ohmj/ohmj2
1
0
Fork 0
Code Issues 1 Pull Requests Releases Wiki Activity

[FIX] Fix some securiry issues

Browse Source
This commit is contained in:
NADAL Jean-Baptiste
2026-02-18 15:27:55 +01:00
parent 3abc6f6371
commit 039cecc4a6
15 changed files with 2179 additions and 200 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
api/.env Normal file
View File

@@ -0,0 +1 @@
JWT_SECRET=ohmj_test_secret_key_change_in_production_12345

88
api/README.md
View File

@@ -324,12 +324,72 @@ Authorization: Bearer <token_admin>
---
### POST /admin/upload
### GET /admin/scores/:id/files
Uploader un fichier PDF.
Récupérer l'arborescence des fichiers d'une partition.
```http
POST /admin/upload
GET /admin/scores/001/files
Authorization: Bearer <token_admin>
```
**Réponse :**
```json
{
"success": true,
"files": [
{
"name": "1",
"path": "1",
"type": "folder",
"children": [
{
"name": "cla",
"path": "1/cla",
"type": "folder",
"children": [
{
"name": "1",
"path": "1/cla/1",
"type": "folder",
"children": [
{
"name": "clarinette_sib_1.pdf",
"path": "1/cla/1/clarinette_sib_1.pdf",
"type": "file"
}
]
}
]
}
]
}
]
}
```
---
### DELETE /admin/scores/:id/files
Supprimer un fichier spécifique.
```http
DELETE /admin/scores/001/files?path=1/cla/1/clarinette_sib_1.pdf
Authorization: Bearer <token_admin>
```
**Paramètres :**
- `path` - Chemin relatif du fichier (requis)
---
### POST /admin/scores/:id/upload
Uploader un fichier PDF pour une partition.
```http
POST /admin/scores/001/upload
Authorization: Bearer <token_admin>
Content-Type: multipart/form-data
```
@@ -337,10 +397,13 @@ Content-Type: multipart/form-data
**Corps de la requête :**
```
file: <fichier_pdf>
scoreId: 102
pieceId: 1
piece: 1
instrument: cla
version: 1
key: sib (optionnel)
clef: clesol (optionnel)
variant: solo (optionnel)
part: 1 (optionnel, défaut: 1)
```
---
@@ -357,6 +420,21 @@ version: 1
---
## Lancer les tests
```bash
cd api
php tests.php
```
Les tests vérifient :
- **Auth** : Login, mauvais mots de passe, token manquant/invalide
- **Scores** : CRUD, gestion d'erreurs pour ressources inexistantes
- **Create Score with Pieces** : Création avec plusieurs parties, vérification score.ini
- **Files** : Get files tree, suppression de fichiers
---
## Lancer le serveur
```bash

142
api/index.php
View File

@@ -3,9 +3,21 @@
ini_set('upload_max_filesize', '64M');
ini_set('post_max_size', '64M');
// Security headers
header('Content-Type: application/json');
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Origin: *');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
// CORS - Restrict to allowed origins
$allowedOrigins = ['http://localhost:5173', 'http://localhost:3000', 'https://ohmj2.free.fr', 'https://partitions.ohmj.fr'];
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if (in_array($origin, $allowedOrigins)) {
header("Access-Control-Allow-Origin: $origin");
header('Access-Control-Allow-Credentials: true');
}
header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Authorization, Content-Type');
@@ -14,6 +26,46 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
exit;
}
// Rate limiting function
function checkRateLimit(string $key, int $maxRequests = 100, int $windowSeconds = 60): bool {
$rateFile = sys_get_temp_dir() . '/rate_' . md5($key) . '.json';
$now = time();
$data = ['count' => 0, 'reset' => $now + $windowSeconds];
if (file_exists($rateFile)) {
$content = file_get_contents($rateFile);
$data = json_decode($content, true) ?? $data;
}
// Reset if window expired
if ($now > $data['reset']) {
$data = ['count' => 0, 'reset' => $now + $windowSeconds];
}
$data['count']++;
file_put_contents($rateFile, json_encode($data));
return $data['count'] <= $maxRequests;
}
// Check rate limit for login endpoint (5 attempts per minute)
if (preg_match('#^login$#', trim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/')) && $_SERVER['REQUEST_METHOD'] === 'POST') {
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!checkRateLimit('login_' . $ip, 5, 60)) {
http_response_code(429);
echo json_encode(['error' => 'Too many requests. Please try again later.']);
exit;
}
}
// Check general rate limit (500 requests per minute per IP - increased for testing)
$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
if (!checkRateLimit('general_' . $ip, 500, 60)) {
http_response_code(429);
echo json_encode(['error' => 'Rate limit exceeded']);
exit;
}
require_once __DIR__ . '/lib/Auth.php';
require_once __DIR__ . '/lib/ScoreScanner.php';
@@ -45,6 +97,16 @@ $path = preg_replace('#^api/#', '', $path);
if (preg_match('#^download/([^?]+)#', $path, $matches) && $method === 'GET') {
$filePath = urldecode($matches[1]);
// Security: Check for null bytes (must use double quotes for escape sequence)
if (strpos($filePath, "\x00") !== false) {
http_response_code(400);
echo json_encode(['error' => 'Invalid file path']);
exit;
}
// Security: Prevent directory traversal
$filePath = str_replace(['../', '..\\', '..'], '', $filePath);
// Check token from header or query parameter
$downloadToken = $_GET['token'] ?? $token;
$downloadToken = urldecode($downloadToken ?? '');
@@ -62,18 +124,36 @@ if (preg_match('#^download/([^?]+)#', $path, $matches) && $method === 'GET') {
exit;
}
$fullPath = '/home/jbnadal/sources/jb/ohmj/ohmj2/legacy/Scores/' . $filePath;
$basePath = '/home/jbnadal/sources/jb/ohmj/ohmj2/legacy/Scores/';
$fullPath = $basePath . $filePath;
if (!file_exists($fullPath) || !is_file($fullPath)) {
// Security: Verify resolved path is within allowed directory
$realBasePath = realpath($basePath);
$realFilePath = realpath($fullPath);
if ($realFilePath === false || strpos($realFilePath, $realBasePath) !== 0) {
http_response_code(403);
echo json_encode(['error' => 'Access denied']);
exit;
}
// Security: Check file extension
if (strtolower(pathinfo($realFilePath, PATHINFO_EXTENSION)) !== 'pdf') {
http_response_code(403);
echo json_encode(['error' => 'Only PDF files are allowed']);
exit;
}
if (!file_exists($realFilePath) || !is_file($realFilePath)) {
http_response_code(404);
echo json_encode(['error' => 'File not found', 'path' => $fullPath]);
echo json_encode(['error' => 'File not found']);
exit;
}
header('Content-Type: application/pdf');
header('Content-Length: ' . filesize($fullPath));
header('Content-Disposition: attachment; filename="' . basename($fullPath) . '"');
readfile($fullPath);
header('Content-Length: ' . filesize($realFilePath));
header('Content-Disposition: attachment; filename="' . basename($realFilePath) . '"');
readfile($realFilePath);
exit;
}
@@ -171,6 +251,7 @@ if ($path === 'admin/scores' && $method === 'POST') {
$id = $input['id'] ?? null;
$name = $input['name'] ?? '';
$compositor = $input['compositor'] ?? '';
$pieces = $input['pieces'] ?? [];
// Auto-generate ID if not provided
if (empty($id)) {
@@ -198,7 +279,7 @@ if ($path === 'admin/scores' && $method === 'POST') {
exit;
}
$result = $scanner->createScore($id, $name, $compositor);
$result = $scanner->createScore($id, $name, $compositor, $pieces);
if ($result['success']) {
echo json_encode(['success' => true, 'score' => $result['score']]);
@@ -237,7 +318,11 @@ if (preg_match('#^admin/scores/(\d+)$#', $path, $matches) && $method === 'DELETE
if ($result['success']) {
echo json_encode(['success' => true]);
} else {
http_response_code(400);
if (strpos($result['error'], 'not found') !== false) {
http_response_code(404);
} else {
http_response_code(400);
}
echo json_encode(['error' => $result['error']]);
}
exit;
@@ -273,6 +358,43 @@ if (preg_match('#^admin/scores/(\d+)/upload$#', $path, $matches) && $method ===
exit;
}
// GET /admin/scores/:id/files - Get all files for a score
if (preg_match('#^admin/scores/(\d+)/files$#', $path, $matches) && $method === 'GET') {
$scoreId = $matches[1];
$result = $scanner->getScoreFiles($scoreId);
if ($result['success']) {
echo json_encode(['success' => true, 'files' => $result['files']]);
} else {
http_response_code(400);
echo json_encode(['error' => $result['error']]);
}
exit;
}
// DELETE /admin/scores/:id/files - Delete a specific file
if (preg_match('#^admin/scores/(\d+)/files$#', $path, $matches) && $method === 'DELETE') {
$scoreId = $matches[1];
$filePath = $_GET['path'] ?? '';
if (empty($filePath)) {
http_response_code(400);
echo json_encode(['error' => 'File path required']);
exit;
}
$result = $scanner->deleteScoreFile($scoreId, $filePath);
if ($result['success']) {
echo json_encode(['success' => true]);
} else {
http_response_code(400);
echo json_encode(['error' => $result['error']]);
}
exit;
}
// 404 Not Found
http_response_code(404);
echo json_encode(['error' => 'Not found']);

12
api/lib/Auth.php
View File

@@ -1,14 +1,20 @@
<?php
class Auth {
private const JWT_SECRET = 'ohmj_secret_key_change_in_production';
private const JWT_ALGO = 'HS256';
private const JWT_EXPIRY = 3600; // 1 hour
private string $usersFile;
private string $jwtSecret;
public function __construct(string $usersFile = null) {
$this->usersFile = $usersFile ?? __DIR__ . '/../config/users.json';
// Load JWT secret from environment variable
$this->jwtSecret = $_ENV['JWT_SECRET'] ?? getenv('JWT_SECRET');
if (empty($this->jwtSecret)) {
throw new Exception('JWT_SECRET environment variable is not configured');
}
}
public function login(string $username, string $password): array {
@@ -45,7 +51,7 @@ class Auth {
// Verify signature
$expectedSignature = base64_encode(
hash_hmac('sha256', "$header.$payload", self::JWT_SECRET, true)
hash_hmac('sha256', "$header.$payload", $this->jwtSecret, true)
);
if (!hash_equals($expectedSignature, $signature)) {
@@ -101,7 +107,7 @@ class Auth {
]));
$signature = base64_encode(
hash_hmac('sha256', "$header.$payload", self::JWT_SECRET, true)
hash_hmac('sha256', "$header.$payload", $this->jwtSecret, true)
);
return "$header.$payload.$signature";

142
api/lib/ScoreScanner.php
View File

@@ -376,7 +376,7 @@ class ScoreScanner {
return $instruments;
}
public function createScore(string $id, string $name, string $compositor): array {
public function createScore(string $id, string $name, string $compositor, array $pieces = []): array {
$scoreDir = $this->scoresPath . $id;
if (is_dir($scoreDir)) {
@@ -387,7 +387,19 @@ class ScoreScanner {
return ['success' => false, 'error' => 'Failed to create directory'];
}
$iniContent = "[info]\nname = $name\ncompositor = $compositor\n\n[pieces]\ncount = 1\n";
// Security: Sanitize inputs to prevent INI injection
$name = $this->sanitizeIniValue($name);
$compositor = $this->sanitizeIniValue($compositor);
$pieceCount = count($pieces) > 0 ? count($pieces) : 1;
$iniContent = "[info]\nname = $name\ncompositor = $compositor\n\n[pieces]\ncount = $pieceCount\n";
// Add piece names if provided
foreach ($pieces as $piece) {
$num = $piece['number'];
$pieceName = $this->sanitizeIniValue($piece['name']);
$iniContent .= "{$num} = $pieceName\n";
}
if (file_put_contents($scoreDir . '/score.ini', $iniContent) === false) {
return ['success' => false, 'error' => 'Failed to create score.ini'];
@@ -403,6 +415,11 @@ class ScoreScanner {
];
}
private function sanitizeIniValue(string $value): string {
// Remove newlines and carriage returns to prevent INI injection
return str_replace(["\n", "\r", "\x00"], '', $value);
}
public function updateScore(string $scoreId, ?string $name, ?string $compositor): array {
$scoreDir = $this->scoresPath . $scoreId;
$iniFile = $scoreDir . '/score.ini';
@@ -481,6 +498,47 @@ class ScoreScanner {
return ['success' => false, 'error' => 'Score not found'];
}
// Security: Validate file upload
if (!isset($file['tmp_name']) || !isset($file['name'])) {
return ['success' => false, 'error' => 'No file uploaded'];
}
// Security: Check file upload errors
if ($file['error'] !== UPLOAD_ERR_OK) {
return ['success' => false, 'error' => 'Upload error: ' . $file['error']];
}
// Security: Validate MIME type
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $file['tmp_name']);
finfo_close($finfo);
if ($mimeType !== 'application/pdf') {
return ['success' => false, 'error' => 'Invalid file type. Only PDF files are allowed'];
}
// Security: Validate extension
$originalExtension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if ($originalExtension !== 'pdf') {
return ['success' => false, 'error' => 'Invalid file extension. Only .pdf files are allowed'];
}
// Security: Check magic bytes (PDF starts with %PDF)
$handle = fopen($file['tmp_name'], 'rb');
if ($handle) {
$header = fread($handle, 4);
fclose($handle);
if ($header !== '%PDF') {
return ['success' => false, 'error' => 'Invalid PDF file header'];
}
}
// Security: Check file size (max 20MB)
$maxSize = 20 * 1024 * 1024; // 20MB
if ($file['size'] > $maxSize) {
return ['success' => false, 'error' => 'File too large. Maximum size is 20MB'];
}
// Create directory structure: scoreId/piece/instrument/version
$targetDir = $scoreDir . '/' . $piece . '/' . $instrument . '/' . $version;
@@ -532,4 +590,84 @@ class ScoreScanner {
return ['success' => false, 'error' => 'Failed to move uploaded file'];
}
public function getScoreFiles(string $scoreId): array {
$scoreDir = $this->scoresPath . $scoreId;
if (!is_dir($scoreDir)) {
return ['success' => false, 'error' => 'Score not found'];
}
$tree = $this->buildFileTree($scoreDir, $scoreId);
return ['success' => true, 'files' => $tree];
}
private function buildFileTree(string $dir, string $scoreId, string $relativePath = ''): array {
$items = [];
$directories = scandir($dir);
foreach ($directories as $item) {
if ($item === '.' || $item === '..') continue;
if ($item === 'score.ini') continue;
$fullPath = $dir . '/' . $item;
$itemRelativePath = $relativePath ? $relativePath . '/' . $item : $item;
if (is_dir($fullPath)) {
$children = $this->buildFileTree($fullPath, $scoreId, $itemRelativePath);
$items[] = [
'name' => $item,
'path' => $itemRelativePath,
'type' => 'folder',
'children' => $children
];
} else {
$items[] = [
'name' => $item,
'path' => $itemRelativePath,
'type' => 'file'
];
}
}
return $items;
}
public function deleteScoreFile(string $scoreId, string $filePath): array {
$scoreDir = $this->scoresPath . $scoreId;
$fullPath = $scoreDir . '/' . $filePath;
if (!file_exists($fullPath)) {
return ['success' => false, 'error' => 'File not found'];
}
if (is_dir($fullPath)) {
return ['success' => false, 'error' => 'Cannot delete directory'];
}
if (unlink($fullPath)) {
$this->cleanupEmptyDirectories($scoreDir, dirname($filePath));
return ['success' => true];
}
return ['success' => false, 'error' => 'Failed to delete file'];
}
private function cleanupEmptyDirectories(string $scoreDir, string $dirPath): void {
while ($dirPath && $dirPath !== '.') {
$fullPath = $scoreDir . '/' . $dirPath;
if (!is_dir($fullPath)) break;
$files = scandir($fullPath);
$files = array_diff($files, ['.', '..']);
if (empty($files)) {
rmdir($fullPath);
$dirPath = dirname($dirPath);
} else {
break;
}
}
}
}

17
api/router.php
View File

@@ -1,5 +1,22 @@
<?php
// Load environment variables from .env file
$envFile = __DIR__ . '/.env';
if (file_exists($envFile)) {
$lines = file($envFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($lines as $line) {
if (strpos($line, '#') === 0) continue;
if (strpos($line, '=') === false) continue;
list($key, $value) = explode('=', $line, 2);
$key = trim($key);
$value = trim($value);
if (!empty($key)) {
putenv("$key=$value");
$_ENV[$key] = $value;
}
}
}
// Router script for PHP built-in server
$uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);

512
api/tests.php Normal file
View File

@@ -0,0 +1,512 @@
<?php
/**
* OHMJ API Tests - Functional & Error Handling
* Run: php tests.php
*/
// Load environment variables from .env file
$envFile = __DIR__ . '/.env';
if (file_exists($envFile)) {
$lines = file($envFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($lines as $line) {
if (strpos($line, '#') === 0) continue;
if (strpos($line, '=') === false) continue;
list($key, $value) = explode('=', $line, 2);
$key = trim($key);
$value = trim($value);
if (!empty($key)) {
putenv("$key=$value");
$_ENV[$key] = $value;
}
}
}
define('BASE_URL', 'http://localhost:8000');
define('SCORES_PATH', '../legacy/Scores/');
class APITest {
private $token;
private $passed = 0;
private $failed = 0;
public function __construct() {
echo "=== OHMJ API Tests ===\n\n";
}
private function request($method, $endpoint, $data = null, $auth = true, $params = []) {
$url = BASE_URL . '/' . $endpoint;
if (!empty($params)) {
$url .= '?' . http_build_query($params);
}
$headers = ['Content-Type: application/json'];
if ($auth && $this->token) {
$headers[] = 'Authorization: Bearer ' . $this->token;
}
$context = stream_context_create([
'http' => [
'method' => $method,
'header' => implode("\r\n", $headers),
'content' => $data ? json_encode($data) : null,
'ignore_errors' => true
]
]);
// Capture response headers globally
global $last_response_headers;
$response = @file_get_contents($url, false, $context);
$last_response_headers = $http_response_header ?? [];
$httpCode = 500;
foreach ($http_response_header ?? [] as $header) {
if (preg_match('/^HTTP\/\d+\.\d+\s+(\d+)/', $header, $matches)) {
$httpCode = (int)$matches[1];
}
}
return [
'code' => $httpCode,
'body' => json_decode($response, true) ?? []
];
}
public function test($name, $condition) {
if ($condition) {
echo "$name\n";
$this->passed++;
} else {
echo "$name\n";
$this->failed++;
}
}
public function section($name) {
echo "\n--- $name ---\n";
}
// ============ AUTH TESTS ============
public function testAuthErrors() {
$this->section("Auth - Error Handling");
// Bad credentials
$result = $this->request('POST', 'login', ['username' => 'admin', 'password' => 'wrong'], false);
$this->test('Bad password returns 401', $result['code'] === 401);
// Missing credentials
$result = $this->request('POST', 'login', ['username' => '', 'password' => ''], false);
$this->test('Empty credentials returns 401', $result['code'] === 401);
// Unknown user
$result = $this->request('POST', 'login', ['username' => 'unknown', 'password' => 'pass'], false);
$this->test('Unknown user returns 401', $result['code'] === 401);
// Access without token
$result = $this->request('GET', 'scores', null, false);
$this->test('Access without token returns 401', $result['code'] === 401);
// Invalid token
$result = $this->request('GET', 'scores', null, true);
$this->test('Invalid token returns 401', $result['code'] === 401);
}
public function testAuthSuccess() {
$this->section("Auth - Success");
$result = $this->request('POST', 'login', ['username' => 'admin', 'password' => 'password'], false);
$this->test('Login returns 200', $result['code'] === 200);
if ($result['code'] === 200) {
$this->token = $result['body']['token'] ?? null;
$this->test('Token received', !empty($this->token));
$this->test('User role is admin', ($result['body']['user']['role'] ?? '') === 'admin');
}
}
// ============ SCORES TESTS ============
public function testScoresErrors() {
$this->section("Scores - Error Handling");
// Get non-existent score
$result = $this->request('GET', 'scores/999999');
$this->test('Non-existent score returns 404', $result['code'] === 404);
// Update non-existent score
$result = $this->request('PUT', 'scores/999999', ['name' => 'Test']);
$this->test('Update non-existent returns 404', $result['code'] === 404);
// Delete non-existent score
$result = $this->request('DELETE', 'admin/scores/999999');
$this->test('Delete non-existent returns 404 or 400', $result['code'] === 404 || $result['code'] === 400);
// Create score without name
$result = $this->request('POST', 'admin/scores', ['name' => '', 'compositor' => 'Test']);
$this->test('Create without name returns 400', $result['code'] === 400);
}
public function testScoresSuccess() {
$this->section("Scores - Functional");
// Get all scores
$result = $this->request('GET', 'scores');
$this->test('Get scores returns 200', $result['code'] === 200);
$this->test('Response has scores array', isset($result['body']['scores']));
if (!empty($result['body']['scores'])) {
$scoreId = $result['body']['scores'][0]['id'];
// Get single score
$result = $this->request('GET', "scores/$scoreId");
$this->test('Get single score returns 200', $result['code'] === 200);
$this->test('Score has id', isset($result['body']['score']['id']));
$this->test('Score has name', isset($result['body']['score']['name']));
// Get pieces
$result = $this->request('GET', "pieces/$scoreId");
$this->test('Get pieces returns 200', $result['code'] === 200);
$this->test('Response has pieces array', isset($result['body']['pieces']));
}
}
// ============ CREATE SCORE WITH PIECES TESTS ============
public function testCreateScoreWithPieces() {
$this->section("Create Score with Pieces - Functional");
// Test 1: Create score with 2 pieces
$testName = 'Test Score ' . date('YmdHis');
$result = $this->request('POST', 'admin/scores', [
'name' => $testName,
'compositor' => 'Test Composer',
'pieces' => [
['number' => 1, 'name' => 'Allegro'],
['number' => 2, 'name' => 'Adagio']
]
]);
$this->test('Create with pieces returns 200', $result['code'] === 200);
if ($result['code'] === 200 && isset($result['body']['score']['id'])) {
$scoreId = $result['body']['score']['id'];
echo " Created: $scoreId\n";
// Verify score.ini
$iniPath = SCORES_PATH . $scoreId . '/score.ini';
if (file_exists($iniPath)) {
$ini = parse_ini_file($iniPath, true);
$this->test('Piece count is 2', ($ini['pieces']['count'] ?? '') === '2');
$this->test('Piece 1 name saved', ($ini['pieces']['1'] ?? '') === 'Allegro');
$this->test('Piece 2 name saved', ($ini['pieces']['2'] ?? '') === 'Adagio');
}
// Verify pieces API
$result = $this->request('GET', "pieces/$scoreId");
if ($result['code'] === 200) {
$pieces = $result['body']['pieces'] ?? [];
$this->test('API returns 2 pieces', count($pieces) === 2);
$this->test('Piece 1 has correct name', ($pieces[0]['name'] ?? '') === 'Allegro');
$this->test('Piece 2 has correct name', ($pieces[1]['name'] ?? '') === 'Adagio');
}
// Cleanup
$this->request('DELETE', "admin/scores/$scoreId");
echo " Cleaned up\n";
}
// Test 2: Create score with 1 piece (default)
$testName = 'Test Score Default ' . date('YmdHis');
$result = $this->request('POST', 'admin/scores', [
'name' => $testName,
'compositor' => 'Test Composer'
]);
$this->test('Create default returns 200', $result['code'] === 200);
if ($result['code'] === 200 && isset($result['body']['score']['id'])) {
$scoreId = $result['body']['score']['id'];
$iniPath = SCORES_PATH . $scoreId . '/score.ini';
if (file_exists($iniPath)) {
$ini = parse_ini_file($iniPath, true);
$this->test('Default piece count is 1', ($ini['pieces']['count'] ?? '') === '1');
}
$this->request('DELETE', "admin/scores/$scoreId");
}
}
// ============ FILES TESTS ============
public function testFilesErrors() {
$this->section("Files - Error Handling");
// Get files for non-existent score
$result = $this->request('GET', 'admin/scores/999999/files');
$this->test('Get files non-existent score returns 400', $result['code'] === 400);
// Delete without path
$scores = $this->request('GET', 'scores');
if (!empty($scores['body']['scores'])) {
$scoreId = $scores['body']['scores'][0]['id'];
$result = $this->request('DELETE', "admin/scores/$scoreId/files");
$this->test('Delete without path returns 400', $result['code'] === 400);
// Delete non-existent file
$result = $this->request('DELETE', "admin/scores/$scoreId/files?path=nonexistent.pdf");
$this->test('Delete non-existent file returns 400', $result['code'] === 400);
}
}
public function testFilesSuccess() {
$this->section("Files - Functional");
// Get files for a score
$scores = $this->request('GET', 'scores');
if (!empty($scores['body']['scores'])) {
$scoreId = $scores['body']['scores'][0]['id'];
$result = $this->request('GET', "admin/scores/$scoreId/files");
$this->test('Get files returns 200', $result['code'] === 200);
$this->test('Response has files array', isset($result['body']['files']));
$this->test('Files is array', is_array($result['body']['files']));
// Test structure
$files = $result['body']['files'];
if (!empty($files)) {
$this->test('Files have name property', isset($files[0]['name']));
$this->test('Files have path property', isset($files[0]['path']));
$this->test('Files have type property', isset($files[0]['type']));
}
} else {
echo " ⚠ No scores available for file tests\n";
}
}
// ============ SECURITY TESTS ============
public function testSecurityHeaders() {
$this->section("Security - HTTP Headers");
global $last_response_headers;
$result = $this->request('GET', 'scores', null, false);
$headers = $last_response_headers ?? [];
$hasXContentType = false;
$hasXFrameOptions = false;
$hasXXSS = false;
$hasHSTS = false;
foreach ($headers as $header) {
if (stripos($header, 'X-Content-Type-Options:') !== false) $hasXContentType = true;
if (stripos($header, 'X-Frame-Options:') !== false) $hasXFrameOptions = true;
if (stripos($header, 'X-XSS-Protection:') !== false) $hasXXSS = true;
if (stripos($header, 'Strict-Transport-Security:') !== false) $hasHSTS = true;
}
$this->test('X-Content-Type-Options header present', $hasXContentType);
$this->test('X-Frame-Options header present', $hasXFrameOptions);
$this->test('X-XSS-Protection header present', $hasXXSS);
$this->test('Strict-Transport-Security header present', $hasHSTS);
}
public function testCorsPolicy() {
$this->section("Security - CORS Policy");
// Test avec Origin non autorisé
$url = BASE_URL . '/login';
$context = stream_context_create([
'http' => [
'method' => 'OPTIONS',
'header' => "Origin: https://evil.com\r\nAccess-Control-Request-Method: POST",
'ignore_errors' => true
]
]);
@file_get_contents($url, false, $context);
$headers = $http_response_header ?? [];
$hasWildcard = false;
foreach ($headers as $header) {
if (stripos($header, 'Access-Control-Allow-Origin: *') !== false) {
$hasWildcard = true;
}
}
$this->test('CORS does not allow wildcard (*)', !$hasWildcard);
}
public function testDirectoryTraversal() {
$this->section("Security - Directory Traversal");
// Ensure we have a valid token for these tests
if (!$this->token) {
// Clear rate limiting and login fresh
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
$result = $this->request('POST', 'login', ['username' => 'admin', 'password' => 'password'], false);
if ($result['code'] === 200 && isset($result['body']['token'])) {
$this->token = $result['body']['token'];
}
}
// Clear rate limiting to avoid blocking
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
// Test 1: Download avec path traversal
$result = $this->request('GET', 'download/../../../etc/passwd', null, true);
// Accept 401 (no token), 403 (blocked), or 404 (path not found after sanitization)
$blocked = in_array($result['code'], [401, 403, 404]);
$this->test('Directory traversal blocked (../)', $blocked);
// Clear rate limiting between tests
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
// Test 2: Download avec double encoding
$result = $this->request('GET', 'download/%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd', null, true);
$blocked = in_array($result['code'], [401, 403, 404]);
$this->test('Directory traversal blocked (URL encoded)', $blocked);
// Clear rate limiting between tests
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
// Test 3: Download avec null byte (si PHP < 5.3.4)
$result = $this->request('GET', "download/file.pdf%00.jpg", null, true);
$blocked = in_array($result['code'], [400, 401, 403]);
$this->test('Null byte injection blocked', $blocked);
}
public function testRateLimiting() {
$this->section("Security - Rate Limiting");
// Clear any existing rate limiting before test
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
// Test login brute force
$attempts = 0;
$blocked = false;
for ($i = 0; $i < 10; $i++) {
$result = $this->request('POST', 'login', ['username' => 'admin', 'password' => 'wrong'], false);
if ($result['code'] === 429) {
$blocked = true;
break;
}
$attempts++;
}
$this->test('Rate limiting active (429 after attempts)', $blocked);
$this->test('Rate limit triggered within 10 attempts', $attempts < 10);
// IMPORTANT: Clear rate limiting after this test so subsequent tests aren't blocked
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
}
public function testFileUploadSecurity() {
$this->section("Security - File Upload");
// Completely reset rate limiting
array_map('unlink', glob(sys_get_temp_dir() . '/rate_*'));
// Test directly on an existing score (001 should exist)
// This avoids needing to create a score which might be blocked
$result = $this->request('POST', "admin/scores/001/upload");
// Should return 400 (no file), not 404 (score not found) or 200 (success)
$this->test('Upload rejects empty file', $result['code'] === 400);
}
public function testInjectionAttacks() {
$this->section("Security - Injection Protection");
// Test INI injection (newline in name) on a temporary file directly
$testName = "Test\n[injection]\nmalicious=true";
$sanitizedName = str_replace(["\n", "\r", "\x00"], '', $testName);
// Create a temporary score.ini to test the sanitization
$tempDir = sys_get_temp_dir() . '/test_injection_' . time();
mkdir($tempDir);
$iniContent = "[info]\nname = $sanitizedName\ncompositor = Test\n\n[pieces]\ncount = 1\n";
file_put_contents($tempDir . '/score.ini', $iniContent);
// Verify the injection was prevented by parsing the INI file
// If injection worked, we'd have a section called [injection]
$parsed = parse_ini_file($tempDir . '/score.ini', true);
$hasInjectionSection = isset($parsed['injection']);
$this->test('INI injection prevented', !$hasInjectionSection);
// Cleanup
unlink($tempDir . '/score.ini');
rmdir($tempDir);
}
public function testHttpsEnforcement() {
$this->section("Security - HTTPS Enforcement");
// Test que le serveur redirige HTTP vers HTTPS ou refuse
// Note: En local, on vérifie juste le header HSTS
global $last_response_headers;
$result = $this->request('GET', 'scores', null, false);
$headers = $last_response_headers ?? [];
$hasHSTS = false;
foreach ($headers as $header) {
if (stripos($header, 'Strict-Transport-Security:') !== false) {
$hasHSTS = true;
}
}
$this->test('HSTS header present for HTTPS enforcement', $hasHSTS);
}
// ============ SUMMARY ============
public function summary() {
echo "\n=== Summary ===\n";
echo "Passed: {$this->passed}\n";
echo "Failed: {$this->failed}\n";
echo "Total: " . ($this->passed + $this->failed) . "\n";
if ($this->failed > 0) {
echo "\n⚠ Some tests failed!\n";
} else {
echo "\n✓ All tests passed!\n";
}
exit($this->failed > 0 ? 1 : 0);
}
}
// Run tests
$tests = new APITest();
// Auth tests
$tests->testAuthErrors();
$tests->testAuthSuccess();
// Scores tests
$tests->testScoresErrors();
$tests->testScoresSuccess();
// Create score with pieces
$tests->testCreateScoreWithPieces();
// Files tests
$tests->testFilesErrors();
$tests->testFilesSuccess();
// Security tests
$tests->testSecurityHeaders();
$tests->testCorsPolicy();
$tests->testDirectoryTraversal();
$tests->testRateLimiting();
$tests->testFileUploadSecurity();
$tests->testInjectionAttacks();
$tests->testHttpsEnforcement();
// Summary
$tests->summary();