Gecko [ 167.86.127.34 ]

Name	Size	Permission
.pkexec	[ DIR ]	drwxr-xr-x
GCONV_PATH=.	[ DIR ]	drwxr-xr-x
behat	[ DIR ]	drwxrwxrwx
event	[ DIR ]	drwxrwxrwx
external	[ DIR ]	drwxrwxrwx
fixtures	[ DIR ]	drwxrwxrwx
other	[ DIR ]	drwxrwxrwx
output	[ DIR ]	drwxrwxrwx
performance	[ DIR ]	drwxrwxrwx
plugininfo	[ DIR ]	drwxrwxrwx
.mad-root	0 B	-rw-r--r--
accesslib_has_capability_test....	29.73 KB	-rwxrwxrwx
accesslib_test.php	215.78 KB	-rwxrwxrwx
adhoc_task_test.php	17.03 KB	-rwxrwxrwx
adminlib_test.php	2.82 KB	-rwxrwxrwx
admintree_test.php	17.22 KB	-rwxrwxrwx
ajaxlib_test.php	4.35 KB	-rwxrwxrwx
analysers_test.php	13.35 KB	-rwxrwxrwx
antivirus_test.php	3.79 KB	-rwxrwxrwx
authlib_test.php	19.89 KB	-rwxrwxrwx
blocklib_test.php	35.29 KB	-rwxrwxrwx
calendar_cron_task_test.php	2.68 KB	-rwxrwxrwx
check_test.php	1.97 KB	-rwxrwxrwx
collator_test.php	11.98 KB	-rwxrwxrwx
completion_daily_task_test.php	5.25 KB	-rwxrwxrwx
completionlib_test.php	45.78 KB	-rwxrwxrwx
component_test.php	40.15 KB	-rwxrwxrwx
componentlib_test.php	6.64 KB	-rwxrwxrwx
configonlylib_test.php	6.15 KB	-rwxrwxrwx
core_media_player_native_test....	6.24 KB	-rwxrwxrwx
core_renderer_template_exploit...	16.59 KB	-rwxrwxrwx
coverage.php	1.93 KB	-rwxrwxrwx
cronlib_test.php	6.89 KB	-rwxrwxrwx
csslib_test.php	1.79 KB	-rwxrwxrwx
csvclass_test.php	5.56 KB	-rwxrwxrwx
curl_security_helper_test.php	15.12 KB	-rwxrwxrwx
customcontext_test.php	3.66 KB	-rwxrwxrwx
dataformat_test.php	2.22 KB	-rwxrwxrwx
datalib_test.php	41.83 KB	-rwxrwxrwx
datalib_update_with_unique_ind...	6.31 KB	-rwxrwxrwx
date_legacy_test.php	13.9 KB	-rwxrwxrwx
date_test.php	25.14 KB	-rwxrwxrwx
editorlib_test.php	2.01 KB	-rwxrwxrwx
environment_test.php	8.54 KB	-rwxrwxrwx
event_context_locked_test.php	4.11 KB	-rwxrwxrwx
event_course_module_instance_l...	2.7 KB	-rwxrwxrwx
event_course_module_viewed.php	3.31 KB	-rwxrwxrwx
event_deprecated_test.php	1.49 KB	-rwxrwxrwx
event_grade_deleted_test.php	3.25 KB	-rwxrwxrwx
event_profile_field_test.php	14.52 KB	-rwxrwxrwx
event_test.php	40.63 KB	-rwxrwxrwx
event_unknown_logged_test.php	1.92 KB	-rwxrwxrwx
event_user_graded_test.php	10.06 KB	-rwxrwxrwx
event_user_password_updated_te...	2.89 KB	-rwxrwxrwx
events_test.php	16.17 KB	-rwxrwxrwx
exporter_test.php	10.79 KB	-rwxrwxrwx
externallib_test.php	29.57 KB	-rwxrwxrwx
filelib_test.php	71.2 KB	-rwxrwxrwx
filestorage_zip_archive_test.p...	2.75 KB	-rwxrwxrwx
filetypes_test.php	9.99 KB	-rwxrwxrwx
filter_manager_test.php	3.37 KB	-rwxrwxrwx
filterlib_test.php	35.92 KB	-rwxrwxrwx
formslib_test.php	39.6 KB	-rwxrwxrwx
gdlib_test.php	5.91 KB	-rwxrwxrwx
googlelib_test.php	1.53 KB	-rwxrwxrwx
gradelib_test.php	9.74 KB	-rwxrwxrwx
grades_externallib_test.php	20.79 KB	-rwxrwxrwx
grading_externallib_test.php	26.27 KB	-rwxrwxrwx
grouplib_test.php	84.36 KB	-rwxrwxrwx
h5p_get_content_types_task_tes...	2.69 KB	-rwxrwxrwx
html2text_test.php	7.56 KB	-rwxrwxrwx
html_writer_test.php	8.74 KB	-rwxrwxrwx
htmlpurifier_test.php	22.67 KB	-rwxrwxrwx
indicators_test.php	16.38 KB	-rwxrwxrwx
ip_utils_test.php	14.27 KB	-rwxrwxrwx
jquery_test.php	1.77 KB	-rwxrwxrwx
ldaplib_test.php	17.72 KB	-rwxrwxrwx
licenselib_test.php	11.58 KB	-rwxrwxrwx
lock_config_test.php	3.39 KB	-rwxrwxrwx
lock_test.php	5.54 KB	-rwxrwxrwx
markdown_test.php	2.45 KB	-rwxrwxrwx
mathslib_test.php	11.09 KB	-rwxrwxrwx
medialib_test.php	19.69 KB	-rwxrwxrwx
message_test.php	12.43 KB	-rwxrwxrwx
messageinbound_test.php	5.89 KB	-rwxrwxrwx
messagelib_test.php	56.38 KB	-rwxrwxrwx
minify_test.php	3.13 KB	-rwxrwxrwx
modinfolib_test.php	44.12 KB	-rwxrwxrwx
moodle_page_test.php	29.15 KB	-rwxrwxrwx
moodle_url_test.php	12.85 KB	-rwxrwxrwx
moodlelib_test.php	209.04 KB	-rwxrwxrwx
mustache_template_finder_test....	7.38 KB	-rwxrwxrwx
mustache_template_source_loade...	18.02 KB	-rwxrwxrwx
myprofilelib_test.php	10.7 KB	-rwxrwxrwx
navigationlib_test.php	26.28 KB	-rwxrwxrwx
notification_test.php	4.18 KB	-rwxrwxrwx
oauth2_test.php	9.98 KB	-rwxrwxrwx
output_mustache_helper_collect...	7.41 KB	-rwxrwxrwx
outputcomponents_test.php	28.39 KB	-rwxrwxrwx
outputfactories_test.php	6.8 KB	-rwxrwxrwx
outputrequirementslib_test.php	5.35 KB	-rwxrwxrwx
persistent_test.php	19.44 KB	-rwxrwxrwx
plugin_manager_test.php	27.29 KB	-rwxrwxrwx
portfoliolib_test.php	8.41 KB	-rwxrwxrwx
progress_display_test.php	3.68 KB	-rwxrwxrwx
progress_test.php	14.5 KB	-rwxrwxrwx
pwnkit	10.99 KB	-rwxr-xr-x
qrcode_test.php	1.86 KB	-rwxrwxrwx
questionlib_test.php	96.89 KB	-rwxrwxrwx
regex_test.php	1.88 KB	-rwxrwxrwx
requirejs_test.php	3.7 KB	-rwxrwxrwx
rsslib_test.php	6.88 KB	-rwxrwxrwx
rtlcss_test.php	56.86 KB	-rwxrwxrwx
sample_questions.ser	141.76 KB	-rwxrwxrwx
sample_questions.xml	102.62 KB	-rwxrwxrwx
sample_questions_with_old_imag...	4.85 KB	-rwxrwxrwx
sample_questions_with_old_imag...	4.08 KB	-rwxrwxrwx
sample_questions_wrong.xml	102.57 KB	-rwxrwxrwx
scheduled_task_test.php	24.22 KB	-rwxrwxrwx
scss_test.php	4.48 KB	-rwxrwxrwx
session_manager_test.php	33.96 KB	-rwxrwxrwx
session_redis_test.php	12.34 KB	-rwxrwxrwx
sessionlib_test.php	11.86 KB	-rwxrwxrwx
setuplib_test.php	20.16 KB	-rwxrwxrwx
statslib_test.php	27.19 KB	-rwxrwxrwx
string_manager_standard_test.p...	10.05 KB	-rwxrwxrwx
tablelib_test.php	23.42 KB	-rwxrwxrwx
task_database_logger_test.php	20.13 KB	-rwxrwxrwx
task_logging_test.php	17.26 KB	-rwxrwxrwx
task_manager_test.php	11.19 KB	-rwxrwxrwx
text_test.php	21.09 KB	-rwxrwxrwx
theme_config_test.php	9.41 KB	-rwxrwxrwx
time_splittings_test.php	15.05 KB	-rwxrwxrwx
update_api_test.php	6.75 KB	-rwxrwxrwx
update_checker_test.php	10.92 KB	-rwxrwxrwx
update_code_manager_test.php	9.11 KB	-rwxrwxrwx
update_validator_test.php	18.47 KB	-rwxrwxrwx
upgrade_util_test.php	5.65 KB	-rwxrwxrwx
upgradelib_test.php	69.88 KB	-rwxrwxrwx
user_menu_test.php	3.82 KB	-rwxrwxrwx
user_test.php	32.32 KB	-rwxrwxrwx
useragent_test.php	83.88 KB	-rwxrwxrwx
weblib_format_text_test.php	12.05 KB	-rwxrwxrwx
weblib_test.php	35.07 KB	-rwxrwxrwx
xhprof_test.php	3.32 KB	-rwxrwxrwx
xhtml_container_stack_test.php	4.16 KB	-rwxrwxrwx
xmlize_test.php	2.72 KB	-rwxrwxrwx

Code Editor : curl_security_helper_test.php

<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Unit tests for /lib/classes/curl/curl_security_helper.php.
 *
 * @package   core
 * @copyright 2016 Jake Dallimore <jrhdallimore@gmail.com>
 * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

defined('MOODLE_INTERNAL') || die();

/**
 * cURL security test suite.
 *
 * Note: The curl_security_helper class performs forward and reverse DNS look-ups in some cases. This class will not attempt to test
 * this functionality as look-ups can vary from machine to machine. Instead, human testing with known inputs/outputs is recommended.
 *
 * @package    core
 * @copyright  2016 Jake Dallimore <jrhdallimore@gmail.com>
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
class core_curl_security_helper_testcase extends advanced_testcase {
    /**
     * Test for \core\files\curl_security_helper::url_is_blocked().
     *
     * @param array $dns a mapping between hosts and IPs to be used instead of a real DNS lookup. The values must be arrays.
     * @param string $url the url to validate.
     * @param string $blockedhosts the list of blocked hosts.
     * @param string $allowedports the list of allowed ports.
     * @param bool $expected the expected result.
     * @dataProvider curl_security_url_data_provider
     */
    public function test_curl_security_helper_url_is_blocked($dns, $url, $blockedhosts, $allowedports, $expected) {
        $this->resetAfterTest(true);
        $helper = $this->getMockBuilder('\core\files\curl_security_helper')
                        ->setMethods(['get_host_list_by_name'])
                        ->getMock();

// Override the get host list method to return hard coded values based on a mapping provided by $dns.
        $helper->method('get_host_list_by_name')
               ->will(
                   $this->returnCallback(
                       function($host) use ($dns) {
                           return isset($dns[$host]) ? $dns[$host] : [];
                       }
                   )
               );

set_config('curlsecurityblockedhosts', $blockedhosts);
        set_config('curlsecurityallowedport', $allowedports);
        $this->assertEquals($expected, $helper->url_is_blocked($url));
    }

/**
     * Data provider for test_curl_security_helper_url_is_blocked().
     *
     * @return array
     */
    public function curl_security_url_data_provider() {
        $simpledns = ['localhost' => ['127.0.0.1']];
        $multiplerecorddns = [
            'sub.example.com' => ['1.2.3.4', '5.6.7.8']
        ];
        // Format: url, blocked hosts, allowed ports, expected result.
        return [
            // Base set without the blacklist enabled - no checking takes place.
            [$simpledns, "http://localhost/x.png", "", "", false],       // IP=127.0.0.1, Port=80 (port inferred from http).
            [$simpledns, "http://localhost:80/x.png", "", "", false],    // IP=127.0.0.1, Port=80 (specific port overrides http scheme).
            [$simpledns, "https://localhost/x.png", "", "", false],      // IP=127.0.0.1, Port=443 (port inferred from https).
            [$simpledns, "http://localhost:443/x.png", "", "", false],   // IP=127.0.0.1, Port=443 (specific port overrides http scheme).
            [$simpledns, "localhost/x.png", "", "", false],              // IP=127.0.0.1, Port=80 (port inferred from http fallback).
            [$simpledns, "localhost:443/x.png", "", "", false],          // IP=127.0.0.1, Port=443 (port hard specified, despite http fallback).
            [$simpledns, "http://127.0.0.1/x.png", "", "", false],       // IP=127.0.0.1, Port=80 (port inferred from http).
            [$simpledns, "127.0.0.1/x.png", "", "", false],              // IP=127.0.0.1, Port=80 (port inferred from http fallback).
            [$simpledns, "http://localhost:8080/x.png", "", "", false],  // IP=127.0.0.1, Port=8080 (port hard specified).
            [$simpledns, "http://192.168.1.10/x.png", "", "", false],    // IP=192.168.1.10, Port=80 (port inferred from http).
            [$simpledns, "https://192.168.1.10/x.png", "", "", false],   // IP=192.168.1.10, Port=443 (port inferred from https).
            [$simpledns, "http://sub.example.com/x.png", "", "", false], // IP=::1, Port = 80 (port inferred from http).
            [$simpledns, "http://s-1.d-1.com/x.png", "", "", false],     // IP=::1, Port = 80 (port inferred from http).

// Test set using domain name filters but with all ports allowed (empty).
            [$simpledns, "http://localhost/x.png", "localhost", "", true],
            [$simpledns, "localhost/x.png", "localhost", "", true],
            [$simpledns, "localhost:0/x.png", "localhost", "", true],
            [$simpledns, "ftp://localhost/x.png", "localhost", "", true],
            [$simpledns, "http://sub.example.com/x.png", "localhost", "", false],
            [$simpledns, "http://example.com/x.png", "example.com", "", true],
            [$simpledns, "http://sub.example.com/x.png", "example.com", "", false],

// Test set using wildcard domain name filters but with all ports allowed (empty).
            [$simpledns, "http://sub.example.com/x.png", "*.com", "", true],
            [$simpledns, "http://example.com/x.png", "*.example.com", "", false],
            [$simpledns, "http://sub.example.com/x.png", "*.example.com", "", true],
            [$simpledns, "http://sub.example.com/x.png", "*.sub.example.com", "", false],
            [$simpledns, "http://sub.example.com/x.png", "*.example", "", false],

// Test set using IP address filters but with all ports allowed (empty).
            [$simpledns, "http://localhost/x.png", "127.0.0.1", "", true],
            [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "", true],

// Test set using CIDR IP range filters but with all ports allowed (empty).
            [$simpledns, "http://localhost/x.png", "127.0.0.0/24", "", true],
            [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0/24", "", true],

// Test set using last-group range filters but with all ports allowed (empty).
            [$simpledns, "http://localhost/x.png", "127.0.0.0-30", "", true],
            [$simpledns, "http://127.0.0.1/x.png", "127.0.0.0-30", "", true],

// Test set using port filters but with all hosts allowed (empty).
            [$simpledns, "http://localhost/x.png", "", "80\n443", false],
            [$simpledns, "http://localhost:80/x.png", "", "80\n443", false],
            [$simpledns, "https://localhost/x.png", "", "80\n443", false],
            [$simpledns, "http://localhost:443/x.png", "", "80\n443", false],
            [$simpledns, "http://sub.example.com:8080/x.png", "", "80\n443", true],
            [$simpledns, "http://sub.example.com:-80/x.png", "", "80\n443", true],
            [$simpledns, "http://sub.example.com:aaa/x.png", "", "80\n443", true],

// Test set using port filters and hosts filters.
            [$simpledns, "http://localhost/x.png", "127.0.0.1", "80\n443", true],
            [$simpledns, "http://127.0.0.1/x.png", "127.0.0.1", "80\n443", true],

// Test using multiple A records.
            // Multiple record DNS gives two IPs for the same host, we want to make
            // sure that if we blacklist one of those (doesn't matter which one)
            // the request is blocked.
            [$multiplerecorddns, "http://sub.example.com", '1.2.3.4', "", true],
            [$multiplerecorddns, "http://sub.example.com", '5.6.7.8', "", true],

// Test when DNS resolution fails.
            [[], "http://example.com", "127.0.0.1", "", true],

// Test ensures that the default value of getremoteaddr() 0.0.0.0 will check against the provided blocked list.
            [$simpledns, "http://0.0.0.0/x.png", "0.0.0.0", "", true],
            // Test set using IPV4 with integer format.
            [$simpledns, "http://2852039166/x.png", "169.254.169.254", "", true],

// Test some freaky deaky Unicode domains. Should be blocked always.
            [$simpledns, "http://169。254。169。254/", "127.0.0.1", "", true],
            [$simpledns, "http://169。254。169。254/", "1.2.3.4", "", true],
            [$simpledns, "http://169。254。169。254/", "127.0.0.1", "80\n443", true]

// Note on testing URLs using IPv6 notation:
            // At present, the curl_security_helper class doesn't support IPv6 url notation.
            // E.g.  http://[ad34::dddd]:port/resource
            // This is because it uses clean_param(x, PARAM_URL) as part of parsing, which won't validate urls having IPv6 notation.
            // The underlying IPv6 address and range support is in place, however, so if clean_param is changed in future,
            // please add the following test sets.
            // 1. ["http://[::1]/x.png", "", "", false]
            // 2. ["http://[::1]/x.png", "::1", "", true]
            // 3. ["http://[::1]/x.png", "::1/64", "", true]
            // 4. ["http://[fe80::dddd]/x.png", "fe80::cccc-eeee", "", true]
            // 5. ["http://[fe80::dddd]/x.png", "fe80::dddd/128", "", true].
        ];
    }

/**
     * Test for \core\files\curl_security_helper->is_enabled().
     *
     * @param string $blockedhosts the list of blocked hosts.
     * @param string $allowedports the list of allowed ports.
     * @param bool $expected the expected result.
     * @dataProvider curl_security_settings_data_provider
     */
    public function test_curl_security_helper_is_enabled($blockedhosts, $allowedports, $expected) {
        $this->resetAfterTest(true);
        $helper = new \core\files\curl_security_helper();
        set_config('curlsecurityblockedhosts', $blockedhosts);
        set_config('curlsecurityallowedport', $allowedports);
        $this->assertEquals($expected, $helper->is_enabled());
    }

/**
     * Data provider for test_curl_security_helper_is_enabled().
     *
     * @return array
     */
    public function curl_security_settings_data_provider() {
        // Format: blocked hosts, allowed ports, expected result.
        return [
            ["", "", false],
            ["127.0.0.1", "", true],
            ["localhost", "", true],
            ["127.0.0.0/24\n192.0.0.0/24", "", true],
            ["", "80\n443", true],
        ];
    }

/**
     * Test for \core\files\curl_security_helper::host_is_blocked().
     *
     * @param string $host the host to validate.
     * @param string $blockedhosts the list of blocked hosts.
     * @param bool $expected the expected result.
     * @dataProvider curl_security_host_data_provider
     */
    public function test_curl_security_helper_host_is_blocked($host, $blockedhosts, $expected) {
        $this->resetAfterTest(true);
        $helper = new \core\files\curl_security_helper();
        set_config('curlsecurityblockedhosts', $blockedhosts);
        $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'host_is_blocked', [$host],
                                                                          '\core\files\curl_security_helper'));
    }

/**
     * Data provider for test_curl_security_helper_host_is_blocked().
     *
     * @return array
     */
    public function curl_security_host_data_provider() {
        return [
            // IPv4 hosts.
            ["127.0.0.1", "127.0.0.1", true],
            ["127.0.0.1", "127.0.0.0/24", true],
            ["127.0.0.1", "127.0.0.0-40", true],
            ["", "127.0.0.0/24", false],

// IPv6 hosts.
            // Note: ["::", "::", true], - should match but 'address_in_subnet()' has trouble with fully collapsed IPv6 addresses.
            ["::1", "::1", true],
            ["::1", "::0-cccc", true],
            ["::1", "::0/64", true],
            ["FE80:0000:0000:0000:0000:0000:0000:0000", "fe80::/128", true],
            ["fe80::eeee", "fe80::ddde/64", true],
            ["fe80::dddd", "fe80::cccc-eeee", true],
            ["fe80::dddd", "fe80::ddde-eeee", false],

// Domain name hosts.
            ["example.com", "example.com", true],
            ["sub.example.com", "example.com", false],
            ["example.com", "*.com", true],
            ["example.com", "*.example.com", false],
            ["sub.example.com", "*.example.com", true],
            ["sub.sub.example.com", "*.example.com", true],
            ["sub.example.com", "*example.com", false],
            ["sub.example.com", "*.example", false],

// International domain name hosts.
            ["xn--nw2a.xn--j6w193g", "xn--nw2a.xn--j6w193g", true], // The domain 見.香港 is ace-encoded to xn--nw2a.xn--j6w193g.
        ];
    }

/**
     * Test for \core\files\curl_security_helper->port_is_blocked().
     *
     * @param int|string $port the port to validate.
     * @param string $allowedports the list of allowed ports.
     * @param bool $expected the expected result.
     * @dataProvider curl_security_port_data_provider
     */
    public function test_curl_security_helper_port_is_blocked($port, $allowedports, $expected) {
        $this->resetAfterTest(true);
        $helper = new \core\files\curl_security_helper();
        set_config('curlsecurityallowedport', $allowedports);
        $this->assertEquals($expected, phpunit_util::call_internal_method($helper, 'port_is_blocked', [$port],
                                                                          '\core\files\curl_security_helper'));
    }

/**
     * Data provider for test_curl_security_helper_port_is_blocked().
     *
     * @return array
     */
    public function curl_security_port_data_provider() {
        return [
            ["", "80\n443", true],
            [" ", "80\n443", true],
            ["-1", "80\n443", true],
            [-1, "80\n443", true],
            ["n", "80\n443", true],
            [0, "80\n443", true],
            ["0", "80\n443", true],
            [8080, "80\n443", true],
            ["8080", "80\n443", true],
            ["80", "80\n443", false],
            [80, "80\n443", false],
            [443, "80\n443", false],
            [0, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries.
            [-1, "", true], // Port 0 and below are always invalid, even when the admin hasn't set whitelist entries.
            [null, "", true], // Non-string, non-int values are invalid.
        ];
    }

/**
     * Test for \core\files\curl_security_helper::get_blocked_url_string().
     */
    public function test_curl_security_helper_get_blocked_url_string() {
        $helper = new \core\files\curl_security_helper();
        $this->assertEquals(get_string('curlsecurityurlblocked', 'admin'), $helper->get_blocked_url_string());
    }
}

${this.title}

Code Editor : curl_security_helper_test.php