1 | <?php |
2 | |||
3 | namespace OCA\Chat\Controller\OCH; |
4 | |||
5 | use \OCA\Chat\Utility\ControllerTestUtility; |
6 | use \OCA\Chat\App\Chat; |
7 | use \OCA\Chat\App\Container; |
8 | use \OCP\IRequest; |
9 | use \OCA\Chat\Controller\OCH\ApiController; |
10 | |||
11 | |||
/**
 * Namespace-local override of PHP's global time().
 *
 * Calls to time() inside OCA\Chat\Controller\OCH resolve to this function, so the
 * fixtures below that embed md5(time()) produce the same session / conversation ids
 * on every run. Note it returns the *string* '2324', not an int; callers doing
 * arithmetic on it (time() + 2343) rely on numeric-string coercion.
 *
 * @return string the frozen timestamp '2324'
 */
function time(){
	$frozenTimestamp = '2324';
	return $frozenTimestamp;
}
15 | |||
/**
 * Class UserMock
 * Stand-in for \OC\User\User whose uid is always 'foo'.
 * Not referenced within this file; presumably consumed by sibling tests — confirm before removing.
 */
class UserMock {

	/**
	 * The fixed uid reported by getUID().
	 */
	const UID = 'foo';

	/**
	 * @return string always 'foo'
	 */
	public function getUID(){
		return self::UID;
	}

}
27 | |||
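/**
 * Unit tests for ApiController::route().
 *
 * The error cases cover the controller's request gate: a "response" sent as a
 * request, a missing session id, a missing user, an unknown command / data /
 * push action, and — the authorization check — a request whose user does not
 * match the user the Chat app reports as logged in. The execution cases check
 * that the ChatAPI class resolved from the container is handed the request
 * data and executed exactly once.
 */
class ApiControllerTest extends ControllerTestUtility {

	/**
	 * @var string
	 */
	private $appName;

	/**
	 * @var \OCP\IRequest
	 */
	private $request;

	/**
	 * @var \OCA\Chat\App\Container
	 */
	private $container;

	/**
	 * @var \OCA\Chat\App\Chat
	 */
	private $chat;

	/**
	 * Shared ChatAPI mock returned by the container in the error tests.
	 * @var \OCA\Chat\OCH\ChatAPI
	 */
	private $chatAPI;

	/**
	 * @var \OCA\Chat\Controller\OCH\ApiController
	 */
	private $controller;

	/**
	 * Builds the controller under test with every collaborator mocked.
	 *
	 * All mocks are created with their constructors disabled so no real
	 * ownCloud service is touched; per-test expectations are added later.
	 */
	public function setUp(){
		$this->appName = 'chat';
		$this->request = $this->mockWithoutConstructor('\OCP\IRequest');
		$this->container = $this->mockWithoutConstructor('\OCA\Chat\App\Container');
		$this->chat = $this->mockWithoutConstructor('\OCA\Chat\App\Chat');
		$this->chatAPI = $this->mockWithoutConstructor('\OCA\Chat\OCH\ChatAPI');

		$this->controller = new ApiController(
			$this->appName,
			$this->request,
			$this->chat,
			$this->container
		);
	}

	/**
	 * Creates a PHPUnit mock of $className with the original constructor disabled.
	 *
	 * @param string $className fully qualified class name
	 * @return \PHPUnit_Framework_MockObject_MockObject
	 */
	private function mockWithoutConstructor($className){
		return $this->getMockBuilder($className)
			->disableOriginalConstructor()
			->getMock();
	}

	/**
	 * Makes the Chat app report $uid as the logged-in ownCloud user.
	 *
	 * @param string $uid
	 */
	private function stubLoggedInUser($uid = 'foo'){
		$this->chat->expects($this->any())
			->method('getUserId')
			->will($this->returnValue($uid));
	}

	/**
	 * Makes every container query() return a fresh ChatAPI mock that expects
	 * exactly one setRequestData($data) and one execute() call, answering
	 * execute() with $result.
	 *
	 * A new mock is built per query() call (inside the callback, as in the
	 * original) so each resolved class carries its own once() expectations.
	 *
	 * @param array $data   request data the mock must receive verbatim
	 * @param mixed $result value execute() returns
	 */
	private function stubContainerReturningChatApi(array $data, $result){
		$this->container->expects($this->any())
			->method('query')
			->will($this->returnCallback(function() use($data, $result){
				$chatApi = $this->mockWithoutConstructor('\OCA\Chat\OCH\ChatAPI');

				$chatApi->expects($this->once())
					->method('setRequestData')
					->with($this->equalTo($data))
					->will($this->returnValue(true));

				$chatApi->expects($this->once())
					->method('execute')
					->will($this->returnValue($result));

				return $chatApi;
			}));
	}

	/**
	 * The user array the frontend sends with a request.
	 *
	 * @param string $id user id; also used as display name and och handle
	 * @return array
	 */
	private static function userFixture($id){
		return [
			'id' => $id,
			'displayname' => $id,
			'backends' => [
				'email' => [
					'id' => null,
					'displayname' => 'E-mail',
					'protocol' => 'email',
					// leading space reproduced from the original fixture — confirm whether it is intended
					'namespace' => ' email',
					'value' => [
						0 => [],
					],
				],
				'och' => [
					'id' => null,
					'displayname' => 'ownCloud Handle',
					'protocol' => 'x-owncloud-handle',
					'namespace' => 'och',
					'value' => $id,
				],
			],
			'address_book_id' => 'local',
			'address_book_backend' => '',
		];
	}

	/**
	 * Request data carrying both a session id and a user.
	 *
	 * @param array $user as built by userFixture()
	 * @return array
	 */
	private static function requestWithUser(array $user){
		return [
			'session_id' => md5(time()),
			'user' => $user,
		];
	}

	/**
	 * Request data for the execution tests: a conversation, a timestamp, the
	 * user 'foo' and a session id. time() is the namespace-local override, so
	 * every value is deterministic.
	 *
	 * @return array
	 */
	private static function executionRequest(){
		return [
			'conv_id' => md5(time() + 2343),
			'timestamp' => time(),
			'user' => self::userFixture('foo'),
			'session_id' => md5(time() -324234),
		];
	}

	/**
	 * Payload of an Error response of the given type.
	 *
	 * @param string $responseType e.g. 'command::blub::response'
	 * @param string $msg          one of the ApiController error constants
	 * @return array
	 */
	private static function errorPayload($responseType, $msg){
		return [
			'type' => $responseType,
			'data' => [
				'status' => 'error',
				'msg' => $msg,
			],
		];
	}

	/**
	 * route() must be reachable without admin rights.
	 */
	public function testRouteAnnotations(){
		$expectedAnnotations = ['NoAdminRequired'];
		$this->assertAnnotations($this->controller, 'route', $expectedAnnotations);
	}

	/**
	 * Cases for testError(): [request type, request data, expected error payload].
	 *
	 * Case order (same as before the refactor): for each of command / data /
	 * push — invalid HTTP type, omitted session id, omitted user; then the
	 * unknown command / data action / push action; then the user mismatch.
	 *
	 * @return array
	 */
	public function routeProvider(){
		$cases = [];

		foreach (['command', 'data', 'push'] as $prefix) {
			// a "response" sent where a request is expected
			$cases[] = [
				"{$prefix}::join::response",
				[],
				self::errorPayload("{$prefix}::join::response", ApiController::INVALID_HTTP_TYPE),
			];
			// omitted session id
			$cases[] = [
				"{$prefix}::blub::request",
				[],
				self::errorPayload("{$prefix}::blub::response", ApiController::NO_SESSION_ID),
			];
			// omitted user
			$cases[] = [
				"{$prefix}::blub::request",
				['session_id' => md5(time())],
				self::errorPayload("{$prefix}::blub::response", ApiController::NO_USER),
			];
		}

		// well-formed request for an action that does not exist
		$notFound = [
			'command' => ApiController::COMMAND_NOT_FOUND,
			'data' => ApiController::DATA_ACTION_NOT_FOUND,
			'push' => ApiController::PUSH_ACTION_NOT_FOUND,
		];
		foreach ($notFound as $prefix => $msg) {
			$cases[] = [
				"{$prefix}::blub::request",
				self::requestWithUser(self::userFixture('foo')),
				self::errorPayload("{$prefix}::blub::response", $msg),
			];
		}

		// request user 'bar' while the Chat app reports 'foo' as logged in:
		// the controller must refuse to act on behalf of another user
		$cases[] = [
			'push::get::request',
			self::requestWithUser(self::userFixture('bar')),
			self::errorPayload('push::get::response', ApiController::USER_NOT_EQUAL_TO_OC_USER),
		];

		return $cases;
	}

	/**
	 * Test if wrong request data will result in the correct error
	 *
	 * @dataProvider routeProvider
	 * @param string $type         request type string
	 * @param array  $data         request data
	 * @param array  $expectedData expected Error response payload
	 */
	public function testError($type, $data, $expectedData){
		$this->stubLoggedInUser('foo');

		$this->container->expects($this->any())
			->method('query')
			->will($this->returnValue($this->chatAPI));

		$response = $this->controller->route($type, $data);
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Error', $response);
		$this->assertEquals($expectedData, $response->getData());
	}

	/**
	 * Cases for testCommandExecution(): [type, data, command name, request type].
	 *
	 * The misspelled name is kept because the @dataProvider annotation below
	 * (and possibly tooling outside this file) refers to it.
	 *
	 * @return array
	 */
	public function commandExecutionProivder(){
		return [
			[
				'command::join::request',
				self::executionRequest(),
				'join',
				'command',
			],
		];
	}

	/**
	 * Test if the correct class is executed when asked
	 *
	 * @dataProvider commandExecutionProivder
	 * @param string $type
	 * @param array  $data
	 * @param string $className   command name, used to build the expected response type
	 * @param string $requestType 'command'
	 */
	public function testCommandExecution($type, $data, $className, $requestType){
		$this->stubLoggedInUser('foo');
		$this->stubContainerReturningChatApi($data, null);

		$response = $this->controller->route($type, $data);
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Success', $response);
		$this->assertEquals(
			['type' => $requestType . '::' . $className . '::response', 'data' => ['status' => 'success']],
			$response->getData()
		);
	}

	/**
	 * Cases for testDataExecution():
	 * [type, data, class name, request type, execute() result, command name].
	 *
	 * @return array
	 */
	public function dataExecutionProvider(){
		return [
			[
				'data::get_users::request',
				self::executionRequest(),
				'GetUsers',
				'data',
				['dummy' => 'dummydata'],
				'get_users',
			],
		];
	}

	/**
	 * A data request wraps the resolved class's execute() result, plus a
	 * success status, in a Success response.
	 *
	 * @dataProvider dataExecutionProvider
	 * @param string $type
	 * @param array  $data
	 * @param string $className   unused here; kept for provider symmetry
	 * @param string $requestType 'data'
	 * @param array  $dummyData   what the mocked execute() returns
	 * @param string $commandName used to build the expected response type
	 */
	public function testDataExecution($type, $data, $className, $requestType, $dummyData, $commandName){
		$this->stubLoggedInUser('foo');
		$this->stubContainerReturningChatApi($data, $dummyData);

		$response = $this->controller->route($type, $data);
		$expectedData = [
			'type' => $requestType . '::' . $commandName . '::response',
			'data' => $dummyData,
		];
		$expectedData['data']['status'] = 'success';
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Success', $response);
		$this->assertEquals($expectedData, $response->getData());
	}

	/**
	 * Cases for testPushExecution(): [type, data, action, request type, execute() result].
	 *
	 * @return array
	 */
	public function pushExecutionProvider(){
		return [
			[
				'push::get::request',
				self::executionRequest(),
				'get',
				'push',
				['dummy' => 'dummydata'],
			],
		];
	}

	/**
	 * A push request hands back the resolved class's execute() result.
	 *
	 * NOTE(review): unlike the command/data tests this compares the raw return
	 * value of route() with an array rather than calling ->getData() — confirm
	 * that push routing really returns a plain array and not a Response object.
	 *
	 * @dataProvider pushExecutionProvider
	 * @param string $type
	 * @param array  $data
	 * @param string $className   unused here; kept for provider symmetry
	 * @param string $requestType unused here; kept for provider symmetry
	 * @param array  $dummyData   what the mocked execute() returns
	 */
	public function testPushExecution($type, $data, $className, $requestType, $dummyData){
		$this->stubLoggedInUser('foo');
		$this->stubContainerReturningChatApi($data, $dummyData);

		$response = $this->controller->route($type, $data);
		$expectedData = [
			'dummy' => 'dummydata',
		];
		$this->assertEquals($expectedData, $response);
	}

}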