// Copyright 2013 The Closure Library Authors. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS-IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. /** * @fileoverview Unit tests for goog.html.SafeUrl and its builders. */ goog.provide('goog.html.safeUrlTest'); goog.require('goog.html.SafeUrl'); goog.require('goog.html.TrustedResourceUrl'); goog.require('goog.i18n.bidi.Dir'); goog.require('goog.object'); goog.require('goog.string.Const'); goog.require('goog.testing.jsunit'); goog.require('goog.userAgent'); goog.setTestOnly('goog.html.safeUrlTest'); function testSafeUrl() { var safeUrl = goog.html.SafeUrl.fromConstant( goog.string.Const.from('javascript:trusted();')); var extracted = goog.html.SafeUrl.unwrap(safeUrl); assertEquals('javascript:trusted();', extracted); assertEquals('javascript:trusted();', goog.html.SafeUrl.unwrap(safeUrl)); assertEquals('SafeUrl{javascript:trusted();}', String(safeUrl)); // URLs are always LTR. assertEquals(goog.i18n.bidi.Dir.LTR, safeUrl.getDirection()); // Interface markers are present. assertTrue(safeUrl.implementsGoogStringTypedString); assertTrue(safeUrl.implementsGoogI18nBidiDirectionalString); } function testSafeUrlFromBlob_withSafeType() { if (isIE9OrLower()) { return; } assertBlobTypeIsSafe('image/png', true); assertBlobTypeIsSafe('iMage/pNg', true); assertBlobTypeIsSafe('video/mpeg', true); assertBlobTypeIsSafe('video/ogg', true); assertBlobTypeIsSafe('video/mp4', true); assertBlobTypeIsSafe('video/ogg', true); assertBlobTypeIsSafe('video/webm', true); } function testSafeUrlFromBlob_withUnsafeType() { if (isIE9OrLower()) { return; } assertBlobTypeIsSafe('', false); assertBlobTypeIsSafe('ximage/png', false); assertBlobTypeIsSafe('image/pngx', false); assertBlobTypeIsSafe('video/whatever', false); assertBlobTypeIsSafe('video/', false); } /** @return {boolean} True if running on IE9 or lower. */ function isIE9OrLower() { return goog.userAgent.IE && !goog.userAgent.isVersionOrHigher('10'); } /** * Tests creating a SafeUrl from a blob with the given MIME type, asserting * whether or not the SafeUrl returned is innocuous or not depending on the * given boolean. * @param {string} type MIME type to test * @param {boolean} isSafe Whether the given MIME type should be considered safe * by {@link SafeUrl.fromBlob}. */ function assertBlobTypeIsSafe(type, isSafe) { var safeUrl = goog.html.SafeUrl.fromBlob(new Blob(['test'], {type: type})); var extracted = goog.html.SafeUrl.unwrap(safeUrl); if (isSafe) { assertEquals('blob:', extracted.substring(0, 5)); } else { assertEquals(goog.html.SafeUrl.INNOCUOUS_STRING, extracted); } } function testSafeUrlFromDataUrl_withSafeType() { assertDataUrlIsSafe( 'data:image/png;base64,' + 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=', true); assertDataUrlIsSafe('dATa:iMage/pNg;bASe64,abc===', true); assertDataUrlIsSafe('data:image/webp;base64,abc===', true); assertDataUrlIsSafe('data:video/mpeg;base64,abc', true); assertDataUrlIsSafe('data:video/ogg;base64,z=', true); assertDataUrlIsSafe('data:video/mp4;base64,z=', true); assertDataUrlIsSafe('data:video/ogg;base64,z=', true); assertDataUrlIsSafe('data:video/webm;base64,z=', true); } function testSafeUrlFromDataUrl_withUnsafeType() { assertDataUrlIsSafe('', false); assertDataUrlIsSafe(':', false); assertDataUrlIsSafe('data:', false); assertDataUrlIsSafe('not-data:image/png;base64,z=', false); assertDataUrlIsSafe(' data:image/png;base64,z=', false); assertDataUrlIsSafe('data:image/png;base64,z= ', false); assertDataUrlIsSafe('data:ximage/png', false); assertDataUrlIsSafe('data:ximage/png;base64,z=', false); assertDataUrlIsSafe('data:image/pngx;base64,z=', false); assertDataUrlIsSafe('data:video/whatever;base64,z=', false); assertDataUrlIsSafe('data:video/;base64,z=', false); assertDataUrlIsSafe('data:image/png;base64,', false); assertDataUrlIsSafe('data:image/png;base64,abc=!', false); assertDataUrlIsSafe('data:image/png;base64,$$', false); assertDataUrlIsSafe('data:image/png;base64,\0', false); assertDataUrlIsSafe('data:video/mp4;baze64,z=', false); assertDataUrlIsSafe('data:video/mp4;,z=', false); assertDataUrlIsSafe('data:text/html,sdfsdfsdfsfsdfs;base64,anything', false); // Valid base64 image URL, but with disallowed mime-type. assertDataUrlIsSafe('data:image/svg+xml;base64,abc', false); } /** * Tests creating a SafeUrl from a data URL, asserting whether or not the * SafeUrl returned is innocuous or not depending on the given boolean. * @param {string} url URL to test. * @param {boolean} isSafe Whether the given URL type should be considered safe * by {@link SafeUrl.fromDataUrl}. */ function assertDataUrlIsSafe(url, isSafe) { var safeUrl = goog.html.SafeUrl.fromDataUrl(url); assertEquals( isSafe ? url : goog.html.SafeUrl.INNOCUOUS_STRING, goog.html.SafeUrl.unwrap(safeUrl)); } function testSafeUrlFromTelUrl_withSafeType() { assertTelUrlIsSafe('tEl:+1(23)129-29192A.ABC#;eXt=29', true); assertTelUrlIsSafe('tEL:123;randmomparam=123', true); } function testSafeUrlFromTelUrl_withUnsafeType() { assertTelUrlIsSafe('', false); assertTelUrlIsSafe(':', false); assertTelUrlIsSafe('tell:', false); assertTelUrlIsSafe('not-tel:+1', false); assertTelUrlIsSafe(' tel:+1', false); } /** * Tests creating a SafeUrl from a tel URL, asserting whether or not the * SafeUrl returned is innocuous or not depending on the given boolean. * @param {string} url URL to test. * @param {boolean} isSafe Whether the given URL type should be considered safe * by {@link SafeUrl.fromTelUrl}. */ function assertTelUrlIsSafe(url, isSafe) { var safeUrl = goog.html.SafeUrl.fromTelUrl(url); assertEquals( isSafe ? url : goog.html.SafeUrl.INNOCUOUS_STRING, goog.html.SafeUrl.unwrap(safeUrl)); } function testFromTrustedResourceUrl() { var url = goog.string.Const.from('test'); var trustedResourceUrl = goog.html.TrustedResourceUrl.fromConstant(url); var safeUrl = goog.html.SafeUrl.fromTrustedResourceUrl(trustedResourceUrl); assertEquals( goog.string.Const.unwrap(url), goog.html.SafeUrl.unwrap(safeUrl)); } /** @suppress {checkTypes} */ function testUnwrap() { var privateFieldName = 'privateDoNotAccessOrElseSafeHtmlWrappedValue_'; var markerFieldName = 'SAFE_URL_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_'; var propNames = goog.object.getKeys(goog.html.SafeUrl.sanitize('')); assertContains(privateFieldName, propNames); assertContains(markerFieldName, propNames); var evil = {}; evil[privateFieldName] = 'javascript:evil()'; evil[markerFieldName] = {}; var exception = assertThrows(function() { goog.html.SafeUrl.unwrap(evil); }); assertContains('expected object of type SafeUrl', exception.message); } /** * Assert that url passes through sanitization unchanged. * @param {string|!goog.string.TypedString} url The URL to sanitize. */ function assertGoodUrl(url) { var expected = url; if (url.implementsGoogStringTypedString) { expected = url.getTypedStringValue(); } var safeUrl = goog.html.SafeUrl.sanitize(url); var extracted = goog.html.SafeUrl.unwrap(safeUrl); assertEquals(expected, extracted); } /** * Assert that url fails sanitization. * @param {string|!goog.string.TypedString} url The URL to sanitize. */ function assertBadUrl(url) { assertEquals( goog.html.SafeUrl.INNOCUOUS_STRING, goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(url))); } function testSafeUrlSanitize_validatesUrl() { // Whitelisted schemes. assertGoodUrl('http://example.com/'); assertGoodUrl('https://example.com'); assertGoodUrl('mailto:foo@example.com'); assertGoodUrl('ftp://example.com'); assertGoodUrl('ftp://username@example.com'); assertGoodUrl('ftp://username:password@example.com'); // Scheme is case-insensitive assertGoodUrl('HTtp://example.com/'); // Different URL components go through. assertGoodUrl('https://example.com/path?foo=bar#baz'); // Scheme-less URL with authority. assertGoodUrl('//example.com/path'); // Absolute path with no authority. assertGoodUrl('/path'); assertGoodUrl('/path?foo=bar#baz'); // Relative path. assertGoodUrl('path'); assertGoodUrl('path?foo=bar#baz'); assertGoodUrl('p//ath'); assertGoodUrl('p//ath?foo=bar#baz'); assertGoodUrl('#baz'); // Restricted character ':' after [/?#]. assertGoodUrl('?:'); // .sanitize() works on program constants. assertGoodUrl(goog.string.Const.from('http://example.com/')); // Non-whitelisted schemes. assertBadUrl('javascript:evil();'); assertBadUrl('javascript:evil();//\nhttp://good.com/'); assertBadUrl('data:blah'); // Restricted character before [/?#]. assertBadUrl(':'); // '\' is not treated like '/': no restricted characters allowed after it. assertBadUrl('\\:'); // Regex anchored to the left: doesn't match on '/:'. assertBadUrl(':/:'); // Regex multiline not enabled: first line would match but second one // wouldn't. assertBadUrl('path\n:'); // .sanitize() does not exempt values known to be program constants. assertBadUrl(goog.string.Const.from('data:blah')); } function testSafeUrlSanitize_idempotentForSafeUrlArgument() { // This matches the safe prefix. var safeUrl = goog.html.SafeUrl.sanitize('https://www.google.com/'); var safeUrl2 = goog.html.SafeUrl.sanitize(safeUrl); assertEquals( goog.html.SafeUrl.unwrap(safeUrl), goog.html.SafeUrl.unwrap(safeUrl2)); // This doesn't match the safe prefix, getting converted into an innocuous // string. safeUrl = goog.html.SafeUrl.sanitize('disallowed:foo'); safeUrl2 = goog.html.SafeUrl.sanitize(safeUrl); assertEquals( goog.html.SafeUrl.unwrap(safeUrl), goog.html.SafeUrl.unwrap(safeUrl2)); }