jcarr
/
noVNC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Avoiding internal variables for security tests 

A good test uses only input and output, so let's avoid assuming internal
variable names or behaviours.
This commit is contained in:
Pierre Ossman 2022-08-18 13:31:44 +02:00
parent 5671072dfe
commit 6719b932cf
1 changed files with 60 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

139
tests/test.rfb.js
View File

@ -1026,17 +1026,21 @@ describe('Remote Frame Buffer Protocol Client', function () {
client._rfbConnectionState = 'connecting'; client._rfbConnectionState = 'connecting';
}); });
describe('ProtocolVersion', function () { function sendVer(ver, client) {
function sendVer(ver, client) { const arr = new Uint8Array(12);
const arr = new Uint8Array(12); for (let i = 0; i < ver.length; i++) {
for (let i = 0; i < ver.length; i++) { arr[i+4] = ver.charCodeAt(i);
arr[i+4] = ver.charCodeAt(i);
}
arr[0] = 'R'; arr[1] = 'F'; arr[2] = 'B'; arr[3] = ' ';
arr[11] = '\n';
client._sock._websocket._receiveData(arr);
} }
arr[0] = 'R'; arr[1] = 'F'; arr[2] = 'B'; arr[3] = ' ';
arr[11] = '\n';
client._sock._websocket._receiveData(arr);
}
function sendSecurity(type, cl) {
cl._sock._websocket._receiveData(new Uint8Array([1, type]));
}
describe('ProtocolVersion', function () {
describe('version parsing', function () { describe('version parsing', function () {
it('should interpret version 003.003 as version 3.3', function () { it('should interpret version 003.003 as version 3.3', function () {
sendVer('003.003', client); sendVer('003.003', client);
@ -1127,44 +1131,32 @@ describe('Remote Frame Buffer Protocol Client', function () {
describe('Security', function () { describe('Security', function () {
beforeEach(function () { beforeEach(function () {
client._rfbInitState = 'Security'; sendVer('003.008\n', client);
}); client._sock._websocket._getSentData();
it('should simply receive the auth scheme when for versions < 3.7', function () {
client._rfbVersion = 3.6;
const authSchemeRaw = [1, 2, 3, 4];
const authScheme = (authSchemeRaw[0] << 24) + (authSchemeRaw[1] << 16) +
(authSchemeRaw[2] << 8) + authSchemeRaw[3];
client._sock._websocket._receiveData(new Uint8Array(authSchemeRaw));
expect(client._rfbAuthScheme).to.equal(authScheme);
}); });
it('should prefer no authentication is possible', function () { it('should prefer no authentication is possible', function () {
client._rfbVersion = 3.7;
const authSchemes = [2, 1, 3]; const authSchemes = [2, 1, 3];
client._sock._websocket._receiveData(new Uint8Array(authSchemes)); client._sock._websocket._receiveData(new Uint8Array(authSchemes));
expect(client._rfbAuthScheme).to.equal(1); expect(client._rfbAuthScheme).to.equal(1);
expect(client._sock).to.have.sent(new Uint8Array([1])); expect(client._sock).to.have.sent(new Uint8Array([1]));
}); });
it('should choose for the most prefered scheme possible for versions >= 3.7', function () { it('should choose for the most prefered scheme possible', function () {
client._rfbVersion = 3.7;
const authSchemes = [2, 22, 16]; const authSchemes = [2, 22, 16];
client._sock._websocket._receiveData(new Uint8Array(authSchemes)); client._sock._websocket._receiveData(new Uint8Array(authSchemes));
expect(client._rfbAuthScheme).to.equal(22); expect(client._rfbAuthScheme).to.equal(22);
expect(client._sock).to.have.sent(new Uint8Array([22])); expect(client._sock).to.have.sent(new Uint8Array([22]));
}); });
it('should fail if there are no supported schemes for versions >= 3.7', function () { it('should fail if there are no supported schemes', function () {
sinon.spy(client, "_fail"); sinon.spy(client, "_fail");
client._rfbVersion = 3.7;
const authSchemes = [1, 32]; const authSchemes = [1, 32];
client._sock._websocket._receiveData(new Uint8Array(authSchemes)); client._sock._websocket._receiveData(new Uint8Array(authSchemes));
expect(client._fail).to.have.been.calledOnce; expect(client._fail).to.have.been.calledOnce;
}); });
it('should fail with the appropriate message if no types are sent for versions >= 3.7', function () { it('should fail with the appropriate message if no types are sent', function () {
client._rfbVersion = 3.7;
const failureData = [0, 0, 0, 0, 6, 119, 104, 111, 111, 112, 115]; const failureData = [0, 0, 0, 0, 6, 119, 104, 111, 111, 112, 115];
sinon.spy(client, '_fail'); sinon.spy(client, '_fail');
client._sock._websocket._receiveData(new Uint8Array(failureData)); client._sock._websocket._receiveData(new Uint8Array(failureData));
@ -1175,7 +1167,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
it('should transition to the Authentication state and continue on successful negotiation', function () { it('should transition to the Authentication state and continue on successful negotiation', function () {
client._rfbVersion = 3.7;
const authSchemes = [1, 1]; const authSchemes = [1, 1];
client._negotiateAuthentication = sinon.spy(); client._negotiateAuthentication = sinon.spy();
client._sock._websocket._receiveData(new Uint8Array(authSchemes)); client._sock._websocket._receiveData(new Uint8Array(authSchemes));
@ -1184,17 +1175,8 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
}); });
describe('Authentication', function () { describe('Legacy Authentication', function () {
beforeEach(function () {
client._rfbInitState = 'Security';
});
function sendSecurity(type, cl) {
cl._sock._websocket._receiveData(new Uint8Array([1, type]));
}
it('should fail on auth scheme 0 (pre 3.7) with the given message', function () { it('should fail on auth scheme 0 (pre 3.7) with the given message', function () {
client._rfbVersion = 3.6;
const errMsg = "Whoopsies"; const errMsg = "Whoopsies";
const data = [0, 0, 0, 0]; const data = [0, 0, 0, 0];
const errLen = errMsg.length; const errLen = errMsg.length;
@ -1203,37 +1185,42 @@ describe('Remote Frame Buffer Protocol Client', function () {
data.push(errMsg.charCodeAt(i)); data.push(errMsg.charCodeAt(i));
} }
sendVer('003.006\n', client);
client._sock._websocket._getSentData();
sinon.spy(client, '_fail'); sinon.spy(client, '_fail');
client._sock._websocket._receiveData(new Uint8Array(data)); client._sock._websocket._receiveData(new Uint8Array(data));
expect(client._fail).to.have.been.calledWith( expect(client._fail).to.have.been.calledWith(
'Security negotiation failed on authentication scheme (reason: Whoopsies)'); 'Security negotiation failed on authentication scheme (reason: Whoopsies)');
}); });
it('should transition straight to SecurityResult on "no auth" (1) for versions >= 3.7', function () { it('should transition straight to ServerInitialisation on "no auth" for versions < 3.7', function () {
client._rfbVersion = 3.7; sendVer('003.006\n', client);
client._sock._websocket._getSentData();
client._sock._websocket._receiveData(new Uint8Array([0, 0, 0, 1]));
expect(client._rfbInitState).to.equal('ServerInitialisation');
});
});
describe('Authentication', function () {
beforeEach(function () {
sendVer('003.008\n', client);
client._sock._websocket._getSentData();
});
it('should transition straight to SecurityResult on "no auth" (1)', function () {
sendSecurity(1, client); sendSecurity(1, client);
expect(client._rfbInitState).to.equal('SecurityResult'); expect(client._rfbInitState).to.equal('SecurityResult');
}); });
it('should transition straight to ServerInitialisation on "no auth" for versions < 3.7', function () {
client._rfbVersion = 3.6;
client._sock._websocket._receiveData(new Uint8Array([0, 0, 0, 1]));
expect(client._rfbInitState).to.equal('ServerInitialisation');
});
it('should fail on an unknown auth scheme', function () { it('should fail on an unknown auth scheme', function () {
sinon.spy(client, "_fail"); sinon.spy(client, "_fail");
client._rfbVersion = 3.8;
sendSecurity(57, client); sendSecurity(57, client);
expect(client._fail).to.have.been.calledOnce; expect(client._fail).to.have.been.calledOnce;
}); });
describe('VNC Authentication (type 2) Handler', function () { describe('VNC Authentication (type 2) Handler', function () {
beforeEach(function () {
client._rfbInitState = 'Security';
client._rfbVersion = 3.8;
});
it('should fire the credentialsrequired event if missing a password', function () { it('should fire the credentialsrequired event if missing a password', function () {
const spy = sinon.spy(); const spy = sinon.spy();
client.addEventListener("credentialsrequired", spy); client.addEventListener("credentialsrequired", spy);
@ -1274,12 +1261,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
describe('ARD Authentication (type 30) Handler', function () { describe('ARD Authentication (type 30) Handler', function () {
beforeEach(function () {
client._rfbInitState = 'Security';
client._rfbVersion = 3.8;
});
it('should fire the credentialsrequired event if all credentials are missing', function () { it('should fire the credentialsrequired event if all credentials are missing', function () {
const spy = sinon.spy(); const spy = sinon.spy();
client.addEventListener("credentialsrequired", spy); client.addEventListener("credentialsrequired", spy);
@ -1347,11 +1328,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
describe('XVP Authentication (type 22) Handler', function () { describe('XVP Authentication (type 22) Handler', function () {
beforeEach(function () {
client._rfbInitState = 'Security';
client._rfbVersion = 3.8;
});
it('should fall through to standard VNC authentication upon completion', function () { it('should fall through to standard VNC authentication upon completion', function () {
client._rfbCredentials = { username: 'user', client._rfbCredentials = { username: 'user',
target: 'target', target: 'target',
@ -1400,8 +1376,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
describe('TightVNC Authentication (type 16) Handler', function () { describe('TightVNC Authentication (type 16) Handler', function () {
beforeEach(function () { beforeEach(function () {
client._rfbInitState = 'Security';
client._rfbVersion = 3.8;
sendSecurity(16, client); sendSecurity(16, client);
client._sock._websocket._getSentData(); // skip the security reply client._sock._websocket._getSentData(); // skip the security reply
}); });
@ -1487,8 +1461,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
describe('VeNCrypt Authentication (type 19) Handler', function () { describe('VeNCrypt Authentication (type 19) Handler', function () {
beforeEach(function () { beforeEach(function () {
client._rfbInitState = 'Security';
client._rfbVersion = 3.8;
sendSecurity(19, client); sendSecurity(19, client);
expect(client._sock).to.have.sent(new Uint8Array([19])); expect(client._sock).to.have.sent(new Uint8Array([19]));
}); });
@ -1582,9 +1554,30 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
}); });
describe('Legacy SecurityResult', function () {
beforeEach(function () {
sendVer('003.007\n', client);
client._sock._websocket._getSentData();
sendSecurity(1, client);
client._sock._websocket._getSentData();
});
it('should not include reason in securityfailure event', function () {
const spy = sinon.spy();
client.addEventListener("securityfailure", spy);
client._sock._websocket._receiveData(new Uint8Array([0, 0, 0, 2]));
expect(spy).to.have.been.calledOnce;
expect(spy.args[0][0].detail.status).to.equal(2);
expect('reason' in spy.args[0][0].detail).to.be.false;
});
});
describe('SecurityResult', function () { describe('SecurityResult', function () {
beforeEach(function () { beforeEach(function () {
client._rfbInitState = 'SecurityResult'; sendVer('003.008\n', client);
client._sock._websocket._getSentData();
sendSecurity(1, client);
client._sock._websocket._getSentData();
}); });
it('should fall through to ServerInitialisation on a response code of 0', function () { it('should fall through to ServerInitialisation on a response code of 0', function () {
@ -1593,7 +1586,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
it('should include reason when provided in securityfailure event', function () { it('should include reason when provided in securityfailure event', function () {
client._rfbVersion = 3.8;
const spy = sinon.spy(); const spy = sinon.spy();
client.addEventListener("securityfailure", spy); client.addEventListener("securityfailure", spy);
const failureData = [0, 0, 0, 1, 0, 0, 0, 12, 115, 117, 99, 104, const failureData = [0, 0, 0, 1, 0, 0, 0, 12, 115, 117, 99, 104,
@ -1605,7 +1597,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
}); });
it('should not include reason when length is zero in securityfailure event', function () { it('should not include reason when length is zero in securityfailure event', function () {
client._rfbVersion = 3.8;
const spy = sinon.spy(); const spy = sinon.spy();
client.addEventListener("securityfailure", spy); client.addEventListener("securityfailure", spy);
const failureData = [0, 0, 0, 1, 0, 0, 0, 0]; const failureData = [0, 0, 0, 1, 0, 0, 0, 0];
@ -1614,16 +1605,6 @@ describe('Remote Frame Buffer Protocol Client', function () {
expect(spy.args[0][0].detail.status).to.equal(1); expect(spy.args[0][0].detail.status).to.equal(1);
expect('reason' in spy.args[0][0].detail).to.be.false; expect('reason' in spy.args[0][0].detail).to.be.false;
}); });
it('should not include reason in securityfailure event for version < 3.8', function () {
client._rfbVersion = 3.7;
const spy = sinon.spy();
client.addEventListener("securityfailure", spy);
client._sock._websocket._receiveData(new Uint8Array([0, 0, 0, 2]));
expect(spy).to.have.been.calledOnce;
expect(spy.args[0][0].detail.status).to.equal(2);
expect('reason' in spy.args[0][0].detail).to.be.false;
});
}); });
describe('ClientInitialisation', function () { describe('ClientInitialisation', function () {