Diffstat (limited to 'src/test')
-rw-r--r--src/test/Policy_test.js29
-rw-r--r--src/test/Test.js43
-rw-r--r--src/test/XSS_test.js16
-rw-r--r--src/test/run.js8
4 files changed, 96 insertions, 0 deletions
diff --git a/src/test/Policy_test.js b/src/test/Policy_test.js
new file mode 100644
index 0000000..f658379
--- /dev/null
+++ b/src/test/Policy_test.js
@@ -0,0 +1,29 @@
+{
+ let p1 = new Policy();
+ p1.set("noscript.net", new Permissions(["script"], true));
+ p1.set("https://noscript.net", new Permissions(["script", "object"]));
+ p1.set("maone.net", p1.TRUSTED.tempTwin);
+ p1.set(Sites.secureDomainKey("secure.informaction.com"), p1.TRUSTED);
+ p1.set("https://flashgot.net", p1.TRUSTED);
+ p1.set("http://flashgot.net", p1.UNTRUSTED);
+ p1.set("perchè.com", p1.TRUSTED);
+ let p2 = new Policy(p1.dry());
+ debug("p1", JSON.stringify(p1.dry()));
+ debug("p2", JSON.stringify(p2.dry()));
+
+ for(let t of [
+ () => p2.can("https://noscript.net"),
+ () => !p2.can("http://noscript.net"),
+ () => p2.can("https://noscript.net", "object"),
+ () => p1.snapshot !== p2.snapshot,
+ () => JSON.stringify(p1.dry()) === JSON.stringify(p2.dry()),
+ () => p1.can("http://perchè.com/test") /* IDN encoding */,
+ () => Sites.toExternal(new URL("https://perché.com/test")) ===
+ "https://perché.com/test" /* IDN decoding */,
+ () => !p1.can("http://secure.informaction.com"),
+ () => p1.can("https://secure.informaction.com"),
+ () => p1.can("https://www.secure.informaction.com"),
+ ]) Test.run(t);
+
+ Test.report();
+}
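Review bot: `Test.report()` on L46 runs before any result has been counted, because `Test.run` is declared `async` (its `await test()` defers the `passed`/`failed` increment to a microtask) and the loop on L32–L44 calls `Test.run(t)` without awaiting it, so the summary will read `FAILED: 0, PASSED: 0, TOTAL 0.` whatever the policy checks actually return; the per-test PASSED/FAILED lines still appear, but only after the summary. Mirroring the pattern used in XSS_test.js fixes it: replace `for(let t of [` with `Promise.all([`, replace L44 with `].map(t => Test.run(t))).then(() => Test.report());`, and drop the separate `Test.report();`. Since these checks guard the HTTP-vs-HTTPS and secure-domain distinctions on L41–L43, a summary that is always empty is worth fixing before anyone relies on it. The `JSON.stringify` equality on L37 also depends on key order surviving the `dry()`/`new Policy()` round trip, which the hunk does not show; a comment saying that is intentional would help.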
diff --git a/src/test/Test.js b/src/test/Test.js
new file mode 100644
index 0000000..8ca2ed7
--- /dev/null
+++ b/src/test/Test.js
@@ -0,0 +1,43 @@
+var Test = (() => {
+ 'use strict';
+ return {
+ passed: 0,
+ failed: 0,
+ async include(tests) {
+ for(let test of tests) {
+ let src = `/test/${test}_test.js`;
+ log(`Testing ${test}`);
+ this.passed = this.failed = 0;
+ try {
+ await include(src);
+ } catch (e) {
+ // we might omit some tests in publicly available code for Security
+ // reasons, e.g. XSS_test.js
+ log("Missing test ", test);
+ continue;
+ }
+ }
+ },
+ async run(test, msg = "", callback = null) {
+ let r = false;
+ try {
+ r = await test();
+ } catch(e) {
+ error(e);
+ }
+ this[r ? "passed" : "failed"]++;
+ log(`${r ? "PASSED" : "FAILED"} ${msg || uneval(test)}`);
+ if (typeof callback === "function") try {
+ callback(r, test, msg);
+ } catch(e) {
+ error(e);
+ }
+ },
+
+ report() {
+ let {passed, failed} = this;
+ log(`FAILED: ${failed}, PASSED: ${passed}, TOTAL ${passed + failed}.`);
+ }
+ };
+
+})();
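Review bot: The catch on L66–L71 swallows every exception from `include(src)` and logs it as `Missing test`, so a syntax error or a top-level throw inside a test file that does exist is indistinguishable from a deliberately embargoed one and the run continues as if nothing happened. At minimum include the error in the log, `log("Missing test ", test, e);`, or better, treat only the load failure as "missing" and rethrow anything else — though what `include` throws for a nonexistent path is not visible here. `uneval` on L82 is a non-standard Firefox-only global that has been removed from recent Firefox releases and sits outside the try/catch, so `run` would reject there instead of reporting; `test.toString()` is the portable equivalent. Note also that `include` awaits only the script load, not the asynchronous `Test.run` calls the loaded file starts, so the counter reset on L63 for the next file can race with a previous file's still-pending results and cross-contaminate the totals.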
diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js
new file mode 100644
index 0000000..99cbb3d
--- /dev/null
+++ b/src/test/XSS_test.js
@@ -0,0 +1,16 @@
+{
+ let y = async (url, originUrl = '') => await XSS.maybe({originUrl, url, method: "GET"});
+ let n = async (...args) => !await y(...args);
+ Promise.all([
+ () => y("https://noscript.net/<script"),
+ () => n("https://noscript.net/<script", "https://noscript.net/"),
+ () => y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3Ejavascrip%3Cx%3Et:alert(%3Cx%3E1)%3C/p%3E%3Cmath%3E%3Ca%20href=%22%23*/=x.innerText,a%22%20xml:base=javascript:location/*%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23%250ax.innerText%20xml:base=javascript:%3C!--%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23*/x.innerText%20xml:base=%01javascript:/*%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
+ () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
+ () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
+ ].map(t => Test.run(t))
+ ).then(() => Test.report());
+}
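Review bot: None of these vectors is documented and the `y`/`n` helpers on L104–L105 leave the expected semantics implicit: `y` asserts that `XSS.maybe` flags the request, `n` that it does not, and the pair on L107–L108 appears to check that a same-origin request is exempt. A one-line comment per group would make a future regression readable, e.g. `// same vector must be ignored when originUrl matches the target` above L108, and short notes over L109–L115 naming what each exercises (the `%80` leading byte, MathML `xml:base=javascript:`, `%u0000`/`%u0029` escapes, and the `\u{...}` escape with an embedded `%0A` newline). `y` also hard-codes `method: "GET"`, so if `XSS.maybe` inspects POST request bodies that path has no coverage here. A `.catch` on the `Promise.all(...).then(...)` chain would surface a failure inside `Test.report()` rather than leaving an unhandled rejection, although `Test.run` already catches exceptions from the individual tests.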
diff --git a/src/test/run.js b/src/test/run.js
new file mode 100644
index 0000000..4325a40
--- /dev/null
+++ b/src/test/run.js
@@ -0,0 +1,8 @@
+(async () => {
+ await include("/test/Test.js");
+ Test.include([
+ "Policy",
+ "XSS",
+ "embargoed/XSS",
+ ]);
+})();
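Review bot: `Test.include([...])` on L127 returns a promise that the async IIFE neither awaits nor handles, so the wrapper resolves before any test file is loaded and a rejection from `Test.include` surfaces only as an unhandled rejection; write `await Test.include([...]);`. The `await include("/test/Test.js")` on L126 is likewise unguarded, which is acceptable for a development harness but deserves a comment such as `// dev-only harness: expects to run inside the extension's own test page` if that is the intent.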