From 7ff2228d6f81ef1359b2eadd08ec07bc0861dacb Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Mon, 30 Aug 2021 20:51:26 +0200
Subject: [PATCH 1/2] FilteredIteratorTest: improve the tests
* Add docblocks to the test methods.
* Add `@covers` tags.
* Use more specific assertions.
* Add the `$message` parameter to each assertion to allow for distinguishing which one failed more easily.
* Use named data sets and indexed array items in the data provider.
---
 tests/Utility/FilteredIteratorTest.php | 38 ++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/tests/Utility/FilteredIteratorTest.php b/tests/Utility/FilteredIteratorTest.php
index f20df7030..574b28d9a 100644
--- a/tests/Utility/FilteredIteratorTest.php
+++ b/tests/Utility/FilteredIteratorTest.php
@@ -8,8 +8,17 @@ use WpOrg\Requests\Utility\FilteredIterator;
 final class FilteredIteratorTest extends TestCase {
+
 /**
+ * Tests against insecure deserialization of untrusted data.
+ *
+ * @link https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54
+ *
 * @dataProvider dataSerializeDeserializeObjects
+ *
+ * @param \ArrayIterator $value Value to test with.
+ *
+ * @return void
 */
 public function testDeserializeRequestUtilityFilteredIteratorObjects($value) {
 $serialized = serialize($value);
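Review bot: The added summary `Tests against insecure deserialization of untrusted data.` promises more than the visible input provides: the last context line of this hunk is `$serialized = serialize($value);`, so the string being unserialized was produced by the class itself from a normally constructed object. That pins the round-trip behaviour, but whether the same guarantee holds for a serialized string in a shape other than what `serialize()` emits cannot be concluded from this test. I would either narrow the wording, e.g. `* Verifies that a serialize()/unserialize() round trip does not restore the callback.`, or add a data set fed from a fixed serialized fixture string. The method body continues outside the hunk.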
@@ -19,18 +28,35 @@ public function testDeserializeRequestUtilityFilteredIteratorObjects($value) {
 $property = $reflection->getProperty('callback');
 $property->setAccessible(true);
 $callback_value = $property->getValue($new_value);
- $this->assertSame(null, $callback_value);
+ $this->assertNull($callback_value, 'Callback is not null');
 } else {
- $this->assertEquals($value->count(), unserialize($serialized)->count());
+ $this->assertSame(
+ $value->count(),
+ unserialize($serialized)->count(),
+ 'Unserialized count is not equivalent'
+ );
 }
 }
+ /**
+ * Data provider.
+ *
+ * @return array
+ */
 public function dataSerializeDeserializeObjects() {
 return array(
- array(new FilteredIterator(array(1), 'md5')),
- array(new FilteredIterator(array(1, 2), 'sha1')),
- array(new FilteredIterator(array(1, 2, 3), 'doesnotexist')),
- array(new ArrayIterator(array(1, 2, 3))),
+ 'FilteredIterator object with one value, callback: md5' => array(
+ 'value' => new FilteredIterator(array(1), 'md5'),
+ ),
+ 'FilteredIterator object with two values, callback: sha1' => array(
+ 'value' => new FilteredIterator(array(1, 2), 'sha1'),
+ ),
+ 'FilteredIterator object with three values, non-existent callback' => array(
+ 'value' => new FilteredIterator(array(1, 2, 3), 'doesnotexist'),
+ ),
+ 'ArrayIterator object with three values, no callback' => array(
+ 'value' => new ArrayIterator(array(1, 2, 3)),
+ ),
 );
 }
 }
From 24ae98eba76d5a818e305be0d44047c8c9bf63b7 Mon Sep 17 00:00:00 2001
From: jrfnl
Date: Mon, 30 Aug 2021 21:21:48 +0200
Subject: [PATCH 2/2] FilteredIteratorTest: add `@covers` tags
---
 tests/Utility/FilteredIteratorTest.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/tests/Utility/FilteredIteratorTest.php b/tests/Utility/FilteredIteratorTest.php
index 574b28d9a..53574e1ce 100644
--- a/tests/Utility/FilteredIteratorTest.php
+++ b/tests/Utility/FilteredIteratorTest.php
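Review bot: In the `else` branch of the `@@ -19,18 +28,35 @@` hunk the new `assertSame()` deserializes the payload a second time with `unserialize($serialized)->count(),`, while the first branch inspects `$new_value`. If `$new_value` is the result of the earlier `unserialize()` call (its assignment is outside this hunk), the argument should be `$new_value->count(),` so that both branches assert on the same object. The `FilteredIterator` branch also checks only that the `callback` property is null and says nothing about the data the restored iterator holds, so a regression that left the callback out but changed the contents would pass unnoticed. An extra assertion on the unserialized object's contents in that branch would pin the intended post-condition.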
@@ -7,6 +7,9 @@ use WpOrg\Requests\Tests\TestCase;
 use WpOrg\Requests\Utility\FilteredIterator;
+/**
+ * @coversDefaultClass \WpOrg\Requests\Utility\FilteredIterator
+ */
 final class FilteredIteratorTest extends TestCase {
 /**
@@ -14,6 +17,10 @@ final class FilteredIteratorTest extends TestCase {
 *
 * @link https://github.com/WordPress/Requests/security/advisories/GHSA-52qp-jpq7-6c54
 *
+ * @covers ::unserialize
+ * @covers ::__unserialize
+ * @covers ::__wakeup
+ *
 * @dataProvider dataSerializeDeserializeObjects
 *
 * @param \ArrayIterator $value Value to test with.
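Review bot: The three `@covers` tags added in the `@@ -14,6 +17,10 @@` hunk credit this single test with `::unserialize`, `::__unserialize` and `::__wakeup`, but PHP selects the deserialization hook by runtime version and payload format, and the test (body outside this hunk) only feeds `serialize()` output. On PHP 7.4 and later `__unserialize()` takes precedence when it is defined, so the other two methods are presumably reached only on older runtimes, if at all. Because these hooks relate to the linked advisory, it is worth confirming from a coverage report across the full CI matrix that each one is actually executed. A docblock line such as `* Note: which of the covered methods runs depends on the PHP version.` would keep the tags from overstating what one run proves.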