|
| 1 | +#!/usr/bin/perl |
| 2 | + |
| 3 | +# (C) Andrei Belov |
| 4 | + |
| 5 | +# Tests for ModSecurity module (HTTP/2). |
| 6 | + |
| 7 | +############################################################################### |
| 8 | + |
| 9 | +use warnings; |
| 10 | +use strict; |
| 11 | + |
| 12 | +use Test::More; |
| 13 | + |
| 14 | +BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 15 | + |
| 16 | +use lib 'lib'; |
| 17 | +use Test::Nginx; |
| 18 | +use Test::Nginx::HTTP2; |
| 19 | + |
| 20 | +############################################################################### |
| 21 | + |
| 22 | +select STDERR; $| = 1; |
| 23 | +select STDOUT; $| = 1; |
| 24 | + |
| 25 | +my $t = Test::Nginx->new()->has(qw/http http_v2/); |
| 26 | + |
| 27 | +$t->write_file_expand('nginx.conf', <<'EOF'); |
| 28 | +
|
| 29 | +%%TEST_GLOBALS%% |
| 30 | +
|
| 31 | +daemon off; |
| 32 | +
|
| 33 | +events { |
| 34 | +} |
| 35 | +
|
| 36 | +http { |
| 37 | + %%TEST_GLOBALS_HTTP%% |
| 38 | +
|
| 39 | + server { |
| 40 | + listen 127.0.0.1:8080 http2; |
| 41 | + server_name localhost; |
| 42 | +
|
| 43 | + location / { |
| 44 | + modsecurity on; |
| 45 | + modsecurity_rules ' |
| 46 | + SecRuleEngine On |
| 47 | + SecRule ARGS "@streq whee" "id:10,phase:2" |
| 48 | + SecRule ARGS "@streq whee" "id:11,phase:2" |
| 49 | + '; |
| 50 | + } |
| 51 | + location /phase1 { |
| 52 | + modsecurity on; |
| 53 | + modsecurity_rules ' |
| 54 | + SecRuleEngine On |
| 55 | + SecDefaultAction "phase:1,log,deny,status:403" |
| 56 | + SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org" |
| 57 | + SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org" |
| 58 | + SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block" |
| 59 | + SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block" |
| 60 | + '; |
| 61 | + } |
| 62 | + location /phase2 { |
| 63 | + modsecurity on; |
| 64 | + modsecurity_rules ' |
| 65 | + SecRuleEngine On |
| 66 | + SecDefaultAction "phase:2,log,deny,status:403" |
| 67 | + SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org" |
| 68 | + SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org" |
| 69 | + SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block" |
| 70 | + SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block" |
| 71 | + '; |
| 72 | + } |
| 73 | + location /phase3 { |
| 74 | + modsecurity on; |
| 75 | + modsecurity_rules ' |
| 76 | + SecRuleEngine On |
| 77 | + SecDefaultAction "phase:3,log,deny,status:403" |
| 78 | + SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org" |
| 79 | + SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org" |
| 80 | + SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block" |
| 81 | + SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block" |
| 82 | + '; |
| 83 | + } |
| 84 | + location /phase4 { |
| 85 | + modsecurity on; |
| 86 | + modsecurity_rules ' |
| 87 | + SecRuleEngine On |
| 88 | + SecResponseBodyAccess On |
| 89 | + SecDefaultAction "phase:4,log,deny,status:403" |
| 90 | + SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org" |
| 91 | + SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org" |
| 92 | + SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block" |
| 93 | + SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block" |
| 94 | + '; |
| 95 | + } |
| 96 | + } |
| 97 | +} |
| 98 | +EOF |
| 99 | + |
| 100 | +$t->write_file("/phase1", "should be moved/blocked before this."); |
| 101 | +$t->write_file("/phase2", "should be moved/blocked before this."); |
| 102 | +$t->write_file("/phase3", "should be moved/blocked before this."); |
| 103 | +$t->write_file("/phase4", "should not be moved/blocked, headers delivered before phase 4."); |
| 104 | +$t->run(); |
| 105 | +$t->todo_alerts(); |
| 106 | +$t->plan(20); |
| 107 | + |
| 108 | +############################################################################### |
| 109 | + |
| 110 | +my ($phase, $s, $sid, $frames, $frame); |
| 111 | + |
| 112 | +# Redirect (302) |
| 113 | + |
| 114 | +for $phase (1 .. 3) { |
| 115 | + $s = Test::Nginx::HTTP2->new(); |
| 116 | + $sid = $s->new_stream({ path => "/phase${phase}?what=redirect302" }); |
| 117 | + $frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 118 | + ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; |
| 119 | + is($frame->{headers}->{':status'}, 302, "redirect 302 - phase ${phase}"); |
| 120 | +} |
| 121 | + |
| 122 | +SKIP: { |
| 123 | +skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE}; |
| 124 | + |
| 125 | +$s = Test::Nginx::HTTP2->new(); |
| 126 | +$sid = $s->new_stream({ path => '/phase4?what=redirect302' }); |
| 127 | +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 128 | +($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 129 | +is($frame, undef, 'redirect 302 - phase 4'); |
| 130 | +} |
| 131 | + |
| 132 | +# Redirect (301) |
| 133 | + |
| 134 | +for $phase (1 .. 3) { |
| 135 | + $s = Test::Nginx::HTTP2->new(); |
| 136 | + $sid = $s->new_stream({ path => "/phase${phase}?what=redirect301" }); |
| 137 | + $frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 138 | + ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; |
| 139 | + is($frame->{headers}->{':status'}, 301, "redirect 301 - phase ${phase}"); |
| 140 | +} |
| 141 | + |
| 142 | +SKIP: { |
| 143 | +skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE}; |
| 144 | + |
| 145 | +$s = Test::Nginx::HTTP2->new(); |
| 146 | +$sid = $s->new_stream({ path => '/phase4?what=redirect301' }); |
| 147 | +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 148 | +($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 149 | +is($frame, undef, 'redirect 301 - phase 4'); |
| 150 | +} |
| 151 | + |
| 152 | +# Block (401) |
| 153 | + |
| 154 | +for $phase (1 .. 3) { |
| 155 | + $s = Test::Nginx::HTTP2->new(); |
| 156 | + $sid = $s->new_stream({ path => "/phase${phase}?what=block401" }); |
| 157 | + $frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 158 | + ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; |
| 159 | + is($frame->{headers}->{':status'}, 401, "block 401 - phase ${phase}"); |
| 160 | +} |
| 161 | + |
| 162 | +SKIP: { |
| 163 | +skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE}; |
| 164 | + |
| 165 | +$s = Test::Nginx::HTTP2->new(); |
| 166 | +$sid = $s->new_stream({ path => '/phase4?what=block401' }); |
| 167 | +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 168 | +($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 169 | +is($frame, undef, 'block 401 - phase 4'); |
| 170 | +} |
| 171 | + |
| 172 | +# Block (403) |
| 173 | + |
| 174 | +for $phase (1 .. 3) { |
| 175 | + $s = Test::Nginx::HTTP2->new(); |
| 176 | + $sid = $s->new_stream({ path => "/phase${phase}?what=block403" }); |
| 177 | + $frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 178 | + ($frame) = grep { $_->{type} eq "HEADERS" } @$frames; |
| 179 | + is($frame->{headers}->{':status'}, 403, "block 403 - phase ${phase}"); |
| 180 | +} |
| 181 | + |
| 182 | +SKIP: { |
| 183 | +skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE}; |
| 184 | + |
| 185 | +$s = Test::Nginx::HTTP2->new(); |
| 186 | +$sid = $s->new_stream({ path => '/phase4?what=block403' }); |
| 187 | +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 188 | +($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 189 | +is($frame, undef, 'block 403 - phase 4'); |
| 190 | +} |
| 191 | + |
| 192 | +# Nothing to detect |
| 193 | + |
| 194 | +for $phase (1 .. 3) { |
| 195 | + $s = Test::Nginx::HTTP2->new(); |
| 196 | + $sid = $s->new_stream({ path => "/phase${phase}?what=nothing" }); |
| 197 | + $frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 198 | + ($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 199 | + is($frame->{data}, "should be moved\/blocked before this.", "nothing phase ${phase}"); |
| 200 | +} |
| 201 | + |
| 202 | +$s = Test::Nginx::HTTP2->new(); |
| 203 | +$sid = $s->new_stream({ path => "/phase4?what=nothing" }); |
| 204 | +$frames = $s->read(all => [{ sid => $sid, fin => 1 }]); |
| 205 | +($frame) = grep { $_->{type} eq "DATA" } @$frames; |
| 206 | +is($frame->{data}, "should not be moved\/blocked, headers delivered before phase 4.", 'nothing phase 4'); |
0 commit comments