Initial commit starting at version 10.1.8.3rc4.

author: hackademix 2018-07-01 01:01:23 +0200
committer: hackademix 2018-07-01 01:01:23 +0200
commit: eceae7187a6f0e9510bc1165f6977256b87f490f (patch)
tree: d943f1ec73c09efa70954dcedb55eac82a726148 /src/test
download: noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.gz
noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.xz
noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.zip
4 files changed, 96 insertions, 0 deletions
diff --git a/src/test/Policy_test.js b/src/test/Policy_test.js
new file mode 100644
index 0000000..f658379
--- /dev/null
+++ b/src/test/Policy_test.js
@@ -0,0 +1,29 @@
+{
+  let p1 = new Policy();
+  p1.set("noscript.net", new Permissions(["script"], true));
+  p1.set("https://noscript.net", new Permissions(["script", "object"]));
+  p1.set("maone.net", p1.TRUSTED.tempTwin);
+  p1.set(Sites.secureDomainKey("secure.informaction.com"), p1.TRUSTED);
+  p1.set("https://flashgot.net", p1.TRUSTED);
+  p1.set("http://flashgot.net", p1.UNTRUSTED);
+  p1.set("perchè.com", p1.TRUSTED);
+  let p2 = new Policy(p1.dry());
+  debug("p1", JSON.stringify(p1.dry()));
+  debug("p2", JSON.stringify(p2.dry()));
+
+  for(let t of [
+    () => p2.can("https://noscript.net"),
+    () => !p2.can("http://noscript.net"),
+    () => p2.can("https://noscript.net", "object"),
+    () => p1.snapshot !== p2.snapshot,
+    () => JSON.stringify(p1.dry()) === JSON.stringify(p2.dry()),
+    () => p1.can("http://perchè.com/test") /* IDN encoding */,
+    () => Sites.toExternal(new URL("https://perché.com/test")) ===
+          "https://perché.com/test" /* IDN decoding */,
+    () => !p1.can("http://secure.informaction.com"),
+    () => p1.can("https://secure.informaction.com"),
+    () => p1.can("https://www.secure.informaction.com"),
+  ]) Test.run(t);
+  
+  Test.report();
+}
diff --git a/src/test/Test.js b/src/test/Test.js
new file mode 100644
index 0000000..8ca2ed7
--- /dev/null
+++ b/src/test/Test.js
@@ -0,0 +1,43 @@
+var Test = (() => {
+  'use strict';
+  return {
+    passed: 0,
+    failed: 0,
+    async include(tests) {
+      for(let test of tests) {
+        let src = `/test/${test}_test.js`;
+        log(`Testing ${test}`);
+        this.passed = this.failed = 0;
+        try {
+          await include(src);
+        } catch (e) {
+          // we might omit some tests in publicly available code for Security
+          // reasons, e.g. XSS_test.js
+          log("Missing test ", test);
+          continue;
+        }
+      }
+    },
+    async run(test, msg = "", callback = null) {
+      let r = false;
+      try {
+        r = await test();
+      } catch(e) {
+        error(e);
+      }
+      this[r ? "passed" : "failed"]++;
+      log(`${r ? "PASSED" : "FAILED"} ${msg || uneval(test)}`);
+      if (typeof callback === "function") try {
+        callback(r, test, msg);
+      } catch(e) {
+        error(e);
+      }
+    },
+
+    report() {
+      let {passed, failed} = this;
+      log(`FAILED: ${failed}, PASSED: ${passed}, TOTAL ${passed + failed}.`);
+    }
+  };
+
+})();
diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js
new file mode 100644
index 0000000..99cbb3d
--- /dev/null
+++ b/src/test/XSS_test.js
@@ -0,0 +1,16 @@
+{
+  let y = async (url, originUrl = '') => await XSS.maybe({originUrl, url, method: "GET"});
+  let n = async (...args) => !await y(...args);
+  Promise.all([
+      () => y("https://noscript.net/<script"),
+      () => n("https://noscript.net/<script", "https://noscript.net/"),
+      () => y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"),
+      () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3Ejavascrip%3Cx%3Et:alert(%3Cx%3E1)%3C/p%3E%3Cmath%3E%3Ca%20href=%22%23*/=x.innerText,a%22%20xml:base=javascript:location/*%3EClick%20HERE"),
+      () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23%250ax.innerText%20xml:base=javascript:%3C!--%3EClick%20HERE"),
+      () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23*/x.innerText%20xml:base=%01javascript:/*%3EClick%20HERE"),
+      () => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
+      () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
+      () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
+      ].map(t => Test.run(t))
+    ).then(() => Test.report());
+}
diff --git a/src/test/run.js b/src/test/run.js
new file mode 100644
index 0000000..4325a40
--- /dev/null
+++ b/src/test/run.js
@@ -0,0 +1,8 @@
+(async () => {
+  await include("/test/Test.js");
+  Test.include([
+    "Policy",
+    "XSS",
+    "embargoed/XSS",
+  ]);
+})();
author	hackademix	2018-07-01 01:01:23 +0200
committer	hackademix	2018-07-01 01:01:23 +0200
commit	eceae7187a6f0e9510bc1165f6977256b87f490f (patch)
tree	d943f1ec73c09efa70954dcedb55eac82a726148 /src/test
download	noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.gz noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.tar.xz noscript-eceae7187a6f0e9510bc1165f6977256b87f490f.zip