You are here

class RequestSanitizerTest in Drupal 7

Tests DrupalRequestSanitizer class.

Hierarchy

Expanded class hierarchy of RequestSanitizerTest

File

modules/simpletest/tests/request_sanitizer.test, line 11
Tests for the RequestSanitizer class.

View source
class RequestSanitizerTest extends DrupalUnitTestCase {

  /**
   * Log of errors triggered during sanitization.
   *
   * @var array
   */
  protected $errors;

  /**
   * {@inheritdoc}
   */
  public static function getInfo() {
    return array(
      'name' => 'DrupalRequestSanitizer',
      'description' => 'Test the DrupalRequestSanitizer class',
      'group' => 'System',
    );
  }

  /**
   * {@inheritdoc}
   */
  protected function setUp() {
    require_once DRUPAL_ROOT . '/includes/request-sanitizer.inc';
    parent::setUp();
    set_error_handler(array(
      $this,
      "sanitizerTestErrorHandler",
    ));
  }

  /**
   * Iterate through all the RequestSanitizerTests.
   */
  public function testRequestSanitization() {
    foreach ($this
      ->requestSanitizerTests() as $label => $data) {
      $this->errors = array();

      // Normalize the test parameters.
      $test = array(
        'request' => $data[0],
        'expected' => isset($data[1]) ? $data[1] : array(),
        'expected_errors' => isset($data[2]) ? $data[2] : NULL,
        'whitelist' => isset($data[3]) ? $data[3] : array(),
      );
      $this
        ->requestSanitizationTest($test['request'], $test['expected'], $test['expected_errors'], $test['whitelist'], $label);
    }
  }

  /**
   * Tests RequestSanitizer class.
   *
   * @param \SanitizerTestRequest $request
   *   The request to sanitize.
   * @param array $expected
   *   An array of expected request parameters after sanitization.
   * @param array|null $expected_errors
   *   An array of expected errors. If set to NULL then error logging is
   *   disabled.
   * @param array $whitelist
   *   An array of keys to whitelist and not sanitize.
   * @param string $label
   *   A descriptive name for each test / group of assertions.
   *
   * @throws \ReflectionException
   */
  public function requestSanitizationTest(SanitizerTestRequest $request, array $expected = array(), array $expected_errors = NULL, array $whitelist = array(), $label = NULL) {

    // Set up globals.
    $_GET = $request
      ->getQuery();
    $_POST = $request
      ->getRequest();
    $_COOKIE = $request
      ->getCookies();
    $_REQUEST = array_merge($request
      ->getQuery(), $request
      ->getRequest());
    $GLOBALS['conf']['sanitize_input_whitelist'] = $whitelist;
    $GLOBALS['conf']['sanitize_input_logging'] = is_null($expected_errors) ? FALSE : TRUE;
    if ($label !== 'already sanitized request') {
      $reflection = new \ReflectionProperty('DrupalRequestSanitizer', 'sanitized');
      $reflection
        ->setAccessible(TRUE);
      $reflection
        ->setValue(NULL, FALSE);
    }
    DrupalRequestSanitizer::sanitize();
    if (isset($_GET['destination'])) {
      DrupalRequestSanitizer::cleanDestination();
    }

    // Normalise the expected data.
    $expected += array(
      'cookies' => array(),
      'query' => array(),
      'request' => array(),
    );

    // Test PHP globals.
    $this
      ->assertEqualLabelled($expected['cookies'], $_COOKIE, NULL, 'Other', $label . ' (COOKIE)');
    $this
      ->assertEqualLabelled($expected['query'], $_GET, NULL, 'Other', $label . ' (GET)');
    $this
      ->assertEqualLabelled($expected['request'], $_POST, NULL, 'Other', $label . ' (POST)');
    $expected_request = array_merge($expected['query'], $expected['request']);
    $this
      ->assertEqualLabelled($expected_request, $_REQUEST, NULL, 'Other', $label . ' (REQUEST)');

    // Ensure any expected errors have been triggered.
    if (!empty($expected_errors)) {
      foreach ($expected_errors as $expected_error) {
        $this
          ->assertError($expected_error, E_USER_NOTICE, $label . ' (errors)');
      }
    }
    else {
      $this
        ->assertEqualLabelled(array(), $this->errors, NULL, 'Other', $label . ' (errors)');
    }
  }

  /**
   * Data provider for testRequestSanitization.
   *
   * @return array
   *   A list of tests to carry out.
   */
  public function requestSanitizerTests() {
    $tests = array();
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ));
    $tests['no sanitization GET'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      'field' => 'value',
    ));
    $tests['no sanitization POST'] = array(
      $request,
      array(
        'request' => array(
          'field' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization COOKIE'] = array(
      $request,
      array(
        'cookies' => array(
          'key' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ), array(
      'field' => 'value',
    ), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization GET, POST, COOKIE'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
        'request' => array(
          'field' => 'value',
        ),
        'cookies' => array(
          'key' => 'value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
    ));
    $tests['no sanitization GET log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(), array(
      'field' => 'value',
    ));
    $tests['no sanitization POST log'] = array(
      $request,
      array(
        'request' => array(
          'field' => 'value',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      'key' => 'value',
    ));
    $tests['no sanitization COOKIE log'] = array(
      $request,
      array(
        'cookies' => array(
          'key' => 'value',
        ),
      ),
      array(),
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['sanitization GET'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['sanitization POST'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization COOKIE'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ), array(
      '#field' => 'value',
    ), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization GET, POST, COOKIE'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['sanitization GET log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #q',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['sanitization POST log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from request body parameters (POST): #field',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization COOKIE log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from cookie parameters (COOKIE): #key',
      ),
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ), array(
      '#field' => 'value',
    ), array(), array(
      '#key' => 'value',
    ));
    $tests['sanitization GET, POST, COOKIE log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #q',
        'Potentially unsafe keys removed from request body parameters (POST): #field',
        'Potentially unsafe keys removed from cookie parameters (COOKIE): #key',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
      ),
    ));
    $tests['recursive sanitization log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(),
        ),
      ),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #bar',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
      ),
    ));
    $tests['recursive no sanitization whitelist'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(
            '#bar' => 'foo',
          ),
        ),
      ),
      array(),
      array(
        '#bar',
      ),
    );
    $request = new SanitizerTestRequest(array(), array(
      '#field' => 'value',
    ));
    $tests['no sanitization POST whitelist'] = array(
      $request,
      array(
        'request' => array(
          '#field' => 'value',
        ),
      ),
      array(),
      array(
        '#field',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'q' => 'index.php',
      'foo' => array(
        '#bar' => 'foo',
        '#foo' => 'bar',
      ),
    ));
    $tests['recursive multiple sanitization log'] = array(
      $request,
      array(
        'query' => array(
          'q' => 'index.php',
          'foo' => array(),
        ),
      ),
      array(
        'Potentially unsafe keys removed from query string parameters (GET): #bar, #foo',
      ),
    );
    $request = new SanitizerTestRequest(array(
      '#q' => 'index.php',
    ));
    $tests['already sanitized request'] = array(
      $request,
      array(
        'query' => array(
          '#q' => 'index.php',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?%23test=value',
    ));
    $tests['destination removal GET'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?%23test=value',
    ));
    $tests['destination removal GET log'] = array(
      $request,
      array(),
      array(
        'Potentially unsafe destination removed from query string parameters (GET) because it contained the following keys: #test',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q[%23test]=value',
    ));
    $tests['destination removal subkey'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q[%23test]=value',
    ));
    $tests['destination whitelist'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever?q[%23test]=value',
        ),
      ),
      array(),
      array(
        '#test',
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => "whatever?\0bar=base&%23test=value",
    ));
    $tests['destination removal zero byte'] = array(
      $request,
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever?q=value',
    ));
    $tests['destination kept'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever?q=value',
        ),
      ),
    );
    $request = new SanitizerTestRequest(array(
      'destination' => 'whatever',
    ));
    $tests['destination no query'] = array(
      $request,
      array(
        'query' => array(
          'destination' => 'whatever',
        ),
      ),
    );
    return $tests;
  }

  /**
   * Catches and logs errors to $this->errors.
   *
   * @param int $errno
   *   The severity level of the error.
   * @param string $errstr
   *   The error message.
   */
  public function sanitizerTestErrorHandler($errno, $errstr) {
    $this->errors[] = compact('errno', 'errstr');
  }

  /**
   * Asserts that the expected error has been logged.
   *
   * @param string $errstr
   *   The error message.
   * @param int $errno
   *   The severity level of the error.
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertError($errstr, $errno, $label) {
    $label = empty($label) ? '' : $label . ': ';
    foreach ($this->errors as $error) {
      if ($error['errstr'] === $errstr && $error['errno'] === $errno) {
        return $this
          ->pass($label . "Error with level {$errno} and message '{$errstr}' found");
      }
    }
    return $this
      ->fail($label . "Error with level {$errno} and message '{$errstr}' not found in " . var_export($this->errors, TRUE));
  }

  /**
   * Asserts two values are equal, includes a label.
   *
   * @param mixed $first
   *   The first value to check.
   * @param mixed $second
   *   The second value to check.
   * @param string $message
   *   The message to display along with the assertion.
   * @param string $group
   *   The type of assertion - examples are "Browser", "PHP".
   * @param string $label
   *   The label to include with the message.
   *
   * @return bool
   *   TRUE if the assertion succeeded, FALSE otherwise.
   */
  protected function assertEqualLabelled($first, $second, $message = '', $group = 'Other', $label = '') {
    $label = empty($label) ? '' : $label . ': ';
    $message = $message ? $message : t('Value @first is equal to value @second.', array(
      '@first' => var_export($first, TRUE),
      '@second' => var_export($second, TRUE),
    ));
    return $this
      ->assert($first == $second, $label . $message, $group);
  }

}

Members

Namesort descending Modifiers Type Description Overrides
DrupalTestCase::$assertions protected property Assertions thrown in that test case.
DrupalTestCase::$databasePrefix protected property The database prefix of this test run.
DrupalTestCase::$originalFileDirectory protected property The original file directory, before it was changed for testing purposes.
DrupalTestCase::$results public property Current results of this test case.
DrupalTestCase::$setup protected property Flag to indicate whether the test has been set up.
DrupalTestCase::$setupDatabasePrefix protected property
DrupalTestCase::$setupEnvironment protected property
DrupalTestCase::$skipClasses protected property This class is skipped when looking for the source of an assertion.
DrupalTestCase::$testId protected property The test run ID.
DrupalTestCase::$timeLimit protected property Time limit for the test.
DrupalTestCase::$useSetupInstallationCache public property Whether to cache the installation part of the setUp() method.
DrupalTestCase::$useSetupModulesCache public property Whether to cache the modules installation part of the setUp() method.
DrupalTestCase::$verboseDirectoryUrl protected property URL to the verbose output file directory.
DrupalTestCase::assert protected function Internal helper: stores the assert.
DrupalTestCase::assertEqual protected function Check to see if two values are equal.
DrupalTestCase::assertFalse protected function Check to see if a value is false (an empty string, 0, NULL, or FALSE).
DrupalTestCase::assertIdentical protected function Check to see if two values are identical.
DrupalTestCase::assertNotEqual protected function Check to see if two values are not equal.
DrupalTestCase::assertNotIdentical protected function Check to see if two values are not identical.
DrupalTestCase::assertNotNull protected function Check to see if a value is not NULL.
DrupalTestCase::assertNull protected function Check to see if a value is NULL.
DrupalTestCase::assertTrue protected function Check to see if a value is not false (not an empty string, 0, NULL, or FALSE).
DrupalTestCase::deleteAssert public static function Delete an assertion record by message ID.
DrupalTestCase::error protected function Fire an error assertion. 1
DrupalTestCase::errorHandler public function Handle errors during test runs. 1
DrupalTestCase::exceptionHandler protected function Handle exceptions.
DrupalTestCase::fail protected function Fire an assertion that is always negative.
DrupalTestCase::generatePermutations public static function Converts a list of possible parameters into a stack of permutations.
DrupalTestCase::getAssertionCall protected function Cycles through backtrace until the first non-assertion method is found.
DrupalTestCase::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
DrupalTestCase::insertAssert public static function Store an assertion from outside the testing context.
DrupalTestCase::pass protected function Fire an assertion that is always positive.
DrupalTestCase::randomName public static function Generates a random string containing letters and numbers.
DrupalTestCase::randomString public static function Generates a random string of ASCII characters of codes 32 to 126.
DrupalTestCase::run public function Run all tests in this class.
DrupalTestCase::verbose protected function Logs a verbose message in a text file.
DrupalUnitTestCase::tearDown protected function 1
DrupalUnitTestCase::__construct function Constructor for DrupalUnitTestCase. Overrides DrupalTestCase::__construct
RequestSanitizerTest::$errors protected property Log of errors triggered during sanitization.
RequestSanitizerTest::assertEqualLabelled protected function Asserts two values are equal, includes a label.
RequestSanitizerTest::assertError protected function Asserts that the expected error has been logged.
RequestSanitizerTest::getInfo public static function
RequestSanitizerTest::requestSanitizationTest public function Tests RequestSanitizer class.
RequestSanitizerTest::requestSanitizerTests public function Data provider for testRequestSanitization.
RequestSanitizerTest::sanitizerTestErrorHandler public function Catches and logs errors to $this->errors.
RequestSanitizerTest::setUp protected function Sets up unit test environment. Overrides DrupalUnitTestCase::setUp
RequestSanitizerTest::testRequestSanitization public function Iterate through all the RequestSanitizerTests.