InputValidationTest.java

/**
 * Copyright (c) Codice Foundation
 * <p>
 * This is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser
 * General Public License as published by the Free Software Foundation, either version 3 of the
 * License, or any later version.
 * <p>
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without
 * even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details. A copy of the GNU Lesser General Public License
 * is distributed along with this program and can be found at
 * <http://www.gnu.org/licenses/lgpl.html>.
 **/
package org.codice.ddf.platform.util;

import static org.hamcrest.CoreMatchers.is;
import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;

import static junit.framework.TestCase.assertFalse;

import org.junit.Before;
import org.junit.Test;

public class InputValidationTest {

    private static final String BAD_FILE = "../.././myfile.exe.bat.unk";

    private static final String BAD_FILE1 = "/../myfile.exe/.bat.exe";

    private static final String BAD_FILE2 = ".";

    private static final String SANI_BAD_FILE = "myfile.bin.bin.unk";

    private static final String SANI_BAD_FILE1 = "bin.bin";

    private static final String GOOD_FILE = "myfile.bin";

    private static final String KNOWN_BAD_FILE = ".htaccess";

    private static final String DEFAULT_FILE = "file.bin";

    private static final String GOOD_MIME = "application/pdf";

    private static final String BAD_MIME = "text/html";

    @Before
    public void setup() {
        System.setProperty("bad.files",
                "crossdomain.xml,clientaccesspolicy.xml,.htaccess,.htpasswd,hosts,passwd,group,resolv.conf,nfs.conf,ftpd.conf,ntp.conf,web.config,robots.txt");
        System.setProperty("bad.file.extensions",
                ".exe,.jsp,.html,.js,.php,.phtml,.php3,.php4,.php5,.phps,.shtml,.jhtml,.pl,.py,.cgi,.msi,.com,.scr,.gadget,.application,.pif,.hta,.cpl,.msc,.jar,.kar,.bat,.cmd,.vb,.vbs,.vbe,.jse,.ws,.wsf,.wsc,.wsh,.ps1,.ps1xml,.ps2,.ps2xml,.psc1,.psc2,.msh,.msh1,.msh2,.mshxml,.msh1xml,.msh2xml,.scf,.lnk,.inf,.reg,.dll,.vxd,.cpl,.cfg,.config,.crt,.cert,.pem,.jks,.p12,.p7b,.key,.der,.csr,.jsb,.mhtml,.mht,.xhtml,.xht");
        System.setProperty("bad.mime.types",
                "text/html,text/javascript,text/x-javascript,application/x-shellscript,text/scriptlet,application/x-msdownload,application/x-msmetafile");
    }

    @Test
    public void testSanitizeFilenameBad() {
        String sanitizedName = InputValidation.sanitizeFilename(BAD_FILE);
        assertThat(sanitizedName, is(SANI_BAD_FILE));
    }

    @Test
    public void testSanitizeFilenameBad1() {
        String sanitizedName = InputValidation.sanitizeFilename(BAD_FILE1);
        assertThat(sanitizedName, is(SANI_BAD_FILE1));
    }

    @Test
    public void testSanitizeFilenameBad2() {
        String sanitizedName = InputValidation.sanitizeFilename(BAD_FILE2);
        assertThat(sanitizedName, is(DEFAULT_FILE));
    }

    @Test
    public void testSanitizeFilenameGood() {
        String sanitizedName = InputValidation.sanitizeFilename(GOOD_FILE);
        assertThat(sanitizedName, is(GOOD_FILE));
    }

    @Test
    public void testSanitizeFilenameKnownBad() {
        String sanitizedName = InputValidation.sanitizeFilename(KNOWN_BAD_FILE);
        assertThat(sanitizedName, is(DEFAULT_FILE));
    }

    @Test
    public void testCheckForClientSideVulnerableMimeTypeBad() {
        boolean result = InputValidation.checkForClientSideVulnerableMimeType(BAD_MIME);
        assertFalse(result);
    }

    @Test
    public void testCheckForClientSideVulnerableMimeTypeGood() {
        boolean result = InputValidation.checkForClientSideVulnerableMimeType(GOOD_MIME);
        assertTrue(result);
    }
}