首页 发现 帮助
注册 登录
chengwenliang
/
newsupernova
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: c9405dd336
分支列表 标签列表
newsupernova
/
dev
/
tests
/
static
/
testsuite
/
Magento
/
Test
/
Php
/
XssPhtmlTemplateTest.php

XssPhtmlTemplateTest.php 3.5 KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Copyright © Magento, Inc. All rights reserved.
    4. 

  4.  * See COPYING.txt for license details.
    5. 

  5.  */
    6. 

  6. 

  7. namespace Magento\Test\Php;
    8. 

  8. 

  9. use Magento\Framework\App\Utility\Files;
    10. 

  10. use Magento\TestFramework\Utility\XssOutputValidator;
    11. 

  11. use Magento\Framework\Component\ComponentRegistrar;
    12. 

  12. 

  13. /**
    14. 

  14.  * Find not escaped output in phtml templates
    15. 

  15.  */
    16. 

  16. class XssPhtmlTemplateTest extends \PHPUnit\Framework\TestCase
    17. 

  17. {
    18. 

  18.     /**
    19. 

  19.      * @return void
    20. 

  20.      */
    21. 

  21.     public function testXssSensitiveOutput()
    22. 

  22.     {
    23. 

  23.         $invoker = new \Magento\Framework\App\Utility\AggregateInvoker($this);
    24. 

  24.         $xssOutputValidator = new XssOutputValidator();
    25. 

  25.         $invoker(
    26. 

  26.             /**
    27. 

  27.              * Static test will cover the following cases:
    28. 

  28.              *
    29. 

  29.              * 1. /\* @noEscape \*\/ before output. Output doesn't require escaping. Test is green.
    30. 

  30.              * 2. Methods which contains "html" in their names (e.g. echo $object->{suffix}Html{postfix}() ).
    31. 

  31.              *    Data is ready for the HTML output. Test is green.
    32. 

  32.              * 3. AbstractBlock methods escapeHtml, escapeUrl, escapeQuote, escapeXssInUrl are allowed. Test is green.
    33. 

  33.              * 4. Type casting and php function count() are allowed
    34. 

  34.              *    (e.g. echo (int)$var, echo (float)$var, echo (bool)$var, echo count($var)). Test is green.
    35. 

  35.              * 5. Output in single quotes (e.g. echo 'some text'). Test is green.
    36. 

  36.              * 6. Output in double quotes without variables (e.g. echo "some text"). Test is green.
    37. 

  37.              * 7. Other of p.1-6. Output is not escaped. Test is red.
    38. 

  38.              *
    39. 

  39.              * @param string $file
    40. 

  40.              */
    41. 

  41.             function ($file) use ($xssOutputValidator) {
    42. 

  42.                 $lines = $xssOutputValidator->getLinesWithXssSensitiveOutput($file);
    43. 

  43.                 $this->assertEmpty(
    44. 

  44.                     $lines,
    45. 

  45.                     "Potentially XSS vulnerability. " .
    46. 

  46.                     "Please verify that output is escaped at lines " . $lines
    47. 

  47.                 );
    48. 

  48.             },
    49. 

  49.             Files::init()->getPhtmlFiles()
    50. 

  50.         );
    51. 

  51.     }
    52. 

  52. 

  53.     /**
    54. 

  54.      * @return void
    55. 

  55.      */
    56. 

  56.     public function testAbsenceOfEscapeNotVerifiedAnnotationInRefinedModules()
    57. 

  57.     {
    58. 

  58.         $componentRegistrar = new ComponentRegistrar();
    59. 

  59.         $exemptModules = [];
    60. 

  60.         foreach (array_diff(scandir(__DIR__ . '/_files/whitelist/exempt_modules'), ['..', '.']) as $file) {
    61. 

  61.             $exemptModules = array_merge(
    62. 

  62.                 $exemptModules,
    63. 

  63.                 include(__DIR__ . '/_files/whitelist/exempt_modules/' . $file)
    64. 

  64.             );
    65. 

  65.         }
    66. 

  66. 

  67.         $result = "";
    68. 

  68.         foreach ($componentRegistrar->getPaths(ComponentRegistrar::MODULE) as $moduleName => $modulePath) {
    69. 

  69.             if (in_array($moduleName, $exemptModules)) {
    70. 

  70.                 continue;
    71. 

  71.             }
    72. 

  72.             foreach (Files::init()->getFiles([$modulePath], '*.phtml') as $file) {
    73. 

  73.                 $fileContents = file_get_contents($file);
    74. 

  74.                 $pattern = "/\\/* @escapeNotVerified \\*\\/ echo (?!__).+/";
    75. 

  75.                 $instances = preg_grep($pattern, explode("\n", $fileContents));
    76. 

  76.                 if (!empty($instances)) {
    77. 

  77.                     foreach (array_keys($instances) as $line) {
    78. 

  78.                         $result .= $file . ':' . ($line + 1) . "\n";
    79. 

  79.                     }
    80. 

  80.                 }
    81. 

  81.             }
    82. 

  82.         }
    83. 

  83.         $this->assertEmpty(
    84. 

  84.             $result,
    85. 

  85.             "@escapeNotVerified annotation detected.\n" .
    86. 

  86.             "Please use the correct escape strategy and remove annotation at:\n" . $result
    87. 

  87.         );
    88. 

  88.     }
    89. 

  89. }
    90.