Enhancement (feature addition / improvement) #1741

Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board

Added by Kousuke Ebihara over 10 years ago. Updated almost 10 years ago.

Status:
Fixed (Done)
Priority:
Normal
Target version:
Start date:
2010-10-26
Due date:
2011-06-24
% Done:
100%


Description

Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board.

See also http://www.openpne.jp/archives/5532/#m-5.

  • Turn the XSS vulnerability tests into templates as far as possible
  • Turn the CSRF vulnerability tests into templates as far as possible
  • Maintain the existing functional tests so that they do not get in the way of running these tests
  • Write a manual on how to write XSS and CSRF vulnerability tests, so that, by sheer manpower, tests for both vulnerabilities can be completed for every action

Related issues

Related to opFavoritePlugin - Enhancement (feature addition / improvement) #1746: Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board Fixed (Done) 2010-10-27
Related to opIntroFriendPlugin - Enhancement (feature addition / improvement) #1748: Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board Fixed (Done) 2010-10-28
Related to opRankingPlugin - Enhancement (feature addition / improvement) #1750: Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board Fixed (Done) 2010-10-28
Related to opMessagePlugin - Enhancement (feature addition / improvement) #1754: Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board Accepted (In progress) 2010-11-02
Related to opOpenSocialPlugin - Enhancement (feature addition / improvement) #1805: Create Test for security countermeasures Fixed (Done) 2010-11-23
Related to OpenPNE 3 - Enhancement (feature addition / improvement) #1817: Merge the XSS and CSRF vulnerability tests created in #1741 into master Fixed (Done) 2010-11-30
Related to opDiaryPlugin - Enhancement (feature addition / improvement) #1875: Establish a process so that tests for XSS and CSRF vulnerabilities can be completed across the board Fixed (Done) 2011-01-18
Related to OpenPNE 3 - Bug #1877: Calling checkElement() with certain parameters in a functional test causes an error Fixed (Done) 2011-01-19

Associated revisions

Revision 8e5da569 (diff)
Added by Kousuke Ebihara over 10 years ago

fixed the test for uploading a member profile image that didn't work (refs #1741)

Revision b0173c5d (diff)
Added by Kousuke Ebihara over 10 years ago

changed repositories in the current connection before executing functional test (refs #1741)

Revision a96c3958 (diff)
Added by Kousuke Ebihara over 10 years ago

added the opTesterHtmlEscape class and I've tried this class in member/profile and community/search (refs #1741)

Revision fbb6aebe (diff)
Added by Kousuke Ebihara over 10 years ago

fixed some functional tests for pc_frontend that were broken (refs #1741)

Revision c806cfd7 (diff)
Added by Masato Nagasawa over 10 years ago

fixed functional test in pc_backend, added CSRF check (refs #1741)

Revision fb7cd9dc (diff)
Added by Masato Nagasawa over 10 years ago

fixed: supported i18n in checkCSRF() (refs #1741)

Revision 2bece83c (diff)
Added by Masato Nagasawa over 10 years ago

CSRF check method changed to the regular expression (refs #1741)

Revision 65e82c9d (diff)
Added by Masato Nagasawa over 10 years ago

added community of the pc_backend to the functional test (refs #1741)

Revision a433f356 (diff)
Added by Masato Nagasawa over 10 years ago

added member of the backend actions to the functional test (refs #1741)

Revision 82227859 (diff)
Added by Masato Nagasawa over 10 years ago

added the profile actions of pc_backend for the functional test (refs #1741)

Revision f9325ac2 (diff)
Added by Masato Nagasawa over 10 years ago

added the sns/changeRichTextareaButtonOrder action of pc_backend for the functional test (refs #1741)

Revision b464b7f4 (diff)
Added by Masato Nagasawa over 10 years ago

added the connection actions of pc_backend for the functional test (refs #1741)

Revision c4cae9d9 (diff)
Added by Masato Nagasawa over 10 years ago

added design/editGadget action of pc_backend for the functional test (refs #1741)

Revision f4935d41 (diff)
Added by Masato Nagasawa over 10 years ago

added the admin actions of pc_backend for the functional test (refs #1741)

Revision f095d1c9 (diff)
Added by Masato Nagasawa over 10 years ago

added the navigation/sort action of pc_backend for the functional test (refs #1741)

Revision 320bda95 (diff)
Added by Masato Nagasawa over 10 years ago

added the default actions of pc_backend for the functional test (refs #1741)

Revision 4722f6fb (diff)
Added by Masato Nagasawa over 10 years ago

added the monitoring actions of pc_backend for the functional test (refs #1741)

Revision fbf7f0d7 (diff)
Added by Masato Nagasawa over 10 years ago

fixed: removed 'echo' (refs #1741)

Revision 32d8fa89 (diff)
Added by Masato Nagasawa over 10 years ago

added the friend actions of pc_frontend for the functional test (refs #1741)

Revision d946a010 (diff)
Added by Masato Nagasawa over 10 years ago

added the community actions of pc_frontend for the functional test (refs #1741)

Revision ab428e5a (diff)
Added by Masato Nagasawa over 10 years ago

added the member actions of pc_frontend for the functional test (refs #1741)

Revision eea5c453 (diff)
Added by Masato Nagasawa over 10 years ago

added the member actions of pc_frontend for the functional test (refs #1741)

Revision 9fb7596a (diff)
Added by Masato Nagasawa over 10 years ago

added the connection actions of pc_frontend for the functional test (refs #1741)

Revision af270d33 (diff)
Added by Kousuke Ebihara over 10 years ago

added the XSS/CSRF functional tests for oauth module in the pc_frontend application (refs #1741)

Revision d4eba212 (diff)
Added by Kousuke Ebihara over 10 years ago

added an XSS test for connection/show in pc_frontend (refs #1741)

Revision 9378217b (diff)
Added by Kousuke Ebihara over 10 years ago

fixed the form for modifying a consumer that didn't display some localized form error messages (refs #1741)

Revision 77f526c3 (diff)
Added by Kousuke Ebihara over 10 years ago

fixed the deprecated error message that generated invalid array keys (refs #1741)

Revision 6f0ca49b (diff)
Added by Kousuke Ebihara over 10 years ago

fixed failing tests of the member module that had mistakes in the test and/or test data (refs #1741)

Revision c64610b5 (diff)
Added by Kousuke Ebihara over 10 years ago

changed to reset repositories in current connection for unit test (refs #1741)

Revision 140172db (diff)
Added by Masato Nagasawa over 10 years ago

added confirmation/list action of pc_frontend for the functional test (refs #1741)

Revision 87579ef0 (diff)
Added by Masato Nagasawa over 10 years ago

fixed so that additional selectors can be specified from the parameters (refs #1741)

Revision 10226c53 (diff)
Added by Kousuke Ebihara almost 10 years ago

fixed the test for uploading a member profile image that didn't work (refs #1741)
(cherry picked from commit 8e5da56988dfa09feef6ab4d3d0716a8798ef60a)

Revision c88d0d6b (diff)
Added by Kousuke Ebihara almost 10 years ago

changed repositories in the current connection before executing functional test (refs #1741)
(cherry picked from commit b0173c5dff1c7f653d789c708fc264d6c8d87131)

Revision e2615715 (diff)
Added by Kousuke Ebihara almost 10 years ago

added the opTesterHtmlEscape class and I've tried this class in member/profile and community/search (refs #1741)
(cherry picked from commit a96c395850668970bf0783c5bcbc7bdf590e7ceb)

Revision 6e4f8d06 (diff)
Added by Kousuke Ebihara almost 10 years ago

fixed some functional tests for pc_frontend that were broken (refs #1741) (cherry picked from commit fbb6aebedd18366313c62abe3f0d51084d856517)

Conflicts:

test/functional/pc_frontend/confirmationActionsTest.php
test/functional/pc_frontend/friendActionsTest.php

Revision a2164da0 (diff)
Added by Masato Nagasawa almost 10 years ago

fixed functional test in pc_backend, added CSRF check (refs #1741) (cherry picked from commit c806cfd7568d12a6c5a6417f4aab7cde0e60997f)

Conflicts:

lib/test/opTestFunctional.class.php
test/functional/pc_backend/monitoringActionsTest.php

Revision 205980cd (diff)
Added by Masato Nagasawa almost 10 years ago

fixed: supported i18n in checkCSRF() (refs #1741)
(cherry picked from commit fb7cd9dcfd6fc4f13ecda3d500d5a2fe8f8e98c5)

Revision 415590c7 (diff)
Added by Masato Nagasawa almost 10 years ago

CSRF check method changed to the regular expression (refs #1741)
(cherry picked from commit 2bece83c67dcb5ee51242d73c7461a3c6ce5b89b)

Revision 1f9b9ed1 (diff)
Added by Masato Nagasawa almost 10 years ago

added community of the pc_backend to the functional test (refs #1741)
(cherry picked from commit 65e82c9d909643dfee8dad9eb718cfb0cbac8662)

Revision a4d8c128
Added by Masato Nagasawa almost 10 years ago

added community of the pc_backend to the functional test (refs #1741) (cherry picked from commit 65e82c9d909643dfee8dad9eb718cfb0cbac8662)

Revision 6d9777cb (diff)
Added by Masato Nagasawa almost 10 years ago

added the profile actions of pc_backend for the functional test (refs #1741)
(cherry picked from commit 8222785930a86b369c36397c097461f30d528f3d)

Revision 2ac73e81 (diff)
Added by Masato Nagasawa almost 10 years ago

added the sns/changeRichTextareaButtonOrder action of pc_backend for the functional test (refs #1741) (cherry picked from commit f9325ac2f6b2d682d957c722bca9a5685772f0e1)

Conflicts:

test/functional/pc_backend/snsActionsTest.php

Revision adc35e70 (diff)
Added by Masato Nagasawa almost 10 years ago

added the connection actions of pc_backend for the functional test (refs #1741)
(cherry picked from commit b464b7f4cdbcbf88b85cbb9e490e55f461971904)

Revision a3450935 (diff)
Added by Masato Nagasawa almost 10 years ago

added design/editGadget action of pc_backend for the functional test (refs #1741)
(cherry picked from commit c4cae9d994c9975afcb8bd53ba5379acf55497a8)

Revision d367a9a6 (diff)
Added by Masato Nagasawa almost 10 years ago

added the admin actions of pc_backend for the functional test (refs #1741)
(cherry picked from commit f4935d411eda95c5c785c1cf2600e5d9ab9d64f5)

Revision 2b2fcf09 (diff)
Added by Masato Nagasawa almost 10 years ago

added the navigation/sort action of pc_backend for the functional test (refs #1741)
(cherry picked from commit f095d1c93c946c1d08a6154cb56ede9f8d328c92)

Revision cee99c90 (diff)
Added by Masato Nagasawa almost 10 years ago

added the default actions of pc_backend for the functional test (refs #1741)
(cherry picked from commit 320bda95fb8de33fa85481a92b755cfa96560023)

Revision 9f5088a0 (diff)
Added by Masato Nagasawa almost 10 years ago

added the monitoring actions of pc_backend for the functional test (refs #1741)
(cherry picked from commit 4722f6fbe718778d3d2429593aad2c469aee8a32)

Revision c2f94069 (diff)
Added by Masato Nagasawa almost 10 years ago

fixed: removed 'echo' (refs #1741)
(cherry picked from commit fbf7f0d7df273d147c3176fdfc5ff67002a3a8df)

Revision 0e19ed8a (diff)
Added by Masato Nagasawa almost 10 years ago

added the friend actions of pc_frontend for the functional test (refs #1741)
(cherry picked from commit 32d8fa89929b9c6780c3cd27735d0759adf9f94a)

Revision a237dc5a (diff)
Added by Masato Nagasawa almost 10 years ago

added the community actions of pc_frontend for the functional test (refs #1741) (cherry picked from commit d946a010edd8a57bd0f12ea4ed759900ddbddfdc)

Conflicts:

test/functional/pc_frontend/communityActionsTest.php

Revision 3b6c7f0c (diff)
Added by Masato Nagasawa almost 10 years ago

added the member actions of pc_frontend for the functional test (refs #1741) (cherry picked from commit ab428e5ac1ab1c4b908e4d28d0db6626a500a553)

Conflicts:

test/functional/pc_frontend/memberActionsTest.php

Revision 9e33bc88 (diff)
Added by Masato Nagasawa almost 10 years ago

added the member actions of pc_frontend for the functional test (refs #1741)
(cherry picked from commit eea5c45392dc5cceeba6f1ee0a88e95bdc043516)

Revision c280d910 (diff)
Added by Masato Nagasawa almost 10 years ago

added the connection actions of pc_frontend for the functional test (refs #1741)
(cherry picked from commit 9fb7596a8317089a6ae45b412c9f5cfddaccf268)

Revision b00b7684 (diff)
Added by Kousuke Ebihara almost 10 years ago

added the XSS/CSRF functional tests for oauth module in the pc_frontend application (refs #1741) (cherry picked from commit af270d338cc36dfbc5edd2cf1e046aec8bbf7554)

Conflicts:

test/fixtures/xss_test_data.yml

Revision ea3efe3a (diff)
Added by Kousuke Ebihara almost 10 years ago

added an XSS test for connection/show in pc_frontend (refs #1741)
(cherry picked from commit d4eba212bf281f9780a2edb4327d34d5aea79733)

Revision d34ae85f (diff)
Added by Kousuke Ebihara almost 10 years ago

fixed the form for modifying a consumer that didn't display some localized form error messages (refs #1741)
(cherry picked from commit 9378217b99386200a4007190c2666b1d963b1b24)

Revision 0df150de (diff)
Added by Kousuke Ebihara almost 10 years ago

fixed the deprecated error message that generated invalid array keys (refs #1741)
(cherry picked from commit 77f526c3b987e790ef7930edf13a3abb44b89e1d)

Revision e54f59d2 (diff)
Added by Kousuke Ebihara almost 10 years ago

fixed failing tests of the member module that had mistakes in the test and/or test data (refs #1741)
(cherry picked from commit 6f0ca49bb2f402846bf83abe06efa476eaf79a76)

Revision d3aa53a4 (diff)
Added by Kousuke Ebihara almost 10 years ago

changed to reset repositories in current connection for unit test (refs #1741)
(cherry picked from commit c64610b5946f4cb58f34319634f674bb3cf2a7a2)

Revision d8c32049 (diff)
Added by Masato Nagasawa almost 10 years ago

added confirmation/list action of pc_frontend for the functional test (refs #1741) (cherry picked from commit 140172db71d044f6f84d4d9baf326bbdaaa30b57)

Conflicts:

test/functional/pc_frontend/confirmationActionsTest.php

Revision df70b592 (diff)
Added by Masato Nagasawa almost 10 years ago

fixed so that additional selectors can be specified from the parameters (refs #1741)
(cherry picked from commit 87579ef032ad3911c2edeeb64caf5875a84c510a)

History

#1 Updated by Kousuke Ebihara over 10 years ago

Work on the XSS vulnerability tests is in progress at http://github.com/ebihara/OpenPNE3/commits/36-functional-test-improvement.

#2 Updated by Kousuke Ebihara over 10 years ago

The manual would look something like this.

Test creation procedure

First, check the list and create tests for the actions that do not yet have an XSS functional test.

Before starting work, mark the row in the list for the action whose tests you want to create.

Once the list has been updated, check all of the templates for that action. If a template contains any place that is generated dynamically from user input, you need to write a test for that output.

Strictly speaking, not only user input but every place where a dynamic value is embedded should be checked to confirm that HTML special characters are escaped, except where HTML output is intended. Considering the amount of work and the difficulty, however, we do not go that far this time and limit ourselves to user input.

Tests for the output of data stored in the DB

First, enumerate every place in the template where a value obtained from a model is embedded.

Check the test data for the XSS vulnerability tests (test/fixtures/xss_test_data.yml) and, if the information the test needs is missing, add it.

The test data has the following format.

Member:
  html_member_1:
    id: 1055 # it means "XSS (X-55)"
    name: "<&\"'>Member.name ESCAPING HTML TEST DATA"
    is_active: 1

Apart from giving the test string to the fields that accept strings, it is written exactly like an ordinary fixture.

The test string must always have the following format.

<&"'>ModelName.columnName ESCAPING HTML TEST DATA

In the test for an action that displays test data inserted this way, you can confirm whether the escaping is done as intended by using the methods provided by opTesterHtmlEscape.

To confirm that every occurrence of the value of "Member.name" in the action's output is escaped, call opTesterHtmlEscape::isAllEscapedData() as follows.

<?php
// bootstrap include assumed from the usual symfony 1 functional-test layout (test/bootstrap/functional.php)
include(dirname(__FILE__).'/../../bootstrap/functional.php');

$browser = new opTestFunctional(new opBrowser(), new lime_test(null, new lime_output_color()));
$browser
  ->info('member/profile')
  ->get('member/1055')
  ->with('html_escape')->begin()
    // every occurrence of Member.name in the response must be HTML-escaped
    ->isAllEscapedData('Member', 'name')
  ->end()
;

Conversely, to confirm that every occurrence of the value of "Member.name" in the action's output is *not* escaped, call opTesterHtmlEscape::isAllRawData().

<?php
// bootstrap include assumed from the usual symfony 1 functional-test layout (test/bootstrap/functional.php)
include(dirname(__FILE__).'/../../bootstrap/functional.php');

$browser = new opTestFunctional(new opBrowser(), new lime_test(null, new lime_output_color()));
$browser
  ->info('member/profile')
  ->get('member/1055')
  ->with('html_escape')->begin()
    // every occurrence of Member.name in the response must be emitted raw (intended HTML output)
    ->isAllRawData('Member', 'name')
  ->end()
;

Also, when the output of a model value is truncated by op_truncate(), use opTesterHtmlEscape::countEscapedData() or opTesterHtmlEscape::countRawData(). In addition to the model name and column name, these accept the expected number of occurrences and the arguments passed to op_truncate(). The following is an example that tests that there are 3 outputs of a model value rendered with op_truncate($string, $width = 36, $etc = '', $rows = 3).

<?php
// bootstrap include assumed from the usual symfony 1 functional-test layout (test/bootstrap/functional.php)
include(dirname(__FILE__).'/../../bootstrap/functional.php');

$browser = new opTestFunctional(new opBrowser(), new lime_test(null, new lime_output_color()));
$browser
  ->info('member/profile')
  ->get('member/1055')
  ->with('html_escape')->begin()
    // expect exactly 3 escaped occurrences, each truncated with the same op_truncate() arguments the template uses
    ->countEscapedData(3, 'Member', 'name', array(
      'width' => 36,
      'etc'   => '',
      'rows'  => 3,
    ))
  ->end()
;

Tests for other user input values

Other user input values can be tested in the same way, although somewhat irregularly.

For example, to test the output of the request parameter html that appears in the action's output, write the following.

<?php
// bootstrap include assumed from the usual symfony 1 functional-test layout (test/bootstrap/functional.php)
include(dirname(__FILE__).'/../../bootstrap/functional.php');

$browser = new opTestFunctional(new opBrowser(), new lime_test(null, new lime_output_color()));
$browser
  ->info('member/profile')
  // send the marker string as the request parameter "html", then check how it is echoed back
  ->get('member/1055', array('html' => opTesterHtmlEscape::getRawTestData('request', 'html')))
  ->with('html_escape')->begin()
    ->isAllEscapedData('request', 'html')
  ->end()
;

This tests the output of the value <&"'>request.html ESCAPING HTML TEST DATA.

The first and second arguments of opTesterHtmlEscape::getRawTestData() and opTesterHtmlEscape::isAllEscapedData() can be anything, as long as they are unique within the action.
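The following is an added illustrative example, not code from OpenPNE or from the comment above: a small stand-alone PHP re-implementation of the kind of check the manual describes opTesterHtmlEscape performing on a response body, so that "all escaped" and "all raw" have a concrete meaning. The class name HtmlEscapeMarkerChecker, its method names, and the two constructed response bodies are invented for this example; op_truncate() handling is not modeled, and it is an assumption that a correctly escaped occurrence looks like the output of htmlspecialchars() with ENT_QUOTES (the symfony 1 escaper).

```php
<?php
// Added illustrative example (not OpenPNE code). HtmlEscapeMarkerChecker is an
// invented name; it re-implements, stand-alone, the kind of check the manual
// says opTesterHtmlEscape performs on a response body. op_truncate() is not modeled.

class HtmlEscapeMarkerChecker
{
    // Builds the marker in the exact shape the fixture rule requires:
    //   <&"'>Model.column ESCAPING HTML TEST DATA
    // One unique string per (model, column) pair is what lets the checker tell a
    // leaked raw value apart from any other '<' or '&' legitimately in the page.
    public static function rawMarker($model, $column)
    {
        return '<&"\'>' . $model . '.' . $column . ' ESCAPING HTML TEST DATA';
    }

    // Assumption: a correctly escaped occurrence is what the symfony 1 escaper
    // produces, i.e. htmlspecialchars() with ENT_QUOTES ("'" becomes &#039;).
    public static function escapedMarker($model, $column)
    {
        return htmlspecialchars(self::rawMarker($model, $column), ENT_QUOTES, 'UTF-8');
    }

    public static function countRaw($body, $model, $column)
    {
        return substr_count($body, self::rawMarker($model, $column));
    }

    public static function countEscaped($body, $model, $column)
    {
        return substr_count($body, self::escapedMarker($model, $column));
    }

    // "All escaped": the value is present at least once and never appears raw.
    // Requiring at least one escaped hit guards against a test that passes only
    // because the template stopped rendering the value at all.
    public static function isAllEscaped($body, $model, $column)
    {
        return self::countRaw($body, $model, $column) === 0
            && self::countEscaped($body, $model, $column) > 0;
    }

    // "All raw": the mirror image, for places that intentionally emit HTML.
    public static function isAllRaw($body, $model, $column)
    {
        return self::countEscaped($body, $model, $column) === 0
            && self::countRaw($body, $model, $column) > 0;
    }
}

// Constructed response bodies standing in for what an action such as
// member/1055 might render. They are made up for this example.
$name = HtmlEscapeMarkerChecker::rawMarker('Member', 'name');
$html = HtmlEscapeMarkerChecker::rawMarker('request', 'html'); // same shape as getRawTestData('request', 'html')

$safeBody  = '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>'
           . '<p title="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">profile</p>'
           . '<span>' . htmlspecialchars($html, ENT_QUOTES, 'UTF-8') . '</span>';

// The visible text is escaped, but one copy of Member.name is written into an
// inline script unescaped: exactly the kind of leak a grep for '<' would miss.
$leakyBody = '<h1>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>'
           . '<script>var n = "' . $name . '";</script>';

foreach (array('safe' => $safeBody, 'leaky' => $leakyBody) as $label => $body)
{
    printf("%-5s Member.name  escaped=%d raw=%d allEscaped=%s\n",
        $label,
        HtmlEscapeMarkerChecker::countEscaped($body, 'Member', 'name'),
        HtmlEscapeMarkerChecker::countRaw($body, 'Member', 'name'),
        HtmlEscapeMarkerChecker::isAllEscaped($body, 'Member', 'name') ? 'yes' : 'no');
}
printf("safe  request.html allEscaped=%s\n",
    HtmlEscapeMarkerChecker::isAllEscaped($safeBody, 'request', 'html') ? 'yes' : 'no');
```

Run it with php on the command line. The point the manual's marker format relies on is visible here: because the raw and escaped forms of the marker share no prefix, a plain substring count is enough to decide the question, and the leaky body fails even though its visible text is escaped. If a project's escaper renders the apostrophe as &#39; rather than &#039;, escapedMarker() has to be adjusted accordingly.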

#3 Updated by Kousuke Ebihara over 10 years ago

The list of actions to be handled (which is meant to become the work progress list) is at http://spreadsheets.google.com/pub?key=0Ain-euBnqQDLdElHWS1DbFBzRWthMnZUdmZxTlpnQnc&hl=en&output=html (still being created).

#4 Updated by Kousuke Ebihara over 10 years ago

https://spreadsheets.google.com/pub?key=0Ain-euBnqQDLdGxzMnoyOFhBaUlQUVJnS0Y0YXNzZlE&output=html

I've set this up so that progress can be tracked here. I'll prepare the rules on how to use it as soon as possible.

That's all for now.

#5 Updated by Kousuke Ebihara over 10 years ago

http://redmine.openpne.jp/projects/op3/wiki/Rule_of_functional_test_for_36x

I've written the rules for this work.

#6 Updated by Kousuke Ebihara over 10 years ago

  • Target version changed from OpenPNE 3.6beta7 to OpenPNE 3.6beta8

#7 Updated by Kousuke Ebihara over 10 years ago

  • Target version changed from OpenPNE 3.6beta8 to OpenPNE3.6beta9

#8 Updated by Kousuke Ebihara over 10 years ago

  • Status changed from Accepted (In progress) to Fixed (Done)
  • % Done changed from 0 to 100

Done.

#9 Updated by Kousuke Ebihara about 10 years ago

  • Target version changed from OpenPNE3.6beta9 to OpenPNE3.6beta11

#10 Updated by Masato Nagasawa about 10 years ago

  • Target version changed from OpenPNE3.6beta11 to OpenPNE 3.6.0

#11 Updated by Masato Nagasawa about 10 years ago

  • Target version changed from OpenPNE 3.6.0 to OpenPNE3.6beta11

#12 Updated by Kousuke Ebihara almost 10 years ago

  • Due date set to 2011-06-24

#13 Updated by 誠二 天重 almost 7 years ago

  • Related to Bug #1877: Calling checkElement() with certain parameters in a functional test causes an error added
