Search moodle.org's
Developer Documentation
Developer Documentation
See Release Notes
Long Term Support Release
- Bug fixes for general core bugs in 3.9.x will end* 10 May 2021 (12 months).
- Bug fixes for security issues in 3.9.x will end* 8 May 2023 (36 months).
- PHP version: minimum PHP 7.2.0 Note: minimum PHP version has increased since Moodle 3.8. PHP 7.3.x and 7.4.x are supported too.
/lib/tests/ -> curl_security_helper_test.php (source)
Differences Between: [Versions 39 and 310] [Versions 39 and 311] [Versions 39 and 400] [Versions 39 and 401] [Versions 39 and 402] [Versions 39 and 403]
1 <?php 2 // This file is part of Moodle - http://moodle.org/ 3 // 4 // Moodle is free software: you can redistribute it and/or modify 5 // it under the terms of the GNU General Public License as published by 6 // the Free Software Foundation, either version 3 of the License, or 7 // (at your option) any later version. 8 // 9 // Moodle is distributed in the hope that it will be useful, 10 // but WITHOUT ANY WARRANTY; without even the implied warranty of 11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 // GNU General Public License for more details. 13 // 14 // You should have received a copy of the GNU General Public License 15 // along with Moodle. If not, see <http://www.gnu.org/licenses/>. 16 17 /** 18 * Unit tests for /lib/classes/curl/curl_security_helper.php. 19 * 20 * @package core 21 * @copyright 2016 Jake Dallimore <jrhdallimore@gmail.com> 22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 23 */ 24 25 defined('MOODLE_INTERNAL') || die(); 26 27 /** 28 * cURL security test suite. 29 * 30 * Note: The curl_security_helper class performs forward and reverse DNS look-ups in some cases. This class will not attempt to test 31 * this functionality as look-ups can vary from machine to machine. Instead, human testing with known inputs/outputs is recommended. 32 * 33 * @package core 34 * @copyright 2016 Jake Dallimore <jrhdallimore@gmail.com> 35 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later 36 */ 37 class core_curl_security_helper_testcase extends advanced_testcase { 38 /** 39 * Test for \core\files\curl_security_helper::url_is_blocked(). 40 * 41 * @param array $dns a mapping between hosts and IPs to be used instead of a real DNS lookup. The values must be arrays. 42 * @param string $url the url to validate. 43 * @param string $blockedhosts the list of blocked hosts. 44 * @param string $allowedports the list of allowed ports. 45 * @param bool $expected the expected result. 46 * @dataProvider curl_security_url_data_provider 47 */ 48 public function test_curl_security_helper_url_is_blocked($dns, $url, $blockedhosts, $allowedports, $expected) { 49 $this->resetAfterTest(true); 50 $helper = $this->getMockBuilder('\core\files\curl_security_helper') 51 ->setMethods(['get_host_list_by_name']) 52 ->getMock(); 53 54 // Override the get host list method to return hard coded values based on a mapping provided by $dns. 55 $helper->method('get_host_list_by_name') 56 ->will( 57 $this->returnCallback( 58 function($host) use ($dns) { 59 return isset($dns[$host]) ? $dns[$host] : []; 60 } 61 ) 62 ); 63 64 set_config('curlsecurityblockedhosts', $blockedhosts); 65 set_config('curlsecurityallowedport', $allowedports); 66 $this->assertEquals($expected, $helper->url_is_blocked($url)); 67 } 68 69 /** 70 * Data provider for test_curl_security_helper_url_is_blocked(). 71 * 72 * @return array 73 */ 74 public function curl_security_url_data_provider() { 75 $simpledns = ['localhost' => ['127.0.0.1']]; 76 $multiplerecorddns = [ 77 'sub.example.com' => ['1.2.3.4', '5.6.7.8'] 78 ]; 79 // Format: url, blocked hosts, allowed ports, expected result. 80 return [ 81 // Base set without the blacklist enabled - no checking takes place. 82 [$simpledns, "http://localhost/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http). 83 [$simpledns, "http://localhost:80/x.png", "", "", false], // IP=127.0.0.1, Port=80 (specific port overrides http scheme). 84 [$simpledns, "https://localhost/x.png", "", "", false], // IP=127.0.0.1, Port=443 (port inferred from https). 85 [$simpledns, "http://localhost:443/x.png", "", "", false], // IP=127.0.0.1, Port=443 (specific port overrides http scheme). 86 [$simpledns, "localhost/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http fallback). 87 [$simpledns, "localhost:443/x.png", "", "", false], // IP=127.0.0.1, Port=443 (port hard specified, despite http fallback). 88 [$simpledns, "http://127.0.0.1/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http). 89 [$simpledns, "127.0.0.1/x.png", "", "", false], // IP=127.0.0.1, Port=80 (port inferred from http fallback). 90 [$simpledns, "http://localhost:8080/x.png", "", "", false], // IP=127.0.0.1, Port=8080 (port hard specified). 91 [$simpledns, "http://192.168.1.10/x.png", "", "", false], // IP=192.168.1.10, Port=80 (port inferred from http). 92 [$simpledns, "https://192.168.1.10/x.png", "", "", false], // IP=192.168.1.10, Port=443 (port inferred from https). 93 [$simpledns, "http://sub.example.com/x.png", "", "", false], // IP=::1, Port = 80 (port inferred from http). 94 [$simpledns, "http://s-1.d-1.com/x.png", "", "", false], // IP=::1, Port = 80 (port inferred from http). 95 96 // Test set using domain name filters but with all ports allowed (empty). 97 [$simpledns, "http://localhost/x.png", "localhost", "", true], 98 [$simpledns, "localhost/x.png", "localhost", "", true], 99 [$simpledns, "localhost:0/x.png", "localhost", "", true], 100 [$simpledns, "ftp://localhost/x.png", "localhost", "", true], 101 [$simpledns, "http://sub.example.com/x.png", "localhost", "", false], 102 [$simpledns, "http://example.com/x.png", "example.com", "", true], 103 [$simpledns, "http://sub.example.com/x.png", "example.com", "", false], 104 105 // Test set using wildcard domain name filters but with all ports allowed (empty). 106 [$simpledns, "http://sub.example.com/x.png", "*.com", "", true], 107 [$simpledns, "http://example.com/x.png", "*.example.com", "", false], 108 [$simpledns, "http://sub.example.com/x.png", "*.example.com", "", true], 109 [$simpledns, "http://sub.example.com/x.png", "*.sub.example.com", "", false], 110 [$simpledns, "http://sub.example.com/x.png", "*.example", "", false], 111 112 // Test set using IP address filters but with all ports allowed (empty). 113 [$simpledns, "http://localhost/x.png", "127.0.0.1", "", true], 114 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "", true], 115 116 // Test set using CIDR IP range filters but with all ports allowed (empty). 117 [$simpledns, "http://localhost/x.png", "127.0.0.0/24", "", true], 118 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0/24", "", true], 119 120 // Test set using last-group range filters but with all ports allowed (empty). 121 [$simpledns, "http://localhost/x.png", "127.0.0.0-30", "", true], 122 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0-30", "", true], 123 124 // Test set using port filters but with all hosts allowed (empty). 125 [$simpledns, "http://localhost/x.png", "", "80\n443", false], 126 [$simpledns, "http://localhost:80/x.png", "", "80\n443", false], 127 [$simpledns, "https://localhost/x.png", "", "80\n443", false], 128 [$simpledns, "http://localhost:443/x.png", "", "80\n443", false], 129 [$simpledns, "http://sub.example.com:8080/x.png", "", "80\n443", true], 130 [$simpledns, "http://sub.example.com:-80/x.png", "", "80\n443", true], 131 [$simpledns, "http://sub.example.com:aaa/x.png", "", "80\n443", true], 132 133 // Test set using port filters and hosts filters. 134 [$simpledns, "http://localhost/x.png", "127.0.0.1", "80\n443", true], 135 [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "80\n443", true], 136 137 // Test using multiple A records. 138 // Multiple record DNS gives two IPs for the same host, we want to make 139 // sure that if we blacklist one of those (doesn't matter which one) 140 // the request is blocked. 141 [$multiplerecorddns, "http://sub.example.com", '1.2.3.4', "", true], 142 [$multiplerecorddns, "http://sub.example.com", '5.6.7.8', "", true], 143 144 // Test when DNS resolution fails. 145 [[], "http://example.com", "127.0.0.1", "", true], 146 147 // Test ensures that the default value of getremoteaddr() 0.0.0.0 will check against the provided blocked list. 148 [$simpledns, "http://0.0.0.0/x.png", "0.0.0.0", "", true], 149 // Test set using IPV4 with integer format. 150 [$simpledns, "http://2852039166/x.png", "169.254.169.254", "", true], 151 152 // Test some freaky deaky Unicode domains. Should be blocked always. 153 [$simpledns, "http://169。254。169。254/", "127.0.0.1", "", true], 154 [$simpledns, "http://169。254。169。254/", "1.2.3.4", "", true], 155 [$simpledns, "http://169。254。169。254/", "127.0.0.1", "80\n443", true] 156 157 // Note on testing URLs using IPv6 notation: 158 // At present, the curl_security_helper class doesn't support IPv6 url notation. 159 // E.g. http://[ad34::dddd]:port/resource 160 // This is because it uses clean_param(x, PARAM_URL) as part of parsing, which won't validate urls having IPv6 notation. 161 // The underlying IPv6 address and range support is in place, however, so if clean_param is changed in future, 162 // please add the following test sets. 163 // 1. ["http://[::1]/x.png", "", "", false] 164 // 2. ["http://[::1]/x.png", "::1", "", true] 165 // 3. ["http://[::1]/x.png", "::1/64", "", true] 166 // 4. ["http://[fe80::dddd]/x.png", "fe80::cccc-eeee", "", true] 167 // 5. ["http://[fe80::dddd]/x.png", "fe80::dddd/128", "", true]. 168 ]; 169 } 170 171 /** 172 * Test for \core\files\curl_security_helper->is_enabled(). 173 * 174 * @param string $blockedhosts the list of blocked hosts. 175 * @param string $allowedports the list of allowed ports. 176 * @param bool $expected the expected result. 177 * @dataProvider curl_security_settings_data_provider 178 */ 179 public function test_curl_security_helper_is_enabled($blockedhosts, $allowedports, $expected) { 180 $this->resetAfterTest(true); 181 $helper = new \core\files\curl_security_helper(); 182 set_config('curlsecurityblockedhosts', $blockedhosts); 183 set_config('curlsecurityallowedport', $allowedports); 184 $this->assertEquals($expected, $helper->is_enabled()); 185 } 186 187 /** 188 * Data provider for test_curl_security_helper_is_enabled(). 189 * 190 * @return array 191 */ 192 public function curl_security_settings_data_provider() { 193 // Format: blocked hosts, allowed ports, expected result. 194 return [ 195 ["", "", false], 196 ["127.0.0.1", "", true], 197 ["localhost", "", true], 198 ["127.0.0.0/24\n192.0.0.0/24", "", true], 199 ["", "80\n443", true], 200 ]; 201 } 202 203 /** 204 * Test for \core\files\curl_security_helper::host_is_blocked(). 205 * 206 * @param string $host the host to validate. 207 * @param string $blockedhosts the list of blocked hosts. 208 * @param bool $expected the expected result. 209 * @dataProvider curl_security_host_data_provider 210 */ 211 public function test_curl_security_helper_host_is_blocked($host, $blockedhosts, $expected) { 212 $this->resetAfterTest(true); 213 $helper = new \core\files\curl_security_helper(); 214 set_config('curlsecurityblockedhosts', $blockedhosts); 215 $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'host_is_blocked', [$host], 216 '\core\files\curl_security_helper')); 217 } 218 219 /** 220 * Data provider for test_curl_security_helper_host_is_blocked(). 221 * 222 * @return array 223 */ 224 public function curl_security_host_data_provider() { 225 return [ 226 // IPv4 hosts. 227 ["127.0.0.1", "127.0.0.1", true], 228 ["127.0.0.1", "127.0.0.0/24", true], 229 ["127.0.0.1", "127.0.0.0-40", true], 230 ["", "127.0.0.0/24", false], 231 232 // IPv6 hosts. 233 // Note: ["::", "::", true], - should match but 'address_in_subnet()' has trouble with fully collapsed IPv6 addresses. 234 ["::1", "::1", true], 235 ["::1", "::0-cccc", true], 236 ["::1", "::0/64", true], 237 ["FE80:0000:0000:0000:0000:0000:0000:0000", "fe80::/128", true], 238 ["fe80::eeee", "fe80::ddde/64", true], 239 ["fe80::dddd", "fe80::cccc-eeee", true], 240 ["fe80::dddd", "fe80::ddde-eeee", false], 241 242 // Domain name hosts. 243 ["example.com", "example.com", true], 244 ["sub.example.com", "example.com", false], 245 ["example.com", "*.com", true], 246 ["example.com", "*.example.com", false], 247 ["sub.example.com", "*.example.com", true], 248 ["sub.sub.example.com", "*.example.com", true], 249 ["sub.example.com", "*example.com", false], 250 ["sub.example.com", "*.example", false], 251 252 // International domain name hosts. 253 ["xn--nw2a.xn--j6w193g", "xn--nw2a.xn--j6w193g", true], // The domain 見.香港 is ace-encoded to xn--nw2a.xn--j6w193g. 254 ]; 255 } 256 257 /** 258 * Test for \core\files\curl_security_helper->port_is_blocked(). 259 * 260 * @param int|string $port the port to validate. 261 * @param string $allowedports the list of allowed ports. 262 * @param bool $expected the expected result. 263 * @dataProvider curl_security_port_data_provider 264 */ 265 public function test_curl_security_helper_port_is_blocked($port, $allowedports, $expected) { 266 $this->resetAfterTest(true); 267 $helper = new \core\files\curl_security_helper(); 268 set_config('curlsecurityallowedport', $allowedports); 269 $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'port_is_blocked', [$port], 270 '\core\files\curl_security_helper')); 271 } 272 273 /** 274 * Data provider for test_curl_security_helper_port_is_blocked(). 275 * 276 * @return array 277 */ 278 public function curl_security_port_data_provider() { 279 return [ 280 ["", "80\n443", true], 281 [" ", "80\n443", true], 282 ["-1", "80\n443", true], 283 [-1, "80\n443", true], 284 ["n", "80\n443", true], 285 [0, "80\n443", true], 286 ["0", "80\n443", true], 287 [8080, "80\n443", true], 288 ["8080", "80\n443", true], 289 ["80", "80\n443", false], 290 [80, "80\n443", false], 291 [443, "80\n443", false], 292 [0, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries. 293 [-1, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries. 294 [null, "", true], // Non-string, non-int values are invalid. 295 ]; 296 } 297 298 /** 299 * Test for \core\files\curl_security_helper::get_blocked_url_string(). 300 */ 301 public function test_curl_security_helper_get_blocked_url_string() { 302 $helper = new \core\files\curl_security_helper(); 303 $this->assertEquals(get_string('curlsecurityurlblocked', 'admin'), $helper->get_blocked_url_string()); 304 } 305 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
