0075rl( alert('xssurl4') ) }">
+
+<h1>5 test</h1>
+<p>Character entity references</p>
+<p>Character entity references is acceptable in "inline styles"</p>
+<div style="{ left:&#x0065;xpression( alert('xss') ) }">
+<div style="{ left:expression( alert('xss') ) }">
+<div style="{ background:&#x0075;rl( alert('URL!') ) }">
+<div style="{ background:url( alert('URL!') ) }">
+<div style="{ left:&#x0065xpression( alert('xss') ) }">
+
+<div style="{ left:ï½.ï½.pï½.ï½.ï½.ï½.ï½.oï½.( alert('xss') ) }">
+<div style="{ left:ï½.ï½.&#x2f;**/pression( alert('xss') ) }">
+<div style="{ left:exp&#x0280;essio&#x0274;( alert('xss') ) }">
+<div style="{ left:&#x5c;0065&#x5c;0078pression( alert('xss') ) }">
+<div style="{ left:ex p ression( alert('xss') ) }">
+
+<div style="{ background:ï½.ï½.ï½.( javascript:alert('xss') ) }">
+<div style="{ background:&#x0075;/**/rl( javascript:alert('xss') ) }">
+<div style="{ background:\0075\0072\006c( javascript:alert('xss') ) }">
+<div style="{ background:u&#x0280;&#x029F;( javascript:alert('xss') ) 
+}">
+<div style="{ background:&#x5c;0075&#x5c;0280l( javascript:alert('xss') 
+) }">
+<div style="{ background:u r l( javascript:alert('xss') ) }">
+
+</body>
+</html>
+

Added: trunk/roundcubemail/tests/src/htmlbody.txt
===================================================================
--- trunk/roundcubemail/tests/src/htmlbody.txt	                        (rev 0)
+++ trunk/roundcubemail/tests/src/htmlbody.txt	2009-03-02 14:46:12 UTC (rev 2323)
@@ -0,0 +1,50 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
+<title>RoundCube Test Message</title>
+<style type="text/css">
+
+p, a {
+	font-family: Arial, 'Bitstream Vera Sans', Helvetica;
+	margin-top: 0px;
+	margin-bottom: 0px;
+	padding-top: 0px;
+	padding-bottom: 0px;