#include #include #include "eval.hh" #include "tests/libexpr.hh" namespace nix { TEST(nix_isAllowedURI, http_example_com) { Strings allowed; allowed.push_back("http://example.com"); ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); ASSERT_FALSE(isAllowedURI("/", allowed)); ASSERT_FALSE(isAllowedURI("http://example.co", allowed)); ASSERT_FALSE(isAllowedURI("http://example.como", allowed)); ASSERT_FALSE(isAllowedURI("http://example.org", allowed)); ASSERT_FALSE(isAllowedURI("http://example.org/foo", allowed)); } TEST(nix_isAllowedURI, http_example_com_foo) { Strings allowed; allowed.push_back("http://example.com/foo"); ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); ASSERT_FALSE(isAllowedURI("/foo", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com", allowed)); ASSERT_FALSE(isAllowedURI("http://example.como", allowed)); ASSERT_FALSE(isAllowedURI("http://example.org/foo", allowed)); // Broken? // ASSERT_TRUE(isAllowedURI("http://example.com/foo?ok=1", allowed)); } TEST(nix_isAllowedURI, http) { Strings allowed; allowed.push_back("http://"); ASSERT_TRUE(isAllowedURI("http://", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com/foo", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com/foo/", allowed)); ASSERT_TRUE(isAllowedURI("http://example.com", allowed)); ASSERT_FALSE(isAllowedURI("/", allowed)); ASSERT_FALSE(isAllowedURI("https://", allowed)); ASSERT_FALSE(isAllowedURI("http:foo", allowed)); } TEST(nix_isAllowedURI, https) { Strings allowed; allowed.push_back("https://"); ASSERT_TRUE(isAllowedURI("https://example.com", allowed)); ASSERT_TRUE(isAllowedURI("https://example.com/foo", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com/https:", allowed)); } TEST(nix_isAllowedURI, absolute_path) { Strings allowed; allowed.push_back("/var/evil"); // bad idea ASSERT_TRUE(isAllowedURI("/var/evil", allowed)); ASSERT_TRUE(isAllowedURI("/var/evil/", allowed)); ASSERT_TRUE(isAllowedURI("/var/evil/foo", allowed)); ASSERT_TRUE(isAllowedURI("/var/evil/foo/", allowed)); ASSERT_FALSE(isAllowedURI("/", allowed)); ASSERT_FALSE(isAllowedURI("/var/evi", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo/", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo/foo", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com/var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com//var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com//var/evil/foo", allowed)); } TEST(nix_isAllowedURI, file_url) { Strings allowed; allowed.push_back("file:///var/evil"); // bad idea ASSERT_TRUE(isAllowedURI("file:///var/evil", allowed)); ASSERT_TRUE(isAllowedURI("file:///var/evil/", allowed)); ASSERT_TRUE(isAllowedURI("file:///var/evil/foo", allowed)); ASSERT_TRUE(isAllowedURI("file:///var/evil/foo/", allowed)); ASSERT_FALSE(isAllowedURI("/", allowed)); ASSERT_FALSE(isAllowedURI("/var/evi", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo/", allowed)); ASSERT_FALSE(isAllowedURI("/var/evilo/foo", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com/var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com//var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http://example.com//var/evil/foo", allowed)); ASSERT_FALSE(isAllowedURI("http://var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http:///var/evil", allowed)); ASSERT_FALSE(isAllowedURI("http://var/evil/", allowed)); ASSERT_FALSE(isAllowedURI("file:///var/evi", allowed)); ASSERT_FALSE(isAllowedURI("file:///var/evilo", allowed)); ASSERT_FALSE(isAllowedURI("file:///var/evilo/", allowed)); ASSERT_FALSE(isAllowedURI("file:///var/evilo/foo", allowed)); ASSERT_FALSE(isAllowedURI("file:///", allowed)); ASSERT_FALSE(isAllowedURI("file://", allowed)); } } // namespace nix