CSRF more tests

michalsn · michalsn · commit 198c2648c07f · 2019-09-27T21:40:41.000+02:00
diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -62,7 +62,7 @@ public function testCSRFVerifySetsCookieWhenNotPOST()
 
 	//--------------------------------------------------------------------
 
-	public function testCSRFVerifyThrowsExceptionOnNoMatch()
+	public function testCSRFVerifyPostThrowsExceptionOnNoMatch()
 	{
 		$security = new MockSecurity(new MockAppConfig());
 		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
@@ -79,19 +79,99 @@ public function testCSRFVerifyThrowsExceptionOnNoMatch()
 
 	//--------------------------------------------------------------------
 
-	public function testCSRFVerifyReturnsSelfOnMatch()
+	public function testCSRFVerifyPostReturnsSelfOnMatch()
 	{
 		$security = new MockSecurity(new MockAppConfig());
 		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
 
 		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_POST['foo']              = 'bar';
 		$_POST['csrf_test_name']   = '8b9218a55906f9dcc1dc263dce7f005a';
 		$_COOKIE                   = [
 			'csrf_cookie_name' => '8b9218a55906f9dcc1dc263dce7f005a',
 		];
 
 		$this->assertInstanceOf('CodeIgniter\Security\Security', $security->CSRFVerify($request));
 		$this->assertLogged('info', 'CSRF token verified');
+
+		$this->assertTrue(count($_POST) === 1);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testCSRFVerifyHeaderThrowsExceptionOnNoMatch()
+	{
+		$security = new MockSecurity(new MockAppConfig());
+		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
+
+		$request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_COOKIE                   = [
+			'csrf_cookie_name' => '8b9218a55906f9dcc1dc263dce7f005b',
+		];
+
+		$this->expectException(SecurityException::class);
+		$security->CSRFVerify($request);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testCSRFVerifyHeaderReturnsSelfOnMatch()
+	{
+		$security = new MockSecurity(new MockAppConfig());
+		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
+
+		$request->setHeader('X-CSRF-TOKEN', '8b9218a55906f9dcc1dc263dce7f005a');
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_POST['foo']              = 'bar';
+		$_COOKIE                   = [
+			'csrf_cookie_name' => '8b9218a55906f9dcc1dc263dce7f005a',
+		];
+
+		$this->assertInstanceOf('CodeIgniter\Security\Security', $security->CSRFVerify($request));
+		$this->assertLogged('info', 'CSRF token verified');
+
+		$this->assertTrue(count($_POST) === 1);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testCSRFVerifyJsonThrowsExceptionOnNoMatch()
+	{
+		$security = new MockSecurity(new MockAppConfig());
+		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
+
+		$request->setBody('{"csrf_test_name":"8b9218a55906f9dcc1dc263dce7f005a"}');
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_COOKIE                   = [
+			'csrf_cookie_name' => '8b9218a55906f9dcc1dc263dce7f005b',
+		];
+
+		$this->expectException(SecurityException::class);
+		$security->CSRFVerify($request);
+	}
+
+	//--------------------------------------------------------------------
+
+	public function testCSRFVerifyJsonReturnsSelfOnMatch()
+	{
+		$security = new MockSecurity(new MockAppConfig());
+		$request  = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
+
+		$request->setBody('{"csrf_test_name":"8b9218a55906f9dcc1dc263dce7f005a","foo":"bar"}');
+
+		$_SERVER['REQUEST_METHOD'] = 'POST';
+		$_COOKIE                   = [
+			'csrf_cookie_name' => '8b9218a55906f9dcc1dc263dce7f005a',
+		];
+
+		$this->assertInstanceOf('CodeIgniter\Security\Security', $security->CSRFVerify($request));
+		$this->assertLogged('info', 'CSRF token verified');
+
+		$this->assertTrue($request->getBody() === '{"foo":"bar"}');
 	}
 
 	//--------------------------------------------------------------------
