github/hedgedoc
1
0
Fork 0
mirror of https://github.com/hedgedoc/hedgedoc.git synced 2024-11-22 09:46:30 -05:00
Code Issues Projects Releases Packages Wiki Activity
hedgedoc/test/csp.js

144 lines
4.9 KiB
JavaScript
Raw Normal View History

Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
/* eslint-env node, mocha */
'use strict'
const assert = require('assert')
const crypto = require('crypto')
const fs = require('fs')
const path = require('path')
const mock = require('mock-require')
describe('Content security policies', function () {
let defaultConfig, csp
before(function () {
csp = require('../lib/csp')
})
beforeEach(function () {
// Reset config to make sure we don't influence other tests
defaultConfig = {
csp: {
enable: true,
directives: {
},
addDefaults: true,
addDisqus: true,
addGoogleAnalytics: true,
upgradeInsecureRequests: 'auto',
reportURI: undefined
},
Added dropbox.appKey to test config to fix failing tests Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-22 19:35:45 -04:00
dropbox: {
appKey: undefined
}
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
}
})
afterEach(function () {
mock.stop('../lib/config')
csp = mock.reRequire('../lib/csp')
})
after(function () {
mock.stopAll()
csp = mock.reRequire('../lib/csp')
})
it('Disable Google Analytics', function () {
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 03:42:51 -05:00
const testconfig = defaultConfig
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
testconfig.csp.addGoogleAnalytics = false
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert(!csp.computeDirectives().scriptSrc.includes('https://www.google-analytics.com'))
})
Disable GA and Disqus in default CSP Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 14:06:44 -04:00
it('Enable Google Analytics', function () {
const testconfig = defaultConfig
testconfig.csp.addGoogleAnalytics = true
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert(csp.computeDirectives().scriptSrc.includes('https://www.google-analytics.com'))
})
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
it('Disable Disqus', function () {
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 03:42:51 -05:00
const testconfig = defaultConfig
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
testconfig.csp.addDisqus = false
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert(!csp.computeDirectives().scriptSrc.includes('https://disqus.com'))
assert(!csp.computeDirectives().scriptSrc.includes('https://*.disqus.com'))
assert(!csp.computeDirectives().scriptSrc.includes('https://*.disquscdn.com'))
assert(!csp.computeDirectives().styleSrc.includes('https://*.disquscdn.com'))
assert(!csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com'))
})
Disable GA and Disqus in default CSP Signed-off-by: David Mehren <git@herrmehren.de>
2021-06-07 14:06:44 -04:00
it('Enable Disqus', function () {
const testconfig = defaultConfig
testconfig.csp.addDisqus = true
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert(csp.computeDirectives().scriptSrc.includes('https://disqus.com'))
assert(csp.computeDirectives().scriptSrc.includes('https://*.disqus.com'))
assert(csp.computeDirectives().scriptSrc.includes('https://*.disquscdn.com'))
assert(csp.computeDirectives().styleSrc.includes('https://*.disquscdn.com'))
assert(csp.computeDirectives().fontSrc.includes('https://*.disquscdn.com'))
})
Add test for dropbox csp rule Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-22 19:41:55 -04:00
it('Include dropbox if configured', function () {
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 03:42:51 -05:00
const testconfig = defaultConfig
Add test for dropbox csp rule Signed-off-by: Erik Michelson <github@erik.michelson.eu>
2020-08-22 19:41:55 -04:00
testconfig.dropbox.appKey = 'hedgedoc'
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert(csp.computeDirectives().scriptSrc.includes('https://www.dropbox.com'))
assert(csp.computeDirectives().scriptSrc.includes('\'unsafe-inline\''))
})
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
it('Set ReportURI', function () {
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 03:42:51 -05:00
const testconfig = defaultConfig
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
testconfig.csp.reportURI = 'https://example.com/reportURI'
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
assert.strictEqual(csp.computeDirectives().reportUri, 'https://example.com/reportURI')
})
it('Set own directives', function () {
Linter: Fix all lint errors Signed-off-by: Philip Molares <philip.molares@udo.edu>
2021-02-15 03:42:51 -05:00
const testconfig = defaultConfig
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
mock('../lib/config', defaultConfig)
csp = mock.reRequire('../lib/csp')
const unextendedCSP = csp.computeDirectives()
testconfig.csp.directives = {
defaultSrc: ['https://default.example.com'],
scriptSrc: ['https://script.example.com'],
imgSrc: ['https://img.example.com'],
styleSrc: ['https://style.example.com'],
fontSrc: ['https://font.example.com'],
objectSrc: ['https://object.example.com'],
mediaSrc: ['https://media.example.com'],
childSrc: ['https://child.example.com'],
connectSrc: ['https://connect.example.com']
}
mock('../lib/config', testconfig)
csp = mock.reRequire('../lib/csp')
const variations = ['default', 'script', 'img', 'style', 'font', 'object', 'media', 'child', 'connect']
for (let i = 0; i < variations.length; i++) {
Fix CSP tests by filtering out empty array fields In 25f5fd2a the `media-src`, `child-src` and `connect-src` settings were removed, as they are filled with the `default-src` automatically. This caused a bug in the test code, as it now tried to access a nonexistent field of `unextendedCSP`. This commit adds a filter that removes the empty array field before converting to a string. Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-08 12:19:37 -04:00
assert.strictEqual(csp.computeDirectives()[variations[i] + 'Src'].toString(), ['https://' + variations[i] + '.example.com'].concat(unextendedCSP[variations[i] + 'Src']).filter(x => x != null).toString())
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
}
})
/*
* This test reminds us to update the CSP hash for the speaker notes
*/
it('Unchanged hash for reveal.js speaker notes plugin', function () {
const hash = crypto.createHash('sha1')
hash.update(fs.readFileSync(path.resolve(__dirname, '../node_modules/reveal.js/plugin/notes/notes.html'), 'utf8'), 'utf8')
Update RevealJS to version 3.9.2 This update of revealJS helps us to get rid of the headjs depedency integration using webpack. It updates reveal.js to 3.9.2 and updates the csp hash accordingly for using the slide mode. Background for this update is the critical security vulnerability described by snyk in their disclosure: https://snyk.io/vuln/SNYK-JS-REVEALJS-543841 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-02-01 06:50:07 -05:00
assert.strictEqual(hash.digest('hex'), 'd5d872ae49b5db27f638b152e6e528837204d380')
Add tests for csp.js Since we lack of tests but got some great point to start, let's write more tests. This patch provides some basic tests for our CSP library. It's more an integration than a unit test, but gets the job done. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2019-01-18 22:57:18 -05:00
})
})
Reference in a new issue Copy permalink