/**
* Copyright (c) 2000-present Liferay, Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or modify it under
* the terms of the GNU Lesser General Public License as published by the Free
* Software Foundation; either version 2.1 of the License, or (at your option)
* any later version.
*
* This library is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
* details.
*/
package com.liferay.portal.util;
import com.liferay.portal.kernel.util.HttpUtil;
import com.liferay.portal.kernel.util.ReflectionUtil;
import java.lang.reflect.Field;
import java.util.Set;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.powermock.api.mockito.PowerMockito;
/**
* @author Tomas Polesovsky
*/
public class PortalImplEscapeRedirectTest extends PowerMockito {
@BeforeClass
public static void setUpClass() throws Exception {
HttpUtil httpUtil = new HttpUtil();
httpUtil.setHttp(new HttpImpl());
}
@Test
public void testEscapeRedirectWithDomains() throws Exception {
String[] redirectURLDomainsAllowed =
PropsValues.REDIRECT_URL_DOMAINS_ALLOWED;
String redirectURLSecurityMode = PropsValues.REDIRECT_URL_SECURITY_MODE;
setPropsValuesValue("REDIRECT_URL_SECURITY_MODE", "domain");
setPropsValuesValue(
"REDIRECT_URL_DOMAINS_ALLOWED",
new String[] {"google.com", "localhost"});
try {
Assert.assertEquals(
"/web/guest", _portalImpl.escapeRedirect("/web/guest"));
Assert.assertEquals(
"/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect("/a/b;c=d?e=f&g=h#x=y"));
Assert.assertEquals(
"http://localhost",
_portalImpl.escapeRedirect("http://localhost"));
Assert.assertEquals(
"https://localhost:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://localhost:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertEquals(
"google.com", _portalImpl.escapeRedirect("google.com"));
Assert.assertEquals(
"http://google.com",
_portalImpl.escapeRedirect("http://google.com"));
Assert.assertEquals(
"https://google.com:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://google.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertNull(_portalImpl.escapeRedirect("liferay.com"));
Assert.assertNull(_portalImpl.escapeRedirect("http://liferay.com"));
Assert.assertNull(
_portalImpl.escapeRedirect(
"https://liferay.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertNull(_portalImpl.escapeRedirect("google.comsuffix"));
Assert.assertNull(_portalImpl.escapeRedirect("google.com.suffix"));
Assert.assertNull(_portalImpl.escapeRedirect("prefixgoogle.com"));
Assert.assertNull(_portalImpl.escapeRedirect("prefix.google.com"));
}
finally {
setPropsValuesValue(
"REDIRECT_URL_DOMAINS_ALLOWED", redirectURLDomainsAllowed);
setPropsValuesValue(
"REDIRECT_URL_SECURITY_MODE", redirectURLSecurityMode);
}
}
@Test
public void testEscapeRedirectWithIPs() throws Exception {
String[] redirectURLIPsAllowed = PropsValues.REDIRECT_URL_IPS_ALLOWED;
String redirectURLSecurityMode = PropsValues.REDIRECT_URL_SECURITY_MODE;
setPropsValuesValue("REDIRECT_URL_SECURITY_MODE", "ip");
setPropsValuesValue(
"REDIRECT_URL_IPS_ALLOWED",
new String[] {"127.0.0.1", "SERVER_IP"});
try {
Assert.assertEquals(
"/web/guest", _portalImpl.escapeRedirect("/web/guest"));
Assert.assertEquals(
"/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect("/a/b;c=d?e=f&g=h#x=y"));
Assert.assertEquals(
"http://localhost",
_portalImpl.escapeRedirect("http://localhost"));
Assert.assertEquals(
"https://localhost:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://localhost:8080/a/b;c=d?e=f&g=h#x=y"));
Set<String> computerAddresses = _portalImpl.getComputerAddresses();
for (String computerAddress : computerAddresses) {
Assert.assertEquals(
"http://" + computerAddress,
_portalImpl.escapeRedirect("http://" + computerAddress));
Assert.assertEquals(
"https://" + computerAddress + "/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://" + computerAddress + "/a/b;c=d?e=f&g=h#x=y"));
}
Assert.assertNull(_portalImpl.escapeRedirect("liferay.com"));
Assert.assertNull(_portalImpl.escapeRedirect("http://liferay.com"));
Assert.assertNull(
_portalImpl.escapeRedirect(
"https://liferay.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertNull(_portalImpl.escapeRedirect("127.0.0.1suffix"));
Assert.assertNull(_portalImpl.escapeRedirect("127.0.0.1.suffix"));
Assert.assertNull(_portalImpl.escapeRedirect("prefix127.0.0.1"));
Assert.assertNull(_portalImpl.escapeRedirect("prefix.127.0.0.1"));
}
finally {
setPropsValuesValue(
"REDIRECT_URL_IPS_ALLOWED", redirectURLIPsAllowed);
setPropsValuesValue(
"REDIRECT_URL_SECURITY_MODE", redirectURLSecurityMode);
}
}
@Test
public void testEscapeRedirectWithSubdomains() throws Exception {
String[] redirectURLDomainsAllowed =
PropsValues.REDIRECT_URL_DOMAINS_ALLOWED;
String redirectURLSecurityMode = PropsValues.REDIRECT_URL_SECURITY_MODE;
setPropsValuesValue("REDIRECT_URL_SECURITY_MODE", "domain");
setPropsValuesValue(
"REDIRECT_URL_DOMAINS_ALLOWED",
new String[] {"*.test.liferay.com", "google.com"});
try {
Assert.assertEquals(
"/web/guest", _portalImpl.escapeRedirect("/web/guest"));
Assert.assertEquals(
"/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect("/a/b;c=d?e=f&g=h#x=y"));
Assert.assertEquals(
"test.liferay.com",
_portalImpl.escapeRedirect("test.liferay.com"));
Assert.assertEquals(
"http://test.liferay.com",
_portalImpl.escapeRedirect("http://test.liferay.com"));
Assert.assertEquals(
"https://test.liferay.com:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://test.liferay.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertEquals(
"second.test.liferay.com",
_portalImpl.escapeRedirect("second.test.liferay.com"));
Assert.assertEquals(
"http://second.test.liferay.com",
_portalImpl.escapeRedirect("http://second.test.liferay.com"));
Assert.assertEquals(
"https://second.test.liferay.com:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://second.test.liferay.com:8080/a/b;c=d?e=f&g=h#x=" +
"y"));
Assert.assertEquals(
"google.com", _portalImpl.escapeRedirect("google.com"));
Assert.assertEquals(
"http://google.com",
_portalImpl.escapeRedirect("http://google.com"));
Assert.assertEquals(
"https://google.com:8080/a/b;c=d?e=f&g=h#x=y",
_portalImpl.escapeRedirect(
"https://google.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertNull(_portalImpl.escapeRedirect("liferay.com"));
Assert.assertNull(_portalImpl.escapeRedirect("http://liferay.com"));
Assert.assertNull(
_portalImpl.escapeRedirect(
"https://liferay.com:8080/a/b;c=d?e=f&g=h#x=y"));
Assert.assertNull(
_portalImpl.escapeRedirect("test.liferay.comsuffix"));
Assert.assertNull(
_portalImpl.escapeRedirect("test.liferay.com.suffix"));
Assert.assertNull(
_portalImpl.escapeRedirect("prefixtest.liferay.com"));
Assert.assertNull(_portalImpl.escapeRedirect("google.comsuffix"));
Assert.assertNull(_portalImpl.escapeRedirect("google.com.suffix"));
Assert.assertNull(_portalImpl.escapeRedirect("prefixgoogle.com"));
Assert.assertNull(_portalImpl.escapeRedirect("prefix.google.com"));
}
finally {
setPropsValuesValue(
"REDIRECT_URL_DOMAINS_ALLOWED", redirectURLDomainsAllowed);
setPropsValuesValue(
"REDIRECT_URL_SECURITY_MODE", redirectURLSecurityMode);
}
}
protected void setPropsValuesValue(String name, Object value)
throws Exception {
Field field = ReflectionUtil.unfinalField(
field(PropsValues.class, name));
field.set(PropsValues.class, value);
}
private final PortalImpl _portalImpl = new PortalImpl();
}