moxxy/moxxy
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f116c93311
moxxy/test/xmpp_test.dart

573 lines
20 KiB
Dart
Raw Normal View History

xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
import "dart:async";
import "package:moxxyv2/xmpp/connection.dart";
import "package:moxxyv2/xmpp/settings.dart";
import "package:moxxyv2/xmpp/stringxml.dart";
xmpp: Use classes instead of strings for the JID
2021-12-30 19:06:20 +00:00
import "package:moxxyv2/xmpp/jid.dart";
refactor: Remove the stanzas/ folder
2022-01-25 14:50:25 +00:00
import "package:moxxyv2/xmpp/stanza.dart";
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
import "package:moxxyv2/xmpp/presence.dart";
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
import "package:moxxyv2/xmpp/roster.dart";
refactor: Move all XmppEvents into events.dart
2022-01-25 14:56:20 +00:00
import "package:moxxyv2/xmpp/events.dart";
xmpp: Implement the basic negotiator system
2022-07-15 17:27:28 +00:00
import "package:moxxyv2/xmpp/ping.dart";
xmpp: Add support for setting reconnection policies
2022-05-30 14:26:34 +00:00
import "package:moxxyv2/xmpp/reconnect.dart";
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
import "package:moxxyv2/xmpp/managers/attributes.dart";
xmpp: Rework the stanza handler
2022-03-11 20:39:42 +00:00
import "package:moxxyv2/xmpp/managers/data.dart";
xmpp: Fix resource binding
2022-07-16 11:09:35 +00:00
import "package:moxxyv2/xmpp/negotiators/resource_binding.dart";
xmpp: Move Sasl code into the negotiators directory
2022-07-15 19:33:04 +00:00
import "package:moxxyv2/xmpp/negotiators/sasl/plain.dart";
import "package:moxxyv2/xmpp/negotiators/sasl/scram.dart";
xmpp: Make xep_0030.dart a bit cleaner
2022-02-17 11:41:45 +00:00
import "package:moxxyv2/xmpp/xeps/xep_0030/xep_0030.dart";
xmpp: Rework the stanza handler
2022-03-11 20:39:42 +00:00
import "package:moxxyv2/xmpp/xeps/xep_0030/cachemanager.dart";
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
test: Add helper for enabling logging
2022-07-15 19:48:32 +00:00
import "helpers/logging.dart";
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
import "helpers/xmpp.dart";
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
import "package:test/test.dart";
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
/// Returns true if the roster manager triggeres an event for a given stanza
Future<bool> testRosterManager(String bareJid, String resource, String stanzaString) async {
bool eventTriggered = false;
final roster = RosterManager();
roster.register(XmppManagerAttributes(
style: Fix a lot of linter warnings
2022-04-10 20:57:04 +00:00
sendStanza: (_, { StanzaFromType addFrom = StanzaFromType.full, bool addId = true, bool retransmitted = false, bool awaitable = true }) async => XMLNode(tag: "hallo"),
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
sendEvent: (event) {
eventTriggered = true;
},
sendNonza: (_) {},
sendRawXml: (_) {},
getConnectionSettings: () => ConnectionSettings(
jid: JID.fromString(bareJid),
password: "password",
useDirectTLS: true,
allowPlainAuth: false,
),
getManagerById: (_) => null,
xmpp: Implement Message Carbons
2022-03-01 19:26:55 +00:00
isFeatureSupported: (_) => false,
xmpp: Move the ping management out of [StreamManagementManager] This allows the socket to say whether whitespace pings are allowed and whether it manages its own keepalives or not.
2022-04-20 20:52:32 +00:00
getFullJID: () => JID.fromString("$bareJid/$resource"),
test: Adapt to changes in [XmppManagerAttributes]
2022-05-07 21:48:51 +00:00
getSocket: () => StubTCPSocket(play: []),
test: Fix linter issues
2022-07-16 10:43:21 +00:00
getConnection: () => XmppConnection(TestingReconnectionPolicy()),
// TODO
getNegotiatorById: (id) => null,
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
));
final stanza = Stanza.fromXMLNode(XMLNode.fromString(stanzaString));
xmpp: Rework the stanza handler
2022-03-11 20:39:42 +00:00
for (final handler in roster.getIncomingStanzaHandlers()) {
if (handler.matches(stanza)) await handler.callback(stanza, StanzaHandlerData(false, stanza));
}
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
return eventTriggered;
}
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
void main() {
test: Add helper for enabling logging
2022-07-15 19:48:32 +00:00
initLogger();
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
test("Test a successful login attempt with no SM", () async {
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
final fakeSocket = StubTCPSocket(
play: [
Expectation(
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"to": "test.server",
"xml:lang": "en"
},
closeTag: false
),
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"from": "test.server",
"xml:lang": "en"
},
closeTag: false,
children: [
XMLNode.xmlns(
tag: "stream:features",
xmlns: "http://etherx.jabber.org/streams",
children: [
XMLNode.xmlns(
tag: "mechanisms",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "mechanism", text: "PLAIN")
]
)
]
)
]
)
),
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
Expectation(XMLNode.xmlns(
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
tag: "auth",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
attributes: {
"mechanism": "PLAIN"
},
text: "AHBvbHlub21kaXZpc2lvbgBhYWFh"
),
XMLNode.xmlns(
tag: "success",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl"
)
),
Expectation(
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"to": "test.server",
"xml:lang": "en"
},
closeTag: false
),
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"from": "test.server",
"xml:lang": "en"
},
closeTag: false,
children: [
XMLNode.xmlns(
tag: "stream:features",
xmlns: "http://etherx.jabber.org/streams",
children: [
XMLNode.xmlns(
tag: "bind",
xmlns: "urn:ietf:params:xml:ns:xmpp-bind",
children: [
XMLNode(tag: "required")
]
),
XMLNode.xmlns(
tag: "session",
xmlns: "urn:ietf:params:xml:ns:xmpp-session",
children: [
XMLNode(tag: "optional")
]
),
XMLNode.xmlns(
tag: "csi",
xmlns: "urn:xmpp:csi:0",
)
]
)
]
),
),
Expectation(
XMLNode.xmlns(
tag: "iq",
xmlns: "jabber:client",
attributes: { "type": "set", "id": "a" },
children: [
XMLNode.xmlns(
tag: "bind",
xmlns: "urn:ietf:params:xml:ns:xmpp-bind"
)
]
),
XMLNode.xmlns(
tag: "iq",
xmlns: "jabber:client",
xmpp: Huge rework of stanza handling Instead of putting everything into [XmppConnection], let's put everything into its own [XmppManagerBase] base subclass. - Improves testability - Makes extensions easier - Allows easier usage of lib/xmpp as its own library
2022-01-19 14:59:48 +00:00
attributes: { "type": "result" },
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
children: [
xmpp: Huge rework of stanza handling Instead of putting everything into [XmppConnection], let's put everything into its own [XmppManagerBase] base subclass. - Improves testability - Makes extensions easier - Allows easier usage of lib/xmpp as its own library
2022-01-19 14:59:48 +00:00
XMLNode.xmlns(
tag: "bind",
xmlns: "urn:ietf:params:xml:ns:xmpp-bind",
children: [
XMLNode(
tag: "jid",
text: "polynomdivision@test.server/MU29eEZn"
)
]
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
)
]
)
),
Expectation(
XMLNode.xmlns(
tag: "presence",
xmlns: "jabber:client",
attributes: { "from": "polynomdivision@test.server/MU29eEZn" },
children: [
XMLNode(
tag: "show",
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
text: "chat"
),
XMLNode.xmlns(
tag: "c",
xmlns: "http://jabber.org/protocol/caps",
attributes: {
// TODO: Somehow make the test ignore this attribute
xmpp: Factor out moxxy specific disco features
2022-01-23 15:17:00 +00:00
"ver": "QRTBC5cg/oYd+UOTYazSQR4zb/I=",
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
"node": "http://moxxy.im",
"hash": "sha-1"
}
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
)
]
),
XMLNode(
tag: "presence",
)
),
]
);
xmpp: Rework the stanza handler
2022-03-11 20:39:42 +00:00
// TODO: This test is broken since we query the server and enable carbons
xmpp: Add support for setting reconnection policies
2022-05-30 14:26:34 +00:00
final XmppConnection conn = XmppConnection(TestingReconnectionPolicy(), socket: fakeSocket);
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
conn.setConnectionSettings(ConnectionSettings(
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
jid: JID.fromString("polynomdivision@test.server"),
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
password: "aaaa",
useDirectTLS: true,
test: Fix them
2022-01-20 12:18:34 +00:00
allowPlainAuth: true
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
));
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
conn.registerManagers([
PresenceManager(),
RosterManager(),
DiscoManager(),
DiscoCacheManager(),
PingManager(),
]);
xmpp: Factor out moxxy specific disco features
2022-01-23 15:17:00 +00:00
xmpp: Make SASL kinda work
2022-07-15 18:39:10 +00:00
conn.registerFeatureNegotiators(
[
xmpp: Migrate scram to the negotiator design
2022-07-15 19:09:33 +00:00
SaslPlainNegotiator(),
xmpp: Fix resource binding
2022-07-16 11:09:35 +00:00
SaslScramNegotiator(10, "", "", ScramHashType.sha512),
ResourceBindingNegotiator(),
xmpp: Make SASL kinda work
2022-07-15 18:39:10 +00:00
]
);
xmpp: Implement StartTLS
2022-03-08 20:50:21 +00:00
await conn.connect();
style: Spent 6h fixing linter warnings
2022-01-21 16:44:48 +00:00
await Future.delayed(const Duration(seconds: 3), () {
xmpp: Implement plain resource binding
2022-01-21 08:34:38 +00:00
expect(fakeSocket.getState(), 5);
test: Modularize the StubSocket
2022-01-16 12:33:52 +00:00
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
});
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
test("Test a failed SASL auth", () async {
final fakeSocket = StubTCPSocket(
play: [
Expectation(
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"to": "test.server",
"xml:lang": "en"
},
closeTag: false
),
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"from": "test.server",
"xml:lang": "en"
},
closeTag: false,
children: [
XMLNode.xmlns(
tag: "stream:features",
xmlns: "http://etherx.jabber.org/streams",
children: [
XMLNode.xmlns(
tag: "mechanisms",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "mechanism", text: "PLAIN")
]
)
]
)
]
)
),
Expectation(XMLNode.xmlns(
tag: "auth",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
attributes: {
"mechanism": "PLAIN"
},
text: "AHBvbHlub21kaXZpc2lvbgBhYWFh"
),
XMLNode.xmlns(
tag: "failure",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "not-authorized")
]
)
)
]
);
bool receivedEvent = false;
xmpp: Add support for setting reconnection policies
2022-05-30 14:26:34 +00:00
final XmppConnection conn = XmppConnection(TestingReconnectionPolicy(), socket: fakeSocket);
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
conn.setConnectionSettings(ConnectionSettings(
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
jid: JID.fromString("polynomdivision@test.server"),
password: "aaaa",
useDirectTLS: true,
allowPlainAuth: true
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
));
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
conn.registerManagers([
PresenceManager(),
RosterManager(),
DiscoManager(),
PingManager(),
]);
conn.registerFeatureNegotiators([
SaslPlainNegotiator()
]);
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
conn.asBroadcastStream().listen((event) {
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
if (event is AuthenticationFailedEvent && event.saslError == "not-authorized") {
receivedEvent = true;
}
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
xmpp: Implement StartTLS
2022-03-08 20:50:21 +00:00
await conn.connect();
style: Spent 6h fixing linter warnings
2022-01-21 16:44:48 +00:00
await Future.delayed(const Duration(seconds: 3), () {
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
expect(receivedEvent, true);
});
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
test("Test another failed SASL auth", () async {
final fakeSocket = StubTCPSocket(
play: [
Expectation(
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"to": "test.server",
"xml:lang": "en"
},
closeTag: false
),
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"from": "test.server",
"xml:lang": "en"
},
closeTag: false,
children: [
XMLNode.xmlns(
tag: "stream:features",
xmlns: "http://etherx.jabber.org/streams",
children: [
XMLNode.xmlns(
tag: "mechanisms",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "mechanism", text: "PLAIN")
]
)
]
)
]
)
),
Expectation(XMLNode.xmlns(
tag: "auth",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
attributes: {
"mechanism": "PLAIN"
},
text: "AHBvbHlub21kaXZpc2lvbgBhYWFh"
),
XMLNode.xmlns(
tag: "failure",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "mechanism-too-weak")
]
)
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
)
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
]
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
);
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
bool receivedEvent = false;
xmpp: Add support for setting reconnection policies
2022-05-30 14:26:34 +00:00
final XmppConnection conn = XmppConnection(TestingReconnectionPolicy(), socket: fakeSocket);
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
conn.setConnectionSettings(ConnectionSettings(
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
jid: JID.fromString("polynomdivision@test.server"),
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
password: "aaaa",
useDirectTLS: true,
allowPlainAuth: true
));
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
conn.registerManagers([
PresenceManager(),
RosterManager(),
DiscoManager(),
PingManager(),
]);
conn.registerFeatureNegotiators([
SaslPlainNegotiator()
]);
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
conn.asBroadcastStream().listen((event) {
if (event is AuthenticationFailedEvent && event.saslError == "mechanism-too-weak") {
receivedEvent = true;
}
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
xmpp: Implement StartTLS
2022-03-08 20:50:21 +00:00
await conn.connect();
style: Spent 6h fixing linter warnings
2022-01-21 16:44:48 +00:00
await Future.delayed(const Duration(seconds: 3), () {
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
expect(receivedEvent, true);
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
});
xmpp: Use classes instead of strings for the JID
2021-12-30 19:06:20 +00:00
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
test("Test choosing SCRAM-SHA-1", () async {
final fakeSocket = StubTCPSocket(
play: [
Expectation(
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"to": "test.server",
"xml:lang": "en"
},
closeTag: false
),
XMLNode(
tag: "stream:stream",
attributes: {
"xmlns": "jabber:client",
"version": "1.0",
"xmlns:stream": "http://etherx.jabber.org/streams",
"from": "test.server",
"xml:lang": "en"
},
closeTag: false,
children: [
XMLNode.xmlns(
tag: "stream:features",
xmlns: "http://etherx.jabber.org/streams",
children: [
XMLNode.xmlns(
tag: "mechanisms",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
children: [
XMLNode(tag: "mechanism", text: "PLAIN"),
XMLNode(tag: "mechanism", text: "SCRAM-SHA-1")
]
)
]
)
]
)
),
Expectation(XMLNode.xmlns(
tag: "auth",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
attributes: {
"mechanism": "SCRAM-SHA-1"
},
text: "..."
),
XMLNode.xmlns(
tag: "challenge",
xmlns: "urn:ietf:params:xml:ns:xmpp-sasl",
attributes: {
"mechanism": "SCRAM-SHA-1"
},
text: "cj02ZDQ0MmI1ZDllNTFhNzQwZjM2OWUzZGNlY2YzMTc4ZWMxMmIzOTg1YmJkNGE4ZTZmODE0YjQyMmFiNzY2NTczLHM9UVNYQ1IrUTZzZWs4YmY5MixpPTQwOTY="
),
justCheckAttributes: {
"mechanism": "SCRAM-SHA-1"
}
)
]
);
xmpp: Add support for setting reconnection policies
2022-05-30 14:26:34 +00:00
final XmppConnection conn = XmppConnection(TestingReconnectionPolicy(), socket: fakeSocket);
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
conn.setConnectionSettings(ConnectionSettings(
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
jid: JID.fromString("polynomdivision@test.server"),
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
password: "aaaa",
useDirectTLS: true,
allowPlainAuth: false
));
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
conn.registerManagers([
PresenceManager(),
RosterManager(),
DiscoManager(),
PingManager(),
]);
conn.registerFeatureNegotiators([
SaslPlainNegotiator(),
SaslScramNegotiator(10, "", "", ScramHashType.sha1),
]);
xmpp: Factor out moxxy specific disco features
2022-01-23 15:17:00 +00:00
xmpp: Implement StartTLS
2022-03-08 20:50:21 +00:00
await conn.connect();
style: Spent 6h fixing linter warnings
2022-01-21 16:44:48 +00:00
await Future.delayed(const Duration(seconds: 3), () {
expect(fakeSocket.getState(), 2);
});
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
});
group("Test roster pushes", () {
test("Test for a CVE-2015-8688 style vulnerability", () async {
bool eventTriggered = false;
final roster = RosterManager();
roster.register(XmppManagerAttributes(
style: Fix a lot of linter warnings
2022-04-10 20:57:04 +00:00
sendStanza: (_, { StanzaFromType addFrom = StanzaFromType.full, bool addId = true, bool retransmitted = false, bool awaitable = true }) async => XMLNode(tag: "hallo"),
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
sendEvent: (event) {
eventTriggered = true;
},
sendNonza: (_) {},
sendRawXml: (_) {},
getConnectionSettings: () => ConnectionSettings(
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
jid: JID.fromString("some.user@example.server"),
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
password: "password",
useDirectTLS: true,
allowPlainAuth: false,
),
getManagerById: (_) => null,
xmpp: Implement Message Carbons
2022-03-01 19:26:55 +00:00
isFeatureSupported: (_) => false,
xmpp: Move the ping management out of [StreamManagementManager] This allows the socket to say whether whitespace pings are allowed and whether it manages its own keepalives or not.
2022-04-20 20:52:32 +00:00
getFullJID: () => JID.fromString("some.user@example.server/aaaaa"),
test: Adapt to changes in [XmppManagerAttributes]
2022-05-07 21:48:51 +00:00
getSocket: () => StubTCPSocket(play: []),
test: Uncomment all xmpp_test tests
2022-07-16 16:42:45 +00:00
getConnection: () => XmppConnection(TestingReconnectionPolicy()),
getNegotiatorById: (_) => null,
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
));
// NOTE: Based on https://gultsch.de/gajim_roster_push_and_message_interception.html
xmpp: Fix the roster code
2022-02-22 15:25:12 +00:00
// NOTE: Added a from attribute as a server would add it itself.
final maliciousStanza = Stanza.fromXMLNode(XMLNode.fromString("<iq type=\"set\" from=\"eve@siacs.eu/bbbbb\" to=\"some.user@example.server/aaaaa\"><query xmlns='jabber:iq:roster'><item subscription=\"both\" jid=\"eve@siacs.eu\" name=\"Bob\" /></query></iq>"));
xmpp: Rework the stanza handler
2022-03-11 20:39:42 +00:00
for (final handler in roster.getIncomingStanzaHandlers()) {
if (handler.matches(maliciousStanza)) await handler.callback(maliciousStanza, StanzaHandlerData(false, maliciousStanza));
}
xmpp: Improve tests and fix our first vulnerability In order to test the [RosterManager], I decided to add a test to ensure vulnerabilities like CVE-2015-8688 won't happen. But as it turns out, I got the logic wrong in the [RosterManager] base implementation which would've allowed a malicious actor to inject a roster push. oof.
2022-01-21 10:23:09 +00:00
expect(eventTriggered, false, reason: "Was able to inject a malicious roster push");
});
xmpp: Fix roster pushes again
2022-02-22 20:21:31 +00:00
test("The manager should accept pushes from our bare jid", () async {
final result = await testRosterManager("test.user@server.example", "aaaaa", "<iq from='test.user@server.example' type='result' id='82c2aa1e-cac3-4f62-9e1f-bbe6b057daf3' to='test.user@server.example/aaaaa' xmlns='jabber:client'><query ver='64' xmlns='jabber:iq:roster'><item jid='some.other.user@server.example' subscription='to' /></query></iq>");
expect(result, true, reason: "Roster pushes from our bare JID should be accepted");
});
test("The manager should accept pushes from a jid that, if the resource is stripped, is our bare jid", () async {
final result1 = await testRosterManager("test.user@server.example", "aaaaa", "<iq from='test.user@server.example/aaaaa' type='result' id='82c2aa1e-cac3-4f62-9e1f-bbe6b057daf3' to='test.user@server.example/aaaaa' xmlns='jabber:client'><query ver='64' xmlns='jabber:iq:roster'><item jid='some.other.user@server.example' subscription='to' /></query></iq>");
expect(result1, true, reason: "Roster pushes should be accepted if the bare JIDs are the same");
final result2 = await testRosterManager("test.user@server.example", "aaaaa", "<iq from='test.user@server.example/bbbbb' type='result' id='82c2aa1e-cac3-4f62-9e1f-bbe6b057daf3' to='test.user@server.example/aaaaa' xmlns='jabber:client'><query ver='64' xmlns='jabber:iq:roster'><item jid='some.other.user@server.example' subscription='to' /></query></iq>");
expect(result2, true, reason: "Roster pushes should be accepted if the bare JIDs are the same");
});
xmpp: Use classes instead of strings for the JID
2021-12-30 19:06:20 +00:00
});
xmpp: Implement my own XMPP library
2021-12-30 18:49:01 +00:00
}
Reference in New Issue Copy Permalink