@@ -316,7 +316,7 @@ public function testGetters(): void
316316 $ this assertIsBool ($ securityshouldRedirect ());
317317 }
318318
319- public function testGetPostedTokenReturnsTokenWhenValid (): void
319+ public function testGetPostedTokenReturnsTokenFromPost (): void
320320 {
321321 $ _POST 'csrf_test_name ' ] = '8b9218a55906f9dcc1dc263dce7f005a ' ;
322322 $ request$ this createIncomingRequest ();
@@ -325,25 +325,16 @@ public function testGetPostedTokenReturnsTokenWhenValid(): void
325325 $ this assertSame ('8b9218a55906f9dcc1dc263dce7f005a ' , $ method$ request
326326 }
327327
328- public function testGetPostedTokenReturnsNullWhenEmpty (): void
328+ public function testGetPostedTokenReturnsTokenFromHeader (): void
329329 {
330330 $ _POST
331- $ request$ this createIncomingRequest ();
331+ $ request$ this createIncomingRequest ()-> setHeader ( ' X-CSRF-TOKEN ' , ' 8b9218a55906f9dcc1dc263dce7f005a ' ) ;
332332 $ method$ this getPrivateMethodInvoker ($ this createMockSecurity (), 'getPostedToken ' );
333333
334- $ this assertNull ($ method$ request
335- }
336-
337- public function testGetPostedTokenReturnsNullWhenMaliciousData (): void
338- {
339- $ _POST 'csrf_test_name ' ] = ['malicious ' => 'data ' ];
340- $ request$ this createIncomingRequest ();
341- $ method$ this getPrivateMethodInvoker ($ this createMockSecurity (), 'getPostedToken ' );
342-
343- $ this assertNull ($ method$ request
334+ $ this assertSame ('8b9218a55906f9dcc1dc263dce7f005a ' , $ method$ request
344335 }
345336
346- public function testGetPostedTokenReturnsTokenFromJsonInput (): void
337+ public function testGetPostedTokenReturnsTokenFromJsonBody (): void
347338 {
348339 $ _POST
349340 $ jsonBodyjson_encode (['csrf_test_name ' => '8b9218a55906f9dcc1dc263dce7f005a ' ]);
@@ -353,7 +344,7 @@ public function testGetPostedTokenReturnsTokenFromJsonInput(): void
353344 $ this assertSame ('8b9218a55906f9dcc1dc263dce7f005a ' , $ method$ request
354345 }
355346
356- public function testGetPostedTokenReturnsTokenFromFormEncodedInput (): void
347+ public function testGetPostedTokenReturnsTokenFromFormBody (): void
357348 {
358349 $ _POST
359350 $ formBody'csrf_test_name=8b9218a55906f9dcc1dc263dce7f005a ' ;
@@ -363,13 +354,24 @@ public function testGetPostedTokenReturnsTokenFromFormEncodedInput(): void
363354 $ this assertSame ('8b9218a55906f9dcc1dc263dce7f005a ' , $ method$ request
364355 }
365356
366- public function testGetPostedTokenReturnsNullFromMaliciousJsonInput (): void
357+ public function testGetPostedTokenReturnsNullForInvalidInputs (): void
367358 {
368- $ _POST
369- $ maliciousJsonjson_encode (['csrf_test_name ' => ['malicious ' => 'data ' ]]);
370- $ request$ this createIncomingRequest ()->setBody ($ maliciousJson
371- $ method$ this getPrivateMethodInvoker ($ this createMockSecurity (), 'getPostedToken ' );
372-
373- $ this assertNull ($ method$ request
359+ $ method$ this getPrivateMethodInvoker ($ this createMockSecurity (), 'getPostedToken ' );
360+ $ testCases
361+ 'empty_post ' => $ this createIncomingRequest (),
362+ 'malicious_post ' => $ this createIncomingRequest ()->setGlobal ('post ' , ['csrf_test_name ' => ['malicious ' => 'data ' ]]),
363+ 'empty_header ' => $ this createIncomingRequest ()->setHeader ('X-CSRF-TOKEN ' , '' ),
364+ 'malicious_json ' => $ this createIncomingRequest ()->setBody (json_encode (['csrf_test_name ' => ['malicious ' => 'data ' ]])),
365+ 'invalid_json ' => $ this createIncomingRequest ()->setBody ('{invalid json} ' ),
366+ 'missing_token_in_body ' => $ this createIncomingRequest ()->setBody ('other=value&another=test ' ),
367+ 'malicious_form ' => $ this createIncomingRequest ()->setBody ('csrf_test_name[]=malicious ' ),
368+ ];
369+
370+ foreach ($ testCasesas $ case$ request
371+ $ this assertNull (
372+ $ method$ request
373+ "Failed asserting that {$ case returns null "
374+ );
375+ }
374376 }
375377}
0 commit comments