
Commit 8831860

author
Warren Buckley
authored
2 parents f5fde0f + be587b2 commit 8831860

8 files changed

Lines changed: 2202 additions & 1934 deletions
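--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,157 @@
+using System.Collections.Specialized;
+using System.Web;
+using System.Web.Helpers;
+using Moq;
+using Newtonsoft.Json;
+using NUnit.Framework;
+using Umbraco.Core;
+using Umbraco.Tests.TestHelpers;
+using Umbraco.Web.Mvc;
+using Umbraco.Web.Security;
+
+namespace Umbraco.Tests.Security
+{
+[TestFixture]
+public class UmbracoAntiForgeryAdditionalDataProviderTests
+{
+[Test]
+public void Test_Wrapped_Non_BeginUmbracoForm()
+{
+var wrapped = Mock.Of<IAntiForgeryAdditionalDataProvider>(x => x.GetAdditionalData(It.IsAny<HttpContextBase>()) == "custom");
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(wrapped);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var data = provider.GetAdditionalData(httpContextFactory.HttpContext);
+
+Assert.IsTrue(data.DetectIsJson());
+var json = JsonConvert.DeserializeObject<UmbracoAntiForgeryAdditionalDataProvider.AdditionalData>(data);
+Assert.AreEqual(null, json.Ufprt);
+Assert.IsTrue(json.Stamp != default);
+Assert.AreEqual("custom", json.WrappedValue);
+}
+
+[Test]
+public void Null_Wrapped_Non_BeginUmbracoForm()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var data = provider.GetAdditionalData(httpContextFactory.HttpContext);
+
+Assert.IsTrue(data.DetectIsJson());
+var json = JsonConvert.DeserializeObject<UmbracoAntiForgeryAdditionalDataProvider.AdditionalData>(data);
+Assert.AreEqual(null, json.Ufprt);
+Assert.IsTrue(json.Stamp != default);
+Assert.AreEqual("default", json.WrappedValue);
+}
+
+[Test]
+public void Validate_Non_Json()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "hello");
+
+Assert.IsFalse(isValid);
+}
+
+[Test]
+public void Validate_Invalid_Json()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '0'}");
+Assert.IsFalse(isValid);
+
+isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': ''}");
+Assert.IsFalse(isValid);
+
+isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'hello': 'world'}");
+Assert.IsFalse(isValid);
+
+}
+
+[Test]
+public void Validate_No_Request_Ufprt()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+//there is a ufprt in the additional data, but not in the request
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': 'ASBVDFDFDFDF'}");
+Assert.IsFalse(isValid);
+}
+
+[Test]
+public void Validate_No_AdditionalData_Ufprt()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var requestMock = Mock.Get(httpContextFactory.HttpContext.Request);
+requestMock.SetupGet(x => x["ufprt"]).Returns("ABCDEFG");
+
+//there is a ufprt in the additional data, but not in the request
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': ''}");
+Assert.IsFalse(isValid);
+}
+
+[Test]
+public void Validate_No_AdditionalData_Or_Request_Ufprt()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+
+//there is a ufprt in the additional data, but not in the request
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': ''}");
+Assert.IsTrue(isValid);
+}
+
+[Test]
+public void Validate_Request_And_AdditionalData_Ufprt()
+{
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(null);
+
+var routeParams1 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Test")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+var routeParams2 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Test")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var requestMock = Mock.Get(httpContextFactory.HttpContext.Request);
+requestMock.SetupGet(x => x["ufprt"]).Returns(routeParams1.EncryptWithMachineKey());
+
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': '" + routeParams2.EncryptWithMachineKey() + "'}");
+Assert.IsTrue(isValid);
+
+routeParams2 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Invalid")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': '" + routeParams2.EncryptWithMachineKey() + "'}");
+Assert.IsFalse(isValid);
+}
+
+[Test]
+public void Validate_Wrapped_Request_And_AdditionalData_Ufprt()
+{
+var wrapped = Mock.Of<IAntiForgeryAdditionalDataProvider>(x => x.ValidateAdditionalData(It.IsAny<HttpContextBase>(), "custom") == true);
+var provider = new UmbracoAntiForgeryAdditionalDataProvider(wrapped);
+
+var routeParams1 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Test")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+var routeParams2 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Test")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+
+var httpContextFactory = new FakeHttpContextFactory("/hello/world");
+var requestMock = Mock.Get(httpContextFactory.HttpContext.Request);
+requestMock.SetupGet(x => x["ufprt"]).Returns(routeParams1.EncryptWithMachineKey());
+
+var isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': '" + routeParams2.EncryptWithMachineKey() + "'}");
+Assert.IsFalse(isValid);
+
+isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'custom', 'Ufprt': '" + routeParams2.EncryptWithMachineKey() + "'}");
+Assert.IsTrue(isValid);
+
+routeParams2 = $"{RenderRouteHandler.ReservedAdditionalKeys.Controller}={HttpUtility.UrlEncode("Invalid")}&{RenderRouteHandler.ReservedAdditionalKeys.Action}={HttpUtility.UrlEncode("Index")}&{RenderRouteHandler.ReservedAdditionalKeys.Area}=Umbraco";
+isValid = provider.ValidateAdditionalData(httpContextFactory.HttpContext, "{'Stamp': '636970328040070330', 'WrappedValue': 'default', 'Ufprt': '" + routeParams2.EncryptWithMachineKey() + "'}");
+Assert.IsFalse(isValid);
+}
+}
+}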
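Review bot: The last case in `Validate_Wrapped_Request_And_AdditionalData_Ufprt` (new lines 152-154) cannot fail on the ufprt mismatch it appears to target. It sends `'WrappedValue': 'default'`, which the mock on line 136 is set up to accept only for "custom", and lines 146-147 already expect that same wrapped value to be rejected when the ufprt matches. Changing that call to use `'WrappedValue': 'custom'` would make the assertion depend on the "Invalid" controller alone, so a regression in the route comparison of this anti-forgery check would be caught even when the wrapped provider approves the token. Separately, the comment `//there is a ufprt in the additional data, but not in the request` is copied onto lines 96 and 108, where the setup differs; `//there is a ufprt in the request, but not in the additional data` and `//there is no ufprt in the additional data or in the request` would describe those tests.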
