sending challenge on paste creation, adding logic to store and check it on view requests
This commit is contained in:
El RIDO
@@ -155,7 +155,7 @@ class Helper
|
||||
public static function getPastePost($version = 2, array $meta = array())
|
||||
{
|
||||
$example = self::getPaste($version, $meta);
|
||||
$example['meta'] = array('expire' => $example['meta']['expire']);
|
||||
$example['meta'] = array_merge(array('expire' => $example['meta']['expire']), $meta);
|
||||
return $example;
|
||||
}
|
||||
|
||||
|
||||
@@ -366,6 +366,30 @@ class ControllerTest extends PHPUnit_Framework_TestCase
|
||||
$this->assertEquals(1, $paste['adata'][2], 'discussion is enabled');
|
||||
}
|
||||
|
||||
/**
|
||||
* @runInSeparateProcess
|
||||
*/
|
||||
public function testCreateInvalidFormat()
|
||||
{
|
||||
$options = parse_ini_file(CONF, true);
|
||||
$options['traffic']['limit'] = 0;
|
||||
Helper::createIniFile(CONF, $options);
|
||||
$paste = Helper::getPasteJson(2, array('challenge' => '$'));
|
||||
$file = tempnam(sys_get_temp_dir(), 'FOO');
|
||||
file_put_contents($file, $paste);
|
||||
Request::setInputStream($file);
|
||||
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
|
||||
$_SERVER['REQUEST_METHOD'] = 'POST';
|
||||
$_SERVER['REMOTE_ADDR'] = '::1';
|
||||
ob_start();
|
||||
new Controller;
|
||||
$content = ob_get_contents();
|
||||
ob_end_clean();
|
||||
$response = json_decode($content, true);
|
||||
$this->assertEquals(1, $response['status'], 'outputs error status');
|
||||
$this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
|
||||
}
|
||||
|
||||
/**
|
||||
* @runInSeparateProcess
|
||||
*/
|
||||
@@ -784,6 +808,56 @@ class ControllerTest extends PHPUnit_Framework_TestCase
|
||||
$this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
|
||||
}
|
||||
|
||||
/**
|
||||
* @runInSeparateProcess
|
||||
*/
|
||||
public function testReadBurnAfterReadingWithToken()
|
||||
{
|
||||
$token = base64_encode(hash_hmac(
|
||||
'sha256', Helper::getPasteId(), random_bytes(32)
|
||||
));
|
||||
$burnPaste = Helper::getPaste(2, array('challenge' => $token));
|
||||
$burnPaste['adata'][3] = 1;
|
||||
$this->_data->create(Helper::getPasteId(), $burnPaste);
|
||||
$this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
|
||||
$_SERVER['QUERY_STRING'] = Helper::getPasteId() . '&token=' . $token;
|
||||
$_GET[Helper::getPasteId()] = '';
|
||||
$_GET['token'] = $token;
|
||||
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
|
||||
ob_start();
|
||||
new Controller;
|
||||
$content = ob_get_contents();
|
||||
ob_end_clean();
|
||||
$response = json_decode($content, true);
|
||||
$this->assertEquals(0, $response['status'], 'outputs status');
|
||||
$this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
|
||||
}
|
||||
|
||||
/**
|
||||
* @runInSeparateProcess
|
||||
*/
|
||||
public function testReadBurnAfterReadingWithIncorrectToken()
|
||||
{
|
||||
$token = base64_encode(hash_hmac(
|
||||
'sha256', Helper::getPasteId(), random_bytes(32)
|
||||
));
|
||||
$burnPaste = Helper::getPaste(2, array('challenge' => base64_encode(random_bytes(32))));
|
||||
$burnPaste['adata'][3] = 1;
|
||||
$this->_data->create(Helper::getPasteId(), $burnPaste);
|
||||
$this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
|
||||
$_SERVER['QUERY_STRING'] = Helper::getPasteId() . '&token=' . $token;
|
||||
$_GET[Helper::getPasteId()] = '';
|
||||
$_GET['token'] = $token;
|
||||
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
|
||||
ob_start();
|
||||
new Controller;
|
||||
$content = ob_get_contents();
|
||||
ob_end_clean();
|
||||
$response = json_decode($content, true);
|
||||
$this->assertEquals(1, $response['status'], 'outputs status');
|
||||
$this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste not deleted');
|
||||
}
|
||||
|
||||
/**
|
||||
* @runInSeparateProcess
|
||||
*/
|
||||
|
||||
@@ -21,6 +21,10 @@ class FormatV2Test extends PHPUnit_Framework_TestCase
|
||||
$paste['ct'] = '$';
|
||||
$this->assertFalse(FormatV2::isValid($paste), 'invalid base64 encoding of ct');
|
||||
|
||||
$paste = Helper::getPastePost();
|
||||
$paste['meta']['challenge'] = '$';
|
||||
$this->assertFalse(FormatV2::isValid($paste), 'invalid base64 encoding of ct');
|
||||
|
||||
$paste = Helper::getPastePost();
|
||||
$paste['ct'] = 'bm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhbm9kYXRhCg==';
|
||||
$this->assertFalse(FormatV2::isValid($paste), 'low ct entropy');
|
||||
|
||||
@@ -268,10 +268,48 @@ class ModelTest extends PHPUnit_Framework_TestCase
|
||||
$paste->setData($pasteData);
|
||||
$paste->store();
|
||||
|
||||
$paste = $paste->get();
|
||||
$paste = $this->_model->getPaste(Helper::getPasteId())->get();
|
||||
$this->assertEquals((float) 300, (float) $paste['meta']['time_to_live'], 'remaining time is set correctly', 1.0);
|
||||
}
|
||||
|
||||
public function testToken()
|
||||
{
|
||||
$pasteData = Helper::getPastePost();
|
||||
$pasteData['meta']['challenge'] = base64_encode(random_bytes(32));
|
||||
$token = hash_hmac(
|
||||
'sha256', Helper::getPasteId(), base64_decode($pasteData['meta']['challenge'])
|
||||
);
|
||||
$this->_model->getPaste(Helper::getPasteId())->delete();
|
||||
$paste = $this->_model->getPaste(Helper::getPasteId());
|
||||
$this->assertFalse($paste->exists(), 'paste does not yet exist');
|
||||
|
||||
$paste = $this->_model->getPaste();
|
||||
$paste->setData($pasteData);
|
||||
$paste->store();
|
||||
|
||||
$paste = $this->_model->getPaste(Helper::getPasteId());
|
||||
$this->assertTrue(
|
||||
$paste->isTokenCorrect($token),
|
||||
'token is accepted after store and retrieval'
|
||||
);
|
||||
}
|
||||
|
||||
public function testDeleteToken()
|
||||
{
|
||||
$pasteData = Helper::getPastePost();
|
||||
$this->_model->getPaste(Helper::getPasteId())->delete();
|
||||
$paste = $this->_model->getPaste(Helper::getPasteId());
|
||||
$this->assertFalse($paste->exists(), 'paste does not yet exist');
|
||||
|
||||
$paste = $this->_model->getPaste();
|
||||
$paste->setData($pasteData);
|
||||
$paste->store();
|
||||
$deletetoken = $paste->getDeleteToken();
|
||||
|
||||
$paste = $this->_model->getPaste(Helper::getPasteId());
|
||||
$this->assertTrue($paste->isDeleteTokenCorrect($deletetoken), 'delete token is accepted after store and retrieval');
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException Exception
|
||||
* @expectedExceptionCode 64
|
||||
@@ -287,6 +325,20 @@ class ModelTest extends PHPUnit_Framework_TestCase
|
||||
$paste->getComment(Helper::getPasteId())->delete();
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException Exception
|
||||
* @expectedExceptionCode 75
|
||||
*/
|
||||
public function testInvalidFormat()
|
||||
{
|
||||
$pasteData = Helper::getPastePost();
|
||||
$pasteData['adata'][1] = 'foo';
|
||||
$this->_model->getPaste(Helper::getPasteId())->delete();
|
||||
|
||||
$paste = $this->_model->getPaste();
|
||||
$paste->setData($pasteData);
|
||||
}
|
||||
|
||||
public function testPurge()
|
||||
{
|
||||
$conf = new Configuration;
|
||||
|
||||
@@ -130,6 +130,22 @@ class RequestTest extends PHPUnit_Framework_TestCase
|
||||
$this->assertEquals('read', $request->getOperation());
|
||||
}
|
||||
|
||||
public function testApiReadWithToken()
|
||||
{
|
||||
$this->reset();
|
||||
$id = $this->getRandomId();
|
||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||
$_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01';
|
||||
$_SERVER['QUERY_STRING'] = $id . '&token=foo';
|
||||
$_GET[$id] = '';
|
||||
$_GET['token'] = 'foo';
|
||||
$request = new Request;
|
||||
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
|
||||
$this->assertEquals($id, $request->getParam('pasteid'));
|
||||
$this->assertEquals('foo', $request->getParam('token'));
|
||||
$this->assertEquals('read', $request->getOperation());
|
||||
}
|
||||
|
||||
public function testApiDelete()
|
||||
{
|
||||
$this->reset();
|
||||
|
||||
Reference in New Issue
Block a user