tests/unit/UrlTest.php

   1 <?php
   2
   3 declare(strict_types=1);
   4
   5 namespace PhpMyAdmin\Tests;
   6
   7 use PhpMyAdmin\Config;
   8 use PhpMyAdmin\Current;
   9 use PhpMyAdmin\Url;
  10 use PHPUnit\Framework\Attributes\CoversClass;
  11 use PHPUnit\Framework\Attributes\DataProvider;
  12 use ReflectionProperty;
  13
  14 use function ini_get;
  15 use function parse_str;
  16 use function str_repeat;
  17 use function urldecode;
  18
  19 #[CoversClass(Url::class)]
  20 class UrlTest extends AbstractTestCase
  21 {
  22     /** @var string|false|null */
  23     private static string|bool|null $inputArgSeparator = null;
  24
  25     /**
  26      * Sets up the fixture, for example, opens a network connection.
  27      * This method is called before a test is executed.
  28      */
  29     protected function setUp(): void
  30     {
  31         parent::setUp();
  32
  33         $this->setLanguage();
  34
  35         unset($_COOKIE['pma_lang']);
  36         Config::getInstance()->set('URLQueryEncryption', false);
  37     }
  38
  39     /**
  40      * Test for Url::getCommon for DB only
  41      */
  42     public function testDbOnly(): void
  43     {
  44         Current::$server = 2;
  45         Config::getInstance()->settings['ServerDefault'] = 3;
  46
  47         $separator = Url::getArgSeparator();
  48         $expected = 'server=2' . $separator . 'lang=en';
  49
  50         $expected = '?db=db'
  51             . $separator . $expected;
  52
  53         self::assertSame($expected, Url::getCommon(['db' => 'db']));
  54     }
  55
  56     /**
  57      * Test for Url::getCommon with new style
  58      */
  59     public function testNewStyle(): void
  60     {
  61         Current::$server = 2;
  62         Config::getInstance()->settings['ServerDefault'] = 3;
  63
  64         $separator = Url::getArgSeparator();
  65         $expected = 'server=2' . $separator . 'lang=en';
  66
  67         $expected = '?db=db'
  68             . $separator . 'table=table'
  69             . $separator . $expected;
  70         $params = ['db' => 'db', 'table' => 'table'];
  71         self::assertSame($expected, Url::getCommon($params));
  72     }
  73
  74     /**
  75      * Test for Url::getCommon with alternate divider
  76      */
  77     public function testWithAlternateDivider(): void
  78     {
  79         Current::$server = 2;
  80         Config::getInstance()->settings['ServerDefault'] = 3;
  81
  82         $separator = Url::getArgSeparator();
  83         $expected = 'server=2' . $separator . 'lang=en';
  84
  85         $expected = '#ABC#db=db' . $separator . 'table=table' . $separator
  86             . $expected;
  87         self::assertSame(
  88             $expected,
  89             Url::getCommonRaw(
  90                 ['db' => 'db', 'table' => 'table'],
  91                 '#ABC#',
  92             ),
  93         );
  94     }
  95
  96     /**
  97      * Test for Url::getCommon
  98      */
  99     public function testDefault(): void
 100     {
 101         Current::$server = 2;
 102         Config::getInstance()->settings['ServerDefault'] = 3;
 103
 104         $separator = Url::getArgSeparator();
 105         $expected = '?server=2' . $separator . 'lang=en';
 106         self::assertSame($expected, Url::getCommon());
 107     }
 108
 109     /**
 110      * Test for Url::getFromRoute
 111      */
 112     public function testGetFromRoute(): void
 113     {
 114         $generatedUrl = Url::getFromRoute('/test', [
 115             'db' => '%3\$s',
 116             'table' => '%2\$s',
 117             'field' => '%1\$s',
 118             'change_column' => 1,
 119         ]);
 120         self::assertSame(
 121             'index.php?route=/test&db=%253%5C%24s&table=%252%5C%24s&field=%251%5C%24s&change_column=1&lang=en',
 122             $generatedUrl,
 123         );
 124     }
 125
 126     /**
 127      * Test for Url::getFromRoute
 128      */
 129     public function testGetFromRouteSpecialDbName(): void
 130     {
 131         $generatedUrl = Url::getFromRoute('/test', [
 132             'db' => '&test=_database=',
 133             'table' => '&test=_database=',
 134             'field' => '&test=_database=',
 135             'change_column' => 1,
 136         ]);
 137         $expectedUrl = 'index.php?route=/test&db=%26test%3D_database%3D'
 138         . '&table=%26test%3D_database%3D&field=%26test%3D_database%3D&change_column=1&lang=en';
 139         self::assertSame($expectedUrl, $generatedUrl);
 140
 141         self::assertSame(
 142             'index.php?route=/test&db=&test=_database=&table=&'
 143             . 'test=_database=&field=&test=_database=&change_column=1&lang=en',
 144             urldecode(
 145                 $expectedUrl,
 146             ),
 147         );
 148     }
 149
 150     /**
 151      * Test for Url::getFromRoute
 152      */
 153     public function testGetFromRouteMaliciousScript(): void
 154     {
 155         $generatedUrl = Url::getFromRoute('/test', [
 156             'db' => '<script src="https://domain.tld/svn/trunk/html5.js"></script>',
 157             'table' => '<script src="https://domain.tld/maybeweshouldusegit/trunk/html5.js"></script>',
 158             'field' => true,
 159             'trees' => 1,
 160             'book' => false,
 161             'worm' => false,
 162         ]);
 163         self::assertSame(
 164             'index.php?route=/test&db=%3Cscript+src%3D%22https%3A%2F%2Fdomain.tld%2Fsvn'
 165             . '%2Ftrunk%2Fhtml5.js%22%3E%3C%2Fscript%3E&table=%3Cscript+src%3D%22'
 166             . 'https%3A%2F%2Fdomain.tld%2Fmaybeweshouldusegit%2Ftrunk%2Fhtml5.js%22%3E%3C%2F'
 167             . 'script%3E&field=1&trees=1&book=0&worm=0&lang=en',
 168             $generatedUrl,
 169         );
 170     }
 171
 172     public function testGetHiddenFields(): void
 173     {
 174         $_SESSION = [];
 175         self::assertSame('', Url::getHiddenFields([]));
 176
 177         $_SESSION = [' PMA_token ' => '<b>token</b>'];
 178         self::assertSame(
 179             '<input type="hidden" name="token" value="&lt;b&gt;token&lt;/b&gt;">',
 180             Url::getHiddenFields([]),
 181         );
 182     }
 183
 184     public function testBuildHttpQueryWithUrlQueryEncryptionDisabled(): void
 185     {
 186         Config::getInstance()->set('URLQueryEncryption', false);
 187         $params = ['db' => 'test_db', 'table' => 'test_table', 'pos' => 0];
 188         self::assertSame('db=test_db&table=test_table&pos=0', Url::buildHttpQuery($params));
 189     }
 190
 191     public function testBuildHttpQueryWithUrlQueryEncryptionEnabled(): void
 192     {
 193         $_SESSION = [];
 194         $config = Config::getInstance();
 195         $config->set('URLQueryEncryption', true);
 196         $config->set('URLQueryEncryptionSecretKey', str_repeat('a', 32));
 197
 198         $params = ['db' => 'test_db', 'table' => 'test_table', 'pos' => 0];
 199         $query = Url::buildHttpQuery($params);
 200         self::assertStringStartsWith('pos=0&eq=', $query);
 201         parse_str($query, $queryParams);
 202         self::assertCount(2, $queryParams);
 203         self::assertSame('0', $queryParams['pos']);
 204         self::assertIsString($queryParams['eq']);
 205         self::assertNotSame('', $queryParams['eq']);
 206         self::assertMatchesRegularExpression('/^[a-zA-Z0-9-_=]+$/', $queryParams['eq']);
 207
 208         $decrypted = Url::decryptQuery($queryParams['eq']);
 209         self::assertNotNull($decrypted);
 210         self::assertJson($decrypted);
 211         self::assertSame('{"db":"test_db","table":"test_table"}', $decrypted);
 212     }
 213
 214     public function testQueryEncryption(): void
 215     {
 216         $_SESSION = [];
 217         $config = Config::getInstance();
 218         $config->set('URLQueryEncryption', true);
 219         $config->set('URLQueryEncryptionSecretKey', str_repeat('a', 32));
 220
 221         $query = '{"db":"test_db","table":"test_table"}';
 222         $encrypted = Url::encryptQuery($query);
 223         self::assertNotSame($query, $encrypted);
 224         self::assertNotSame('', $encrypted);
 225         self::assertMatchesRegularExpression('/^[a-zA-Z0-9-_=]+$/', $encrypted);
 226
 227         $decrypted = Url::decryptQuery($encrypted);
 228         self::assertSame($query, $decrypted);
 229     }
 230
 231     /** @param string|false $iniValue */
 232     #[DataProvider('getArgSeparatorProvider')]
 233     public function testGetArgSeparator(string $expected, string|bool $iniValue, string|null $cacheValue): void
 234     {
 235         $property = new ReflectionProperty(Url::class, 'inputArgSeparator');
 236         $property->setValue(null, $cacheValue);
 237
 238         self::$inputArgSeparator = $iniValue;
 239         self::assertSame($expected, Url::getArgSeparator());
 240
 241         self::$inputArgSeparator = null;
 242         $property->setValue(null, null);
 243     }
 244
 245     /** @psalm-return array<string, array{string, string|false, string|null}> */
 246     public static function getArgSeparatorProvider(): array
 247     {
 248         return [
 249             'ampersand' => ['&', '&', null],
 250             'semicolon' => [';', ';', null],
 251             'prefer ampersand' => ['&', '+;&$', null],
 252             'prefer semicolon' => [';', '+;$', null],
 253             'first char' => ['+', '+$', null],
 254             'cache' => ['$', '&', '$'],
 255             'empty value' => ['&', '', null],
 256             'false' => ['&', false, null],
 257         ];
 258     }
 259
 260     /**
 261      * Test double for ini_get('arg_separator.input') as it can't be changed using ini_set()
 262      *
 263      * @see Url::getArgSeparatorValueFromIni
 264      *
 265      * @return string|false
 266      */
 267     public static function getInputArgSeparator(): string|bool
 268     {
 269         return self::$inputArgSeparator ?? ini_get('arg_separator.input');
 270     }
 271 }