public void ProtectedDataDoesNotViolateOwaspRule942440(string data)
{
var byteData = Encoding.UTF8.GetBytes(data);
var violationPattern = new Regex("(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)", RegexOptions.ECMAScript);
var serializer = new Mock <IDataSerializer <string> >();
var protector = new Mock <IDataProtector>();
var formatter = new OpenIdConnectNonceStringDataFormat(serializer.Object, protector.Object);
// Use the raw byte data as the protected result to, hopefully, increase the chances that
// it would potentially result in an invalid sequence.
serializer
.Setup(instance => instance.Serialize(It.Is <string>(val => val == data)))
.Returns(byteData)
.Verifiable();
protector
.Setup(instance => instance.Protect(It.Is <byte[]>(val => val == byteData)))
.Returns(byteData)
.Verifiable();
var protectedData = formatter.Protect(data);
protectedData.Should().NotBeNullOrEmpty("because the data should have been protected");
violationPattern.IsMatch(protectedData).Should().BeFalse("because the data should not violate the rule");
}
public void UnprotectTakesNoActionOnMissingData(string data)
{
var serializer = new Mock <IDataSerializer <string> >();
var protector = new Mock <IDataProtector>();
var formatter = new OpenIdConnectNonceStringDataFormat(serializer.Object, protector.Object);
formatter.Unprotect(data).Should().Be(data, "because no action should be taken to unprotect missing data");
}
public void ProtectInvokesTheDataProtector()
{
var data = "ABSECSOASJERC";
var expectedBytes = new byte[] { 0x11, 0x22, 0x12, 0x21 };
var serializer = new Mock <IDataSerializer <string> >();
var protector = new Mock <IDataProtector>();
var formatter = new OpenIdConnectNonceStringDataFormat(serializer.Object, protector.Object);
serializer
.Setup(instance => instance.Serialize(It.Is <string>(val => val == data)))
.Returns(expectedBytes);
formatter.Protect(data);
protector.Verify(instance => instance.Protect(It.Is <byte[]>(val => val == expectedBytes)), Times.Once);
}
public void ProtectInvokesTheDataProtectorWhenAPurposeIsPassed(string data,
string purpose)
{
var expectedBytes = new byte[] { 0x11, 0x22, 0x12, 0x21 };
var serializer = new Mock <IDataSerializer <string> >();
var protector = new Mock <IDataProtector>();
var formatter = new OpenIdConnectNonceStringDataFormat(serializer.Object, protector.Object);
serializer
.Setup(instance => instance.Serialize(It.Is <string>(val => val == data)))
.Returns(expectedBytes);
protector
.Setup(instance => instance.CreateProtector(It.Is <string>(val => val == purpose)))
.Returns(protector.Object);
formatter.Protect(data, purpose);
protector.Verify(instance => instance.Protect(It.Is <byte[]>(val => val == expectedBytes)), Times.Once);
}
public void ProtectedDataCanBeUnprotected()
{
var data = "ABSECSOASJERC";
var byteData = Encoding.UTF8.GetBytes(data);
var protectedBytes = Encoding.UTF8.GetBytes("This is a protected string");
var serializer = new Mock <IDataSerializer <string> >();
var protector = new Mock <IDataProtector>();
var formatter = new OpenIdConnectNonceStringDataFormat(serializer.Object, protector.Object);
serializer
.Setup(instance => instance.Serialize(It.Is <string>(val => val == data)))
.Returns(byteData)
.Verifiable();
serializer
.Setup(instance => instance.Deserialize(It.Is <byte[]>(val => Enumerable.SequenceEqual(val, byteData))))
.Returns(data)
.Verifiable();
protector
.Setup(instance => instance.Protect(It.Is <byte[]>(val => val == byteData)))
.Returns(protectedBytes)
.Verifiable();
protector
.Setup(instance => instance.Unprotect(It.Is <byte[]>(val => Enumerable.SequenceEqual(val, protectedBytes))))
.Returns(byteData)
.Verifiable();
var protectedData = formatter.Protect(data);
protectedData.Should().NotBeNullOrEmpty("because the data should have been protected");
formatter.Unprotect(protectedData).Should().Be(data, "because a protect/unprotect cycle should result in the source data being restored");
serializer.VerifyAll();
protector.VerifyAll();
}
