1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
#include <stdint.h>

#include <algorithm>
#include <iterator>

#include "base/base64.h"
#include "base/stl_util.h"
#include "base/strings/string_piece.h"
#include "crypto/sha2.h"
#include "net/base/host_port_pair.h"
#include "net/base/test_completion_callback.h"
#include "net/http/http_security_headers.h"
#include "net/http/http_util.h"
#include "net/http/transport_security_state.h"
#include "net/ssl/ssl_info.h"
#include "testing/gtest/include/gtest/gtest.h"
20
21 namespace net {
22
23 namespace {
24
25 namespace test_default {
26 #include "base/time/time.h"
27 #include "net/http/transport_security_state_static_unittest_default.h"
28 }
29
30 } // anonymous namespace
31
// Fixture shared by the HSTS header-parsing tests below. Its only job is
// teardown: whatever transport-security state source a test may have
// installed via SetTransportSecurityStateSourceForTesting() is cleared when
// the test object is destroyed, so no test can leak that global into the
// next one. (The test_default namespace above presumably provides such a
// source for tests that need one; none of the visible tests install it.)
class HttpSecurityHeadersTest : public testing::Test {
 public:
  ~HttpSecurityHeadersTest() override;
};

HttpSecurityHeadersTest::~HttpSecurityHeadersTest() {
  // Reset unconditionally: cheap, and correct whether or not this test
  // installed a source.
  SetTransportSecurityStateSourceForTesting(nullptr);
}
38
39
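TEST_F(HttpSecurityHeadersTest, BogusHeaders) {
  // Malformed Strict-Transport-Security values that ParseHSTSHeader() must
  // reject. The header arrives from the network, so the parser has to be
  // strict, and a rejected header must leave both out-params untouched so a
  // caller can never end up applying a half-parsed policy.
  //
  // Grouped by the rule each case breaks (RFC 6797 section 6.1):
  //  - the max-age directive is mandatory;
  //  - its value is an unsigned decimal integer: no sign, no fraction, no
  //    trailing garbage (also at int64/uint64 boundary magnitudes, where the
  //    trailing junk rather than the magnitude is what must be caught);
  //  - directives are separated by ';' -- whitespace alone is not a
  //    separator, and "includesubdomain", "includesubdomainsx" or
  //    "includesubdomain=..." are not the includeSubDomains directive;
  //  - a value made only of empty directives, or of includeSubDomains alone,
  //    is not a policy.
  static constexpr const char* kBogusHeaders[] = {
      // Missing or malformed max-age directive name.
      "",
      " ",
      "abc",
      " abc",
      " abc ",
      "max-age",
      " max-age",
      " max-age ",
      "max-age=",
      " max-age=",
      " max-age =",
      " max-age= ",
      " max-age = ",
      "max-ag=3488923",
      "max-aged=3488923",
      "max-age==3488923",
      "amax-age=3488923",
      // Non-numeric, signed, fractional or garbage-suffixed max-age values.
      " max-age = xy",
      " max-age = 3488a923",
      "max-age=3488a923 ",
      "max-age=-3488923",
      "max-age=+3488923",
      "max-age=13####",
      "max-age=9223372036854775807#####",
      "max-age=18446744073709551615####",
      "max-age=999999999999999999999999$.&#!",
      "max-age=3488923 e",
      "max-age=34889.23 includesubdomains",
      // Tokens glued to or following max-age without a ';' separator, and
      // near-misses of the includeSubDomains directive name.
      "max-age=3488923 includesubdomain",
      "max-age=3488923includesubdomains",
      "max-age=3488923=includesubdomains",
      "max-age=3488923 includesubdomainx",
      "max-age=3488923 includesubdomain=",
      "max-age=3488923 includesubdomain=true",
      "max-age=3488923 includesubdomainsx",
      "max-age=3488923 includesubdomains x",
      "max-age=34889 includesubdomains",
      // Separators and includeSubDomains without any max-age.
      ";;;; ;;;",
      ";;;; includeSubDomains;;;",
      " includeSubDomains; ",
      ";",
      "max-age; ;",
  };

  for (const char* header : kBogusHeaders) {
    SCOPED_TRACE(testing::Message() << "header: \"" << header << "\"");
    // Fresh defaults for every case, checked after every call. A single check
    // at the end of the list could neither attribute a failure to the header
    // that caused it nor notice a write that a later call happened to undo.
    // (The check relies on the default values 0 / false; a parser that reset
    // its outputs to those defaults on failure would go unnoticed.)
    base::TimeDelta max_age;
    bool include_subdomains = false;
    EXPECT_FALSE(ParseHSTSHeader(header, &max_age, &include_subdomains));
    EXPECT_EQ(0, max_age.InSeconds());
    EXPECT_FALSE(include_subdomains);
  }
}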
128
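TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {
  // Well-formed Strict-Transport-Security values and the policy each one must
  // produce. Together the cases pin down exactly how lenient the parser is,
  // which matters because a server-sent policy read differently from how the
  // server meant it is itself a security bug:
  //  - directive names are case-insensitive and their order is irrelevant;
  //  - optional whitespace around '=' and at either end is tolerated;
  //  - unknown directives, with or without a value, are ignored;
  //  - a directive value may be a quoted-string, and a ';' inside the quotes
  //    does not start a new directive;
  //  - empty directives produced by stray ';' are ignored;
  //  - a max-age above kMaxHSTSAgeSecs is clamped to the cap, not rejected,
  //    however large the number (it must saturate, never wrap);
  //  - max-age=0 is well-formed and accepted (RFC 6797 uses it to make a UA
  //    forget the host; what a caller does with zero is not tested here).
  struct ValidCase {
    const char* header;
    base::TimeDelta max_age;
    bool include_subdomains;
  };

  // Expected value for a max-age that may exceed the cap, written without
  // hard-coding the cap's value.
  auto capped = [](uint32_t secs) {
    return base::Seconds(std::min(kMaxHSTSAgeSecs, secs));
  };

  const ValidCase kCases[] = {
      {"max-age=243", base::Seconds(243), false},
      // Was previously accepted without checking either output.
      {"max-age=3488923;", base::Seconds(3488923), false},
      {" Max-agE = 567", base::Seconds(567), false},
      {" mAx-aGe = 890 ", base::Seconds(890), false},
      {"max-age=123;incLudesUbdOmains", base::Seconds(123), true},
      {"incLudesUbdOmains; max-age=123", base::Seconds(123), true},
      {" incLudesUbdOmains; max-age=123", base::Seconds(123), true},
      {" incLudesUbdOmains; max-age=123; pumpkin=kitten", base::Seconds(123),
       true},
      {" pumpkin=894; incLudesUbdOmains; max-age=123 ", base::Seconds(123),
       true},
      {" pumpkin; incLudesUbdOmains; max-age=123 ", base::Seconds(123), true},
      {" pumpkin; incLudesUbdOmains; max-age=\"123\" ", base::Seconds(123),
       true},
      {"animal=\"squirrel; distinguished\"; incLudesUbdOmains; max-age=123",
       base::Seconds(123), true},
      {"max-age=394082; incLudesUbdOmains", base::Seconds(394082), true},
      {"max-age=39408299 ;incLudesUbdOmains", capped(39408299u), true},
      {"max-age=394082038 ; incLudesUbdOmains", capped(394082038u), true},
      {"max-age=394082038 ; incLudesUbdOmains;", capped(394082038u), true},
      {";; max-age=394082038 ; incLudesUbdOmains; ;", capped(394082038u),
       true},
      {";; max-age=394082038 ;", capped(394082038u), false},
      {";; ; ; max-age=394082038;;; includeSubdomains ;; ;",
       capped(394082038u), true},
      {"incLudesUbdOmains ; max-age=394082038 ;;", capped(394082038u), true},
      {" max-age=0 ; incLudesUbdOmains ", base::Seconds(0), true},
      // Larger than any integer type: must come out as exactly the cap.
      {" max-age=999999999999999999999999999999999999999999999 ;"
       " incLudesUbdOmains ",
       base::Seconds(kMaxHSTSAgeSecs), true},
  };

  for (const ValidCase& c : kCases) {
    SCOPED_TRACE(testing::Message() << "header: \"" << c.header << "\"");
    // Start from values the parser must overwrite, so a passing check proves
    // this header produced the outputs rather than an earlier case having
    // left them behind: no valid max-age is negative, and the flag begins as
    // the opposite of what is expected.
    base::TimeDelta max_age = base::Seconds(-1);
    bool include_subdomains = !c.include_subdomains;
    EXPECT_TRUE(ParseHSTSHeader(c.header, &max_age, &include_subdomains));
    EXPECT_EQ(c.max_age, max_age);
    EXPECT_EQ(c.include_subdomains, include_subdomains);
  }
}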
277
278 } // namespace net
279