tests: check for valid HTTP/1.x response headers where applicable

defanator · defanator · commit 0bf13559227f · 2021-02-02T16:55:16.000+03:00
diff --git a/tests/modsecurity-config-merge.t b/tests/modsecurity-config-merge.t
@@ -160,7 +160,7 @@ $t->plan(10);
 ###############################################################################
 
 like(http_get_body('/', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "http level defaults, pass");
-like(http_get_body('/', 'VERY BAD BODY'), qr/403 Forbidden/, "http level defaults, block");
+like(http_get_body('/', 'VERY BAD BODY'), qr/^HTTP.*403/, "http level defaults, block");
 
 like(http_get_body('/modsec-disabled', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRuleEngine, pass");
 like(http_get_body('/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "location override for SecRequestBodyAccess, pass");
diff --git a/tests/modsecurity-config.t b/tests/modsecurity-config.t
@@ -95,18 +95,18 @@ $t->plan(9);
 
 
 # Performing requests at root
-like(http_get('/index.html?what=root'), qr/302 Moved Temporarily/, 'redirect 302 - root');
+like(http_get('/index.html?what=root'), qr/^HTTP.*302/, 'redirect 302 - root');
 like(http_get('/index.html?what=subfolder1'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder1 at root');
 like(http_get('/index.html?what=subfolder2'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder2 at root');
 
 # Performing requests at subfolder1
 like(http_get('/subfolder1/index.html?what=root'), qr/should be moved\/blocked before this./, 'nothing - requested root at subfolder 1');
-like(http_get('/subfolder1/index.html?what=subfolder1'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 1');
+like(http_get('/subfolder1/index.html?what=subfolder1'), qr/^HTTP.*302/, 'redirect 302 - subfolder 1');
 like(http_get('/subfolder1/index.html?what=subfolder2'), qr/should be moved\/blocked before this./, 'nothing - requested subfolder2 at subfolder1');
 
 # Performing requests at subfolder2
 like(http_get('/subfolder1/subfolder2/index.html?what=root'), qr/should be moved\/blocked before this./, 'nothing - requested root at subfolder 2');
-like(http_get('/subfolder1/subfolder2/index.html?what=subfolder1'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 2');
-like(http_get('/subfolder1/subfolder2/index.html?what=subfolder2'), qr/302 Moved Temporarily/, 'redirect 302 - subfolder 2');
+like(http_get('/subfolder1/subfolder2/index.html?what=subfolder1'), qr/^HTTP.*302/, 'redirect 302 - subfolder 2');
+like(http_get('/subfolder1/subfolder2/index.html?what=subfolder2'), qr/^HTTP.*302/, 'redirect 302 - subfolder 2');
 
 
diff --git a/tests/modsecurity-proxy.t b/tests/modsecurity-proxy.t
@@ -114,27 +114,27 @@ unlike(http_head('/'), qr/SEE-THIS/, 'proxy head request');
 
 
 # Redirect (302)
-like(http_get('/phase1?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 1');
-like(http_get('/phase2?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 2');
-like(http_get('/phase3?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 3');
+like(http_get('/phase1?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 1');
+like(http_get('/phase2?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 2');
+like(http_get('/phase3?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 3');
 is(http_get('/phase4?what=redirect302'), '', 'redirect 302 - phase 4');
 
 # Redirect (301)
-like(http_get('/phase1?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 1');
-like(http_get('/phase2?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 2');
-like(http_get('/phase3?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 3');
+like(http_get('/phase1?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 1');
+like(http_get('/phase2?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 2');
+like(http_get('/phase3?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 3');
 is(http_get('/phase4?what=redirect301'), '', 'redirect 301 - phase 4');
 
 # Block (401)
-like(http_get('/phase1?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 1');
-like(http_get('/phase2?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 2');
-like(http_get('/phase3?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 3');
+like(http_get('/phase1?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 1');
+like(http_get('/phase2?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 2');
+like(http_get('/phase3?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 3');
 is(http_get('/phase4?what=block401'), '', 'block 401 - phase 4');
 
 # Block (403)
-like(http_get('/phase1?what=block403'), qr/403 Forbidden/, 'block 403 - phase 1');
-like(http_get('/phase2?what=block403'), qr/403 Forbidden/, 'block 403 - phase 2');
-like(http_get('/phase3?what=block403'), qr/403 Forbidden/, 'block 403 - phase 3');
+like(http_get('/phase1?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 1');
+like(http_get('/phase2?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 2');
+like(http_get('/phase3?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 3');
 is(http_get('/phase4?what=block403'), '', 'block 403 - phase 4');
 
 # Nothing to detect
diff --git a/tests/modsecurity-request-body.t b/tests/modsecurity-request-body.t
@@ -130,13 +130,13 @@ $t->plan(40);
 
 foreach my $method (('GET', 'POST', 'PUT', 'DELETE')) {
 like(http_req_body($method, '/bodyaccess', 'GOOD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access on, pass");
-like(http_req_body($method, '/bodyaccess', 'VERY BAD BODY'), qr/403 Forbidden/, "$method request body access on, block");
+like(http_req_body($method, '/bodyaccess', 'VERY BAD BODY'), qr/^HTTP.*403/, "$method request body access on, block");
 like(http_req_body($method, '/nobodyaccess', 'VERY BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off, pass");
 like(http_req_body_postargs($method, '/nobodyaccess', 'BAD ARG'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body access off (ARGS_POST), pass");
 like(http_req_body($method, '/bodylimitreject', 'BODY' x 32), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit reject, pass");
-like(http_req_body($method, '/bodylimitreject', 'BODY' x 33), qr/403 Forbidden/, "$method request body limit reject, block");
+like(http_req_body($method, '/bodylimitreject', 'BODY' x 33), qr/^HTTP.*403/, "$method request body limit reject, block");
 like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 32 . 'BAD BODY'), qr/TEST-OK-IF-YOU-SEE-THIS/, "$method request body limit process partial, pass");
-like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 30 . 'BAD BODY' x 32), qr/403 Forbidden/, "$method request body limit process partial, block");
+like(http_req_body($method, '/bodylimitprocesspartial', 'BODY' x 30 . 'BAD BODY' x 32), qr/^HTTP.*403/, "$method request body limit process partial, block");
 }
 
 like(http_req_body('POST', '/useauth', 'BODY' x 16), qr/TEST-OK-IF-YOU-SEE-THIS/, "POST with auth_request (request size < client_header_buffer_size)");
@@ -167,7 +167,7 @@ like(
 );
 
 foreach my $method (('GET', 'POST', 'PUT', 'DELETE')) {
-like(http_req_body($method, '/bodylimitrejectserver', 'BODY' x 33), qr/403 Forbidden/, "$method request body limit reject, block (inherited SecRequestBodyLimit)");
+like(http_req_body($method, '/bodylimitrejectserver', 'BODY' x 33), qr/^HTTP.*403/, "$method request body limit reject, block (inherited SecRequestBodyLimit)");
 }
 
 ###############################################################################
diff --git a/tests/modsecurity-response-body.t b/tests/modsecurity-response-body.t
@@ -64,6 +64,6 @@ $t->plan(1);
 TODO: {
 local $TODO = 'not yet';
 
-like(http_get('/body1'), qr/403 Forbidden/, 'response body (block)');
+like(http_get('/body1'), qr/^HTTP.*403/, 'response body (block)');
 }
 
diff --git a/tests/modsecurity-scoring.t b/tests/modsecurity-scoring.t
@@ -71,9 +71,9 @@ $t->plan(5);
 ###############################################################################
 
 like(http_get('/absolute?what=badarg1'), qr/should be moved\/blocked before this./, 'absolute scoring 1 (pass)');
-like(http_get('/absolute?what=badarg2'), qr/403 Forbidden/, 'absolute scoring 2 (block)');
+like(http_get('/absolute?what=badarg2'), qr/^HTTP.*403/, 'absolute scoring 2 (block)');
 
 like(http_get('/iterative?arg1=badarg1'), qr/should be moved\/blocked before this./, 'iterative scoring 1 (pass)');
 like(http_get('/iterative?arg1=badarg1&arg2=badarg2'), qr/should be moved\/blocked before this./, 'iterative scoring 2 (pass)');
-like(http_get('/iterative?arg1=badarg1&arg2=badarg2&arg3=badarg3'), qr/403 Forbidden/, 'iterative scoring 3 (block)');
+like(http_get('/iterative?arg1=badarg1&arg2=badarg2&arg3=badarg3'), qr/^HTTP.*403/, 'iterative scoring 3 (block)');
 
diff --git a/tests/modsecurity.t b/tests/modsecurity.t
@@ -121,27 +121,27 @@ $t->plan(20);
 
 
 # Redirect (302)
-like(http_get('/phase1?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 1');
-like(http_get('/phase2?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 2');
-like(http_get('/phase3?what=redirect302'), qr/302 Moved Temporarily/, 'redirect 302 - phase 3');
+like(http_get('/phase1?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 1');
+like(http_get('/phase2?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 2');
+like(http_get('/phase3?what=redirect302'), qr/^HTTP.*302/, 'redirect 302 - phase 3');
 is(http_get('/phase4?what=redirect302'), '', 'redirect 302 - phase 4');
 
 # Redirect (301)
-like(http_get('/phase1?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 1');
-like(http_get('/phase2?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 2');
-like(http_get('/phase3?what=redirect301'), qr/301 Moved Permanently/, 'redirect 301 - phase 3');
+like(http_get('/phase1?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 1');
+like(http_get('/phase2?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 2');
+like(http_get('/phase3?what=redirect301'), qr/^HTTP.*301/, 'redirect 301 - phase 3');
 is(http_get('/phase4?what=redirect301'), '', 'redirect 301 - phase 4');
 
 # Block (401)
-like(http_get('/phase1?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 1');
-like(http_get('/phase2?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 2');
-like(http_get('/phase3?what=block401'), qr/401 Unauthorized/, 'block 401 - phase 3');
+like(http_get('/phase1?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 1');
+like(http_get('/phase2?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 2');
+like(http_get('/phase3?what=block401'), qr/^HTTP.*401/, 'block 401 - phase 3');
 is(http_get('/phase4?what=block401'), '', 'block 401 - phase 4');
 
 # Block (403)
-like(http_get('/phase1?what=block403'), qr/403 Forbidden/, 'block 403 - phase 1');
-like(http_get('/phase2?what=block403'), qr/403 Forbidden/, 'block 403 - phase 2');
-like(http_get('/phase3?what=block403'), qr/403 Forbidden/, 'block 403 - phase 3');
+like(http_get('/phase1?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 1');
+like(http_get('/phase2?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 2');
+like(http_get('/phase3?what=block403'), qr/^HTTP.*403/, 'block 403 - phase 3');
 is(http_get('/phase4?what=block403'), '', 'block 403 - phase 4');
 
 # Nothing to detect

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,6 @@ $t->plan(1);`
`64`	`64`	`TODO: {`
`65`	`65`	`local $TODO = 'not yet';`
`66`	`66`
`67`		`-like(http_get('/body1'), qr/403 Forbidden/, 'response body (block)');`
	`67`	`+like(http_get('/body1'), qr/^HTTP.*403/, 'response body (block)');`
`68`	`68`	`}`
`69`	`69`