test/plugs/http_security_plug_test.exs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

# Pleroma: A lightweight social networking server
# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
  use Pleroma.Web.ConnCase

  alias Pleroma.Config
  alias Plug.Conn

  describe "http security enabled" do
    setup do: clear_config([:http_security, :enabled], true)

    test "it sends CSP headers when enabled", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")

      refute Conn.get_resp_header(conn, "x-xss-protection") == []
      refute Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
      refute Conn.get_resp_header(conn, "x-frame-options") == []
      refute Conn.get_resp_header(conn, "x-content-type-options") == []
      refute Conn.get_resp_header(conn, "x-download-options") == []
      refute Conn.get_resp_header(conn, "referrer-policy") == []
      refute Conn.get_resp_header(conn, "content-security-policy") == []
    end

    test "it sends STS headers when enabled", %{conn: conn} do
      clear_config([:http_security, :sts], true)

      conn = get(conn, "/api/v1/instance")

      refute Conn.get_resp_header(conn, "strict-transport-security") == []
      refute Conn.get_resp_header(conn, "expect-ct") == []
    end

    test "it does not send STS headers when disabled", %{conn: conn} do
      clear_config([:http_security, :sts], false)

      conn = get(conn, "/api/v1/instance")

      assert Conn.get_resp_header(conn, "strict-transport-security") == []
      assert Conn.get_resp_header(conn, "expect-ct") == []
    end

    test "referrer-policy header reflects configured value", %{conn: conn} do
      resp = get(conn, "/api/v1/instance")

      assert Conn.get_resp_header(resp, "referrer-policy") == ["same-origin"]

      clear_config([:http_security, :referrer_policy], "no-referrer")

      resp = get(conn, "/api/v1/instance")

      assert Conn.get_resp_header(resp, "referrer-policy") == ["no-referrer"]
    end

    test "it sends `report-to` & `report-uri` CSP response headers", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")

      [csp] = Conn.get_resp_header(conn, "content-security-policy")

      assert csp =~ ~r|report-uri https://endpoint.com;report-to csp-endpoint;|

      [reply_to] = Conn.get_resp_header(conn, "reply-to")

      assert reply_to ==
               "{\"endpoints\":[{\"url\":\"https://endpoint.com\"}],\"group\":\"csp-endpoint\",\"max-age\":10886400}"
    end

    test "default values for img-src and media-src with disabled media proxy", %{conn: conn} do
      conn = get(conn, "/api/v1/instance")

      [csp] = Conn.get_resp_header(conn, "content-security-policy")
      assert csp =~ "media-src 'self' https:;"
      assert csp =~ "img-src 'self' data: blob: https:;"
    end
  end

  describe "img-src and media-src" do
    setup do
      clear_config([:http_security, :enabled], true)
      clear_config([:media_proxy, :enabled], true)
      clear_config([:media_proxy, :proxy_opts, :redirect_on_failure], false)
    end

    test "media_proxy with base_url", %{conn: conn} do
      url = "https://example.com"
      clear_config([:media_proxy, :base_url], url)
      assert_media_img_src(conn, url)
    end

    test "upload with base url", %{conn: conn} do
      url = "https://example2.com"
      clear_config([Pleroma.Upload, :base_url], url)
      assert_media_img_src(conn, url)
    end

    test "with S3 public endpoint", %{conn: conn} do
      url = "https://example3.com"
      clear_config([Pleroma.Uploaders.S3, :public_endpoint], url)
      assert_media_img_src(conn, url)
    end

    test "with captcha endpoint", %{conn: conn} do
      clear_config([Pleroma.Captcha.Mock, :endpoint], "https://captcha.com")
      assert_media_img_src(conn, "https://captcha.com")
    end

    test "with media_proxy whitelist", %{conn: conn} do
      clear_config([:media_proxy, :whitelist], ["https://example6.com", "https://example7.com"])
      assert_media_img_src(conn, "https://example7.com https://example6.com")
    end

    # TODO: delete after removing support bare domains for media proxy whitelist
    test "with media_proxy bare domains whitelist (deprecated)", %{conn: conn} do
      clear_config([:media_proxy, :whitelist], ["example4.com", "example5.com"])
      assert_media_img_src(conn, "example5.com example4.com")
    end
  end

  defp assert_media_img_src(conn, url) do
    conn = get(conn, "/api/v1/instance")
    [csp] = Conn.get_resp_header(conn, "content-security-policy")
    assert csp =~ "media-src 'self' #{url};"
    assert csp =~ "img-src 'self' data: blob: #{url};"
  end

  test "it does not send CSP headers when disabled", %{conn: conn} do
    clear_config([:http_security, :enabled], false)

    conn = get(conn, "/api/v1/instance")

    assert Conn.get_resp_header(conn, "x-xss-protection") == []
    assert Conn.get_resp_header(conn, "x-permitted-cross-domain-policies") == []
    assert Conn.get_resp_header(conn, "x-frame-options") == []
    assert Conn.get_resp_header(conn, "x-content-type-options") == []
    assert Conn.get_resp_header(conn, "x-download-options") == []
    assert Conn.get_resp_header(conn, "referrer-policy") == []
    assert Conn.get_resp_header(conn, "content-security-policy") == []
  end
end