
Change check to !getHelper().isSuccess(msg) and add stub implementation for all tests
atezet committed Nov 28, 2024
1 parent ac74dc3 commit 2500a96
Showing 2 changed files with 58 additions and 6 deletions.
Expand Up @@ -86,10 +86,11 @@ public void scanHttpResponseReceive(HttpMessage msg, int id, Source source) {
// Specs don't state that errors pages should be excluded. However, successful responses are
// associated to a resource that should be protected, while error pages are not. Therefore,
// only consider HTTP Status code 2XX to avoid a False Positive
if (HttpStatusCode.isSuccess(msg.getResponseHeader().getStatusCode())
|| getHelper().isPage200(msg)) {
rules.forEach(s -> s.build(msg.getResponseHeader()).forEach(AlertBuilder::raise));
if (!getHelper().isSuccess(msg)) {
return;
}

rules.forEach(s -> s.build(msg.getResponseHeader()).forEach(AlertBuilder::raise));
}

@Override
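Review bot: The comment at the top of the hunk still ends with "only consider HTTP Status code 2XX", but the new guard `if (!getHelper().isSuccess(msg))` no longer inspects the status code at all — it defers entirely to the helper, which the tests in this commit stub to treat a 400 response as successful and a 200 response as not. The rationale in the comment (successful responses map to protected resources, error pages do not) still holds, but its last sentence should describe what the code now does, e.g. `// only consider responses the helper classifies as successful (2XX, or a custom-page definition) to avoid a False Positive`. scanHttpResponseReceive begins before this hunk; the early return is otherwise a clear improvement over the nested condition.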
Expand Up @@ -42,6 +42,7 @@ void shouldRaiseCorpAlertGivenSiteIsNotIsolated() throws Exception {
HttpMessage msg = new HttpMessage();
msg.setRequestHeader("GET / HTTP/1.1");
msg.setResponseHeader("HTTP/1.1 200 OK\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -64,7 +65,7 @@ void shouldNotRaiseAlertGivenSiteIsIsolated() throws Exception {
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isPage200(any())).willReturn(false);
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -84,7 +85,7 @@ void shouldNotRaiseAlertGivenSiteIsIsolatedWhenSuccessIdentifiedByCustomPage()
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isPage200(any())).willReturn(true);
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -104,7 +105,7 @@ void shouldNotRaiseAlertGivenSiteIsIsolatedWhenSuccessAndIdentifiedByCustomPage(
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isPage200(any())).willReturn(true);
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -113,6 +114,42 @@ void shouldNotRaiseAlertGivenSiteIsIsolatedWhenSuccessAndIdentifiedByCustomPage(
assertThat(alertsRaised, hasSize(0));
}

@Test
void shouldNotRaiseAlertGivenSiteIsNotIsolatedWhenSuccessNotIdentifiedByCustomPage()
throws Exception {
// Given
HttpMessage msg = new HttpMessage();
msg.setRequestHeader("GET / HTTP/1.1");
msg.setResponseHeader(
"HTTP/1.1 200 OK\r\n"
+ "Content-Type: text/html\r\n");
given(passiveScanData.isSuccess(any())).willReturn(false);

// When
scanHttpResponseReceive(msg);

// Then
assertThat(alertsRaised, hasSize(0));
}

@Test
void shouldRaiseAlertGivenSiteIsNotIsolatedWhenSuccessIdentifiedByCustomPage()
throws Exception {
// Given
HttpMessage msg = new HttpMessage();
msg.setRequestHeader("GET / HTTP/1.1");
msg.setResponseHeader(
"HTTP/1.1 400 OK\r\n"
+ "Content-Type: text/html\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);

// Then
assertThat(alertsRaised, hasSize(3));
}

@Test
void shouldRaiseCorpAlertGivenResponseDoesntSendCorpHeader() throws Exception {
// Given
Expand All @@ -122,6 +159,7 @@ void shouldRaiseCorpAlertGivenResponseDoesntSendCorpHeader() throws Exception {
"HTTP/1.1 200 OK\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -144,6 +182,7 @@ void shouldRaiseCorpAlertGivenCorpHeaderIsSetForSameSite() throws Exception {
+ "Cross-Origin-Resource-Policy: same-site\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -166,6 +205,7 @@ void shouldRaiseCorpAlertGivenCorpHeaderContentIsUnexpected() throws Exception {
+ "Cross-Origin-Resource-Policy: unexpected\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -188,6 +228,7 @@ void shouldRaiseCorpAlertCaseInsensitive() throws Exception {
+ "Cross-Origin-Resource-Policy: same-SITE\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -211,6 +252,7 @@ void shouldNotRaiseCorpAlertGivenCorpHeaderIsSetForCrossOrigin() throws Exceptio
+ "Cross-Origin-Resource-Policy: cross-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -225,6 +267,7 @@ void shouldRaiseCorpAlertOnlyForSuccessfulQueries() throws Exception {
HttpMessage msg = new HttpMessage();
msg.setRequestHeader("GET / HTTP/1.1");
msg.setResponseHeader("HTTP/1.1 500 Internal Server Error\r\n");
given(passiveScanData.isSuccess(any())).willReturn(false);

// When
scanHttpResponseReceive(msg);
Expand All @@ -245,6 +288,7 @@ void shouldNotRaiseCorpAlertGivenCorsHeaderIsSet(String corsFieldName) throws Ex
+ ": *\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -263,6 +307,7 @@ void shouldRaiseAlertGivenCoepHeaderIsMissing() throws Exception {
+ "Content-Type: application/xml\r\n"
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -286,6 +331,7 @@ void shouldRaiseAlertGivenCoepHeaderIsNotEqualsToRequireCorp() throws Exception
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: unsafe-none\r\n"
+ "Cross-Origin-Opener-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -308,6 +354,7 @@ void shouldRaiseAlertGivenCoopHeaderIsMissing() throws Exception {
+ "Content-Type: text/html;charset=utf-8\r\n"
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -331,6 +378,7 @@ void shouldRaiseAlertGivenCoopHeaderIsNotSameOrigin() throws Exception {
+ "Cross-Origin-Resource-Policy: same-origin\r\n"
+ "Cross-Origin-Embedder-Policy: require-corp\r\n"
+ "Cross-Origin-Opener-Policy: same-origin-allow-popups\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -353,6 +401,7 @@ void shouldNotRaiseCoepOrCoopAlertGivenResourceIsNotAnHtmlOrXmlDocument() throws
"HTTP/1.1 200 OK\r\n"
+ "Content-Type: application/json\r\n"
+ "Cross-Origin-Resource-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -371,6 +420,7 @@ void shouldNotRaiseAlertGivenNoHeaderContentTypeIsPresent() throws Exception {
msg.setRequestHeader("GET / HTTP/1.1");
msg.setResponseHeader(
"HTTP/1.1 200 OK\r\n" + "Cross-Origin-Resource-Policy: same-origin\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
Expand All @@ -390,6 +440,7 @@ void shouldNotRaiseAlertForReportingAPI() throws Exception {
+ "cross-origin-embedder-policy: require-corp;report-to=\"coep\"\r\n"
+ "cross-origin-opener-policy: same-origin;report-to=\"coop\"\r\n"
+ "Cross-Origin-Resource-Policy: same-origin;report-to=\"corp\"\r\n");
given(passiveScanData.isSuccess(any())).willReturn(true);

// When
scanHttpResponseReceive(msg);
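Review bot: In shouldRaiseAlertGivenSiteIsNotIsolatedWhenSuccessIdentifiedByCustomPage the fixture status line is `"HTTP/1.1 400 OK\r\n"`, pairing a 4XX code with the 200 reason phrase; the test intends a non-2XX response that only a custom page definition marks as successful, so `"HTTP/1.1 400 Bad Request\r\n"` makes that intent readable and avoids implying the header parser tolerates mismatched phrases. The same `given(passiveScanData.isSuccess(any())).willReturn(true)` stub is now repeated in nearly every test in this file; if the test setup method is under this file's control (it is outside these hunks), a default stub there with the two negative tests overriding it to `false` would keep each "Given" block focused on the headers under test. A one-line comment on those two `willReturn(false)` tests, e.g. `// the helper decides success; a 200 the user marked as an error page must not be scanned`, would document why a 200 OK yields no alerts.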
