fix: DockerSecretsResolver - don't normalize absolute paths like /var/www/html/...
@@ -0,0 +1,158 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
use App\Framework\Http\Session\FormIdGenerator;
|
||||
use App\Framework\Http\Session\SessionId;
|
||||
use App\Framework\Http\Session\SessionInterface;
|
||||
use App\Framework\Http\Session\SessionManager;
|
||||
use App\Framework\View\Response\FormDataResponseProcessor;
|
||||
|
||||
beforeEach(function () {
|
||||
$this->formIdGenerator = new FormIdGenerator();
|
||||
$this->sessionManager = Mockery::mock(SessionManager::class);
|
||||
|
||||
$this->processor = new FormDataResponseProcessor(
|
||||
$this->formIdGenerator,
|
||||
$this->sessionManager
|
||||
);
|
||||
|
||||
// Mock session
|
||||
$this->session = Mockery::mock(SessionInterface::class);
|
||||
$this->csrfProtection = Mockery::mock();
|
||||
|
||||
$this->session->shouldReceive('csrf')->andReturn($this->csrfProtection);
|
||||
$this->sessionManager->shouldReceive('saveSessionData')->andReturnNull();
|
||||
});
|
||||
|
||||
it('replaces token placeholder with DOM processing', function () {
|
||||
$formId = 'form_abc123def456';
|
||||
$token = str_repeat('a', 64);
|
||||
|
||||
$html = <<<HTML
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId}">
|
||||
<input type="hidden" name="_token" value="___TOKEN_{$formId}___">
|
||||
</form>
|
||||
HTML;
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token));
|
||||
|
||||
$result = $this->processor->process($html, $this->session);
|
||||
|
||||
expect($result)->toContain($token);
|
||||
expect($result)->not->toContain("___TOKEN_{$formId}___");
|
||||
});
|
||||
|
||||
it('handles token placeholder without quotes', function () {
|
||||
$formId = 'form_abc123def456';
|
||||
$token = str_repeat('b', 64);
|
||||
|
||||
$html = <<<HTML
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId}">
|
||||
<input type="hidden" name="_token" value=___TOKEN_{$formId}___>
|
||||
</form>
|
||||
HTML;
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token));
|
||||
|
||||
$result = $this->processor->process($html, $this->session);
|
||||
|
||||
expect($result)->toContain('value="' . $token . '"');
|
||||
expect($result)->not->toContain("___TOKEN_{$formId}___");
|
||||
});
|
||||
|
||||
it('falls back to regex when DOM processing fails', function () {
|
||||
$formId = 'form_abc123def456';
|
||||
$token = str_repeat('c', 64);
|
||||
|
||||
// Malformed HTML that might cause DOM parsing issues
|
||||
$html = <<<HTML
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId}">
|
||||
<input type="hidden" name="_token" value="___TOKEN_{$formId}___">
|
||||
<unclosed-tag>
|
||||
</form>
|
||||
HTML;
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token));
|
||||
|
||||
// Should not throw exception, should fall back to regex
|
||||
$result = $this->processor->process($html, $this->session);
|
||||
|
||||
// Should still replace token (via regex fallback)
|
||||
expect($result)->toContain($token);
|
||||
});
|
||||
|
||||
it('processes multiple forms independently', function () {
|
||||
$formId1 = 'form_abc123def456';
|
||||
$formId2 = 'form_xyz789ghi012';
|
||||
$token1 = str_repeat('d', 64);
|
||||
$token2 = str_repeat('e', 64);
|
||||
|
||||
$html = <<<HTML
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId1}">
|
||||
<input type="hidden" name="_token" value="___TOKEN_{$formId1}___">
|
||||
</form>
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId2}">
|
||||
<input type="hidden" name="_token" value="___TOKEN_{$formId2}___">
|
||||
</form>
|
||||
HTML;
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId1)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token1));
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId2)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token2));
|
||||
|
||||
$result = $this->processor->process($html, $this->session);
|
||||
|
||||
expect($result)->toContain($token1);
|
||||
expect($result)->toContain($token2);
|
||||
expect($result)->not->toContain("___TOKEN_{$formId1}___");
|
||||
expect($result)->not->toContain("___TOKEN_{$formId2}___");
|
||||
});
|
||||
|
||||
it('validates token length after replacement', function () {
|
||||
$formId = 'form_abc123def456';
|
||||
$token = str_repeat('f', 64);
|
||||
|
||||
$html = <<<HTML
|
||||
<form>
|
||||
<input type="hidden" name="_form_id" value="{$formId}">
|
||||
<input type="hidden" name="_token" value="___TOKEN_{$formId}___">
|
||||
</form>
|
||||
HTML;
|
||||
|
||||
$this->csrfProtection->shouldReceive('generateToken')
|
||||
->with($formId)
|
||||
->once()
|
||||
->andReturn(\App\Framework\Security\CsrfToken::fromString($token));
|
||||
|
||||
$result = $this->processor->process($html, $this->session);
|
||||
|
||||
// Extract token from result
|
||||
preg_match('/name="_token"[^>]*value="([^"]+)"/', $result, $matches);
|
||||
|
||||
if (isset($matches[1])) {
|
||||
expect(strlen($matches[1]))->toBe(64);
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
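Review bot: The length check at the end of the last test is guarded by `if (isset($matches[1]))`, so when the regex finds no `_token` value — the exact case where injection failed — the test passes with no assertion at all. Make the match itself an expectation: `expect(preg_match('/name="_token"[^>]*value="([^"]+)"/', $result, $matches))->toBe(1);` followed by `expect(strlen($matches[1]))->toBe(64);`. The multi-form test has a similar gap: it checks that both tokens appear and both placeholders are gone, but not that `$token1` landed in the form carrying `$formId1`, so a per-form swap would still pass; asserting `strpos($result, $token1) < strpos($result, $formId2)` (and the mirror for the second form) would pin the binding that matters for per-form CSRF. The fallback test's `<unclosed-tag>` is likely recovered silently by DOMDocument, so nothing visible here shows the regex path actually ran; if that path is meant to be covered, it needs an input that provably fails DOM parsing or a spy on the fallback. Separately, this test file does not match the commit title's DockerSecretsResolver fix and may be an unrelated change bundled into the commit.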