diff --git a/.maestro/security_tests/0_all.yaml b/.maestro/security_tests/0_all.yaml
new file mode 100644
index 0000000000..44ad6e7a52
--- /dev/null
+++ b/.maestro/security_tests/0_all.yaml
@@ -0,0 +1,39 @@
+# all.yaml
+
+appId: com.duckduckgo.mobile.ios
+---
+
+# Set up
+- clearState
+- launchApp
+- runFlow:
+ when:
+ visible:
+ text: "Let’s Do It!"
+ index: 0
+ file: ../shared/onboarding.yaml
+
+# Load Site
+- assertVisible:
+ id: "searchEntry"
+- tapOn:
+ id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/"
+- pressKey: Enter
+
+# Manage onboarding
+- runFlow:
+ when:
+ visible:
+ text: "Got It"
+ index: 0
+ file: ../shared/onboarding_browsing.yaml
+
+# Run AddressBarSpoofing tests
+- runFlow: ./1_-_AddressBarSpoof,_basicauth.yaml
+- runFlow: ./2_-_AddressBarSpoof,_aboutblank.yaml
+- runFlow: ./3_-_AddressBarSpoof,_appschemes.yaml
+- runFlow: ./4_-_AddressBarSpoof,_b64_html.yaml
+- runFlow: ./5_-_AddressBarSpoof,_downloadpath.yaml
+- runFlow: ./6_-_AddressBarSpoof,_formaction.yaml
+- runFlow: ./7_-_AddressBarSpoof,_pagerewrite.yaml
\ No newline at end of file
diff --git a/.maestro/security_tests/1_-_AddressBarSpoof,_basicauth.yaml b/.maestro/security_tests/1_-_AddressBarSpoof,_basicauth.yaml
new file mode 100644
index 0000000000..cd2c55bed0
--- /dev/null
+++ b/.maestro/security_tests/1_-_AddressBarSpoof,_basicauth.yaml
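Review bot: The seven sub-flows carry `tags: - securityTest` but this orchestrator does not, so a tag-filtered run (`maestro test --include-tags securityTest`) would execute each sub-flow on its own without the `clearState`/`launchApp`/onboarding setup that only this file provides, and their opening `doubleTapOn: id: "searchEntry"` would run against whatever screen the app happens to be on. If the suite is meant to be entered only through this file, tag it as well (`tags:` / `  - securityTest` after `appId:`) and drop or rename the tag on the sub-flows; I am inferring the intended invocation, so confirm which it is. The whole suite also depends on the live host `privacy-test-pages.site`, and a comment on the `# Load Site` step saying that an unreachable host surfaces as a `tapOn: "run"`/`"Start"` timeout in the first sub-flow would save triage time. The header comment `# all.yaml` no longer matches the file name `0_all.yaml`.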
@@ -0,0 +1,35 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+# Test 1 - using \u2028 character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-2028.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
+- tapOn:
+ id: "searchEntry"
+# Test 2 - using \u2029 character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-2029.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
+- tapOn:
+ id: "searchEntry"
+# Test 3 - using repeated " " space character
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-basicauth-whitespace.html"
+- pressKey: Enter
+- tapOn: "run"
+- assertVisible: "Example Domain"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}
diff --git a/.maestro/security_tests/2_-_AddressBarSpoof,_aboutblank.yaml b/.maestro/security_tests/2_-_AddressBarSpoof,_aboutblank.yaml
new file mode 100644
index 0000000000..c5d7613872
--- /dev/null
+++ b/.maestro/security_tests/2_-_AddressBarSpoof,_aboutblank.yaml
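Review bot: Each address-bar assertion (`assertTrue: ${maestro.copiedText.indexOf("https://www.google.com") != 0}`) only rejects a copied value that begins with that exact string, so a spoof that renders differently — host only (`www.google.com`), the U+2028/U+2029 or whitespace padding shown ahead of a truncated host, a different scheme or casing — still passes. The page that actually loads appears to be example.com (the `Example Domain` heading each test waits for), so a positive check on the real host is stronger, e.g. `- assertTrue: ${maestro.copiedText.indexOf("example.com") != -1 && maestro.copiedText.indexOf("google.com") == -1}`; confirm the real destination against the test page before hard-coding it. Tests 2 and 3 also clear the field with a bare `tapOn` rather than the `doubleTapOn` + `Backspace` used at the top, which presumably relies on the address bar selecting its text on focus; a one-line comment stating that assumption would stop the next editor from "fixing" one of the two forms.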
@@ -0,0 +1,17 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-about-blank-rewrite.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This test is expected to load "about:blank" not spoof the address bar with duckduckgo.com with the spoofed content.
+- extendedWaitUntil:
+ visible: "Not DDG." # Spoofed content is visible
+ timeout: 10000
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"}
\ No newline at end of file
diff --git a/.maestro/security_tests/3_-_AddressBarSpoof,_appschemes.yaml b/.maestro/security_tests/3_-_AddressBarSpoof,_appschemes.yaml
new file mode 100644
index 0000000000..e2031ca3fa
--- /dev/null
+++ b/.maestro/security_tests/3_-_AddressBarSpoof,_appschemes.yaml
@@ -0,0 +1,30 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+# Test 1
+- tapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-application-scheme.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This will try to open another app
+- assertVisible: "Cancel"
+- tapOn: "Cancel"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://duckduckgo.com/"} # Should navigate directly here.
+- assertNotVisible: "Not DDG." # HTML content shouldn't be spoofed.
+- tapOn:
+ id: "searchEntry"
+# Test 2
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-unsupported-scheme.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This will try to open another app
+- assertVisible: "Cancel"
+- tapOn: "Cancel"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-unsupported-scheme.html"}
\ No newline at end of file
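Review bot: The comment above `extendedWaitUntil` reads as two overlapping sentences and does not say what a failing run looks like; I would replace it with `# Expected: the window the page opens keeps "about:blank" in the address bar even though it renders the spoofed "Not DDG." content; a regression would show duckduckgo.com here.`. Waiting for the spoofed content before the one-shot `copyTextFrom` is the right synchronisation and the other flows in this series would benefit from the same pattern. Note that the `"Not DDG."` marker is now part of the contract with the test page: if the payload ever stops rendering it, the flow fails on the 10 s wait rather than on the address bar, which is worth a short comment so the failure is not misread as a spoofing regression.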
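Review bot: In Test 1 the address bar is read with a one-shot `copyTextFrom` immediately after `tapOn: "Cancel"`, while the navigation the assertion expects (`https://duckduckgo.com/`) may still be in flight; `assertTrue` does not retry, so the check is timing-dependent. Waiting for the test page to leave the screen first, `- extendedWaitUntil:` / `    notVisible: "Start"` / `    timeout: 10000`, anchors the read on the navigation having committed. Both tests also depend on iOS raising an open-in-app confirmation that exposes a `Cancel` button, which presumably requires the scheme the page targets to be registered on the device, so a comment naming the prompt expected would help when the flow fails on `assertVisible: "Cancel"` in a different simulator image. This file clears the field with `tapOn` + `Backspace` where the other six flows use `doubleTapOn` + `Backspace`; pick one.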
diff --git a/.maestro/security_tests/4_-_AddressBarSpoof,_b64_html.yaml b/.maestro/security_tests/4_-_AddressBarSpoof,_b64_html.yaml
new file mode 100644
index 0000000000..1ff6c2152a
--- /dev/null
+++ b/.maestro/security_tests/4_-_AddressBarSpoof,_b64_html.yaml
@@ -0,0 +1,15 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+# Test 1
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-open-b64-html.html"
+- pressKey: Enter
+- tapOn: "Start"
+# This test is expected to do nothing: loading base64 encoded HTML content in a new tab is blocked.
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-open-b64-html.html"}
diff --git a/.maestro/security_tests/5_-_AddressBarSpoof,_downloadpath.yaml b/.maestro/security_tests/5_-_AddressBarSpoof,_downloadpath.yaml
new file mode 100644
index 0000000000..2e23f09a77
--- /dev/null
+++ b/.maestro/security_tests/5_-_AddressBarSpoof,_downloadpath.yaml
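Review bot: The expected outcome is "nothing happens", but the address bar is sampled with a one-shot `copyTextFrom` immediately after `tapOn: "Start"`, so the assertion can pass before the page has had any chance to open the base64 document — a blocked navigation and one that simply has not fired yet look identical here. Give the payload time and then confirm the test page is still in front, e.g. `- waitForAnimationToEnd` followed by `- assertVisible: "Start"` before the copy; if the page renders a marker on success (the sibling flows use `"Not DDG."`), an `assertNotVisible` on it would be stronger still — confirm against the test page. The comment should also spell out what "blocked" means for the browser (no new tab opened, address bar unchanged) so a reader can check the assertion against it.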
@@ -0,0 +1,39 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+# Test 1
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
+- tapOn: "Start"
+# Download Acceptance Flow:
+- extendedWaitUntil:
+ visible: "Save to Downloads"
+ timeout: 10000
+- tapOn: "Save to Downloads"
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"} # Downloads should occur in empty origin.
+# Restart
+- tapOn:
+ id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
+# Download Cancel Flow:
+- tapOn: "Start"
+- extendedWaitUntil:
+ visible: "Cancel"
+ timeout: 10000
+- tapOn: "Cancel"
+# Should be on about:blank
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "about:blank"}
+# Return to last test page
+- tapOn:
+ id: "searchEntry"
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-download-url.html"
+- pressKey: Enter
diff --git a/.maestro/security_tests/6_-_AddressBarSpoof,_formaction.yaml b/.maestro/security_tests/6_-_AddressBarSpoof,_formaction.yaml
new file mode 100644
index 0000000000..d12b1cb173
--- /dev/null
+++ b/.maestro/security_tests/6_-_AddressBarSpoof,_formaction.yaml
@@ -0,0 +1,16 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+# Test 1
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-form-action.html"
+- pressKey: Enter
+- tapOn: "run"
+# Should navigate to duckduckgo.com without any spoofed HTML document content.
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://duckduckgo.com/"}
+- assertNotVisible: "Not DDG."
\ No newline at end of file
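Review bot: In the cancel flow, `extendedWaitUntil: visible: "Cancel"` and `tapOn: "Cancel"` match any element whose text is `Cancel`; I cannot tell from the hunk whether the download sheet is the only such element at that moment, and if the address bar's editing state also exposes one the tap dismisses the wrong control and the following `about:blank` assertion passes for the wrong reason. Prefer an `id:` selector for the sheet's cancel button if the app exposes one, or at least comment which control is meant. The trailing `# Return to last test page` steps reload the spoof page with no assertion after them, and every other flow begins by clearing `searchEntry`, so this is unneeded network-dependent work — drop it or note why it is there. The `# Downloads should occur in empty origin.` comment states the actual invariant under test and belongs at the top of the file next to the URL, where both flows can refer to it.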
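Review bot: The address bar is read with a one-shot `copyTextFrom` immediately after `tapOn: "run"`, but the form submission being verified has to navigate to `https://duckduckgo.com/` first; `assertTrue` does not retry, so the check fails whenever that navigation is slower than the tap. Wait for the test page to leave the screen before reading: `- extendedWaitUntil:` / `    notVisible: "run"` / `    timeout: 10000`. The `assertNotVisible: "Not DDG."` that follows does retry on its own, so the address read is the only step that needs the explicit wait.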
diff --git a/.maestro/security_tests/7_-_AddressBarSpoof,_pagerewrite.yaml b/.maestro/security_tests/7_-_AddressBarSpoof,_pagerewrite.yaml
new file mode 100644
index 0000000000..fe01f061c3
--- /dev/null
+++ b/.maestro/security_tests/7_-_AddressBarSpoof,_pagerewrite.yaml
@@ -0,0 +1,16 @@
+appId: com.duckduckgo.mobile.ios
+tags:
+ - securityTest
+---
+# Test 1
+- doubleTapOn:
+ id: "searchEntry"
+- pressKey: Backspace
+- inputText: "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-page-rewrite.html"
+- pressKey: Enter
+- tapOn: "Start"
+# Now check the address bar hasn't been updated too early resulting in spoofed content
+- copyTextFrom:
+ id: "searchEntry"
+- assertTrue: ${maestro.copiedText == "https://privacy-test-pages.site/security/address-bar-spoofing/spoof-js-page-rewrite.html"}
+- assertNotVisible: "DDG."
\ No newline at end of file
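Review bot: The comment says the bug being guarded is the address bar updating "too early", i.e. a window during a navigation, but the flow takes a single `copyTextFrom` snapshot immediately after `tapOn: "Start"` and never reads again; a single immediate read cannot observe a window and passes before the payload has run at all. Read at least twice — once after waiting for whatever the payload renders (an `extendedWaitUntil` on its marker, as `2_-_AddressBarSpoof,_aboutblank.yaml` does) and once after `waitForAnimationToEnd` — asserting the URL each time. The marker here is `"DDG."` while every other flow uses `"Not DDG."`; if that is a typo the `assertNotVisible` checks the wrong string, and if it is intentional a comment should say what text the rewritten page shows. I am inferring the payload's behaviour from the comment; confirm against the test page before changing the waits.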