admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d5b08aaae291ee8d24d1ccb259b0b1662a194dbb
e-ticket/tests/Controller/CspReportControllerTest.php
Serreau Jovann 97ef920514 Ignore CSP violations from browser userscripts (source-file: user-script) 
Add 'user-script' to ignored source files in CspReportController to filter
out false positive CSP violations triggered by browser extensions/userscripts.
Add corresponding test case.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 11:33:09 +02:00

109 lines
3.3 KiB
PHP
Raw Blame History

<?php
namespace App\Tests\Controller;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\Mailer\MailerInterface;
class CspReportControllerTest extends WebTestCase
{
public function testInvalidPayloadReturnsBadRequest(): void
{
$client = static::createClient();
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], '');
self::assertResponseStatusCodeSame(400);
}
public function testBrowserExtensionViolationIsIgnored(): void
{
$client = static::createClient();
$payload = json_encode([
'csp-report' => [
'source-file' => 'chrome-extension://abc',
'blocked-uri' => 'inline',
'document-uri' => 'https://e-cosplay.fr/',
'violated-directive' => 'script-src',
],
]);
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], $payload);
self::assertResponseStatusCodeSame(204);
}
public function testUserScriptViolationIsIgnored(): void
{
$client = static::createClient();
$payload = json_encode([
'csp-report' => [
'source-file' => 'user-script',
'blocked-uri' => 'eval',
'document-uri' => 'https://e-cosplay.fr/page',
'violated-directive' => 'script-src',
],
]);
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], $payload);
self::assertResponseStatusCodeSame(204);
}
public function testRealViolationIsProcessed(): void
{
$client = static::createClient();
$payload = json_encode([
'csp-report' => [
'source-file' => 'https://evil.com/script.js',
'blocked-uri' => 'https://evil.com',
'document-uri' => 'https://e-cosplay.fr/page',
'violated-directive' => 'script-src',
],
]);
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], $payload);
self::assertResponseStatusCodeSame(204);
}
public function testRealViolationHandlesMailerFailure(): void
{
$client = static::createClient();
$mailer = $this->createMock(MailerInterface::class);
$mailer->method('send')->willThrowException(new \RuntimeException('SMTP down'));
static::getContainer()->set(MailerInterface::class, $mailer);
$payload = json_encode([
'csp-report' => [
'source-file' => 'https://evil.com/script.js',
'blocked-uri' => 'https://evil.com',
'document-uri' => 'https://e-cosplay.fr/page',
'violated-directive' => 'script-src',
],
]);
$client->request('POST', '/my-csp-report', [], [], [
'CONTENT_TYPE' => 'application/json',
], $payload);
self::assertResponseStatusCodeSame(204);
}
public function testGetRequestReturns204(): void
{
$client = static::createClient();
$client->request('GET', '/my-csp-report');
self::assertResponseStatusCodeSame(204);
}
}
Reference in New Issue View Git Blame Copy Permalink