Commit 51c1ee1

committed
test: add tests for CSRF protection
1 parent e14e145 commit 51c1ee1

1 file changed

+102
-61
lines changed
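--- a/tests/system/Helpers/FormHelperTest.php
+++ b/tests/system/Helpers/FormHelperTest.php
@@ -52,25 +52,40 @@ private function setRequest(): void
 Services::injectMock('request', $request);
 }
 
+private function setCsrfFilter(): void
+{
+$filters = config(Filters::class);
+$filters->globals['before'][] = 'csrf';
+service('filters')->initialize();
+}
+
 public function testFormOpenBasic(): void
 {
 $this->setRequest();
 
-$before = (new Filters())->globals['before'];
-if (in_array('csrf', $before, true) || array_key_exists('csrf', $before)) {
-$Value = csrf_hash();
-$Name = csrf_token();
-$expected = <<<EOH
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="{$Name}" value="{$Value}" style="display:none;">
+$expected = <<<'EOH'
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+
+EOH;
+$attributes = [
+'name' => 'form',
+'id' => 'form',
+'method' => 'POST',
+];
+$this->assertSame($expected, form_open('foo/bar', $attributes));
+}
 
-EOH;
-} else {
-$expected = <<<'EOH'
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+public function testFormOpenBasicWithCSRF(): void
+{
+$this->setRequest();
+$this->setCsrfFilter();
 
-EOH;
-}
+$Value = csrf_hash();
+$Name = csrf_token();
+$expected = <<<EOH
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+<input type="hidden" name="{$Name}" value="{$Value}">
+EOH;
 
 $attributes = [
 'name' => 'form',
@@ -116,11 +131,7 @@ public function testFormOpenWithoutAction(): void
 public function testFormOpenWithoutActionWithCSRF(): void
 {
 $this->setRequest();
-
-// Sets csrf filter.
-$filters = config(Filters::class);
-$filters->globals['before'][] = 'csrf';
-service('filters')->initialize();
+$this->setCsrfFilter();
 
 $Value = csrf_hash();
 $Name = csrf_token();
@@ -140,22 +151,29 @@ public function testFormOpenWithoutMethod(): void
 {
 $this->setRequest();
 
-$before = (new Filters())->globals['before'];
-if (in_array('csrf', $before, true) || array_key_exists('csrf', $before)) {
-$Value = csrf_hash();
-$Name = csrf_token();
-$expected = <<<EOH
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="post" accept-charset="utf-8">
-<input type="hidden" name="{$Name}" value="{$Value}" style="display:none;">
+$expected = <<<'EOH'
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="post" accept-charset="utf-8">
 
-EOH;
-} else {
-$expected = <<<'EOH'
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="post" accept-charset="utf-8">
+EOH;
+
+$attributes = [
+'name' => 'form',
+'id' => 'form',
+];
+$this->assertSame($expected, form_open('foo/bar', $attributes));
+}
 
-EOH;
-}
+public function testFormOpenWithoutMethodWithCSRF(): void
+{
+$this->setRequest();
+$this->setCsrfFilter();
 
+$Value = csrf_hash();
+$Name = csrf_token();
+$expected = <<<EOH
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="post" accept-charset="utf-8">
+<input type="hidden" name="{$Name}" value="{$Value}">
+EOH;
 $attributes = [
 'name' => 'form',
 'id' => 'form',
@@ -167,25 +185,36 @@ public function testFormOpenWithHidden(): void
 {
 $this->setRequest();
 
-$before = (new Filters())->globals['before'];
-if (in_array('csrf', $before, true) || array_key_exists('csrf', $before)) {
-$Value = csrf_hash();
-$Name = csrf_token();
-$expected = <<<EOH
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="foo" value="bar">
-<input type="hidden" name="{$Name}" value="{$Value}">
+$expected = <<<'EOH'
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+
+<input type="hidden" name="foo" value="bar">
 
-EOH;
-} else {
-$expected = <<<'EOH'
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+EOH;
+$attributes = [
+'name' => 'form',
+'id' => 'form',
+'method' => 'POST',
+];
+$hidden = [
+'foo' => 'bar',
+];
+$this->assertSame($expected, form_open('foo/bar', $attributes, $hidden));
+}
 
-<input type="hidden" name="foo" value="bar">
+public function testFormOpenWithHiddenWithCSRF(): void
+{
+$this->setRequest();
+$this->setCsrfFilter();
 
-EOH;
-}
+$Value = csrf_hash();
+$Name = csrf_token();
+$expected = <<<EOH
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
+<input type="hidden" name="{$Name}" value="{$Value}">
+<input type="hidden" name="foo" value="bar">
 
+EOH;
 $attributes = [
 'name' => 'form',
 'id' => 'form',
@@ -201,21 +230,33 @@ public function testFormOpenMultipart(): void
 {
 $this->setRequest();
 
-$before = (new Filters())->globals['before'];
-if (in_array('csrf', $before, true) || array_key_exists('csrf', $before)) {
-$Value = csrf_hash();
-$Name = csrf_token();
-$expected = <<<EOH
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" enctype="multipart/form-data" accept-charset="utf-8">
-<input type="hidden" name="{$Name}" value="{$Value}" style="display:none;">
-
-EOH;
-} else {
-$expected = <<<'EOH'
-<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" enctype="multipart/form-data" accept-charset="utf-8">
-
-EOH;
-}
+$expected = <<<'EOH'
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" enctype="multipart/form-data" accept-charset="utf-8">
+
+EOH;
+$attributes = [
+'name' => 'form',
+'id' => 'form',
+'method' => 'POST',
+];
+$this->assertSame($expected, form_open_multipart('foo/bar', $attributes));
+
+// make sure it works with attributes as a string too
+$attributesString = 'name="form" id="form" method="POST"';
+$this->assertSame($expected, form_open_multipart('foo/bar', $attributesString));
+}
+
+public function testFormOpenMultipartWithCSRF(): void
+{
+$this->setRequest();
+$this->setCsrfFilter();
+
+$Value = csrf_hash();
+$Name = csrf_token();
+$expected = <<<EOH
+<form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" enctype="multipart/form-data" accept-charset="utf-8">
+<input type="hidden" name="{$Name}" value="{$Value}">
+EOH;
 $attributes = [
 'name' => 'form',
 'id' => 'form',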
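Review bot: `setCsrfFilter()` in the first hunk appends `'csrf'` to `config(Filters::class)->globals['before']` and re-initializes the filters service, but nothing in these hunks restores that configuration, so the non-CSRF tests (`testFormOpenBasic`, `testFormOpenWithoutMethod`, `testFormOpenWithHidden`, `testFormOpenMultipart`) only stay valid if the base test case resets config and services between tests; the class's `setUp`/`tearDown` are outside the hunks, so that should be confirmed, and otherwise the helper should snapshot `globals['before']` and restore it in `tearDown`. Calling the helper twice in one process would also append `'csrf'` a second time, which an `in_array('csrf', $filters->globals['before'], true)` guard before the append would avoid. The helper also deserves a short docblock, e.g. `/** Enables the CSRF filter globally (before) and re-initializes the filters service so form_open() emits the token field. */`.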
