brepo/ngx_http_apache_rewrite_module
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
0d2c6277e103a87da5462ba8ec07abab80bc0da3
ngx_http_apache_rewrite_module/cms/joomla/test-joomla-rewriterules.sh
alexey 0d2c6277e1 Added mod_rewrite for nginx module
2026-03-23 01:15:59 +03:00

171 lines
6.0 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# ============================================
# Joomla .htaccess Rules Test Script
# ============================================
# This script tests each rule from cms/joomla/.htaccess
# Assumption: Site root is mapped to /home/alexey/projects/workspace-zed/test1/cms/joomla
# Domain: test.my.brp
# ============================================
BASE_URL="http://test.my.brp"
echo "=============================================="
echo "Joomla .htaccess Rules Test Suite"
echo "=============================================="
echo ""
# Function to test a rule and report result (status only)
test_rule() {
local description="$1"
local url="$2"
local expected_status="$3" # e.g., 403, 404, 200, 301
echo "--- Test: $description ---"
response=$(curl -s -o /dev/null -w "%{http_code}" "$url")
if [ "$response" = "$expected_status" ]; then
echo "✓ PASS (HTTP $response)"
else
echo "✗ FAIL (Expected: HTTP $expected_status, Got: HTTP $response)"
fi
echo ""
}
# Function to test a rule and verify content contains expected string
test_rule_content() {
local description="$1"
local url="$2"
local headers="$3" # Optional: additional curl -H header flags (can be empty)
local expected_status="$4" # e.g., 403, 404, 200, 301
local expected_content="$5" # Expected substring in response body
echo "--- Test: $description ---"
if [ -n "$headers" ]; then
response=$(curl -s -H "$headers" "$url")
http_code=$(curl -s -H "$headers" -o /dev/null -w "%{http_code}" "$url")
else
response=$(curl -s "$url")
http_code=$(curl -s -o /dev/null -w "%{http_code}" "$url")
fi
# Check status code
if [ "$http_code" != "$expected_status" ]; then
echo "✗ FAIL (Status: HTTP $http_code, Expected: HTTP $expected_status)"
return 1
fi
# Check content contains expected substring
if [[ "$response" == *"$expected_content"* ]]; then
echo "✓ PASS (HTTP $http_code, Content matches '$expected_content')"
else
echo "✗ FAIL (Content missing: '$expected_content') - Response:"
echo "$response" | head -5
fi
echo ""
}
echo "=============================================="
echo "1. Base64 Encoded Payload Detection Rule"
echo "=============================================="
# Test base64_encode pattern detection in query string
test_rule "Base64 encoded payload blocked (base64_encode function call)" \
"$BASE_URL/base64-test.php?data=base64_encode(secret_password)" \
"403"
echo ""
echo "=============================================="
echo "2. Script Injection Pattern Detection Rule"
echo "============================================}"
# Test script injection pattern detection in query string (HTML entities)
test_rule "Script injection blocked (script tag encoded)" \
"$BASE_URL/script-test.php?q=%3Cscript%3Ealert(1)%3E" \
"403"
echo ""
echo "=============================================="
echo "3. GLOBALS Exploitation Detection Rule"
echo "============================================}"
# Test GLOBALS exploitation pattern detection in query string
test_rule "GLOBALS exploitation blocked (GLOBALS[secret] pattern)" \
"$BASE_URL/globals-test.php?GLOBALS%5Buser%5D=admin" \
"403"
echo ""
echo "=============================================="
echo "4. _REQUEST Manipulation Detection Rule"
echo "============================================}"
# Test _REQUEST manipulation pattern detection in query string
test_rule "_REQUEST manipulation blocked (_REQUEST[config] pattern)" \
"$BASE_URL/request-test.php?_REQUEST%5Badmin%5D=true" \
"403"
echo ""
echo "=============================================="
echo "5. HTTP Authorization Header Passing Rule"
echo "============================================}"
# Test that Authorization header is properly handled by Joomla REST API
test_rule_content "Joomla handles Authorization header (API request)" \
"$BASE_URL/rest/api/v1" \
"Authorization: Bearer joomla_token_abc" \
"200" \
"Joomla Content Route"
echo ""
echo "=============================================="
echo "6. Joomla API Routing Rule (/api/)"
echo "============================================}"
# Test /api/index.php routing - should route to api/index.php (!-f, !-d pass for non-existing files)
test_rule_content "API index.php routing (routes to /api/index.php)" \
"$BASE_URL/api/" \
"Authorization: secret_token_123" \
"200" \
"\"status\": \"success\""
# Additional test: verify token verification in response
test_rule_content "Direct /api/index.php file access" \
"$BASE_URL/api/index.php" \
"" \
"401" \
"\"message\": \"unauth\""
echo ""
echo "=============================================="
echo "7. Main Joomla Routing Rule (/index.php exclusion)"
echo "============================================}"
# Test that /api/index.php is NOT routed to main index.php (!^/api/index\.php passes)
test_rule_content "/api/index.php excluded from main routing (direct file access)" \
"$BASE_URL/api/index.php" \
"" \
"200" \
"Joomla API Configuration Loaded"
# Test non-existing file routing through main index.php (!-f AND !-d pass)
test_rule_content "Non-existing page routing (routes to /index.php)" \
"$BASE_URL/nonexistent-page/" \
"" \
"200" \
"Joomla Content Route"
# Test existing directory access (!-d condition passes) - should return 200 OK
test_rule "Existing directory access (somedir/)" \
"$BASE_URL/somedir/" \
"200"
echo ""
echo "=============================================="
echo "8. Joomla index.php reditercting"
echo "============================================}"
# Test that /api/index.php is NOT routed to main index.php (!^/api/index\.php passes)
test_rule_content "/index.php/component/config?view=modules accessing" \
"$BASE_URL/index.php/component/config?view=modules" \
"" \
"200" \
"Joomla Content Route"
echo ""
echo "=============================================="
echo "Test Suite Complete"
echo "=============================================="
Reference in New Issue View Git Blame Copy Permalink