Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code

Unified Diff: test/WebRequest.cpp

Issue 29377825: Issue 4951 - Restrict request headers in XMLHttpRequest.Also test Accept-Encoding with th… (Closed) Base URL: https://hg.adblockplus.org/libadblockplus/
Patch Set: updated patch with feedback Created March 6, 2017, 5:50 p.m.
Use n/p to move between diff chunks; N/P to move between comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « lib/compat.js ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: test/WebRequest.cpp
===================================================================
--- a/test/WebRequest.cpp
+++ b/test/WebRequest.cpp
@@ -21,41 +21,55 @@
namespace
{
class MockWebRequest : public AdblockPlus::WebRequest
{
public:
AdblockPlus::ServerResponse GET(const std::string& url, const AdblockPlus::HeaderList& requestHeaders) const
{
+ lastRequestHeaders.clear();
+ for (auto header : requestHeaders)
+ {
+ lastRequestHeaders.insert(header.first);
+ }
+
AdblockPlus::Sleep(50);
AdblockPlus::ServerResponse result;
result.status = NS_OK;
result.responseStatus = 123;
result.responseHeaders.push_back(std::pair<std::string, std::string>("Foo", "Bar"));
- result.responseText = url + "\n" + requestHeaders[0].first + "\n" + requestHeaders[0].second;
+ result.responseText = url + "\n";
+ if (!requestHeaders.empty())
+ {
+ result.responseText += requestHeaders[0].first + "\n" + requestHeaders[0].second;
+ }
return result;
}
+
+ // mutable. Very Ugly. But we are testing and need to change this in GET which is const.
+ mutable std::set<std::string> lastRequestHeaders;
};
template<class T>
class WebRequestTest : public BaseJsTest
{
protected:
void SetUp()
{
BaseJsTest::SetUp();
jsEngine->SetWebRequest(AdblockPlus::WebRequestPtr(new T));
jsEngine->SetFileSystem(AdblockPlus::FileSystemPtr(new LazyFileSystem));
}
};
typedef WebRequestTest<MockWebRequest> MockWebRequestTest;
typedef WebRequestTest<AdblockPlus::DefaultWebRequest> DefaultWebRequestTest;
+ typedef WebRequestTest<MockWebRequest> XMLHttpRequestTest;
}
TEST_F(MockWebRequestTest, BadCall)
{
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET()"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('', {}, function(){})"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET({toString: false}, {}, function(){})"));
ASSERT_ANY_THROW(jsEngine->Evaluate("_webRequest.GET('http://example.com/', null, function(){})"));
@@ -112,16 +126,19 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq
do
{
AdblockPlus::Sleep(200);
} while (jsEngine->Evaluate("result")->IsUndefined());
ASSERT_EQ(AdblockPlus::WebRequest::NS_OK, jsEngine->Evaluate("request.channel.status")->AsInt());
ASSERT_EQ(200, jsEngine->Evaluate("request.status")->AsInt());
ASSERT_EQ("[Adblock Plus ", jsEngine->Evaluate("result.substr(0, 14)")->AsString());
ASSERT_EQ("text/plain", jsEngine->Evaluate("request.getResponseHeader('Content-Type').substr(0, 10)")->AsString());
+#if defined(HAVE_CURL)
+ ASSERT_EQ("gzip", jsEngine->Evaluate("request.getResponseHeader('Content-Encoding').substr(0, 4)")->AsString());
+#endif
ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Location')")->IsNull());
}
#else
TEST_F(DefaultWebRequestTest, DummyWebRequest)
{
jsEngine->Evaluate("_webRequest.GET('https://easylist-downloads.adblockplus.org/easylist.txt', {}, function(result) {foo = result;} )");
do
{
@@ -152,8 +169,136 @@ TEST_F(DefaultWebRequestTest, XMLHttpReq
} while (jsEngine->Evaluate("result")->IsUndefined());
ASSERT_EQ(AdblockPlus::WebRequest::NS_ERROR_FAILURE, jsEngine->Evaluate("request.channel.status")->AsInt());
ASSERT_EQ(0, jsEngine->Evaluate("request.status")->AsInt());
ASSERT_EQ("error", jsEngine->Evaluate("result")->AsString());
ASSERT_TRUE(jsEngine->Evaluate("request.getResponseHeader('Content-Type')")->IsNull());
}
#endif
+
+namespace
+{
+ class CatchLogSystem : public AdblockPlus::LogSystem
+ {
+ public:
+ AdblockPlus::LogSystem::LogLevel lastLogLevel;
+ std::string lastMessage;
+
+ CatchLogSystem()
+ : AdblockPlus::LogSystem(),
+ lastLogLevel(AdblockPlus::LogSystem::LOG_LEVEL_TRACE)
+ {
+ }
+
+ void operator()(AdblockPlus::LogSystem::LogLevel logLevel,
+ const std::string& message, const std::string&)
+ {
+ lastLogLevel = logLevel;
+ lastMessage = message;
+ }
+
+ void clear()
+ {
+ lastLogLevel = AdblockPlus::LogSystem::LOG_LEVEL_TRACE;
+ lastMessage.clear();
+ }
+ };
+
+ typedef std::shared_ptr<CatchLogSystem> CatchLogSystemPtr;
+
+ void
+ ResetTestXHR(const AdblockPlus::JsEnginePtr& jsEngine, const CatchLogSystemPtr& logger)
+ {
+ jsEngine->Evaluate("\
+ var result;\
+ var request = new XMLHttpRequest();\
+ request.open('GET', 'https://easylist-downloads.adblockplus.org/easylist.txt');\
+ request.overrideMimeType('text/plain');\
+ request.addEventListener('load', function() {result = request.responseText;}, false);\
+ request.addEventListener('error', function() {result = 'error';}, false);\
+ ");
+ logger->clear();
+ }
+}
+
+TEST_F(XMLHttpRequestTest, RequestHeaderValidation)
+{
+ #define WAIT_FOR_XHR_RESULT do\
+ {\
+ AdblockPlus::Sleep(60);\
+ } while (jsEngine->Evaluate("result")->IsUndefined())
+
+ auto catchLogSystem = CatchLogSystemPtr(new CatchLogSystem);
+ jsEngine->SetLogSystem(catchLogSystem);
+
+ AdblockPlus::FilterEngine filterEngine(jsEngine);
+ auto webRequest =
+ std::static_pointer_cast<MockWebRequest>(jsEngine->GetWebRequest());
+
+ ASSERT_TRUE(webRequest);
+
+ const std::string msg = "Attempt to set a forbidden header was denied: ";
+
+ // The test will check that console.warn has been called when the
+ // header is rejected. While this is an implementation detail, we
+ // have no other way to check this
+
+ // test 'Accept-Encoding' is rejected
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('Accept-Encoding', 'gzip');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);
+ EXPECT_EQ(msg + "Accept-Encoding", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("Accept-Encoding"));
+
+ // test 'DNT' is rejected
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('DNT', '1');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);
+ EXPECT_EQ(msg + "DNT", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("DNT"));
+
+ // test random 'X' header is accepted
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('X', 'y');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);
+ EXPECT_EQ("", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_FALSE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("X"));
+
+ // test /^Proxy-/ is rejected.
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('Proxy-foo', 'bar');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);
+ EXPECT_EQ(msg + "Proxy-foo", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("Proxy-foo"));
+
+ // test /^Sec-/ is rejected.
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('Sec-foo', 'bar');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_WARN, catchLogSystem->lastLogLevel);
+ EXPECT_EQ(msg + "Sec-foo", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_TRUE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("Sec-foo"));
+
+ // test 'Security' is accepted.
+ ResetTestXHR(jsEngine, catchLogSystem);
+ jsEngine->Evaluate("\
+ request.setRequestHeader('Security', 'theater');\nrequest.send();");
+ EXPECT_EQ(AdblockPlus::LogSystem::LOG_LEVEL_TRACE, catchLogSystem->lastLogLevel);
+ EXPECT_EQ("", catchLogSystem->lastMessage);
+ WAIT_FOR_XHR_RESULT;
+ EXPECT_FALSE(webRequest->lastRequestHeaders.cend() ==
+ webRequest->lastRequestHeaders.find("Security"));
+}
« no previous file with comments | « lib/compat.js ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld