george/PrivateBin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

introduce new zerobincompatibility option, replacing the base64 one, if it is enabled, delete tokens use sha256; added per paste salt with server salt fallback; this resolves the points 2.2 & 2.9 in #103

Browse Source
This commit is contained in:
El RIDO
2016-07-06 11:37:13 +02:00
parent 6b0b814dc6
commit 0e217a42c5
8 changed files with 87 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
tst/bootstrap.php
View File

@@ -85,6 +85,7 @@ class helper
public static function getPasteWithAttachment($meta = array())
{
$example = self::$paste;
$example['meta']['salt'] = serversalt::generate();
$example['meta'] = array_merge($example['meta'], $meta);
return $example;
}
@@ -97,6 +98,8 @@ class helper
public static function getPasteAsJson($meta = array())
{
$example = self::getPaste();
// the JSON shouldn't contain the salt
unset($example['meta']['salt']);
if (count($meta))
$example['meta'] = $meta;
$example['comments'] = array();

2
tst/configuration.php
View File

@@ -13,10 +13,10 @@ class configurationTest extends PHPUnit_Framework_TestCase
'sizelimit' => 2097152,
'template' => 'bootstrap',
'notice' => '',
'base64version' => '2.1.9',
'languageselection' => false,
'languagedefault' => '',
'urlshortener' => '',
'zerobincompatibility' => false,
),
'expire' => array(
'default' => '1week',

22
tst/jsonApi.php
View File

@@ -46,13 +46,14 @@ class jsonApiTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertStringEndsWith('?' . $response['id'], $response['url'], 'returned URL points to new paste');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertStringEndsWith('?' . $response['id'], $response['url'], 'returned URL points to new paste');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
}
/**
@@ -80,13 +81,14 @@ class jsonApiTest extends PHPUnit_Framework_TestCase
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertEquals(helper::getPasteId(), $response['id'], 'outputted paste ID matches input');
$this->assertStringEndsWith('?' . $response['id'], $response['url'], 'returned URL points to new paste');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertStringEndsWith('?' . $response['id'], $response['url'], 'returned URL points to new paste');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
}
/**
@@ -97,9 +99,10 @@ class jsonApiTest extends PHPUnit_Framework_TestCase
$this->reset();
$this->_model->create(helper::getPasteId(), helper::getPaste());
$this->assertTrue($this->_model->exists(helper::getPasteId()), 'paste exists before deleting data');
$paste = $this->_model->read(helper::getPasteId());
$file = tempnam(sys_get_temp_dir(), 'FOO');
file_put_contents($file, http_build_query(array(
'deletetoken' => hash_hmac('sha1', helper::getPasteId(), serversalt::get()),
'deletetoken' => hash_hmac('sha256', helper::getPasteId(), $paste->meta->salt),
)));
request::setInputStream($file);
$_SERVER['QUERY_STRING'] = helper::getPasteId();
@@ -121,9 +124,10 @@ class jsonApiTest extends PHPUnit_Framework_TestCase
$this->reset();
$this->_model->create(helper::getPasteId(), helper::getPaste());
$this->assertTrue($this->_model->exists(helper::getPasteId()), 'paste exists before deleting data');
$paste = $this->_model->read(helper::getPasteId());
$_POST = array(
'action' => 'delete',
'deletetoken' => hash_hmac('sha1', helper::getPasteId(), serversalt::get()),
'deletetoken' => hash_hmac('sha256', helper::getPasteId(), $paste->meta->salt),
);
$_SERVER['QUERY_STRING'] = helper::getPasteId();
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -254,4 +258,4 @@ class jsonApiTest extends PHPUnit_Framework_TestCase
$this->assertEquals('{}', $content, 'does not output nasty data');
}
}
}

65
tst/zerobin.php
View File

@@ -169,12 +169,13 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
}
/**
@@ -288,13 +289,13 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertGreaterThanOrEqual($time + 300, $paste->meta->expire_date, 'time is set correctly');
}
@@ -320,13 +321,13 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertGreaterThanOrEqual($time + 300, $paste->meta->expire_date, 'time is set correctly');
$this->assertEquals(1, $paste->meta->opendiscussion, 'discussion is enabled');
}
@@ -351,12 +352,13 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
}
/**
@@ -426,17 +428,17 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$original = json_decode(json_encode($_POST));
$stored = $this->_model->read($response['id']);
foreach (array('data', 'attachment', 'attachmentname') as $key) {
$this->assertEquals($original->$key, $stored->$key);
}
$this->assertEquals(
hash_hmac('sha256', $response['id'], $stored->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
}
/**
@@ -459,12 +461,13 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
$paste = $this->_model->read($response['id']);
$this->assertEquals(
hash_hmac('sha1', $response['id'], serversalt::get()),
hash_hmac('sha256', $response['id'], $paste->meta->salt),
$response['deletetoken'],
'outputs valid delete token'
);
$this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
}
/**
@@ -705,6 +708,7 @@ class zerobinTest extends PHPUnit_Framework_TestCase
ob_start();
new zerobin;
$content = ob_get_contents();
unset($burnPaste['meta']['salt']);
$this->assertContains(
'<div id="cipherdata" class="hidden">' .
htmlspecialchars(helper::getPasteAsJson($burnPaste['meta']), ENT_NOQUOTES) .
@@ -796,6 +800,7 @@ class zerobinTest extends PHPUnit_Framework_TestCase
new zerobin;
$content = ob_get_contents();
$oldPaste['meta']['formatter'] = 'plaintext';
unset($oldPaste['meta']['salt']);
$this->assertContains(
'<div id="cipherdata" class="hidden">' .
htmlspecialchars(helper::getPasteAsJson($oldPaste['meta']), ENT_NOQUOTES) .
@@ -813,8 +818,9 @@ class zerobinTest extends PHPUnit_Framework_TestCase
$this->reset();
$this->_model->create(helper::getPasteId(), helper::getPaste());
$this->assertTrue($this->_model->exists(helper::getPasteId()), 'paste exists before deleting data');
$paste = $this->_model->read(helper::getPasteId());
$_GET['pasteid'] = helper::getPasteId();
$_GET['deletetoken'] = hash_hmac('sha1', helper::getPasteId(), serversalt::get());
$_GET['deletetoken'] = hash_hmac('sha256', helper::getPasteId(), $paste->meta->salt);
ob_start();
new zerobin;
$content = ob_get_contents();
@@ -947,4 +953,27 @@ class zerobinTest extends PHPUnit_Framework_TestCase
);
$this->assertFalse($this->_model->exists(helper::getPasteId()), 'paste successfully deleted');
}
/**
* @runInSeparateProcess
*/
public function testDeleteMissingPerPasteSalt()
{
$this->reset();
$paste = helper::getPaste();
unset($paste['meta']['salt']);
$this->_model->create(helper::getPasteId(), $paste);
$this->assertTrue($this->_model->exists(helper::getPasteId()), 'paste exists before deleting data');
$_GET['pasteid'] = helper::getPasteId();
$_GET['deletetoken'] = hash_hmac('sha256', helper::getPasteId(), serversalt::get());
ob_start();
new zerobin;
$content = ob_get_contents();
$this->assertRegExp(
'#<div[^>]*id="status"[^>]*>.*Paste was properly deleted[^<]*</div>#s',
$content,
'outputs deleted status correctly'
);
$this->assertFalse($this->_model->exists(helper::getPasteId()), 'paste successfully deleted');
}
}