SecurityTest.php 44 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088
  1. <?php
  2. /* Copyright (C) 2010 Laurent Destailleur <eldy@users.sourceforge.net>
  3. * Copyright (C) 2023 Alexandre Janniaux <alexandre.janniaux@gmail.com>
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of the GNU General Public License as published by
  7. * the Free Software Foundation; either version 3 of the License, or
  8. * (at your option) any later version.
  9. *
  10. * This program is distributed in the hope that it will be useful,
  11. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  13. * GNU General Public License for more details.
  14. *
  15. * You should have received a copy of the GNU General Public License
  16. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  17. * or see https://www.gnu.org/
  18. */
  19. /**
  20. * \file test/phpunit/SecurityTest.php
  21. * \ingroup test
  22. * \brief PHPUnit test
  23. * \remarks To run this script as CLI: phpunit filename.php
  24. */
  25. global $conf,$user,$langs,$db;
  26. //define('TEST_DB_FORCE_TYPE','mysql'); // This is to force using mysql driver
  27. //require_once 'PHPUnit/Autoload.php';
  28. if (! defined('NOREQUIRESOC')) {
  29. define('NOREQUIRESOC', '1');
  30. }
  31. if (! defined('NOCSRFCHECK')) {
  32. define('NOCSRFCHECK', '1');
  33. }
  34. if (! defined('NOTOKENRENEWAL')) {
  35. define('NOTOKENRENEWAL', '1');
  36. }
  37. if (! defined('NOREQUIREMENU')) {
  38. define('NOREQUIREMENU', '1'); // If there is no menu to show
  39. }
  40. if (! defined('NOREQUIREHTML')) {
  41. define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
  42. }
  43. if (! defined('NOREQUIREAJAX')) {
  44. define('NOREQUIREAJAX', '1');
  45. }
  46. if (! defined("NOLOGIN")) {
  47. define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
  48. }
  49. if (! defined("NOSESSION")) {
  50. define("NOSESSION", '1');
  51. }
  52. require_once dirname(__FILE__).'/../../htdocs/main.inc.php';
  53. require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
  54. require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';
  55. if (empty($user->id)) {
  56. print "Load permissions for admin user nb 1\n";
  57. $user->fetch(1);
  58. $user->getrights();
  59. }
  60. $conf->global->MAIN_DISABLE_ALL_MAILS=1;
  61. /**
  62. * Class for PHPUnit tests
  63. *
  64. * @backupGlobals disabled
  65. * @backupStaticAttributes enabled
  66. * @remarks backupGlobals must be disabled to have db,conf,user and lang not erased.
  67. */
  68. class SecurityTest extends PHPUnit\Framework\TestCase
  69. {
  70. protected $savconf;
  71. protected $savuser;
  72. protected $savlangs;
  73. protected $savdb;
  74. /**
  75. * Constructor
  76. * We save global variables into local variables
  77. *
  78. * @param string $name Name
  79. * @return SecurityTest
  80. */
  81. public function __construct($name = '')
  82. {
  83. parent::__construct($name);
  84. //$this->sharedFixture
  85. global $conf,$user,$langs,$db;
  86. $this->savconf=$conf;
  87. $this->savuser=$user;
  88. $this->savlangs=$langs;
  89. $this->savdb=$db;
  90. print __METHOD__." db->type=".$db->type." user->id=".$user->id;
  91. //print " - db ".$db->db;
  92. print "\n";
  93. }
  94. /**
  95. * setUpBeforeClass
  96. *
  97. * @return void
  98. */
  99. public static function setUpBeforeClass(): void
  100. {
  101. global $conf,$user,$langs,$db;
  102. $db->begin(); // This is to have all actions inside a transaction even if test launched without suite.
  103. print __METHOD__."\n";
  104. }
  105. /**
  106. * tearDownAfterClass
  107. *
  108. * @return void
  109. */
  110. public static function tearDownAfterClass(): void
  111. {
  112. global $conf,$user,$langs,$db;
  113. $db->rollback();
  114. // Restore value to a neutral value (it was set to a test value by some tests)
  115. unset($_SERVER["PHP_SELF"]);
  116. print __METHOD__."\n";
  117. }
  118. /**
  119. * Init phpunit tests
  120. *
  121. * @return void
  122. */
  123. protected function setUp(): void
  124. {
  125. global $conf,$user,$langs,$db;
  126. $conf=$this->savconf;
  127. $user=$this->savuser;
  128. $langs=$this->savlangs;
  129. $db=$this->savdb;
  130. print __METHOD__."\n";
  131. }
  132. /**
  133. * End phpunit tests
  134. *
  135. * @return void
  136. */
  137. protected function tearDown(): void
  138. {
  139. print __METHOD__."\n";
  140. }
  141. /**
  142. * testSetLang
  143. *
  144. * @return string
  145. */
  146. public function testSetLang()
  147. {
  148. global $conf;
  149. $conf=$this->savconf;
  150. $tmplangs = new Translate('', $conf);
  151. $_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
  152. $tmplangs->setDefaultLang('auto');
  153. print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
  154. $this->assertEquals($tmplangs->defaultlang, 'malicioustextwithquote_MALICIOUSTEXTWITHQUOTE');
  155. }
  156. /**
  157. * testSqlAndScriptInjectWithPHPUnit
  158. *
  159. * @return void
  160. */
  161. public function testSqlAndScriptInjectWithPHPUnit()
  162. {
  163. // Run tests
  164. // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  165. // Should be OK
  166. $expectedresult=0;
  167. /*
  168. $test = '';
  169. $result=testSqlAndScriptInject($test, 0);
  170. $this->assertGreaterThanOrEqual(0, $result, 'Error on testSqlAndScriptInject kkk');
  171. */
  172. $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php';
  173. $result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
  174. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should be ok');
  175. $test = 'This is a < inside string with < and > also and tag like <a> before the >';
  176. $result=testSqlAndScriptInject($test, 0);
  177. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0b');
  178. $test = 'This is the union of all for the selection of the best';
  179. $result=testSqlAndScriptInject($test, 0);
  180. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject expected 0c');
  181. $test='/user/perms.php?id=1&action=addrights&entity=1&rights=123&confirm=yes&token=123456789&updatedmodulename=lmscoursetracking';
  182. $result=testSqlAndScriptInject($test, 1);
  183. print "test=".$test." result=".$result."\n";
  184. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject with a valid url');
  185. // Should detect attack
  186. $expectedresult=1;
  187. $_SERVER["PHP_SELF"]='/DIR WITH SPACE/htdocs/admin/index.php/<svg>';
  188. $result=testSqlAndScriptInject($_SERVER["PHP_SELF"], 2);
  189. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS');
  190. $test = 'select @@version';
  191. $result=testSqlAndScriptInject($test, 0);
  192. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1a. Should find an attack on POST param and did not.');
  193. $test = 'select @@version';
  194. $result=testSqlAndScriptInject($test, 1);
  195. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.');
  196. $test = '... update ... set ... =';
  197. $result=testSqlAndScriptInject($test, 1);
  198. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.');
  199. $test = "delete\nfrom";
  200. $result=testSqlAndScriptInject($test, 1);
  201. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2b. Should find an attack on GET param and did not.');
  202. $test = 'action=update& ... set ... =';
  203. $result=testSqlAndScriptInject($test, 1);
  204. $this->assertEquals(0, $result, 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.');
  205. $test = '... union ... selection ';
  206. $result=testSqlAndScriptInject($test, 1);
  207. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for SQL2c. Should find an attack on GET param and did not.');
  208. $test = 'j&#x61;vascript:';
  209. $result=testSqlAndScriptInject($test, 0);
  210. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript1. Should find an attack and did not.');
  211. $test = 'j&#x61vascript:';
  212. $result=testSqlAndScriptInject($test, 0);
  213. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2. Should find an attack and did not.');
  214. $test = 'javascript&colon&#x3B;alert(1)';
  215. $result=testSqlAndScriptInject($test, 0);
  216. $this->assertEquals($expectedresult, $result, 'Error on testSqlAndScriptInject for javascript2');
  217. $test="<img src='1.jpg' onerror =javascript:alert('XSS')>";
  218. $result=testSqlAndScriptInject($test, 0);
  219. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa1');
  220. $test="<img src='1.jpg' onerror =javascript:alert('XSS')>";
  221. $result=testSqlAndScriptInject($test, 2);
  222. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa2');
  223. $test='<IMG SRC=# onmouseover="alert(1)">';
  224. $result=testSqlAndScriptInject($test, 0);
  225. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa3');
  226. $test='<IMG SRC onmouseover="alert(1)">';
  227. $result=testSqlAndScriptInject($test, 0);
  228. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa4');
  229. $test='<IMG onmouseover="alert(1)">';
  230. $result=testSqlAndScriptInject($test, 0);
  231. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa5');
  232. $test='<IMG SRC=/ onerror="alert(1)">';
  233. $result=testSqlAndScriptInject($test, 0);
  234. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa6');
  235. $test='<IMG SRC=" &#14; javascript:alert(1);">';
  236. $result=testSqlAndScriptInject($test, 0);
  237. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject aaa7');
  238. $test='<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>';
  239. $result=testSqlAndScriptInject($test, 0);
  240. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject bbb');
  241. $test='<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>';
  242. $result=testSqlAndScriptInject($test, 0);
  243. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ccc');
  244. $test='<IMG SRC="javascript:alert(\'XSS\');">';
  245. $result=testSqlAndScriptInject($test, 1);
  246. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ddd');
  247. $test='<IMG """><SCRIPT>alert("XSS")</SCRIPT>">';
  248. $result=testSqlAndScriptInject($test, 0);
  249. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee');
  250. $test='<!-- Google analytics -->
  251. <script>
  252. (function(i,s,o,g,r,a,m){i[\'GoogleAnalyticsObject\']=r;i[r]=i[r]||function(){
  253. (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  254. m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  255. })(window,document,\'script\',\'https://www.google-analytics.com/analytics.js\',\'ga\');
  256. ga(\'create\',\'UA-99999999-9\', \'auto\');
  257. ga(\'send\', \'pageview\');
  258. </script>';
  259. $result=testSqlAndScriptInject($test, 0);
  260. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject eee');
  261. $test="<IMG SRC=\"jav\tascript:alert('XSS');\">"; // Is locked by some browser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer.
  262. $test="<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">"; // Same
  263. $test='<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>';
  264. $result=testSqlAndScriptInject($test, 0);
  265. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff1');
  266. $test='<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>';
  267. $result=testSqlAndScriptInject($test, 0);
  268. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject fff2');
  269. // This case seems to be filtered by browsers now.
  270. $test='<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(1)>';
  271. //$result=testSqlAndScriptInject($test, 0);
  272. //$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ggg');
  273. $test='<iframe src=http://xss.rocks/scriptlet.html <';
  274. $result=testSqlAndScriptInject($test, 0);
  275. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject hhh');
  276. $test='Set.constructor`alert\x281\x29```';
  277. $result=testSqlAndScriptInject($test, 0);
  278. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject iii');
  279. $test="on<!-- ab\nc -->error=alert(1)";
  280. $result=testSqlAndScriptInject($test, 0);
  281. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject jjj');
  282. $test="<img src=x one<a>rror=alert(document.location)";
  283. $result=testSqlAndScriptInject($test, 0);
  284. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject kkk');
  285. $test="<a onpointerdown=alert(document.domain)>XSS</a>";
  286. $result=testSqlAndScriptInject($test, 0);
  287. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject lll');
  288. $test='<a onscrollend=alert(1) style="display:block;overflow:auto;border:1px+dashed;width:500px;height:100px;"><br><br><br><br><br><span+id=x>test</span></a>'; // Add the char %F6 into the variable
  289. $result=testSqlAndScriptInject($test, 0);
  290. //print "test=".$test." result=".$result."\n";
  291. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject mmm');
  292. $test="Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)";
  293. $result=testSqlAndScriptInject($test, 0); // result must be 0
  294. $this->assertEquals(0, $result, 'Error on testSqlAndScriptInject mmm, result should be 0 and is not');
  295. $test ='<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt:&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.cookie)&rpar;">XSS</a>';
  296. $result=testSqlAndScriptInject($test, 0);
  297. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject nnn, result should be >= 1 and is not');
  298. $test="/dolibarr/htdocs/index.php/".chr('246')."abc"; // Add the char %F6 into the variable
  299. $result=testSqlAndScriptInject($test, 2);
  300. //print "test=".$test." result=".$result."\n";
  301. $this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject with a non valid UTF8 char');
  302. }
  303. /**
  304. * testGETPOST
  305. *
  306. * @return string
  307. */
  308. public function testGETPOST()
  309. {
  310. global $conf,$user,$langs,$db;
  311. $conf=$this->savconf;
  312. $user=$this->savuser;
  313. $langs=$this->savlangs;
  314. $db=$this->savdb;
  315. // Force default mode
  316. $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0;
  317. $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0;
  318. $_COOKIE["id"]=111;
  319. $_GET["param1"]="222";
  320. $_POST["param1"]="333";
  321. $_GET["param2"]='a/b#e(pr)qq-rr\cc';
  322. $_GET["param3"]='"&#110;a/b#e(pr)qq-rr\cc'; // Same than param2 + " and &#110;
  323. $_GET["param4a"]='..&#47;../dir';
  324. $_GET["param4b"]='..&#92;..\dirwindows';
  325. $_GET["param5"]="a_1-b";
  326. $_POST["param6"]="&quot;&gt;<svg o&#110;load='console.log(&quot;123&quot;)'&gt;";
  327. $_POST["param6b"]='<<<../>../>../svg><<<../>../>../animate =alert(1)>abc';
  328. $_GET["param7"]='"c:\this is a path~1\aaa&#110; &#x&#x31;&#x31;&#x30;;" abc<bad>def</bad>';
  329. $_POST["param8a"]="Hacker<svg o&#110;load='console.log(&quot;123&quot;)'"; // html tag is not closed so it is not detected as html tag but is still harmfull
  330. $_POST['param8b']='<img src=x onerror=alert(document.location) t='; // this is html obfuscated by non closing tag
  331. $_POST['param8c']='< with space after is ok';
  332. $_POST['param8d']='<abc123 is html to clean';
  333. $_POST['param8e']='<123abc is not html to clean'; // other similar case: '<2021-12-12'
  334. $_POST['param8f']='abc<<svg <><<animate onbegin=alert(document.domain) a';
  335. $_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
  336. $_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
  337. $_POST["param11"]=' Name <email@email.com> ';
  338. $_POST["param12"]='<!DOCTYPE html><html>aaa</html>';
  339. $_POST["param13"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61;vascript:alert(document.domain)\">XSS</a>';
  340. $_POST["param13b"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61vascript:alert(document.domain)\">XSS</a>';
  341. $_POST["param14"]="Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)";
  342. $_POST["param15"]="<img onerror<=alert(document.domain)> src=>0xbeefed";
  343. //$_POST["param15b"]="<html><head><title>Example HTML</title></head><body><div><p>This is a paragraph.</div><ul><li>Item 1</li><li>Item 2</li></ol></body><html>";
  344. $_POST["param16"]='<a style="z-index: 1000">abc</a>';
  345. $_POST["param17"]='<span style="background-image: url(logout.php)">abc</span>';
  346. $_POST["param18"]='<span style="background-image: url(...?...action=aaa)">abc</span>';
  347. $_POST["param19"]='<a href="j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt:&lpar;alert(document.cookie)&rpar;">XSS</a>';
  348. //$_POST["param19"]='<a href="javascript:alert(document.cookie)">XSS</a>';
  349. $result=GETPOST('id', 'int'); // Must return nothing
  350. print __METHOD__." result=".$result."\n";
  351. $this->assertEquals($result, '');
  352. $result=GETPOST("param1", 'int');
  353. print __METHOD__." result=".$result."\n";
  354. $this->assertEquals($result, 222, 'Test on param1 with no 3rd param');
  355. $result=GETPOST("param1", 'int', 2);
  356. print __METHOD__." result=".$result."\n";
  357. $this->assertEquals($result, 333, 'Test on param1 with 3rd param = 2');
  358. // Test with alpha
  359. $result=GETPOST("param2", 'alpha');
  360. print __METHOD__." result=".$result."\n";
  361. $this->assertEquals($result, $_GET["param2"], 'Test on param2');
  362. $result=GETPOST("param3", 'alpha'); // Must return string sanitized from char "
  363. print __METHOD__." result=".$result."\n";
  364. $this->assertEquals($result, 'na/b#e(pr)qq-rr\cc', 'Test on param3');
  365. $result=GETPOST("param4a", 'alpha'); // Must return string sanitized from ../
  366. print __METHOD__." result=".$result."\n";
  367. $this->assertEquals($result, 'dir');
  368. $result=GETPOST("param4b", 'alpha'); // Must return string sanitized from ../
  369. print __METHOD__." result=".$result."\n";
  370. $this->assertEquals($result, 'dirwindows');
  371. // Test with aZ09
  372. $result=GETPOST("param1", 'aZ09');
  373. print __METHOD__." result=".$result."\n";
  374. $this->assertEquals($result, $_GET["param1"]);
  375. $result=GETPOST("param2", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
  376. print __METHOD__." result=".$result."\n";
  377. $this->assertEquals($result, '');
  378. $result=GETPOST("param3", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
  379. print __METHOD__." result=".$result."\n";
  380. $this->assertEquals($result, '');
  381. $result=GETPOST("param4a", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
  382. print __METHOD__." result=".$result."\n";
  383. $this->assertEquals('', $result);
  384. $result=GETPOST("param4b", 'aZ09'); // Must return '' as string contains car not in aZ09 definition
  385. print __METHOD__." result=".$result."\n";
  386. $this->assertEquals('', $result);
  387. $result=GETPOST("param5", 'aZ09');
  388. print __METHOD__." result=".$result."\n";
  389. $this->assertEquals($_GET["param5"], $result);
  390. // Test with nohtml
  391. $result=GETPOST("param6", 'nohtml');
  392. print __METHOD__." result=".$result."\n";
  393. $this->assertEquals('">', $result);
  394. // Test with alpha = alphanohtml. We must convert the html entities like &#110; and disable all entities
  395. $result=GETPOST("param6", 'alphanohtml');
  396. print __METHOD__." result=".$result."\n";
  397. $this->assertEquals('>', $result);
  398. $result=GETPOST("param6b", 'alphanohtml');
  399. print __METHOD__." result=".$result."\n";
  400. $this->assertEquals('abc', $result);
  401. $result=GETPOST("param8a", 'alphanohtml');
  402. print __METHOD__." result=".$result."\n";
  403. $this->assertEquals("Hackersvg onload='console.log(123)'", $result);
  404. $result=GETPOST("param8b", 'alphanohtml');
  405. print __METHOD__." result=".$result."\n";
  406. $this->assertEquals('img src=x onerror=alert(document.location) t=', $result, 'Test a string with non closing html tag with alphanohtml');
  407. $result=GETPOST("param8c", 'alphanohtml');
  408. print __METHOD__." result=".$result."\n";
  409. $this->assertEquals($_POST['param8c'], $result, 'Test a string with non closing html tag with alphanohtml');
  410. $result=GETPOST("param8d", 'alphanohtml');
  411. print __METHOD__." result=".$result."\n";
  412. $this->assertEquals('abc123 is html to clean', $result, 'Test a string with non closing html tag with alphanohtml');
  413. $result=GETPOST("param8e", 'alphanohtml');
  414. print __METHOD__." result=".$result."\n";
  415. $this->assertEquals($_POST['param8e'], $result, 'Test a string with non closing html tag with alphanohtml');
  416. $result=GETPOST("param8f", 'alphanohtml');
  417. print __METHOD__." result=".$result."\n";
  418. $this->assertEquals('abcsvg animate onbegin=alert(document.domain) a', $result, 'Test a string with html tag open with several <');
  419. $result=GETPOST("param9", 'alphanohtml');
  420. print __METHOD__." result=".$result."\n";
  421. $this->assertEquals($_POST["param9"], $result);
  422. $result=GETPOST("param10", 'alphanohtml');
  423. print __METHOD__." result=".$result."\n";
  424. $this->assertEquals($_POST["param9"], $result, 'We should get param9 after processing param10');
  425. $result=GETPOST("param11", 'alphanohtml');
  426. print __METHOD__." result=".$result."\n";
  427. $this->assertEquals("Name", $result, 'Test an email string with alphanohtml');
  428. $result=GETPOST("param13", 'alphanohtml');
  429. print __METHOD__." result=".$result."\n";
  430. $this->assertEquals('n n > < XSS', $result, 'Test that html entities are decoded with alpha');
  431. // Test with alphawithlgt
  432. $result=GETPOST("param11", 'alphawithlgt');
  433. print __METHOD__." result=".$result."\n";
  434. $this->assertEquals(trim($_POST["param11"]), $result, 'Test an email string with alphawithlgt');
  435. // Test with restricthtml: we must remove html open/close tag and content but not htmlentities (we can decode html entities for ascii chars like &#110;)
  436. $result=GETPOST("param6", 'restricthtml');
  437. print __METHOD__." result param6=".$result."\n";
  438. $this->assertEquals('&quot;&gt;', $result);
  439. $result=GETPOST("param7", 'restricthtml');
  440. print __METHOD__." result param7 = ".$result."\n";
  441. $this->assertEquals('"c:\this is a path~1\aaan &#x;;;;" abcdef', $result);
  442. $result=GETPOST("param8e", 'restricthtml');
  443. print __METHOD__." result param8e = ".$result."\n";
  444. $this->assertEquals('', $result);
  445. $result=GETPOST("param12", 'restricthtml');
  446. print __METHOD__." result=".$result."\n";
  447. $this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
  448. $result=GETPOST("param13", 'restricthtml');
  449. print __METHOD__." result=".$result."\n";
  450. $this->assertEquals('n n &gt; &lt; &quot; <a href=\"alert(document.domain)\">XSS</a>', $result, 'Test 13 that HTML entities are decoded with restricthtml, but only for common alpha chars');
  451. $result=GETPOST("param13b", 'restricthtml');
  452. print __METHOD__." result=".$result."\n";
  453. $this->assertEquals('n n &gt; &lt; &quot; <a href=\"alert(document.domain)\">XSS</a>', $result, 'Test 13b that HTML entities are decoded with restricthtml, but only for common alpha chars');
  454. $result=GETPOST("param14", 'restricthtml');
  455. print __METHOD__." result=".$result."\n";
  456. $this->assertEquals("Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)", $result, 'Test 14');
  457. $result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
  458. print __METHOD__." result=".$result."\n";
  459. $this->assertEquals("<img onerror=alert(document.domain) src=>0xbeefed", $result, 'Test 15'); // The GETPOST return a harmull string
  460. $result=GETPOST("param19", 'restricthtml');
  461. print __METHOD__." result=".$result."\n";
  462. $this->assertEquals('<a href="&lpar;alert(document.cookie)&rpar;">XSS</a>', $result, 'Test 19');
  463. // Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML to test disabling of bad atrributes
  464. $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
  465. $result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
  466. print __METHOD__." result=".$result."\n";
  467. // $this->assertEquals('InvalidHTMLStringCantBeCleaned', $result, 'Test 15b'); // With some PHP and libxml version, we got this result when parsing invalid HTML, but ...
  468. //$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b'); // ... on other PHP and libxml versions, we got a HTML that has been cleaned
  469. unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML);
  470. // Test with restricthtml + MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES to test disabling of bad atrributes
  471. $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 1;
  472. $result=GETPOST("param15", 'restricthtml');
  473. print __METHOD__." result=".$result."\n";
  474. $this->assertEquals('<img src="">0xbeefed', $result, 'Test 15c');
  475. $result=GETPOST('param16', 'restricthtml');
  476. print __METHOD__." result=".$result."\n";
  477. $this->assertEquals('<a style=" 1000">abc</a>', $result, 'Test tag a with forbidden attribute z-index');
  478. $result=GETPOST('param17', 'restricthtml');
  479. print __METHOD__." result=".$result."\n";
  480. $this->assertEquals('<span style="background-image: url()">abc</span>', $result, 'Test anytag with a forbidden value for attribute');
  481. $result=GETPOST('param18', 'restricthtml');
  482. print __METHOD__." result=".$result."\n";
  483. $this->assertEquals('<span style="background-image: url(...?...aaa)">abc</span>', $result, 'Test anytag with a forbidden value for attribute');
  484. unset($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES);
  485. // Special test for GETPOST of backtopage, backtolist or backtourl parameter
  486. $_POST["backtopage"]='//www.google.com';
  487. $result=GETPOST("backtopage");
  488. print __METHOD__." result=".$result."\n";
  489. $this->assertEquals('www.google.com', $result, 'Test for backtopage param');
  490. $_POST["backtopage"]='https:https://www.google.com';
  491. $result=GETPOST("backtopage");
  492. print __METHOD__." result=".$result."\n";
  493. $this->assertEquals('www.google.com', $result, 'Test for backtopage param');
  494. $_POST["backtolist"]='::HTTPS://www.google.com';
  495. $result=GETPOST("backtolist");
  496. print __METHOD__." result=".$result."\n";
  497. $this->assertEquals('www.google.com', $result, 'Test for backtopage param');
  498. $_POST["backtopage"]='http:www.google.com';
  499. $result=GETPOST("backtopage");
  500. print __METHOD__." result=".$result."\n";
  501. $this->assertEquals('httpwww.google.com', $result, 'Test for backtopage param');
  502. $_POST["backtopage"]='/mydir/mypage.php?aa=a%10a';
  503. $result=GETPOST("backtopage");
  504. print __METHOD__." result=".$result."\n";
  505. $this->assertEquals('/mydir/mypage.php?aa=a%10a', $result, 'Test for backtopage param');
  506. $_POST["backtopage"]='javascripT&javascript#javascriptxjavascript3a alert(1)';
  507. $result=GETPOST("backtopage");
  508. print __METHOD__." result=".$result."\n";
  509. $this->assertEquals('x3aalert(1)', $result, 'Test for backtopage param');
  510. $conf->global->MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT = 3;
  511. $_POST["pagecontentwithlinks"]='<img src="aaa"><img src="bbb"><img src="ccc"><span style="background: url(/ddd)"></span>';
  512. $result=GETPOST("pagecontentwithlinks", 'restricthtml');
  513. print __METHOD__." result=".$result."\n";
  514. $this->assertEquals('ErrorTooManyLinksIntoHTMLString', $result, 'Test on limit on GETPOST fails');
  515. // Test that img src="data:..." is excluded from the count of external links
  516. $conf->global->MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT = 3;
  517. $_POST["pagecontentwithlinks"]='<img src="data:abc"><img src="bbb"><img src="ccc"><span style="background: url(/ddd)"></span>';
  518. $result=GETPOST("pagecontentwithlinks", 'restricthtml');
  519. print __METHOD__." result=".$result."\n";
  520. $this->assertEquals('<img src="data:abc"><img src="bbb"><img src="ccc"><span style="background: url(/ddd)"></span>', $result, 'Test on limit on GETPOST fails');
  521. // Test that no links is allowed
  522. $conf->global->MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1;
  523. $_POST["pagecontentwithlinks"]='<img src="data:abc"><img src="bbb"><img src="ccc"><span style="background: url(/ddd)"></span>';
  524. $result=GETPOST("pagecontentwithlinks", 'restricthtml');
  525. print __METHOD__." result=".$result."\n";
  526. $this->assertEquals('ErrorHTMLLinksNotAllowed', $result, 'Test on limit on GETPOST fails');
  527. return $result;
  528. }
  529. /**
  530. * testEncodeDecode
  531. *
  532. * @return number
  533. */
  534. public function testEncodeDecode()
  535. {
  536. $stringtotest="This is a string to test encode/decode. This is a string to test encode/decode. This is a string to test encode/decode.";
  537. $encodedstring=dol_encode($stringtotest);
  538. $decodedstring=dol_decode($encodedstring);
  539. print __METHOD__." encodedstring=".$encodedstring." ".base64_encode($stringtotest)."\n";
  540. $this->assertEquals($stringtotest, $decodedstring, 'Use dol_encode/decode with no parameter');
  541. $encodedstring=dol_encode($stringtotest, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ');
  542. $decodedstring=dol_decode($encodedstring, 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ');
  543. print __METHOD__." encodedstring=".$encodedstring." ".base64_encode($stringtotest)."\n";
  544. $this->assertEquals($stringtotest, $decodedstring, 'Use dol_encode/decode with a key parameter');
  545. return 0;
  546. }
  547. /**
  548. * testDolStringOnlyTheseHtmlTags
  549. *
  550. * @return number
  551. */
  552. public function testDolHTMLEntityDecode()
  553. {
  554. $stringtotest = 'a &colon; b &quot; c &#039; d &apos; e &eacute;';
  555. $decodedstring = dol_html_entity_decode($stringtotest, ENT_QUOTES);
  556. $this->assertEquals('a &colon; b " c \' d &apos; e é', $decodedstring, 'Function did not sanitize correclty');
  557. $stringtotest = 'a &colon; b &quot; c &#039; d &apos; e &eacute;';
  558. $decodedstring = dol_html_entity_decode($stringtotest, ENT_QUOTES|ENT_HTML5);
  559. $this->assertEquals('a : b " c \' d \' e é', $decodedstring, 'Function did not sanitize correclty');
  560. return 0;
  561. }
  562. /**
  563. * testDolStringOnlyTheseHtmlTags
  564. *
  565. * @return number
  566. */
  567. public function testDolStringOnlyTheseHtmlTags()
  568. {
  569. $stringtotest = '<a href="javascript:aaa">bbbڴ';
  570. $decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1);
  571. $this->assertEquals('<a href="aaa">bbbڴ', $decodedstring, 'Function did not sanitize correclty with test 1');
  572. $stringtotest = '<a href="java'.chr(0).'script:aaa">bbbڴ';
  573. $decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1);
  574. $this->assertEquals('<a href="aaa">bbbڴ', $decodedstring, 'Function did not sanitize correclty with test 2');
  575. $stringtotest = '<a href="javascript&colon;aaa">bbbڴ';
  576. $decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1);
  577. $this->assertEquals('<a href="aaa">bbbڴ', $decodedstring, 'Function did not sanitize correclty with test 3');
  578. $stringtotest = 'text <link href="aaa"> text';
  579. $decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1, 0, array(), 0);
  580. $this->assertEquals('text text', $decodedstring, 'Function did not sanitize correclty with test 4a');
  581. $stringtotest = 'text <link href="aaa"> text';
  582. $decodedstring = dol_string_onlythesehtmltags($stringtotest, 1, 1, 1, 0, array(), 1);
  583. $this->assertEquals('text <link href="aaa"> text', $decodedstring, 'Function did not sanitize correclty with test 4b');
  584. return 0;
  585. }
  586. /**
  587. * testDolStringOnlyTheseHtmlAttributes
  588. *
  589. * @return number
  590. */
  591. public function testDolStringOnlyTheseHtmlAttributes()
  592. {
  593. $stringtotest = 'eée';
  594. $decodedstring = dol_string_onlythesehtmlattributes($stringtotest);
  595. $this->assertEquals('e&eacute;e', $decodedstring, 'Function did not sanitize correclty with test 1');
  596. $stringtotest = '<div onload="ee"><a href="123"><span class="abc">abc</span></a></div>';
  597. $decodedstring = dol_string_onlythesehtmlattributes($stringtotest);
  598. $decodedstring = preg_replace("/\n$/", "", $decodedstring);
  599. $this->assertEquals('<div><a href="123"><span class="abc">abc</span></a></div>', $decodedstring, 'Function did not sanitize correclty with test 2');
  600. return 0;
  601. }
  602. /**
  603. * testGetRandomPassword
  604. *
  605. * @return number
  606. */
  607. public function testGetRandomPassword()
  608. {
  609. global $conf;
  610. $genpass1=getRandomPassword(true); // Should be a string return by dol_hash (if no option set, will be md5)
  611. print __METHOD__." genpass1=".$genpass1."\n";
  612. $this->assertEquals(strlen($genpass1), 32);
  613. $genpass1=getRandomPassword(true, array('I')); // Should be a string return by dol_hash (if no option set, will be md5)
  614. print __METHOD__." genpass1=".$genpass1."\n";
  615. $this->assertEquals(strlen($genpass1), 32);
  616. $conf->global->USER_PASSWORD_GENERATED='None';
  617. $genpass2=getRandomPassword(false); // Should return an empty string
  618. print __METHOD__." genpass2=".$genpass2."\n";
  619. $this->assertEquals($genpass2, '');
  620. $conf->global->USER_PASSWORD_GENERATED='Standard';
  621. $genpass3=getRandomPassword(false); // Should return a password of 12 chars
  622. print __METHOD__." genpass3=".$genpass3."\n";
  623. $this->assertEquals(strlen($genpass3), 12);
  624. return 0;
  625. }
  626. /**
  627. * testRestrictedArea
  628. *
  629. * @return void
  630. */
  631. public function testRestrictedArea()
  632. {
  633. global $conf,$user,$langs,$db;
  634. $conf=$this->savconf;
  635. $user=$this->savuser;
  636. $langs=$this->savlangs;
  637. $db=$this->savdb;
  638. //$dummyuser=new User($db);
  639. //$result=restrictedArea($dummyuser,'societe');
  640. $result=restrictedArea($user, 'societe');
  641. $this->assertEquals(1, $result);
  642. }
  643. /**
  644. * testGetRandomPassword
  645. *
  646. * @return number
  647. */
  648. public function testGetURLContent()
  649. {
  650. global $conf;
  651. include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';
  652. $url = 'ftp://mydomain.com';
  653. $tmp = getURLContent($url);
  654. print __METHOD__." url=".$url."\n";
  655. $this->assertGreaterThan(0, strpos($tmp['curl_error_msg'], 'not supported')); // Test error if return does not contains 'not supported'
  656. $url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
  657. $tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
  658. print __METHOD__." url=".$url."\n";
  659. $this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 response and stop here');
  660. $url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
  661. $tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
  662. print __METHOD__." url=".$url."\n";
  663. $this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with a follow -> 200 but we get '.$tmp['http_code']);
  664. $url = 'http://localhost';
  665. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  666. print __METHOD__." url=".$url."\n";
  667. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL'); // Test we receive an error because localtest.me is not an external URL
  668. $url = 'http://127.0.0.1';
  669. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  670. print __METHOD__." url=".$url."\n";
  671. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 127.0.0.1 is not an external URL
  672. $url = 'http://127.0.2.1';
  673. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  674. print __METHOD__." url=".$url."\n";
  675. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 127.0.2.1 is not an external URL
  676. $url = 'https://169.254.0.1';
  677. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  678. print __METHOD__." url=".$url."\n";
  679. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because 169.254.0.1 is not an external URL
  680. $url = 'http://[::1]';
  681. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  682. print __METHOD__." url=".$url."\n";
  683. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that is a local URL'); // Test we receive an error because [::1] is not an external URL
  684. /*$url = 'localtest.me';
  685. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
  686. print __METHOD__." url=".$url."\n";
  687. $this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL'); // Test we receive an error because localtest.me is not an external URL
  688. */
  689. $url = 'http://192.0.0.192';
  690. $tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL but on an IP in blacklist
  691. print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
  692. $this->assertEquals(400, $tmp['http_code'], 'Access should be refused and was not'); // Test we receive an error because ip is in blacklist
  693. return 0;
  694. }
  695. /**
  696. * testDolSanitizeUrl
  697. *
  698. * @return void
  699. */
  700. public function testDolSanitizeUrl()
  701. {
  702. global $conf,$user,$langs,$db;
  703. $conf=$this->savconf;
  704. $user=$this->savuser;
  705. $langs=$this->savlangs;
  706. $db=$this->savdb;
  707. $test = 'javascripT&javascript#x3a alert(1)';
  708. $result=dol_sanitizeUrl($test);
  709. $this->assertEquals('x3a alert(1)', $result, 'Test on dol_sanitizeUrl A');
  710. $test = 'javajavascriptscript&cjavascriptolon;alert(1)';
  711. $result=dol_sanitizeUrl($test);
  712. $this->assertEquals('alert(1)', $result, 'Test on dol_sanitizeUrl B');
  713. $test = '/javas:cript/google.com';
  714. $result=dol_sanitizeUrl($test);
  715. $this->assertEquals('google.com', $result, 'Test on dol_sanitizeUrl C');
  716. }
  717. /**
  718. * testDolSanitizeEmail
  719. *
  720. * @return void
  721. */
  722. public function testDolSanitizeEmail()
  723. {
  724. global $conf,$user,$langs,$db;
  725. $conf=$this->savconf;
  726. $user=$this->savuser;
  727. $langs=$this->savlangs;
  728. $db=$this->savdb;
  729. $test = 'aaa@mycompany.com <My name>, bbb@mycompany.com <Another name>';
  730. $result=dol_sanitizeEmail($test);
  731. $this->assertEquals($test, $result, 'Test on dol_sanitizeEmail A');
  732. $test = "aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>";
  733. $result=dol_sanitizeEmail($test);
  734. $this->assertEquals('aaa@mycompany.com <My name>,bbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail B');
  735. $test = 'aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>';
  736. $result=dol_sanitizeEmail($test);
  737. $this->assertEquals('aaa@mycompany.com <My name>,nbbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail C');
  738. $test = 'aaa@mycompany.com <My name>, "bcc:bbb"@mycompany.com <Another name>';
  739. $result=dol_sanitizeEmail($test);
  740. $this->assertEquals('aaa@mycompany.com <My name>, bccbbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail D');
  741. }
  742. /**
  743. * testDolSanitizeFileName
  744. *
  745. * @return void
  746. */
  747. public function testDolSanitizeFileName()
  748. {
  749. global $conf,$user,$langs,$db;
  750. $conf=$this->savconf;
  751. $user=$this->savuser;
  752. $langs=$this->savlangs;
  753. $db=$this->savdb;
  754. //$dummyuser=new User($db);
  755. //$result=restrictedArea($dummyuser,'societe');
  756. $result=dol_sanitizeFileName('bad file | evilaction');
  757. $this->assertEquals('bad file _ evilaction', $result);
  758. $result=dol_sanitizeFileName('bad file -evilparam --evilparam ---evilparam ----evilparam');
  759. $this->assertEquals('bad file _evilparam _evilparam _evilparam _evilparam', $result);
  760. }
  761. /**
  762. * testDolEval
  763. *
  764. * @return void
  765. */
  766. public function testDolEval()
  767. {
  768. global $conf,$user,$langs,$db;
  769. $conf=$this->savconf;
  770. $user=$this->savuser;
  771. $langs=$this->savlangs;
  772. $db=$this->savdb;
  773. $result=dol_eval('1==1', 1, 0);
  774. print "result1 = ".$result."\n";
  775. $this->assertTrue($result);
  776. $result=dol_eval('1==2', 1, 0);
  777. print "result2 = ".$result."\n";
  778. $this->assertFalse($result);
  779. include_once DOL_DOCUMENT_ROOT.'/projet/class/project.class.php';
  780. include_once DOL_DOCUMENT_ROOT.'/projet/class/task.class.php';
  781. $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"';
  782. $result=dol_eval($s, 1, 1, '2');
  783. print "result3 = ".$result."\n";
  784. $this->assertEquals('Parent project not found', $result);
  785. $s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : \'Parent project not found\'';
  786. $result = (string) dol_eval($s, 1, 1, '2');
  787. print "result4 = ".$result."\n";
  788. $this->assertEquals('Parent project not found', $result);
  789. $result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '0');
  790. print "result5 = ".$result."\n";
  791. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  792. $result = (string) dol_eval('$a=function() { }; $a;', 1, 1, '1');
  793. print "result6 = ".$result."\n";
  794. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  795. $result = (string) dol_eval('$a=exec("ls");', 1, 1);
  796. print "result7 = ".$result."\n";
  797. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  798. $result = (string) dol_eval('$a=exec ("ls")', 1, 1);
  799. print "result8 = ".$result."\n";
  800. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  801. $result = (string) dol_eval('$a="test"; $$a;', 1, 0);
  802. print "result9 = ".$result."\n";
  803. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  804. $result = (string) dol_eval('`ls`', 1, 0);
  805. print "result10 = ".$result."\n";
  806. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  807. $result = (string) dol_eval("('ex'.'ec')('echo abc')", 1, 0);
  808. print "result11 = ".$result."\n";
  809. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  810. $result = (string) dol_eval("sprintf(\"%s%s\", \"ex\", \"ec\")('echo abc')", 1, 0);
  811. print "result12 = ".$result."\n";
  812. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  813. $result=dol_eval("90402.38+267678+0", 1, 1, 1);
  814. print "result13 = ".$result."\n";
  815. $this->assertEquals('358080.38', $result);
  816. global $leftmenu; // Used into strings to eval
  817. $leftmenu = 'AAA';
  818. $result=dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1');
  819. print "result = ".$result."\n";
  820. $this->assertTrue($result);
  821. // Same with a value that does not match
  822. $leftmenu = 'XXX';
  823. $result=dol_eval('$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)', 1, 1, '1');
  824. print "result14 = ".$result."\n";
  825. $this->assertFalse($result);
  826. $leftmenu = 'AAA';
  827. $result=dol_eval('$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')', 1, 1, '1');
  828. print "result15 = ".$result."\n";
  829. $this->assertTrue($result);
  830. $leftmenu = 'XXX';
  831. $result=dol_eval('$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')', 1, 1, '1');
  832. print "result16 = ".$result."\n";
  833. $this->assertFalse($result);
  834. $string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)';
  835. $result=dol_eval($string, 1, 1, '1');
  836. print "result17 = ".$result."\n";
  837. $this->assertTrue($result);
  838. $result=dol_eval('1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL', 1, 0); // Should return false and not a 'Bad string syntax to evaluate ...'
  839. print "result18 = ".$result."\n";
  840. $this->assertFalse($result);
  841. $a='ab';
  842. $result = (string) dol_eval("(\$a.'s')", 1, 0);
  843. print "result19 = ".$result."\n";
  844. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  845. $leftmenu='abs';
  846. $result = (string) dol_eval('$leftmenu(-5)', 1, 0);
  847. print "result20 = ".$result."\n";
  848. $this->assertStringContainsString('Bad string syntax to evaluate', $result);
  849. }
  850. /**
  851. * testCheckLoginPassEntity
  852. *
  853. * @return void
  854. */
  855. public function testCheckLoginPassEntity()
  856. {
  857. $login=checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
  858. print __METHOD__." login=".$login."\n";
  859. $this->assertEquals($login, '');
  860. $login=checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
  861. print __METHOD__." login=".$login."\n";
  862. $this->assertEquals($login, '');
  863. $login=checkLoginPassEntity('admin', 'admin', 1, array('dolibarr')); // Should works because admin/admin exists
  864. print __METHOD__." login=".$login."\n";
  865. $this->assertEquals($login, 'admin', 'The test to check if pass of user "admin" is "admin" has failed');
  866. $login=checkLoginPassEntity('admin', 'admin', 1, array('http','dolibarr')); // Should work because of second authentication method
  867. print __METHOD__." login=".$login."\n";
  868. $this->assertEquals($login, 'admin');
  869. $login=checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
  870. print __METHOD__." login=".$login."\n";
  871. $this->assertEquals('', $login, 'Error'); // Expected '' because should failed because login 'auto' does not exists
  872. }
  873. }