From 40493dfb3aa9c97fddaa630e09373a72b206508e Mon Sep 17 00:00:00 2001 From: El RIDO Date: Sun, 23 Jun 2019 10:38:08 +0200 Subject: [PATCH] simplify logic, adding test cases for all combinations of URLs that are regarded as secure context --- js/privatebin.js | 19 ++++----- js/test/InitialCheck.js | 90 ++++++++++++++++++++++++----------------- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 4 files changed, 63 insertions(+), 50 deletions(-) diff --git a/js/privatebin.js b/js/privatebin.js index 8c9b6092..51ffbee8 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -4545,20 +4545,17 @@ jQuery.PrivateBin = (function($, RawDeflate) { } // filter out actually secure connections over HTTP - if ( - url.hostname.endsWith('.onion') || - url.hostname.endsWith('.i2p') - ) { - return false; + for (const tld of ['.onion', '.i2p']) { + if (url.hostname.endsWith(tld)) { + return false; + } } // whitelist localhost for development - if ( - url.hostname === 'localhost' || - url.hostname === '127.0.0.1' || - url.hostname === '[::1]' - ) { - return false; + for (const hostname of ['localhost', '127.0.0.1', '[::1]']) { + if (url.hostname === hostname) { + return false; + } } // totally INSECURE http protocol! diff --git a/js/test/InitialCheck.js b/js/test/InitialCheck.js index ce46f65b..7931a9ed 100644 --- a/js/test/InitialCheck.js +++ b/js/test/InitialCheck.js 
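Review bot: The two exemption loops in js/privatebin.js return `false` based on `url.hostname` alone, and the comments do not say why a name match is enough to skip the HTTP warning. For `.onion` and `.i2p` the protection comes from the overlay network rather than the page's transport, and a browser that does not treat such an origin as a secure context may still withhold `crypto.subtle`, so I would extend the comment, e.g. `// .onion/.i2p: encrypted by the overlay network, not by HTTP; the browser may still not expose WebCrypto on these origins`. As a style point, each loop reads more directly as one condition, `if (['.onion', '.i2p'].some(tld => url.hostname.endsWith(tld)))` and `if (['localhost', '127.0.0.1', '[::1]'].includes(url.hostname))`, which keeps the exempt lists easy to audit. The enclosing function starts and ends outside the hunk.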
@@ -28,46 +28,62 @@ describe('InitialCheck', function () { return result1 && result2; } ), - {tests: 1}); + {tests: 10}); }); - it('shows error, if no webcrypto is detected', function () { - [true, false].map( - function (secureProtocol) { - const clean = jsdom('', { - 'url': (secureProtocol ? 'https' : 'http' ) + '://[::1]/' - }); - $('body').html( - ''+ - '' - ); - const crypto = window.crypto; - window.crypto = null; - $.PrivateBin.Alert.init(); - assert(!$.PrivateBin.InitialCheck.init()); - assert(secureProtocol === $('#errormessage').hasClass('hidden')); - assert(!$('#oldnotice').hasClass('hidden')); - window.crypto = crypto; - clean(); - } - ); - }); + jsc.property( + 'shows error, if no webcrypto is detected', + 'bool', + jsc.elements(['localhost', '127.0.0.1', '[::1]', '']), + jsc.nearray(common.jscA2zString()), + jsc.elements(['.onion', '.i2p', '']), + function (secureProtocol, localhost, domain, tld) { + const isDomain = localhost === '', + isSecureContext = secureProtocol || !isDomain || tld.length > 0, + clean = jsdom('', { + 'url': (secureProtocol ? 'https' : 'http' ) + '://' + + (isDomain ? domain.join('') + tld : localhost) + '/' + }); + $('body').html( + ''+ + '' + ); + const crypto = window.crypto; + window.crypto = null; + $.PrivateBin.Alert.init(); + const result1 = !$.PrivateBin.InitialCheck.init(), + result2 = isSecureContext === $('#errormessage').hasClass('hidden'), + result3 = !$('#oldnotice').hasClass('hidden'); + window.crypto = crypto; + clean(); + return result1 && result2 && result3; + } + ); - it('shows error, if HTTP only site is detected', function () { - [true, false].map( - function (secureProtocol) { - const clean = jsdom('', { - 'url': (secureProtocol ? 
'https' : 'http' ) + '://[::1]/' - }); - $('body').html( - '' - ); - assert($.PrivateBin.InitialCheck.init()); - assert(secureProtocol === $('#httpnotice').hasClass('hidden')); - clean(); - } - ); - }); + jsc.property( + 'shows error, if HTTP only site is detected', + 'bool', + jsc.elements(['localhost', '127.0.0.1', '[::1]', '']), + jsc.nearray(common.jscA2zString()), + jsc.elements(['.onion', '.i2p', '']), + function (secureProtocol, localhost, domain, tld) { + const isDomain = localhost === '', + isSecureContext = secureProtocol || !isDomain || tld.length > 0, + clean = jsdom('', { + 'url': (secureProtocol ? 'https' : 'http' ) + '://' + + (isDomain ? domain.join('') + tld : localhost) + '/' + }); + $('body').html( + ''+ + '' + ); + $.PrivateBin.Alert.init(); + const result1 = $.PrivateBin.InitialCheck.init(), + result2 = isSecureContext === $('#httpnotice').hasClass('hidden'); + clean(); + return result1 && result2; + } + ); }); }); diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 3e090f50..c428ceb2 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ if ($MARKDOWN): endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index 8c9f1b0c..e535f6f2 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ if ($MARKDOWN): endif; ?> - +
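Review bot: Neither new property in js/test/InitialCheck.js asserts that a host which merely contains an exempt name still gets the warning. The generators only produce an exact exempt name or a dot-free a–z label with an optional exempt suffix (assuming `common.jscA2zString()` yields letters only). Adding a few fixed near-miss hosts (constructed examples: `localhost.example`, `example.onion.test`), with `isSecureContext` expected to follow `secureProtocol` alone, would pin the exact-match and suffix-match semantics against a later regression. Separately, in the webcrypto property `window.crypto` is restored and `clean()` is called only on the normal path. Wrapping everything after `window.crypto = null;` in `try { … } finally { window.crypto = crypto; clean(); }` keeps a throwing `init()` from leaking a null `crypto` into later tests.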