Home Explore Help
Sign In
LBP
/
FressRSS
mirror of https://github.com/FreshRSS/FreshRSS.git
4
0
Fork 0
Files Issues 0 Wiki
Tree: 6b5304b825
Branches Tags
FressRSS
/
tests
/
app
/
Models
/
UserDAOTest.php

UserDAOTest.php 2.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778 
  1. <?php
    2. 

  2. declare(strict_types=1);
    3. 

  3. 

  4. use PHPUnit\Framework\Attributes\DataProvider;
    5. 

  5. use PHPUnit\Framework\TestCase;
    6. 

  6. 

  7. class UserDAOTest extends TestCase {
    8. 

  8. 

  9. 	#[DataProvider('pathTraversalPayloadsProvider')]
    10. 

  10. 	public function testExistsRejectsPathTraversal(string $payload): void {
    11. 

  11. 		self::assertFalse(FreshRSS_UserDAO::exists($payload));
    12. 

  12. 	}
    13. 

  13. 

  14. 	#[DataProvider('pathTraversalPayloadsProvider')]
    15. 

  15. 	public function testMtimeRejectsPathTraversal(string $payload): void {
    16. 

  16. 		self::assertSame(0, FreshRSS_UserDAO::mtime($payload));
    17. 

  17. 	}
    18. 

  18. 

  19. 	#[DataProvider('pathTraversalPayloadsProvider')]
    20. 

  20. 	public function testCtimeRejectsPathTraversal(string $payload): void {
    21. 

  21. 		self::assertSame(0, FreshRSS_UserDAO::ctime($payload));
    22. 

  22. 	}
    23. 

  23. 

  24. 	/**
    25. 

  25. 	 * @return array<string,array<int,string>>
    26. 

  26. 	 */
    27. 

  27. 	public static function pathTraversalPayloadsProvider(): array {
    28. 

  28. 		return [
    29. 

  29. 			'parent directory' => ['../'],
    30. 

  30. 			'double parent directory' => ['../../'],
    31. 

  31. 			'traversal to app' => ['../../app'],
    32. 

  32. 			'traversal to etc' => ['../../../etc'],
    33. 

  33. 			'traversal with null byte' => ["../\0"],
    34. 

  34. 			'absolute path' => ['/etc/passwd'],
    35. 

  35. 			'dot only' => ['.'],
    36. 

  36. 			'double dot' => ['..'],
    37. 

  37. 			'slash in name' => ['user/config'],
    38. 

  38. 			'backslash traversal' => ['..\\..\\app'],
    39. 

  39. 			'encoded traversal' => ['%2e%2e%2f'],
    40. 

  40. 			'mixed traversal' => ['valid/../invalid'],
    41. 

  41. 			'empty string' => [''],
    42. 

  42. 		];
    43. 

  43. 	}
    44. 

  44. 

  45. 	#[DataProvider('validUsernamesProvider')]
    46. 

  46. 	public function testExistsAcceptsValidUsernames(string $username): void {
    47. 

  47. 		$result = FreshRSS_UserDAO::exists($username);
    48. 

  48. 		self::assertIsBool($result);
    49. 

  49. 	}
    50. 

  50. 

  51. 	#[DataProvider('validUsernamesProvider')]
    52. 

  52. 	public function testMtimeAcceptsValidUsernames(string $username): void {
    53. 

  53. 		$result = FreshRSS_UserDAO::mtime($username);
    54. 

  54. 		self::assertIsInt($result);
    55. 

  55. 	}
    56. 

  56. 

  57. 	#[DataProvider('validUsernamesProvider')]
    58. 

  58. 	public function testCtimeAcceptsValidUsernames(string $username): void {
    59. 

  59. 		$result = FreshRSS_UserDAO::ctime($username);
    60. 

  60. 		self::assertIsInt($result);
    61. 

  61. 	}
    62. 

  62. 

  63. 	/**
    64. 

  64. 	 * @return array<string,array<int,string>>
    65. 

  65. 	 */
    66. 

  66. 	public static function validUsernamesProvider(): array {
    67. 

  67. 		return [
    68. 

  68. 			'simple' => ['alice'],
    69. 

  69. 			'with numbers' => ['user123'],
    70. 

  70. 			'with underscore' => ['test_user'],
    71. 

  71. 			'with dot' => ['user.name'],
    72. 

  72. 			'with hyphen' => ['user-name'],
    73. 

  73. 			'with at' => ['user@domain'],
    74. 

  74. 			'single char' => ['a'],
    75. 

  75. 			'max length' => [str_repeat('a', 39)],
    76. 

  76. 		];
    77. 

  77. 	}
    78. 

  78. }
    79.