bepsvpt/secure-headers

nonces not cleared when unit testing

wvdongen opened this issue · 1 comments

When running unit tests, nonces will be automatically created if applicable. However, the nonces are not cleared between tests. If you have many unit tests, this will impact testing performance and resources.

Add the following test (that will fail deliberately) to your application that contains many tests:

// Deliberately failing test: the assertion message prints the full
// Content-Security-Policy header, which shows every nonce accumulated so far.
public function test_security_headers_just_fail()
{
    $headers = $this->get(route('/'))->headers;
    $this->assertStringContainsString("justfail", $headers->get('content-security-policy'));
}

You will see something similar to:

PHPUnit 8.5.1 by Sebastian Bergmann and contributors.
 ...............................................................  63 / 611 ( 10%)
 ............................................................... 126 / 611 ( 20%)
 ............................................................... 189 / 611 ( 30%)
 ............................................................... 252 / 611 ( 41%)
 ...........F................................................... 315 / 611 ( 51%)
 ............................................................... 378 / 611 ( 61%)
 ............................................................... 441 / 611 ( 72%)
 ............................................................... 504 / 611 ( 82%)
 ............................................................... 567 / 611 ( 92%)
 ........................I...................                    611 / 611 (100%)
 Time: 14.39 minutes, Memory: 184.50 MB
 There was 1 failure:
 1) Tests\Feature\SecurityHeadersTest::test_security_headers_just_fail
 Failed asserting that 'base-uri 'self'; object-src 'none'; script-src 'unsafe-inline' 'nonce-NzY1Mjc5M2EwZGNkNzdlYQ==' 'nonce-ZDc4ODcxYTc0MDIyM2I5Nw==' 'nonce-ZTlmZmE4NjA0MWNjNTMwNw==' 'nonce-ZjRkNGFkNGQ5OTk0NjQ0Yw==' 'nonce-NDE2ZDAyYjcwN2ZiMjE5Yg==' 'nonce-MGQzYmRjNzM2NTUxMDQyMg==' 'nonce-ZTllYWU1NTZkN2U5MTE4Mw==' 'nonce-ZWIzNWExMjc5ZDE0NTAzYQ==' 'nonce-MDU3YzA5ZTU0NDJlODI4MQ==' 'nonce-NzMwOGY1MzllNjVkNTA1Mw==' 'nonce-ZTRiYTQyMTEwMmQwNjUxZQ==' 'nonce-YmE0Nzk5MzA2ZTllZTg3NA==' 'nonce-ZGJlNzQ2YTRjMGFlZTM4NQ==' 'nonce-M2I5NDQ4MTU5NTExNDgwMg==' 'nonce-MDA1YzJlNzc4ZDYxMWYxYg==' 'nonce-OTM2ZGVlNTQ4ZGQ5OTk1OQ==' 'nonce-MTEyZjRkMGYxOTFmNzI0ZQ==' 'nonce-ZTFiMmQ5NWI3Mzc1YjU3Yg==' 'nonce-OGZhZTI1MDFiNDAxMDJhMQ==' 'nonce-ZGM0ZTNhMWI2MDU4MTViYw==' 'nonce-MjRjMThlNTNkYzBhMTE1Yw==' 'nonce-ODE0MjMxMDU1YTVkMTlkZg==' 'nonce-NTQ3YjRkMTU5ZDM0OTJiYQ==' 'nonce-ZjE2ZWUyYTNmMjkyY2NlNA==' 'nonce-ZjY3MzhiZGQxODQxODY1Mg==' 'nonce-YWUzZWUxY2NhMmIyNzA4Nw==' 'nonce-MjY0MDAxMzM0ODUyYzJjMw==' 'nonce-NTQzM2MxOWYxMTIzMDJlZQ==' 'nonce-Yjg3MTY1Mzg3NWEwZGVjYg==' 'nonce-YjE5ZmUxZTAyZDA3NTU3YQ==' 'nonce-MTVhMjVkODc3MDQ4YTZiOA==' 'nonce-ZWUxZmY5YTJhM2RmNWNiYw==' 'nonce-MjE3ODYxZDE3NWEzMTdiMA==' 'nonce-Mjc1OGQ1NDExMTJmMzc5ZQ==' 'nonce-OWNjNzM1Zjk4YWNlMDU5ZQ==' 'nonce-N2NlZmFjZDNmMTUxNDVhNw==' 'nonce-N2FhMzgxNTExYmViNDhiNQ==' 'nonce-ZTljYTE5NjY5Y2Q4YWFkZg==' 'nonce-M2UxNDY5M2Y0NzcxZjE5Mg==' 'nonce-OTUyZDY2OGZkYjkxMGRjYQ==' 'nonce-MDIwYmRiY2YzYjA3OTZhMA==' 'nonce-ZTNhOTRkYzFiMTk4YzVlZg==' 'nonce-MDE3MzM1Zjc0OThmMDc4ZQ==' 'nonce-ZGE5YTY3NGNkOTQ3ZWNkYg==' 'nonce-MzNiZjBjYmU2Zjk5ODhkZQ==' 'nonce-N2IxYmRkOTlhYTBkODI0OA==' 'nonce-ODY2MTQ1NTBkZGNjNzljMQ=='

<...SNIP MANY MANY MORE NONCES HERE...>

 /builds/example/example_app/tests/Feature/SecurityHeadersTest.php:16
 FAILURES!
 Tests: 611, Assertions: 3072, Failures: 1, Incomplete: 1.
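The accumulation described above, reproduced as an added example that is not code from the secure-headers package or from the reporter: `NonceRegistry` is a hypothetical stand-in for middleware that keeps generated CSP nonces in a static array for the lifetime of the PHP process, and `simulateRequest()` / `runSuite()` are constructed helpers that play the role of a test suite making one request per test. The script contrasts a suite that never clears the registry with one that clears it after every test.

```php
<?php
declare(strict_types=1);

// Added example, not the secure-headers package's own code. NonceRegistry is a
// hypothetical stand-in for a middleware that stores generated CSP nonces in a
// static array; in a long-running PHP process (a PHPUnit run) that array is
// shared by every test unless something explicitly empties it.
final class NonceRegistry
{
    /** @var string[] */
    private static array $nonces = [];

    // Generate one fresh nonce for an inline script and remember it so the
    // response's Content-Security-Policy header can allow that script.
    public static function nonce(): string
    {
        $nonce = base64_encode(random_bytes(16));
        self::$nonces[] = $nonce;
        return $nonce;
    }

    // Build the script-src directive from every nonce still registered.
    public static function scriptSrc(): string
    {
        $sources = array_map(fn (string $n): string => "'nonce-{$n}'", self::$nonces);
        return "script-src 'self' " . implode(' ', $sources);
    }

    public static function count(): int
    {
        return count(self::$nonces);
    }

    // The missing step in the reported behaviour: forget all nonces so the
    // next request (or the next test) starts from an empty list.
    public static function clear(): void
    {
        self::$nonces = [];
    }
}

// Constructed stand-in for one HTTP request whose view renders two inline
// scripts, each asking for its own nonce.
function simulateRequest(): string
{
    NonceRegistry::nonce();
    NonceRegistry::nonce();
    return NonceRegistry::scriptSrc();
}

// Run $n "tests", each performing one request. When $clearBetweenTests is
// true the registry is emptied after each test, as a tearDown() hook would.
// Returns the length of the script-src directive observed by each test.
function runSuite(int $n, bool $clearBetweenTests): array
{
    $headerLengths = [];
    for ($i = 0; $i < $n; $i++) {
        $headerLengths[] = strlen(simulateRequest());
        if ($clearBetweenTests) {
            NonceRegistry::clear();
        }
    }
    return $headerLengths;
}

// Without clearing, the directive grows by two nonces on every test ...
$leaking = runSuite(5, false);
printf("leaking: %s (registry now holds %d nonces)\n",
    implode(', ', $leaking), NonceRegistry::count());

// ... with clearing, every test sees a directive of the same size.
NonceRegistry::clear();
$bounded = runSuite(5, true);
printf("bounded: %s (registry now holds %d nonces)\n",
    implode(', ', $bounded), NonceRegistry::count());
```

In a PHPUnit suite the equivalent of `NonceRegistry::clear()` belongs in the test case's `tearDown(): void` (after `parent::tearDown()`), so that each test's response header reflects only the nonces generated by its own request; a header that still carries nonces from earlier tests is both slower to build and compare, and an unreliable thing to assert on, since a test can match a nonce that was never emitted for the request under test.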

Hi @wvdongen,

Thanks for reporting this bug.