system-test: forbidden filters

test/nginx_system_test.sh

@@ -1027,6 +1027,61 @@ echo http_proxy=$SECONDARY_HOSTNAME $WGET_DUMP $URL
 CSS_OUT=$(http_proxy=$SECONDARY_HOSTNAME $WGET_DUMP $URL)
 check_from "$CSS_OUT" fgrep -q "Cache-Control: max-age=31536000"
 
+# Test ForbidFilters, which is set in the config for the VHost
+# forbidden.example.com, where we've forbidden remove_quotes, remove_comments,
+# collapse_whitespace, rewrite_css, and resize_images; we've also disabled
+# inline_css so the link doesn't get inlined since we test that it still has all
+# its quotes.
+FORBIDDEN_TEST_ROOT=http://forbidden.example.com/mod_pagespeed_test
+function test_forbid_filters() {
+  QUERYP="$1"
+  HEADER="$2"
+  URL="$FORBIDDEN_TEST_ROOT/forbidden.html"
+  OUTFILE="$TEMPDIR/test_forbid_filters.$$"
+  echo http_proxy=$SECONDARY_HOSTNAME $WGET $HEADER $URL$QUERYP
+  http_proxy=$SECONDARY_HOSTNAME $WGET -q -O $OUTFILE $HEADER $URL$QUERYP
+  check egrep -q '<link rel="stylesheet' $OUTFILE
+  check egrep -q '<!--'                  $OUTFILE
+  check egrep -q '    <li>'              $OUTFILE
+  rm -f $OUTFILE
+}
+start_test ForbidFilters baseline check.
+test_forbid_filters "" ""
+start_test ForbidFilters query parameters check.
+QUERYP="?ModPagespeedFilters="
+QUERYP="${QUERYP}+remove_quotes,+remove_comments,+collapse_whitespace"
+test_forbid_filters $QUERYP ""
+start_test "ForbidFilters request headers check."
+HEADER="--header=ModPagespeedFilters:"
+HEADER="${HEADER}+remove_quotes,+remove_comments,+collapse_whitespace"
+test_forbid_filters "" $HEADER
+
+start_test ForbidFilters disallows direct resource rewriting.
+FORBIDDEN_EXAMPLE_ROOT=http://forbidden.example.com/mod_pagespeed_example
+FORBIDDEN_STYLES_ROOT=$FORBIDDEN_EXAMPLE_ROOT/styles
+FORBIDDEN_IMAGES_ROOT=$FORBIDDEN_EXAMPLE_ROOT/images
+# .ce. is allowed
+ALLOWED="$FORBIDDEN_STYLES_ROOT/all_styles.css.pagespeed.ce.n7OstQtwiS.css"
+OUT=$(http_proxy=$SECONDARY_HOSTNAME $WGET -O /dev/null $ALLOWED 2>&1)
+check_from "$OUT" fgrep -q "200 OK"
+# .cf. is forbidden
+FORBIDDEN=$FORBIDDEN_STYLES_ROOT/A.all_styles.css.pagespeed.cf.UH8L-zY4b4.css
+OUT=$(http_proxy=$SECONDARY_HOSTNAME $WGET -O /dev/null $FORBIDDEN 2>&1)
+check_from "$OUT" fgrep -q "404 Not Found"
+# The image will be optimized but NOT resized to the much smaller size,
+# so it will be >200k (optimized) rather than <20k (resized).
+# Use a blocking fetch to force all -allowed- rewriting to be done.
+RESIZED=$FORBIDDEN_IMAGES_ROOT/256x192xPuzzle.jpg.pagespeed.ic.8AB3ykr7Of.jpg
+HEADERS="$OUTDIR/headers.$$"
+http_proxy=$SECONDARY_HOSTNAME $WGET -q --server-response -O /dev/null \
+  --header 'X-PSA-Blocking-Rewrite: psatest' $RESIZED >& $HEADERS
+LENGTH=$(grep '^ *Content-Length:' $HEADERS | sed -e 's/.*://')
+check test -n "$LENGTH"
+check test $LENGTH -gt 200000
+CCONTROL=$(grep '^ *Cache-Control:' $HEADERS | sed -e 's/.*://')
+check_from "$CCONTROL" grep -w max-age=300
+check_from "$CCONTROL" grep -w private
+
 run_post_cache_flush
 
 check_failures_and_exit

test/pagespeed_test.conf.template

@@ -57,6 +57,24 @@ http {
     }
   }
 
+  server {
+    # Sets up a virtual host where we can specify forbidden filters without
+    # affecting any other hosts.
+    listen @@SECONDARY_PORT@@;
+    server_name forbidden.example.com;
+    pagespeed FileCachePath "@@FILE_CACHE@@";
+
+    pagespeed BlockingRewriteKey psatest;
+
+    # Start with all core filters enabled ...
+    pagespeed RewriteLevel CoreFilters;
+    # ... then forbid these filters ...
+    pagespeed ForbidFilters remove_quotes,remove_comments,collapse_whitespace;
+    pagespeed ForbidFilters rewrite_css,resize_images;
+    # ... and disable but not forbid this one (to ensure we retain its URL).
+    pagespeed DisableFilters inline_css;
+  }
+
   server {
     listen 127.0.0.2:@@SECONDARY_PORT@@;
     server_name loopbackfetch.example.com;