Adding a test case for the SecurityMiddleware
burzum committed Apr 3, 2017
1 parent f2b0d8c commit 60e8f23
Showing 2 changed files with 81 additions and 6 deletions.
14 changes: 8 additions & 6 deletions src/Routing/Middleware/SecurityMiddleware.php
Expand Up @@ -96,7 +96,7 @@ public function setReferrerPolicy($policy = 'same-origin')
*
* Available Value: 'deny', 'sameorigin', 'allow-from <uri>'
*
* @param string $mode Mode value
* @param string $option Option value
* @param string $url URL if mode is `allow-from`
* @return $this
*/
Expand Down Expand Up @@ -126,13 +126,15 @@ public function setXFrameOptions($option = 'sameorigin', $url = null)
* @param string $mode Mode value
* @return $this
*/
public function setXssProtection($mode = '1; mode=block')
public function setXssProtection($mode = 'block')
{
$mode = (string)$mode;

if ($mode === 'block') {
$mode = '1; mode=block';
}

$this->checkValues($mode, ['all', 'none', 'master-only', 'by-content-type', 'by-ftp-filename']);
$this->checkValues($mode, ['1', '0', '1; mode=block']);
$this->headers['x-permitted-cross-domain-policies'] = $mode;

return $this;
Expand All @@ -159,16 +161,16 @@ public function setCrossDomainPolicy($policy = 'all')
/**
* Convenience method to check if a value is in the list of allowed args
*
* @throws \InvalidArgumentException Thown when a value is invalid.
* @throws \InvalidArgumentException Thrown when a value is invalid.
* @param string $value
* @param array $allowed
* @return void
*/
protected function checkValues($value, array $allowed)
{
if (!in_array($value, $allowed)) {
throw new InvalidArgumentException(
sprintf('Invalid arg `%s`, use one of these: %s',
throw new InvalidArgumentException(sprintf(
'Invalid arg `%s`, use one of these: %s',
$value,
implode(', ', $allowed)
)
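Review bot: setXssProtection() still stores its value under the wrong header key: the line `$this->headers['x-permitted-cross-domain-policies'] = $mode;` in the second hunk (the one at `@@ -126,13 +126,15 @@`) should be `$this->headers['x-xss-protection'] = $mode;`, otherwise the X-XSS-Protection header is never emitted and the value set by setCrossDomainPolicy() is silently overwritten with `1; mode=block`. The new allow-list `['1', '0', '1; mode=block']` and the `'block'` shorthand are fine, but they only matter once the header name is corrected. The closing brace of setXssProtection() lies outside the hunk. While touching checkValues() in the third hunk, the unchanged `in_array($value, $allowed)` could take `true` as its third argument so that `0`/`'0'` and similar loose matches cannot slip past the allow-list.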
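--- a/tests/TestCase/Routing/Middleware/SecurityMiddlewareTest.php
+++ b/tests/TestCase/Routing/Middleware/SecurityMiddlewareTest.php
@@ -0,0 +1,73 @@
+<?php
+/**
+* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
+* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+*
+* Licensed under The MIT License
+* For full copyright and license information, please see the LICENSE.txt
+* Redistributions of files must retain the above copyright notice.
+*
+* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
+* @link http://cakephp.org CakePHP(tm) Project
+* @since 3.5.0
+* @license http://www.opensource.org/licenses/mit-license.php MIT License
+*/
+namespace Cake\Test\TestCase\Routing\Middleware;
+
+use Cake\Http\ServerRequestFactory;
+use Cake\Routing\Middleware\SecurityMiddleware;
+use Cake\TestSuite\TestCase;
+use Zend\Diactoros\Response;
+
+/**
+* Test for SecurityMiddleware
+*/
+class SecurityMiddlewareTest extends TestCase {
+
+/**
+* Test adding the security headers
+*
+* @return void
+*/
+public function testAddingSecurityHeaders()
+{
+$request = ServerRequestFactory::fromGlobals([
+'REQUEST_URI' => '/',
+]);
+$response = new Response();
+$next = function ($req, $res) {
+return $res;
+};
+
+$middleware = new SecurityMiddleware();
+$middleware
+->setCrossDomainPolicy()
+->setReferrerPolicy()
+->setXFrameOptions()
+->setXssProtection()
+->noOpen()
+->noSniff();
+
+$expected = [
+'x-permitted-cross-domain-policies' => [
+0 => '1; mode=block'
+],
+'referrer-policy' => [
+0 => 'same-origin'
+],
+'x-frame-options' => [
+0 => 'sameorigin'
+],
+'x-download-options' => [
+0 => 'noopen'
+],
+'x-content-type-options' => [
+0 => 'nosniff'
+]
+
+];
+
+$result = $middleware($request, $response, $next);
+$this->assertEquals($expected, $result->getHeaders());
+}
+}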
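Review bot: The expected headers in testAddingSecurityHeaders() lock in a defect rather than catch it: `'x-permitted-cross-domain-policies' => [0 => '1; mode=block']` is the X-XSS-Protection value stored under the cross-domain-policy key, and no `x-xss-protection` entry is expected at all even though `->setXssProtection()` is called. Assuming setCrossDomainPolicy() writes `x-permitted-cross-domain-policies` with its documented default of `'all'`, the expectation should read `'x-permitted-cross-domain-policies' => ['all'],` followed by `'x-xss-protection' => ['1; mode=block'],`, which will fail until the middleware writes to the correct key. Since the test only checks the default value of each setter, a second case passing an explicit disallowed value and expecting `InvalidArgumentException` would cover checkValues() as well. As a point of style, CakePHP's PSR-2 rules put the class opening brace on its own line, so `class SecurityMiddlewareTest extends TestCase {` should be split over two lines.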
