Skip to content

C
coconva2118
Switch branch/tag
Find file
Normal viewHistoryPermalink
XssPhtmlTemplateTest.php 3.45 KB
EditWeb IDE
Newer Older
Ketan's avatar
added files
f012f907
 
Ketan committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 
<?php
/**
 * Copyright © Magento, Inc. All rights reserved.
 * See COPYING.txt for license details.
 */

namespace Magento\Test\Php;

use Magento\Framework\App\Utility\Files;
use Magento\TestFramework\Utility\XssOutputValidator;
use Magento\Framework\Component\ComponentRegistrar;

/**
 * Find not escaped output in phtml templates
 */
class XssPhtmlTemplateTest extends \PHPUnit\Framework\TestCase
{
    /**
     * @return void
     */
    public function testXssSensitiveOutput()
    {
        $invoker = new \Magento\Framework\App\Utility\AggregateInvoker($this);
        $xssOutputValidator = new XssOutputValidator();
        $invoker(
            /**
             * Static test will cover the following cases:
             *
             * 1. /\* @noEscape \*\/ before output. Output doesn't require escaping. Test is green.
             * 2. Methods which contains "html" in their names (e.g. echo $object->{suffix}Html{postfix}() ).
             *    Data is ready for the HTML output. Test is green.
             * 3. AbstractBlock methods escapeHtml, escapeUrl, escapeQuote, escapeXssInUrl are allowed. Test is green.
             * 4. Type casting and php function count() are allowed
             *    (e.g. echo (int)$var, echo (float)$var, echo (bool)$var, echo count($var)). Test is green.
             * 5. Output in single quotes (e.g. echo 'some text'). Test is green.
             * 6. Output in double quotes without variables (e.g. echo "some text"). Test is green.
             * 7. Other of p.1-6. Output is not escaped. Test is red.
             *
             * @param string $file
             */
            function ($file) use ($xssOutputValidator) {
                $lines = $xssOutputValidator->getLinesWithXssSensitiveOutput($file);
                $this->assertEmpty(
                    $lines,
                    "Potentially XSS vulnerability. " .
                    "Please verify that output is escaped at lines " . $lines
                );
            },
            Files::init()->getPhtmlFiles()
        );
    }

    /**
     * @return void
     */
    public function testAbsenceOfEscapeNotVerifiedAnnotationInRefinedModules()
    {
        $componentRegistrar = new ComponentRegistrar();
        $exemptModules = [];
        foreach (array_diff(scandir(__DIR__ . '/_files/whitelist/exempt_modules'), ['..', '.']) as $file) {
            $exemptModules = array_merge(
                $exemptModules,
                include(__DIR__ . '/_files/whitelist/exempt_modules/' . $file)
            );
        }

        $result = "";
        foreach ($componentRegistrar->getPaths(ComponentRegistrar::MODULE) as $moduleName => $modulePath) {
            if (in_array($moduleName, $exemptModules)) {
                continue;
            }
            foreach (Files::init()->getFiles([$modulePath], '*.phtml') as $file) {
                $fileContents = file_get_contents($file);
                $pattern = "/\\/* @escapeNotVerified \\*\\/ echo (?!__).+/";
                $instances = preg_grep($pattern, explode("\n", $fileContents));
                if (!empty($instances)) {
                    foreach (array_keys($instances) as $line) {
                        $result .= $file . ':' . ($line + 1) . "\n";
                    }
                }
            }
        }
        $this->assertEmpty(
            $result,
            "@escapeNotVerified annotation detected.\n" .
            "Please use the correct escape strategy and remove annotation at:\n" . $result
        );
    }
}