-
Notifications
You must be signed in to change notification settings - Fork 321
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
PASSBOLT-2402 Extract security resources fixtures
- Loading branch information
1 parent
be5fc7a
commit 928436d
Showing
9 changed files
with
107 additions
and
82 deletions.
There are no files selected for viewing
4 changes: 2 additions & 2 deletions
4
app/Plugin/DataTests/Console/Command/Task/LargeGpgkeyTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 2 additions & 4 deletions
6
app/Plugin/DataTests/Console/Command/Task/LargeGroupUserTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 2 additions & 4 deletions
6
app/Plugin/DataTests/Console/Command/Task/LargePermissionTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 2 additions & 4 deletions
6
app/Plugin/DataTests/Console/Command/Task/LargeProfileTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
6 changes: 2 additions & 4 deletions
6
app/Plugin/DataTests/Console/Command/Task/LargeResourceTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
93 changes: 93 additions & 0 deletions
93
app/Plugin/DataTests/Console/Command/Task/SecurityResourceTask.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| <?php | ||
| /** | ||
| * Insert Security Resource Task | ||
| * | ||
| * @copyright (c) 2017-present Passbolt SARL | ||
| * @licence GNU Affero General Public License http://www.gnu.org/licenses/agpl-3.0.en.html | ||
| */ | ||
|
|
||
| require_once(ROOT . DS . APP_DIR . DS . 'Console' . DS . 'Command' . DS . 'Task' . DS . 'ModelTask.php'); | ||
|
|
||
| App::uses('Resource', 'Model'); | ||
| App::uses('User', 'Model'); | ||
|
|
||
| class SecurityResourceTask extends ModelTask { | ||
|
|
||
| public $model = 'Resource'; | ||
|
|
||
| /** | ||
| * Execute the task | ||
| * Overrides ModelTask by setting the current user from created_by for permissions.created_by to match | ||
| * | ||
| * @return void | ||
| */ | ||
| public function execute() { | ||
| $User = $this->_getModel('User'); | ||
| $Model = $this->_getModel($this->model); | ||
| $this->beforeInsert($Model); | ||
| $data = $this->getData(); | ||
|
|
||
| $i = 0; | ||
| // Insert regular data | ||
| foreach ($data as $item) { | ||
| // the 'owner' entry for permission.created_by will matching the resource.created_by | ||
| $user = $User->find('first', ['conditions' => ['User.id' => $item['Resource']['created_by']]]); | ||
| User::setActive($user); | ||
| try { | ||
| $this->tryInsertItem($item, $Model); | ||
| } catch(Exception $e) { | ||
| $i--; | ||
| $this->out('Security test data not inserted in ' . $Model->name . ' ' . $item['Resource']['username'] . ' ' . $item['Resource']['name']); | ||
| } | ||
| $i++; | ||
| } | ||
|
|
||
| $this->out('Data for model ' . $this->model . ' inserted (' . $i . ')'); | ||
|
|
||
| } | ||
|
|
||
| /** | ||
| * Get data | ||
| * | ||
| * @return array | ||
| */ | ||
| public function getData() { | ||
| // URL XSS Tests | ||
| $r = []; | ||
| $xss = [ | ||
| 'xss JavaScript directive quote semicolon' => "javascript:alert('xss1');", | ||
| 'xss JavaScript directive quote no semicolon' => "javascript:alert('xss2')", | ||
| 'xss JavaScript directive double quote' => 'javascript:alert("XSS3")', | ||
| 'xss JavaScript directive case insensitive' => "JaVaScRiPt:alert('XSS4')", | ||
| 'xss Javascript directive HTML entities' => 'javascript:alert("XSS5")', | ||
| 'xss Javascript directive fromCharCode' => 'javascript:alert(String.fromCharCode(88,83,83))', | ||
| 'xss Decimal HTML character references' => 'javascript:alert('XSS')', | ||
| 'xss Decimal HTML character references without trailing semicolons' => 'javascript:alert('XSS')', | ||
| 'xss Hexadecimal HTML char references without trailing semicolons' => 'javascript:alert('XSS')', | ||
| 'xss Embedded tab' => "jav ascript:alert('XSS10');", | ||
| 'xss Embedded Encoded tab' => "jav	ascript:alert('XSS11');", | ||
| 'xss Embedded carriage return to break up XSS' => "jav
ascript:alert('XSS12');", | ||
| 'xss Embedded newline to break up XSS' => "jav
ascript:alert('XSS13');", | ||
| 'xss space and meta chars before the javascript' => " javascript:alert('XSS14');", | ||
| 'xss Extraneous >' => '"' . "><script>alert('xss15')</script>", | ||
| 'xss Extraneous closing double quote' => '">' . "onclick=alert('xxs16')", | ||
| 'xss & JavaScript includes' => "&{alert('XSS17')}", | ||
| 'xss null breaks up javascript directive' => 'java\0script:alert("XSS18")', | ||
| ]; | ||
| $i = 1; | ||
| foreach ($xss as $name => $x) { | ||
| $r[] = ['Resource' => [ | ||
| 'id' => Common::uuid($name), | ||
| 'name' => substr($name,0,64), | ||
| 'username' => 'test' . $i++, | ||
| 'expiry_date' => null, | ||
| 'uri' => $x, | ||
| 'description' => 'xss test', | ||
| 'deleted' => 0, | ||
| 'created_by' => Common::uuid('user.id.ada'), | ||
| 'modified_by' => Common::uuid('user.id.ada') | ||
| ]]; | ||
| } | ||
| return $r; | ||
| } | ||
| } |