
Commit 81bf1b8

defanatorFelipe Zimmerle
authored and
Felipe Zimmerle
committed
Tests: added base tests for HTTP/2
1 parent f1a7ab6 commit 81bf1b8


1 file changed

+206
-0
lines changed

1 file changed

+206
-0
lines changed

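--- a/tests/modsecurity-h2.t
+++ b/tests/modsecurity-h2.t
@@ -0,0 +1,206 @@
+#!/usr/bin/perl
+
+# (C) Andrei Belov
+
+# Tests for ModSecurity module (HTTP/2).
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+use Test::Nginx::HTTP2;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+my $t = Test::Nginx->new()->has(qw/http http_v2/);
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+%%TEST_GLOBALS_HTTP%%
+
+server {
+listen 127.0.0.1:8080 http2;
+server_name localhost;
+
+location / {
+modsecurity on;
+modsecurity_rules '
+SecRuleEngine On
+SecRule ARGS "@streq whee" "id:10,phase:2"
+SecRule ARGS "@streq whee" "id:11,phase:2"
+';
+}
+location /phase1 {
+modsecurity on;
+modsecurity_rules '
+SecRuleEngine On
+SecDefaultAction "phase:1,log,deny,status:403"
+SecRule ARGS "@streq redirect301" "id:1,phase:1,status:301,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq redirect302" "id:2,phase:1,status:302,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq block401" "id:3,phase:1,status:401,block"
+SecRule ARGS "@streq block403" "id:4,phase:1,status:403,block"
+';
+}
+location /phase2 {
+modsecurity on;
+modsecurity_rules '
+SecRuleEngine On
+SecDefaultAction "phase:2,log,deny,status:403"
+SecRule ARGS "@streq redirect301" "id:1,phase:2,status:301,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq redirect302" "id:2,phase:2,status:302,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq block401" "id:3,phase:2,status:401,block"
+SecRule ARGS "@streq block403" "id:4,phase:2,status:403,block"
+';
+}
+location /phase3 {
+modsecurity on;
+modsecurity_rules '
+SecRuleEngine On
+SecDefaultAction "phase:3,log,deny,status:403"
+SecRule ARGS "@streq redirect301" "id:1,phase:3,status:301,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq redirect302" "id:2,phase:3,status:302,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq block401" "id:3,phase:3,status:401,block"
+SecRule ARGS "@streq block403" "id:4,phase:3,status:403,block"
+';
+}
+location /phase4 {
+modsecurity on;
+modsecurity_rules '
+SecRuleEngine On
+SecResponseBodyAccess On
+SecDefaultAction "phase:4,log,deny,status:403"
+SecRule ARGS "@streq redirect301" "id:1,phase:4,status:301,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq redirect302" "id:2,phase:4,status:302,redirect:http://www.modsecurity.org"
+SecRule ARGS "@streq block401" "id:3,phase:4,status:401,block"
+SecRule ARGS "@streq block403" "id:4,phase:4,status:403,block"
+';
+}
+}
+}
+EOF
+
+$t->write_file("/phase1", "should be moved/blocked before this.");
+$t->write_file("/phase2", "should be moved/blocked before this.");
+$t->write_file("/phase3", "should be moved/blocked before this.");
+$t->write_file("/phase4", "should not be moved/blocked, headers delivered before phase 4.");
+$t->run();
+$t->todo_alerts();
+$t->plan(20);
+
+###############################################################################
+
+my ($phase, $s, $sid, $frames, $frame);
+
+# Redirect (302)
+
+for $phase (1 .. 3) {
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase${phase}?what=redirect302" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+is($frame->{headers}->{':status'}, 302, "redirect 302 - phase ${phase}");
+}
+
+SKIP: {
+skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
+
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => '/phase4?what=redirect302' });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame, undef, 'redirect 302 - phase 4');
+}
+
+# Redirect (301)
+
+for $phase (1 .. 3) {
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase${phase}?what=redirect301" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+is($frame->{headers}->{':status'}, 301, "redirect 301 - phase ${phase}");
+}
+
+SKIP: {
+skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
+
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => '/phase4?what=redirect301' });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame, undef, 'redirect 301 - phase 4');
+}
+
+# Block (401)
+
+for $phase (1 .. 3) {
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase${phase}?what=block401" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+is($frame->{headers}->{':status'}, 401, "block 401 - phase ${phase}");
+}
+
+SKIP: {
+skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
+
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => '/phase4?what=block401' });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame, undef, 'block 401 - phase 4');
+}
+
+# Block (403)
+
+for $phase (1 .. 3) {
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase${phase}?what=block403" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+is($frame->{headers}->{':status'}, 403, "block 403 - phase ${phase}");
+}
+
+SKIP: {
+skip 'long test', 1 unless $ENV{TEST_NGINX_UNSAFE};
+
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => '/phase4?what=block403' });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame, undef, 'block 403 - phase 4');
+}
+
+# Nothing to detect
+
+for $phase (1 .. 3) {
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase${phase}?what=nothing" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame->{data}, "should be moved\/blocked before this.", "nothing phase ${phase}");
+}
+
+$s = Test::Nginx::HTTP2->new();
+$sid = $s->new_stream({ path => "/phase4?what=nothing" });
+$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+($frame) = grep { $_->{type} eq "DATA" } @$frames;
+is($frame->{data}, "should not be moved\/blocked, headers delivered before phase 4.", 'nothing phase 4');
+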
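Review bot: The four phase-4 checks inside the `SKIP` blocks assert only that no DATA frame was seen (`is($frame, undef, ...)`), so they also pass when nothing came back at all; a dropped connection or a read that merely timed out looks the same as ModSecurity withholding the body. The body written for `/phase4` says headers are delivered before phase 4, so each block could pin that first with `my ($h) = grep { $_->{type} eq "HEADERS" } @$frames;` and `ok($h, 'phase 4 - headers delivered');`, with `$t->plan(20)` and the `skip` counts raised to match. These checks run only when `TEST_NGINX_UNSAFE` is set, so a default run never exercises a disruptive action in phase 4 over HTTP/2; a one-line comment above the first `SKIP` saying why they are gated (presumably the read waits for its timeout) would help. The rules `id:10` and `id:11` under `location /` are not reached by any request in this file.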
