MaxSem has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/352238 )
Change subject: Add tests around map data sanitization
......................................................................
Add tests around map data sanitization
Change-Id: I87c95e63855fd6fb0e65d299a1337b28c768291c
---
M includes/JCMapDataContent.php
A tests/phpunit/JCMapDataContentTest.php
2 files changed, 155 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/JsonConfig
refs/changes/38/352238/1
diff --git a/includes/JCMapDataContent.php b/includes/JCMapDataContent.php
index 4eee87f..ad181ae 100644
--- a/includes/JCMapDataContent.php
+++ b/includes/JCMapDataContent.php
@@ -47,6 +47,7 @@
$ssp = new SimpleStyleParser( $wgParser );
$dummy = [ $data->data ];
$ssp->normalizeAndSanitize( $dummy );
+ $data->data = $dummy[0];
return $data;
}
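Review bot: The added write-back `$data->data = $dummy[0];` implies that before this change the element produced by `normalizeAndSanitize()` was dropped and the caller got the pre-sanitization data back, which is a behaviour fix rather than test scaffolding; the commit message only says "Add tests" and should name it. A one-line comment would spare the next reader the same puzzle, e.g. `// normalizeAndSanitize() appears to replace the array element rather than mutate it in place; copy the sanitized element back (confirm against SimpleStyleParser)`. If `normalizeAndSanitize()` also reports problems through a return value, that value is discarded on the preceding line and it is worth confirming nothing needs to be propagated into the returned status. The enclosing function starts outside the hunk, so this is read without its signature or the earlier validation steps.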
diff --git a/tests/phpunit/JCMapDataContentTest.php
b/tests/phpunit/JCMapDataContentTest.php
new file mode 100644
index 0000000..5230ab0
--- /dev/null
+++ b/tests/phpunit/JCMapDataContentTest.php
@@ -0,0 +1,154 @@
+<?php
+
+namespace JsonConfig\Tests;
+
+use Exception;
+use JsonConfig\JCMapDataContent;
+use Language;
+use MediaWikiTestCase;
+
+/**
+ * @group JsonConfig
+ * @covers JCMapDataContent
+ */
+class JCMapDataContentTest extends MediaWikiTestCase {
+ const CONTENT_STUB = '{
+ "description": {
+ "en": "[[Do not parse]]"
+ },
+ "license": "CC0-1.0",
+ "zoom": 0,
+ "latitude": 0,
+ "longitude": 0
+ }';
+
+ /**
+ * @dataProvider provideGetSafeData
+ * @param string $input
+ * @param string $expected
+ */
+ public function testGetSafeData( $input, $expected ) {
+ $data = json_decode( self::CONTENT_STUB );
+ $data->data = json_decode( $input );
+
+ $content = new JCMapDataContent( json_encode( $data ), 'some
model', true );
+ $localized = $content->getLocalizedData( Language::factory(
'en' ) );
+ $sanitized = json_encode( $content->getSafeData( $localized
)->data, JSON_PRETTY_PRINT );
+ $expected = json_encode( json_decode( $expected ),
JSON_PRETTY_PRINT );
+
+ if ( !$content->isValid() ) {
+ throw new Exception( html_entity_decode(
$content->getStatus()->getWikiText() ) );
+ }
+
+ self::assertEquals( $expected, $sanitized );
+ }
+
+ public function provideGetSafeData() {
+ return [
+ [
+ '{
+ "type": "Point",
+ "coordinates": [ 10, 20 ],
+ "properties": {
+ "title": "[[link]]",
+ "description": "<img src=x
onerror=alert(1)> \'\'\'Bold\'\'\'"
+ }
+ }',
+ '{
+ "type": "Point",
+ "coordinates": [ 10, 20 ],
+ "properties": {
+ "title": "<a
href=\"\/w\/index.php?title=Link&action=edit&redlink=1\" class=\"new\"
title=\"Link (page does not exist)\">link<\/a>",
+ "description": "<img src=x
onerror=alert(1)> <b>Bold<\/b>"
+ }
+ }',
+ ],
+ [
+ '{
+ "type": "Point",
+ "coordinates": [ 10, 20 ],
+ "properties": {
+ "title": {
+ "en": "[[link]]"
+ },
+ "description": {
+ "ru": "Unexpected",
+ "en": "<img src=x
onerror=alert(1)> \'\'\'Bold\'\'\'"
+ }
+ }
+ }',
+ '{
+ "type": "Point",
+ "coordinates": [ 10, 20 ],
+ "properties": {
+ "title": "<a
href=\"\/w\/index.php?title=Link&action=edit&redlink=1\" class=\"new\"
title=\"Link (page does not exist)\">link<\/a>",
+ "description": "<img src=x
onerror=alert(1)> <b>Bold<\/b>"
+ }
+ }',
+ ],
+ [
+ '{
+ "type": "GeometryCollection",
+ "geometries": [
+ {
+ "type": "Point",
+ "coordinates": [ 10, 20
],
+ "properties": {
+ "title":
"[[link]]",
+ "description":
"<img src=x onerror=alert(1)> \'\'\'Bold\'\'\'"
+ }
+ },
+ {
+ "type": "Point",
+ "coordinates": [ 30, 40
],
+ "properties": {
+ "title": {
+ "en":
"[[link]]"
+ },
+ "description": {
+ "ru":
"Unexpected",
+ "en":
"<img src=x onerror=alert(1)> \'\'\'Bold\'\'\'"
+ }
+ }
+ }
+ ]
+ }',
+ '{
+ "type": "GeometryCollection",
+ "geometries": [
+ {
+ "type": "Point",
+ "coordinates": [ 10, 20
],
+ "properties": {
+ "title": "<a
href=\"\/w\/index.php?title=Link&action=edit&redlink=1\" class=\"new\"
title=\"Link (page does not exist)\">link<\/a>",
+ "description":
"<img src=x onerror=alert(1)> <b>Bold<\/b>"
+ }
+ },
+ {
+ "type": "Point",
+ "coordinates": [ 30, 40
],
+ "properties": {
+ "title": "<a
href=\"\/w\/index.php?title=Link&action=edit&redlink=1\" class=\"new\"
title=\"Link (page does not exist)\">link<\/a>",
+ "description":
"<img src=x onerror=alert(1)> <b>Bold<\/b>"
+ }
+ }
+ ]
+ }',
+ ],
+ [
+ '{
+ "type": "ExternalData",
+ "service": "geoshape",
+ "should not": "be here",
+ "ids": 123,
+ "url": "http://potentially.malicious"
+ }',
+ '{
+ "type": "ExternalData",
+ "service": "geoshape",
+ "url":
"https:\/\/maps.wikimedia.org\/geoshape?getgeojson=1&ids=123"
+ }'
+ ],
+ ];
+ }
+}
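Review bot: In testGetSafeData the `isValid()` check runs only after `getLocalizedData()` and `getSafeData()` have already been exercised on possibly invalid content, so a validation failure surfaces as whatever those methods do with bad data rather than as the status text the check was meant to report; move the check directly after `new JCMapDataContent( ... )` and report it with `self::fail( html_entity_decode( $content->getStatus()->getWikiText() ) );` instead of throwing a bare `Exception`. The `@covers JCMapDataContent` annotation is not resolved against the file's namespace by PHPUnit and should read `@covers \JsonConfig\JCMapDataContent`. As rendered here the expected `description` values still contain the literal `<img src=x onerror=alert(1)>` markup and the hrefs show a bare `&` rather than `&amp;`; if that is the actual fixture text rather than an artifact of the mail rendering, the oracle would be asserting that the payload passes through unescaped, so the expected strings should be checked against real parser output before this lands as a sanitization regression test.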
Gerrit-MessageType: newchange
Gerrit-Change-Id: I87c95e63855fd6fb0e65d299a1337b28c768291c
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/JsonConfig
Gerrit-Branch: master
Gerrit-Owner: MaxSem <[email protected]>