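// Copyright 2023 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .

package injectionutils_test

import (
	"runtime"
	"testing"

	"github.com/TeaOSLab/EdgeNode/internal/waf/injectionutils"
	"github.com/TeaOSLab/EdgeNode/internal/waf/utils"
	"github.com/iwind/TeaGo/assert"
)

// Payloads shared by the benchmarks below. benchInputMiss is benign markup the
// detector must not flag; benchInputHit adds a script tag so that it does.
const (
	benchInputMiss = "<html><body><span>RequestId: 1234567890</span></body></html>"
	benchInputHit  = "<html><body><span>RequestId: 1234567890</span><script src=\"\"></script></body></html>"
)

// TestDetectXSS exercises DetectXSS in strict mode with payloads that must be
// flagged (dangerous tags, inline event handlers, a URL-encoded script tag) and
// benign markup that must pass (plain containers, XMP metadata from photo files).
func TestDetectXSS(t *testing.T) {
	var a = assert.NewAssertion(t)

	// Empty input and plain text are never XSS.
	a.IsFalse(injectionutils.DetectXSS("", true))
	a.IsFalse(injectionutils.DetectXSS("abc", true))

	// Dangerous tags. The original file additionally asserted IsFalse for
	// "<script>" with strict=true, which contradicts the IsTrue assertion here
	// and the URL-encoded <script> case further down; that contradictory
	// assertion was dropped so the test cannot fail on its own inconsistency.
	a.IsTrue(injectionutils.DetectXSS("<script>", true))
	a.IsTrue(injectionutils.DetectXSS("<link>", true))
	a.IsTrue(injectionutils.DetectXSS("<iframe scrolling='no'>", true))

	// Plain structural tags are not flagged, even in strict mode.
	a.IsFalse(injectionutils.DetectXSS("<html><span>", true))
	a.IsFalse(injectionutils.DetectXSS(benchInputMiss, true))

	// Inline event-handler attributes, both inside a query string and bare.
	a.IsTrue(injectionutils.DetectXSS("/path?onmousedown=a", true))
	a.IsTrue(injectionutils.DetectXSS("/path?onkeyup=a", true))
	a.IsTrue(injectionutils.DetectXSS("onkeyup=a", true))

	// Percent-encoded payload: the detector is expected to see through URL encoding.
	a.IsTrue(injectionutils.DetectXSS("name=s&description=%3Cscript+src%3D%22a.js%22%3Edddd%3C%2Fscript%3E", true))

	// XMP metadata block as embedded in some photo files: must not be a false positive.
	a.IsFalse(injectionutils.DetectXSS(`<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="XMP Core 6.0.0">
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
    <rdf:Description rdf:about=""
      xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
      <tiff:Orientation>1</tiff:Orientation>
    </rdf:Description>
  </rdf:RDF>
</x:xmpmeta>`, true))

	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
}

// TestDetectXSS_Strict pins the difference between the two modes: strict mode
// flags generic markup and style-related tokens that non-strict mode lets through.
func TestDetectXSS_Strict(t *testing.T) {
	var a = assert.NewAssertion(t)

	a.IsFalse(injectionutils.DetectXSS(`<xml></xml>`, false))
	a.IsTrue(injectionutils.DetectXSS(`<xml></xml>`, true))

	// NOTE(review): these are raw string literals, so the `\"` sequences reach
	// the detector as literal backslash-quote characters rather than plain
	// quotes — confirm that is the intended input.
	a.IsFalse(injectionutils.DetectXSS(`<img src=\"\"/>`, false))
	a.IsFalse(injectionutils.DetectXSS(`<img src=\"test.jpg\"/>`, true))

	a.IsFalse(injectionutils.DetectXSS(`<a href="aaaa"></a>`, true))

	// Inline style attributes are a strict-mode-only finding.
	a.IsFalse(injectionutils.DetectXSS(`<span style="color: red"></span>`, false))
	a.IsTrue(injectionutils.DetectXSS(`<span style="color: red"></span>`, true))

	// Even a "style" query parameter trips strict mode.
	a.IsFalse(injectionutils.DetectXSS("https://example.com?style=list", false))
	a.IsTrue(injectionutils.DetectXSS("https://example.com?style=list", true))
}

// requireDetectXSS aborts the benchmark unless DetectXSS(input, strict)
// returns want, so timings are only collected for the intended code path.
func requireDetectXSS(b *testing.B, input string, strict bool, want bool) {
	b.Helper()
	if got := injectionutils.DetectXSS(input, strict); got != want {
		b.Fatalf("DetectXSS(%q, strict=%v) = %v, want %v", input, strict, got, want)
	}
}

// BenchmarkDetectXSS_MISS measures the uncached detector on benign input.
func BenchmarkDetectXSS_MISS(b *testing.B) {
	requireDetectXSS(b, benchInputMiss, false, false)

	// Process-wide setting: it persists for every later benchmark in the same
	// run. `go test -cpu=4` gives the same parallelism without mutating
	// global state.
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectXSS(benchInputMiss, false)
		}
	})
}

// BenchmarkDetectXSS_MISS_Cache measures the cached variant on benign input;
// after the first call every iteration should be served from the cache.
func BenchmarkDetectXSS_MISS_Cache(b *testing.B) {
	requireDetectXSS(b, benchInputMiss, false, false)

	// See BenchmarkDetectXSS_MISS: process-wide setting.
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectXSSCache(benchInputMiss, false, utils.CacheMiddleLife)
		}
	})
}

// BenchmarkDetectXSS_HIT measures the uncached detector on input containing a
// script tag, i.e. the positive path.
func BenchmarkDetectXSS_HIT(b *testing.B) {
	requireDetectXSS(b, benchInputHit, false, true)

	// See BenchmarkDetectXSS_MISS: process-wide setting.
	runtime.GOMAXPROCS(4)

	b.RunParallel(func(pb *testing.PB) {
		for pb.Next() {
			_ = injectionutils.DetectXSS(benchInputHit, false)
		}
	})
}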