/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project. For details, please see
* <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
*
* Copyright (c) 2019 - The OWASP Foundation
*
* The ESAPI is published by OWASP under the BSD license. You should read and accept the
* LICENSE before you use, modify, and/or redistribute this software.
*
* @author kevin.w.wall@gmail.com
* @since 2019
*/
package org.owasp.esapi.reference.validation;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.SecurityConfiguration;
import org.owasp.esapi.SecurityConfigurationWrapper;
import org.owasp.esapi.ValidationErrorList;
import org.owasp.esapi.ValidationRule;
import org.owasp.esapi.Validator;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.esapi.reference.validation.HTMLValidationRule;
import static org.owasp.esapi.PropNames.VALIDATOR_HTML_VALIDATION_ACTION;
import org.junit.Test;
import org.junit.Before;
import org.junit.After;
import org.junit.Rule;
import org.junit.rules.ExpectedException;
import static org.junit.Assert.*;
/**
* The Class HTMLValidationRuleThrowsTest.
*
* Based on original test cases, testGetValidSafeHTML() and
* testIsValidSafeHTML() from ValidatorTest by
* Mike Fauzy (mike.fauzy@aspectsecurity.com) and
* Jeff Williams (jeff.williams@aspectsecurity.com)
* that were originally part of src/test/java/org/owasp/esapi/reference/ValidatorTest.java.
*
* This class tests the cases where the new ESAPI.property
* <b>Validator.HtmlValidationAction</b>
* is set to "throw", which causes certain calls to
* {@code ESAPI.validator().getValidSafeHTML()}
* to throw a ValidationException rather than simply logging a warning and returning
* the cleansed (sanitized) output when certain unsafe input is encountered.
*/
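public class HTMLValidationRuleThrowsTest {

    /**
     * Wraps the live {@link SecurityConfiguration} and overrides the single
     * property {@code Validator.HtmlValidationAction}, so a test can force the
     * validator into "throw" mode without editing ESAPI.properties. Every other
     * property is delegated to the wrapped configuration.
     */
    private static class ConfOverride extends SecurityConfigurationWrapper {
        /** Value handed back for Validator.HtmlValidationAction; fixed at construction. */
        private final String desiredReturn;

        /**
         * @param orig          the real configuration that all other properties come from
         * @param desiredReturn the value to report for {@code Validator.HtmlValidationAction}
         */
        ConfOverride(SecurityConfiguration orig, String desiredReturn) {
            super(orig);
            this.desiredReturn = desiredReturn;
        }

        /**
         * Returns the overridden value for Validator.HtmlValidationAction and
         * defers to the wrapped configuration for every other property name.
         */
        @Override
        public String getStringProp(String propName) {
            // Constant-first comparison so a null propName falls through to the
            // wrapped configuration instead of throwing here.
            if (VALIDATOR_HTML_VALIDATION_ACTION.equals(propName)) {
                return desiredReturn;
            }
            return super.getStringProp(propName);
        }
    }

    /** JUnit only honors the rule if this field is public. */
    @Rule
    public ExpectedException thrownEx = ExpectedException.none();

    /** Installs the override that sets Validator.HtmlValidationAction to "throw". */
    @Before
    public void setUp() throws Exception {
        ESAPI.override(new ConfOverride(ESAPI.securityConfiguration(), "throw"));
    }

    /**
     * Clears the override so test classes run later in the same JVM see the
     * unmodified configuration. The rule field is not reset here: JUnit builds
     * a fresh instance of this class for each test method.
     */
    @After
    public void tearDown() throws Exception {
        ESAPI.override(null);
    }

    /**
     * In "throw" mode a single unsafe input passed to {@code getValid()} on an
     * {@link HTMLValidationRule} must raise a {@link ValidationException} whose
     * message is qualified with the rule name.
     */
    @Test
    public void testGetValid() throws Exception {
        System.out.println("getValid");
        Validator instance = ESAPI.validator();
        HTMLValidationRule rule = new HTMLValidationRule("test");
        // Register on the same Validator instance the rule is later looked up on.
        instance.addRule(rule);

        thrownEx.expect(ValidationException.class);
        thrownEx.expectMessage("test: Invalid HTML input");
        instance.getRule("test").getValid("test", "Test. <script>alert(document.cookie)</script>");
    }

    /**
     * In "throw" mode every input below must make {@code getValidSafeHTML()}
     * throw a {@link ValidationException} instead of returning cleansed output.
     * Inputs that return normally, or throw some other exception type, are
     * counted and reported together at the end so that one failure does not
     * hide the rest.
     */
    @Test
    public void testGetValidSafeHTML() throws Exception {
        System.out.println("getValidSafeHTML");
        Validator instance = ESAPI.validator();
        HTMLValidationRule rule = new HTMLValidationRule("test");
        instance.addRule(rule);

        // Inputs the sanitizer policy must reject outright. The later entries
        // vary the tag name (a %00 sequence or a tab inside "script") to check
        // that the rejection is not defeated by simple tag obfuscation. Two
        // entries are repeated verbatim, as in the original list.
        String[] testInput = {
            // These first two don't cause AntiSamy to throw.
            // "Test. <a href=\"http://www.aspectsecurity.com\">Aspect Security</a>",
            // "Test. <<div on<script></script>load=alert()",
            "Test. <script>alert(document.cookie)</script>",
            "Test. <script>alert(document.cookie)</script>",
            "Test. <div style={xss:expression(xss)}>b</div>",
            "Test. <s%00cript>alert(document.cookie)</script>",
            "Test. <s\tcript>alert(document.cookie)</script>",
            "Test. <s\tcript>alert(document.cookie)</script>"
        };

        int errors = 0;
        for (int i = 0; i < testInput.length; i++) {
            try {
                // The return value is irrelevant: reaching the next line is the failure.
                instance.getValidSafeHTML("test", testInput[i], 100, false);
                errors++;
                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i] + "' failed to throw.");
            } catch (ValidationException vex) {
                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i] + "' returned:");
                System.out.println("\t" + i + ": logMsg =" + vex.getLogMessage());
                // expected first, actual second, so a mismatch is reported correctly
                assertEquals("test: Invalid HTML input", vex.getUserMessage());
            } catch (Exception ex) {
                // Any other exception type is a failure of the contract, not a pass.
                errors++;
                System.out.println("testGetValidSafeHTML(): testInput '" + testInput[i]
                        + "' threw wrong exception type: " + ex.getClass().getName());
            }
        }

        if (errors > 0) {
            fail("testGetValidSafeHTML() encountered " + errors + " failures.");
        }
    }
}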