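/// <summary>
/// Verifies that a request carrying the AJAX marker is evaluated as
/// <see cref="RequestSecurity.Ignore"/> only while <c>IgnoreAjaxRequests</c> is enabled.
/// </summary>
/// <remarks>
/// The marker is supplied through the query string of the mocked request, so it is a
/// client-controlled value. The third evaluation pins the opt-out: with
/// <c>IgnoreAjaxRequests</c> set to <c>false</c>, the same request must no longer be ignored.
/// </remarks>
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestIsAjax()
{
    // Arrange.
    var mockRequest = new Mock<HttpRequestBase>();
    mockRequest.SetupGet(req => req.RawUrl).Returns("/getdata/");
    var requestEvaluator = new RequestEvaluator();

    // This test flips a flag on the fixture's settings object. The fixture may be shared
    // with other tests, so remember the original value and put it back afterwards.
    // NOTE(review): the second assertion relies on the fixture enabling IgnoreAjaxRequests; confirm.
    var originalIgnoreAjaxRequests = _fixture.Settings.IgnoreAjaxRequests;

    try
    {
        // Act.
        RequestSecurity resultForNonAjaxRequest = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);

        var queryString = new NameValueCollection
        {
            { RequestEvaluator.XRequestedWithHeaderKey, RequestEvaluator.AjaxRequestHeaderValue }
        };
        mockRequest.Setup(req => req.QueryString).Returns(queryString);
        RequestSecurity resultForAjaxRequest = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);

        _fixture.Settings.IgnoreAjaxRequests = false;
        RequestSecurity resultForAjaxRequestWithIgnoreOff = requestEvaluator.Evaluate(mockRequest.Object, _fixture.Settings);

        // Assert.
        Assert.NotEqual(RequestSecurity.Ignore, resultForNonAjaxRequest);
        Assert.Equal(RequestSecurity.Ignore, resultForAjaxRequest);
        Assert.NotEqual(RequestSecurity.Ignore, resultForAjaxRequestWithIgnoreOff);
    }
    finally
    {
        // Restore the setting even when an assertion fails, so later tests do not
        // observe IgnoreAjaxRequests == false by accident.
        _fixture.Settings.IgnoreAjaxRequests = originalIgnoreAjaxRequests;
    }
}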
/// <summary>
/// Verifies which raw URLs are evaluated as <see cref="RequestSecurity.Ignore"/> because
/// they look like image requests, including variants with a query string and/or fragment.
/// </summary>
/// <remarks>
/// The first two entries (.psd, .pdf) are the negative cases and must not be ignored;
/// every later entry must be ignored.
/// NOTE(review): "/OtherResource.axd/resourceImage.webp" also contains ".axd", which the
/// system-handler test in this file expects to be ignored as well, so that entry does not
/// isolate the image rule. How an image-looking URL interacts with a path configured as
/// secure is not exercised here.
/// </remarks>
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestPathIndicatesImage()
{
    // Arrange.
    // Number of leading entries that are expected NOT to be ignored.
    const int notIgnoredCount = 2;
    string[] candidatePaths =
    {
        "/non-typical-image.psd",
        "/Media/Document.pdf",
        "/Images/SomeService/",
        "/Images/SomeService/?someKey=someValue",
        "/images/img-handler.ashx",
        "/images/img-handler.ashx?some-key=some-value",
        "/Manage/Images/indicator-alert.bmp",
        "/info/signs/sign1.gif",
        "/faavicon.ico",
        "/Media/logo.jpg",
        "/Media/other-logo.jpeg",
        "/SomeImage.png",
        "/drawings/machine.design.svg",
        "/Info/some-image.tiff",
        "/Info/another-image.tif",
        "/OtherResource.axd/resourceImage.webp",
        "/OddBall.xbm",
        "/Manage/Images/indicator-alert.bmp?someKey=someValue",
        "/info/signs/sign1.gif#hash",
        "/faavicon.ico?flag",
        "/Media/logo.jpg?some-key=some-value&other-key=other-value",
        "/Media/other-logo.jpeg?someKey=someValue#here",
        "/SomeImage.png?someKey=someValue&otherKey=otherValue#here-nor-there",
        "/drawings/machine.design.svg#hash.sub",
        "/Info/some-image.tiff?some.key=some.value",
        "/Info/another-image.tif?some.key=some.value#hash.sub",
        "/OtherResource.axd/resourceImage.webp?",
        "/OddBall.xbm?#"
    };
    var outcomes = new RequestSecurity[candidatePaths.Length];
    var request = new Mock<HttpRequestBase>();
    var evaluator = new RequestEvaluator();

    // Act.
    int position = 0;
    foreach (string candidate in candidatePaths)
    {
        // Re-point the mocked RawUrl at the next candidate before evaluating it.
        request.SetupGet(req => req.RawUrl).Returns(candidate);
        outcomes[position] = evaluator.Evaluate(request.Object, _fixture.Settings);
        position++;
    }

    // Assert.
    for (int i = 0; i < outcomes.Length; i++)
    {
        if (i < notIgnoredCount)
        {
            Assert.NotEqual(RequestSecurity.Ignore, outcomes[i]);
        }
        else
        {
            Assert.Equal(RequestSecurity.Ignore, outcomes[i]);
        }
    }
}
/// <summary>
/// Verifies that a raw URL matching none of the configured paths is evaluated as
/// <see cref="RequestSecurity.Insecure"/>.
/// </summary>
/// <remarks>
/// The configured paths come from the fixture's settings, which are not visible in this
/// test; "/Info/AboutUs.aspx" is assumed not to be listed there.
/// </remarks>
public void EvaluateReturnsInsecureWhenNoSettingsPathsMatchRequestPath()
{
    // Arrange.
    var evaluator = new RequestEvaluator();
    var request = new Mock<HttpRequestBase>();
    request.SetupGet(req => req.RawUrl).Returns("/Info/AboutUs.aspx");

    // Act.
    RequestSecurity outcome = evaluator.Evaluate(request.Object, _fixture.Settings);

    // Assert.
    Assert.Equal(RequestSecurity.Insecure, outcome);
}
/// <summary>
/// Verifies which raw URLs are evaluated as <see cref="RequestSecurity.Ignore"/> because
/// they look like style sheet requests, including variants with a query string and/or fragment.
/// </summary>
/// <remarks>
/// The first two entries (.psd, .pdf) are the negative cases and must not be ignored;
/// every later entry must be ignored.
/// NOTE(review): "/Media/Styles/Site.css/resourceImage.webp?" ends in ".webp", which the
/// image test in this file also expects to be ignored, so that entry does not isolate the
/// style sheet rule.
/// </remarks>
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestPathIndicatesStyleSheet()
{
    // Arrange.
    // Number of leading entries that are expected NOT to be ignored.
    const int notIgnoredCount = 2;
    string[] candidatePaths =
    {
        "/non-typical-image.psd",
        "/Media/Document.pdf",
        "/Styles/SomeService/",
        "/StyleSheets/SomeService/?someKey=someValue",
        "/styles/img-handler.ashx",
        "/stylesheets/img-handler.ashx?some-key=some-value",
        "/normalize.css",
        "/Media/Styles/Site.css",
        "/normalize.css?someKey=someValue",
        "/Media/Styles/Site.css#hash",
        "/normalize.css?flag",
        "/Media/Styles/Site.css?some-key=some-value&other-key=other-value",
        "/normalize.css?someKey=someValue#here",
        "/Media/Styles/Site.css?someKey=someValue&otherKey=otherValue#here-nor-there",
        "/normalize.alternative.css#hash.sub",
        "/Media/Styles/Site.css?some.key=some.value",
        "/normalize.css?some.key=some.value#hash.sub",
        "/Media/Styles/Site.css/resourceImage.webp?",
        "/normalize.css?#"
    };
    var outcomes = new RequestSecurity[candidatePaths.Length];
    var request = new Mock<HttpRequestBase>();
    var evaluator = new RequestEvaluator();

    // Act.
    int position = 0;
    foreach (string candidate in candidatePaths)
    {
        // Re-point the mocked RawUrl at the next candidate before evaluating it.
        request.SetupGet(req => req.RawUrl).Returns(candidate);
        outcomes[position] = evaluator.Evaluate(request.Object, _fixture.Settings);
        position++;
    }

    // Assert.
    for (int i = 0; i < outcomes.Length; i++)
    {
        if (i < notIgnoredCount)
        {
            Assert.NotEqual(RequestSecurity.Ignore, outcomes[i]);
        }
        else
        {
            Assert.Equal(RequestSecurity.Ignore, outcomes[i]);
        }
    }
}
/// <summary>
/// Verifies that a raw URL matching a secure path in the settings is evaluated as
/// <see cref="RequestSecurity.Secure"/>.
/// </summary>
/// <remarks>
/// The secure path list lives in the fixture's settings, which are not visible in this
/// test; "/login/" is assumed to be covered by one of those entries.
/// </remarks>
public void EvaluateReturnsSecureWhenASecureSettingsPathMatchesRequestPath()
{
    // Arrange.
    var evaluator = new RequestEvaluator();
    var request = new Mock<HttpRequestBase>();
    request.SetupGet(req => req.RawUrl).Returns("/login/");

    // Act.
    RequestSecurity outcome = evaluator.Evaluate(request.Object, _fixture.Settings);

    // Assert.
    Assert.Equal(RequestSecurity.Secure, outcome);
}
/// <summary>
/// Verifies that evaluation yields <see cref="RequestSecurity.Ignore"/> when the settings'
/// mode is <c>Mode.Off</c>.
/// </summary>
/// <remarks>
/// No RawUrl is set up on the mocked request, and the settings object is created locally
/// with only <c>Mode</c> assigned, so the expected result does not depend on any path.
/// </remarks>
public void EvaluateReturnsIgnoreWhenModeIsOff()
{
    // Arrange.
    var offSettings = new Settings { Mode = Mode.Off };
    var request = new Mock<HttpRequestBase>();
    var evaluator = new RequestEvaluator();

    // Act.
    RequestSecurity outcome = evaluator.Evaluate(request.Object, offSettings);

    // Assert.
    Assert.Equal(RequestSecurity.Ignore, outcome);
}
/// <summary>
/// Verifies that evaluation yields <see cref="RequestSecurity.Ignore"/> when the settings'
/// mode is <c>Mode.LocalOnly</c> and the request reports <c>IsLocal == false</c>.
/// </summary>
/// <remarks>
/// Only the remote side of <c>Mode.LocalOnly</c> is covered here; the local-request
/// counterpart is not exercised by this test.
/// </remarks>
public void EvaluateReturnsIgnoreWhenModeIsLocalOnlyAndRequestIsRemote()
{
    // Arrange.
    var localOnlySettings = new Settings { Mode = Mode.LocalOnly };
    var evaluator = new RequestEvaluator();
    var request = new Mock<HttpRequestBase>();
    // Present the request as remote.
    request.SetupGet(req => req.IsLocal).Returns(false);

    // Act.
    RequestSecurity outcome = evaluator.Evaluate(request.Object, localOnlySettings);

    // Assert.
    Assert.Equal(RequestSecurity.Ignore, outcome);
}
/// <summary>
/// Verifies that raw URLs addressing ".axd" handlers are evaluated as
/// <see cref="RequestSecurity.Ignore"/>, while ordinary page URLs are not.
/// </summary>
/// <remarks>
/// The first four entries are the negative cases and must not be ignored. The remaining
/// entries all contain ".axd", optionally followed by a query string, extra path info
/// or a fragment, and must be ignored.
/// NOTE(review): "/trace.axd#details" is among the ignored handlers, so this evaluator makes
/// no secure/insecure decision for it. Confirm that such endpoints are protected elsewhere
/// if they are enabled.
/// </remarks>
public void EvaluateReturnsIgnoreAppropriatelyWhenRequestIsSystemHandler()
{
    // Arrange.
    // Number of leading entries that are expected NOT to be ignored.
    const int notIgnoredCount = 4;
    string[] candidatePaths =
    {
        "/",
        "/Default.aspx",
        "/Info/AboutUs.aspx",
        "/info/aboutus/",
        "/Manage/DownloadThatFile.axd",
        "/Info/WebResource.axd?i=C3E19B2A-15F0-4174-A245-20F08C1DF4B8",
        "/OtherResource.axd/additional/info",
        "/trace.axd#details"
    };
    var outcomes = new RequestSecurity[candidatePaths.Length];
    var request = new Mock<HttpRequestBase>();
    var evaluator = new RequestEvaluator();

    // Act.
    int position = 0;
    foreach (string candidate in candidatePaths)
    {
        // Re-point the mocked RawUrl at the next candidate before evaluating it.
        request.SetupGet(req => req.RawUrl).Returns(candidate);
        outcomes[position] = evaluator.Evaluate(request.Object, _fixture.Settings);
        position++;
    }

    // Assert.
    for (int i = 0; i < outcomes.Length; i++)
    {
        if (i < notIgnoredCount)
        {
            Assert.NotEqual(RequestSecurity.Ignore, outcomes[i]);
        }
        else
        {
            Assert.Equal(RequestSecurity.Ignore, outcomes[i]);
        }
    }
}