server/tests/lib/appframework/middleware/MiddlewareTest.php
Lukas Reschke 8313a3fcb3 Add mitigation against BREACH
While BREACH requires the following three factors to be effectively exploitable we should add another mitigation:

1. Application must support HTTP compression
2. Response must reflect user-controlled input
3. Response should contain sensitive data

Especially part 2 is with ownCloud not really given since user-input is usually only echoed if a CSRF token has been passed.

To reduce the risk even further it is however sensible to encrypt the CSRF token with a shared secret. Since this will change on every request an attack such as BREACH is not feasible anymore against the CSRF token at least.
2015-08-14 01:31:32 +02:00


<?php
/**
* ownCloud - App Framework
*
* @author Bernhard Posselt
* @copyright 2012 Bernhard Posselt <dev@bernhard-posselt.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
*
*/
namespace OC\AppFramework;
use OC\AppFramework\Http\Request;
use OCP\AppFramework\Middleware;
use OCP\AppFramework\Http\Response;
/**
 * Empty concrete subclass of Middleware. It overrides nothing, so
 * MiddlewareTest can instantiate it and exercise the base class's
 * default hook implementations directly.
 */
class ChildMiddleware extends Middleware {
}
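/**
 * Tests the default hook implementations of the base Middleware class via
 * the no-op subclass ChildMiddleware: the "unhandled" hooks are expected to
 * hand their input straight back, and afterException is expected to rethrow
 * the exception it was given.
 */
class MiddlewareTest extends \Test\TestCase {

	/**
	 * @var Middleware
	 */
	private $middleware;
	/** @var \OCP\AppFramework\Controller */
	private $controller;
	/** @var \Exception */
	private $exception;
	/** @var \OC\AppFramework\DependencyInjection\DIContainer */
	private $api;
	/** @var Response */
	private $response;

	/**
	 * Builds the middleware under test plus a mocked controller.
	 *
	 * The controller mock still needs real constructor arguments, so a
	 * Request is built from mocked ISecureRandom, ICrypto and IConfig
	 * services. None of the tests below read the request, so bare mocks
	 * without configured expectations are sufficient.
	 */
	protected function setUp(){
		parent::setUp();

		$this->middleware = new ChildMiddleware();

		$this->api = $this->getMockBuilder(
			'OC\AppFramework\DependencyInjection\DIContainer')
			->disableOriginalConstructor()
			->getMock();

		$request = new Request(
			[],
			$this->getMock('\OCP\Security\ISecureRandom'),
			$this->getMock('\OCP\Security\ICrypto'),
			$this->getMock('\OCP\IConfig')
		);

		$this->controller = $this->getMock(
			'OCP\AppFramework\Controller',
			[],
			[
				$this->api,
				$request,
			]
		);

		$this->exception = new \Exception();
		$this->response = $this->getMock('OCP\AppFramework\Http\Response');
	}

	/**
	 * The default beforeController hook must neither throw nor return a
	 * value. Asserting on the actual return value (instead of on a literal
	 * null) keeps the test meaningful while still satisfying PHPUnit's
	 * "test performs an assertion" check.
	 */
	public function testBeforeController() {
		$result = $this->middleware->beforeController($this->controller, null);
		$this->assertNull($result);
	}

	/**
	 * An exception the middleware does not handle must propagate unchanged.
	 */
	public function testAfterExceptionRaiseAgainWhenUnhandled() {
		$this->setExpectedException('Exception');
		$this->middleware->afterException($this->controller, null, $this->exception);
	}

	/**
	 * The default afterController hook must return the very same Response
	 * instance it received, not merely an equal one.
	 */
	public function testAfterControllerReturnResponseWhenUnhandled() {
		$response = $this->middleware->afterController($this->controller, null, $this->response);
		$this->assertSame($this->response, $response);
	}

	/**
	 * The default beforeOutput hook must return its input string unchanged.
	 * (Method name keeps its historical spelling so existing references to
	 * it remain valid.)
	 */
	public function testBeforeOutputReturnOutputhenUnhandled() {
		$output = $this->middleware->beforeOutput($this->controller, null, 'test');
		$this->assertSame('test', $output);
	}

}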