Added mod_rewrite for nginx module
This commit is contained in:
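--- a/cms/joomla/test-joomla-rewriterules.sh
+++ b/cms/joomla/test-joomla-rewriterules.sh
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# ============================================
+# Joomla .htaccess Rules Test Script
+# ============================================
+# This script tests each rule from cms/joomla/.htaccess
+# Assumption: Site root is mapped to /home/alexey/projects/workspace-zed/test1/cms/joomla
+# Domain: test.my.brp
+# ============================================
+
+BASE_URL="http://test.my.brp"
+
+echo "=============================================="
+echo "Joomla .htaccess Rules Test Suite"
+echo "=============================================="
+echo ""
+
+# Function to test a rule and report result (status only)
+test_rule() {
+local description="$1"
+local url="$2"
+local expected_status="$3" # e.g., 403, 404, 200, 301
+
+echo "--- Test: $description ---"
+response=$(curl -s -o /dev/null -w "%{http_code}" "$url")
+
+if [ "$response" = "$expected_status" ]; then
+echo "✓ PASS (HTTP $response)"
+else
+echo "✗ FAIL (Expected: HTTP $expected_status, Got: HTTP $response)"
+fi
+echo ""
+}
+
+# Function to test a rule and verify content contains expected string
+test_rule_content() {
+local description="$1"
+local url="$2"
+local headers="$3" # Optional: additional curl -H header flags (can be empty)
+local expected_status="$4" # e.g., 403, 404, 200, 301
+local expected_content="$5" # Expected substring in response body
+
+echo "--- Test: $description ---"
+
+if [ -n "$headers" ]; then
+response=$(curl -s -H "$headers" "$url")
+http_code=$(curl -s -H "$headers" -o /dev/null -w "%{http_code}" "$url")
+else
+response=$(curl -s "$url")
+http_code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
+fi
+
+# Check status code
+if [ "$http_code" != "$expected_status" ]; then
+echo "✗ FAIL (Status: HTTP $http_code, Expected: HTTP $expected_status)"
+return 1
+fi
+
+# Check content contains expected substring
+if [[ "$response" == *"$expected_content"* ]]; then
+echo "✓ PASS (HTTP $http_code, Content matches '$expected_content')"
+else
+echo "✗ FAIL (Content missing: '$expected_content') - Response:"
+echo "$response" | head -5
+fi
+echo ""
+}
+
+echo "=============================================="
+echo "1. Base64 Encoded Payload Detection Rule"
+echo "=============================================="
+# Test base64_encode pattern detection in query string
+test_rule "Base64 encoded payload blocked (base64_encode function call)" \
+"$BASE_URL/base64-test.php?data=base64_encode(secret_password)" \
+"403"
+
+echo ""
+echo "=============================================="
+echo "2. Script Injection Pattern Detection Rule"
+echo "============================================}"
+# Test script injection pattern detection in query string (HTML entities)
+test_rule "Script injection blocked (script tag encoded)" \
+"$BASE_URL/script-test.php?q=%3Cscript%3Ealert(1)%3E" \
+"403"
+
+echo ""
+echo "=============================================="
+echo "3. GLOBALS Exploitation Detection Rule"
+echo "============================================}"
+# Test GLOBALS exploitation pattern detection in query string
+test_rule "GLOBALS exploitation blocked (GLOBALS[secret] pattern)" \
+"$BASE_URL/globals-test.php?GLOBALS%5Buser%5D=admin" \
+"403"
+
+echo ""
+echo "=============================================="
+echo "4. _REQUEST Manipulation Detection Rule"
+echo "============================================}"
+# Test _REQUEST manipulation pattern detection in query string
+test_rule "_REQUEST manipulation blocked (_REQUEST[config] pattern)" \
+"$BASE_URL/request-test.php?_REQUEST%5Badmin%5D=true" \
+"403"
+
+echo ""
+echo "=============================================="
+echo "5. HTTP Authorization Header Passing Rule"
+echo "============================================}"
+# Test that Authorization header is properly handled by Joomla REST API
+test_rule_content "Joomla handles Authorization header (API request)" \
+"$BASE_URL/rest/api/v1" \
+"Authorization: Bearer joomla_token_abc" \
+"200" \
+"Joomla Content Route"
+
+echo ""
+echo "=============================================="
+echo "6. Joomla API Routing Rule (/api/)"
+echo "============================================}"
+# Test /api/index.php routing - should route to api/index.php (!-f, !-d pass for non-existing files)
+test_rule_content "API index.php routing (routes to /api/index.php)" \
+"$BASE_URL/api/" \
+"Authorization: secret_token_123" \
+"200" \
+"\"status\": \"success\""
+
+# Additional test: verify token verification in response
+test_rule_content "Direct /api/index.php file access" \
+"$BASE_URL/api/index.php" \
+"" \
+"401" \
+"\"message\": \"unauth\""
+
+echo ""
+echo "=============================================="
+echo "7. Main Joomla Routing Rule (/index.php exclusion)"
+echo "============================================}"
+# Test that /api/index.php is NOT routed to main index.php (!^/api/index\.php passes)
+test_rule_content "/api/index.php excluded from main routing (direct file access)" \
+"$BASE_URL/api/index.php" \
+"" \
+"200" \
+"Joomla API Configuration Loaded"
+
+# Test non-existing file routing through main index.php (!-f AND !-d pass)
+test_rule_content "Non-existing page routing (routes to /index.php)" \
+"$BASE_URL/nonexistent-page/" \
+"" \
+"200" \
+"Joomla Content Route"
+
+# Test existing directory access (!-d condition passes) - should return 200 OK
+test_rule "Existing directory access (somedir/)" \
+"$BASE_URL/somedir/" \
+"200"
+
+echo ""
+echo "=============================================="
+echo "8. Joomla index.php reditercting"
+echo "============================================}"
+# Test that /api/index.php is NOT routed to main index.php (!^/api/index\.php passes)
+test_rule_content "/index.php/component/config?view=modules accessing" \
+"$BASE_URL/index.php/component/config?view=modules" \
+"" \
+"200" \
+"Joomla Content Route"
+
+echo ""
+echo "=============================================="
+echo "Test Suite Complete"
+echo "=============================================="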
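Review bot: The two unauthenticated requests to `$BASE_URL/api/index.php` (the "Direct /api/index.php file access" check under section 6 and the "/api/index.php excluded from main routing" check under section 7) expect HTTP 401 and HTTP 200 respectively for the same URL with no headers, so at most one of them can ever pass. This is masked because nothing consumes `test_rule_content`'s `return 1`, `test_rule` reports nothing to its caller, and the script ends with `echo`, so it exits 0 even when every check prints FAIL — a CI job wrapping this would never see a regression in the rewrite rules. `test_rule_content` also sends each request twice (once for the body, once for `%{http_code}`), so the status and body it compares can come from two different responses; one `curl -w $'\n%{http_code}'` call gives both, and `response`/`http_code` should be `local` rather than leaking as globals. Which of the two expectations is intended depends on the nginx configuration this commit describes and needs confirming; the single-fetch helper and a failure counter driving the exit status are sketched below.
```shell
fail_count=0

test_rule_content() {
  # … unchanged: local description/url/headers/expected_status/expected_content …
  local curl_args=(-s -w $'\n%{http_code}')
  if [ -n "$headers" ]; then
    curl_args+=(-H "$headers")
  fi
  local raw http_code response
  raw=$(curl "${curl_args[@]}" "$url")
  http_code=${raw##*$'\n'}   # last line is the status code appended by -w
  response=${raw%$'\n'*}     # everything before it is the body
  # … unchanged: status and content checks, with fail_count=$((fail_count + 1)) in each FAIL branch …
}

# … unchanged: test sections 1-8 …
[ "$fail_count" -eq 0 ] || exit 1
```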