Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/Policy_test.js | 29 | ||||
-rw-r--r-- | src/test/Test.js | 43 | ||||
-rw-r--r-- | src/test/XSS_test.js | 16 | ||||
-rw-r--r-- | src/test/run.js | 8 |
4 files changed, 96 insertions, 0 deletions
diff --git a/src/test/Policy_test.js b/src/test/Policy_test.js
new file mode 100644
index 0000000..f658379
--- /dev/null
+++ b/src/test/Policy_test.js
@@ -0,0 +1,29 @@
+{
+ let p1 = new Policy();
+ p1.set("noscript.net", new Permissions(["script"], true));
+ p1.set("https://noscript.net", new Permissions(["script", "object"]));
+ p1.set("maone.net", p1.TRUSTED.tempTwin);
+ p1.set(Sites.secureDomainKey("secure.informaction.com"), p1.TRUSTED);
+ p1.set("https://flashgot.net", p1.TRUSTED);
+ p1.set("http://flashgot.net", p1.UNTRUSTED);
+ p1.set("perchè.com", p1.TRUSTED);
+ let p2 = new Policy(p1.dry());
+ debug("p1", JSON.stringify(p1.dry()));
+ debug("p2", JSON.stringify(p2.dry()));
+
+ for(let t of [
+ () => p2.can("https://noscript.net"),
+ () => !p2.can("http://noscript.net"),
+ () => p2.can("https://noscript.net", "object"),
+ () => p1.snapshot !== p2.snapshot,
+ () => JSON.stringify(p1.dry()) === JSON.stringify(p2.dry()),
+ () => p1.can("http://perchè.com/test") /* IDN encoding */,
+ () => Sites.toExternal(new URL("https://perché.com/test")) ===
+ "https://perché.com/test" /* IDN decoding */,
+ () => !p1.can("http://secure.informaction.com"),
+ () => p1.can("https://secure.informaction.com"),
+ () => p1.can("https://www.secure.informaction.com"),
+ ]) Test.run(t);
+
+ Test.report();
+}
diff --git a/src/test/Test.js b/src/test/Test.js
new file mode 100644
index 0000000..8ca2ed7
--- /dev/null
+++ b/src/test/Test.js 
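Review bot: `Test.report()` at the end of this block runs before any `Test.run(t)` from the loop above it has recorded a result, because `run` is `async` and only increments `passed`/`failed` after `await test()` yields, so the summary is printed with zero totals and the outcome of these cases is effectively lost. The XSS_test.js hunk in the same commit already uses the working shape; mirroring it here means `Promise.all([` in place of `for(let t of [`, `].map(t => Test.run(t))).then(() => Test.report());` in place of `]) Test.run(t);`, and dropping the trailing `Test.report();`. The two `/* IDN encoding */` and `/* IDN decoding */` markers are the only documentation of intent in the list; the `secure.informaction.com` trio would benefit from a similar one-liner, e.g. `/* secureDomainKey: https-only, subdomains included */`, since that is what the three cases together assert.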
@@ -0,0 +1,43 @@
+var Test = (() => {
+ 'use strict';
+ return {
+ passed: 0,
+ failed: 0,
+ async include(tests) {
+ for(let test of tests) {
+ let src = `/test/${test}_test.js`;
+ log(`Testing ${test}`);
+ this.passed = this.failed = 0;
+ try {
+ await include(src);
+ } catch (e) {
+ // we might omit some tests in publicly available code for Security
+ // reasons, e.g. XSS_test.js
+ log("Missing test ", test);
+ continue;
+ }
+ }
+ },
+ async run(test, msg = "", callback = null) {
+ let r = false;
+ try {
+ r = await test();
+ } catch(e) {
+ error(e);
+ }
+ this[r ? "passed" : "failed"]++;
+ log(`${r ? "PASSED" : "FAILED"} ${msg || uneval(test)}`);
+ if (typeof callback === "function") try {
+ callback(r, test, msg);
+ } catch(e) {
+ error(e);
+ }
+ },
+
+ report() {
+ let {passed, failed} = this;
+ log(`FAILED: ${failed}, PASSED: ${passed}, TOTAL ${passed + failed}.`);
+ }
+ };
+
+})();
diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js
new file mode 100644
index 0000000..99cbb3d
--- /dev/null
+++ b/src/test/XSS_test.js 
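Review bot: The `catch (e)` in `include` treats every exception from `include(src)` as a missing file and discards `e`, so a syntax error or a throw during setup in a test file that does exist is reported as "Missing test" with no trace of the cause, which is exactly the failure mode a test runner must not hide. At minimum pass the error through, `log("Missing test ", test, e);`, and if `include()` (defined outside this diff) raises a distinguishable error for a 404-style miss, only that case should be swallowed while anything else goes to `error(e)`. Two further points, hedged because `include()` is not visible here: the counters are zeroed at the top of each iteration, but `run` increments them asynchronously and nothing in `include` waits for a file's `Test.run` calls to settle, so results from one file may be reset by or attributed to the next; and `uneval(test)` in `run` is a non-standard function, where `test.toString()` yields the arrow's source text portably.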
@@ -0,0 +1,16 @@
+{
+ let y = async (url, originUrl = '') => await XSS.maybe({originUrl, url, method: "GET"});
+ let n = async (...args) => !await y(...args);
+ Promise.all([
+ () => y("https://noscript.net/<script"),
+ () => n("https://noscript.net/<script", "https://noscript.net/"),
+ () => y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3Ejavascrip%3Cx%3Et:alert(%3Cx%3E1)%3C/p%3E%3Cmath%3E%3Ca%20href=%22%23*/=x.innerText,a%22%20xml:base=javascript:location/*%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23%250ax.innerText%20xml:base=javascript:%3C!--%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Cp%20id=x%3E%26lt%3Bsv%3Cx%3Eg%20o%3Cx%3Enload=alert(%3Cx%3E1)%3E%3C/p%3E%3Cmath%3E%3Ca%20href=%23*/x.innerText%20xml:base=%01javascript:/*%3EClick%20HERE"),
+ () => y("https://vulnerabledoma.in/char_test?body=%3Ca%20href=javascript%26colo%u0000n%3balert%281%u0029%3ECLICK"),
+ () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"),
+ () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"),
+ ].map(t => Test.run(t))
+ ).then(() => Test.report());
+}
diff --git a/src/test/run.js b/src/test/run.js
new file mode 100644
index 0000000..4325a40
--- /dev/null
+++ b/src/test/run.js
@@ -0,0 +1,8 @@
+(async () => {
+ await include("/test/Test.js");
+ Test.include([
+ "Policy",
+ "XSS",
+ "embargoed/XSS",
+ ]);
+})(); |
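Review bot: The helpers `y` and `n` carry the whole meaning of the list — each case asserts that `XSS.maybe()` does or does not flag the request — but nothing names that, and every `Test.run(t)` is called without its `msg` argument, so per `Test.run` a failure is logged only as the arrow's source text, i.e. the raw URL, which is hard to read in a report. A one-line comment above the helpers, `// y: XSS.maybe() must flag the request; n: it must not`, and names such as `expectFlagged`/`expectClean` (or a `msg` per case, e.g. `Test.run(t, "same-origin request is not flagged")`) would make the output self-explaining. The second case is the only one that passes an `originUrl` matching the target origin, which is presumably the same-origin exemption being asserted, and that intent deserves to be stated next to it since the other cases fall back to the empty-string default.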
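Review bot: `Test.include([...])` returns a promise that the async IIFE neither awaits nor handles, so the IIFE settles before any test file is loaded and a rejection from it surfaces only as an unhandled rejection; `await Test.include([` keeps the failure inside the function and lets a caller observe completion. The `"embargoed/XSS"` entry resolves to `/test/embargoed/XSS_test.js` under `Test.include`, and its absence in public builds appears to rely on the catch there, which is worth a short comment on that line, e.g. `// not shipped in public builds; Test.include logs it as missing`.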