def testDirective_generateDirective_incompatibleType(self):
violatedWrongInlineType = Directive("object-src", [])
violatedWrongEvalType = Directive("style-src", [])
assert violatedWrongInlineType.generateDirective(
"inline", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedWrongEvalType.generateDirective(
"eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirectiveParser_parse_empty(self):
assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID()
assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID()
assert DirectiveParser(
strict=True).parse("img-src ") == Directive.INVALID()
assert DirectiveParser(
strict=False).parse("img-src ") == Directive.INVALID()
def testDirective_eq(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("https", "seclab.nu", 443, "/")
directive1a = Directive("object-src", [srcExpr1, srcExpr2])
directive1b = Directive("object-src", [srcExpr2, srcExpr1])
directive2 = Directive("frame-src", [srcExpr1, srcExpr2])
directive3 = Directive("object-src", [srcExpr2])
directive4a = Directive("script-src",
(SourceExpression.UNSAFE_INLINE(), ))
directive4b = Directive("script-src",
(SourceExpression("unsafe-inline"), ))
assert directive1a == directive1b
assert hash(directive1a) == hash(directive1b)
assert directive1a != directive2
assert directive1a != directive3
assert directive2 != directive3
assert directive4a == directive4b
assert hash(directive4a) == hash(directive4b)
assert Directive.INVALID() == Directive.INVALID()
assert Directive.INVALID() not in (directive1a, directive1b,
directive2, directive3)
assert Directive.INLINE_STYLE_BASE_RESTRICTION() not in (directive1a,
directive1b,
directive2,
directive3)
def testDirective_generateDirective_incompatibleURI(self):
violatedRegular = Directive("object-src", [])
violatedInline = Directive("style-src", [])
violatedEval = Directive("script-src", [])
assert violatedRegular.generateDirective(
"regular", URI.EMPTY()) == Directive.INVALID()
assert violatedRegular.generateDirective(
"regular", URI.INVALID()) == Directive.INVALID()
#assert violatedInline.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedInline.generateDirective(
"inline", URI.INVALID()) == Directive.INVALID()
#assert violatedEval.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedEval.generateDirective(
"eval", URI.INVALID()) == Directive.INVALID()
def testPolicy_init_removeNotRegularDirective(self):
pol = Policy([
PolicyTest.sampleDirective1a,
Directive.INVALID(),
Directive.EVAL_SCRIPT_BASE_RESTRICTION()
])
expected = Policy([PolicyTest.sampleDirective1a])
assert pol == expected
def testDirective_isRegularDirective(self):
assert Directive.INVALID().isRegularDirective() == False
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive.INLINE_STYLE_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive("default-src", []).isRegularDirective() == True
def testDirective_withoutPaths(self):
withPaths = Directive(
"script-src",
[DirectiveTest.sampleSrcExpr2,
SelfSourceExpression.SELF()])
withoutPaths = Directive("script-src", [
DirectiveTest.sampleSrcExpr2.removePath(),
SelfSourceExpression.SELF()
])
assert withPaths.withoutPaths() == withoutPaths
assert withoutPaths.withoutPaths() == withoutPaths
assert Directive.INVALID().withoutPaths() == Directive.INVALID()
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().withoutPaths(
) == Directive.EVAL_SCRIPT_BASE_RESTRICTION()
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().withoutPaths(
) == Directive.INLINE_SCRIPT_BASE_RESTRICTION()
assert Directive.INLINE_STYLE_BASE_RESTRICTION().withoutPaths(
) == Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirective_asBasicDirectives_single(self):
assert Directive.INVALID().asBasicDirectives() == set([])
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives(
) == set([])
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives(
) == set([])
assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives(
) == set([])
sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b])
assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_isBasicDirective(self):
assert Directive.INVALID().isBasicDirective() == False
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isBasicDirective(
) == False
assert Directive("default-src", ()).isBasicDirective() == True
assert Directive(
"script-src",
[DirectiveTest.sampleSrcExpr2]).isBasicDirective() == True
assert Directive(
"object-src",
[DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3
]).isBasicDirective() == False
def testDirective_matches_special(self):
"""An invalid/special directive matches nothing."""
selfURI = DirectiveTest.sampleURI2
assert not Directive.INVALID().matches(URI.EMPTY(), selfURI)
assert not Directive.INVALID().matches(URI.INVALID(), selfURI)
assert not Directive.INVALID().matches(URI.INLINE(), selfURI)
assert not Directive.INVALID().matches(URI.EVAL(), selfURI)
assert not Directive.INVALID().matches(DirectiveTest.sampleURI1,
selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
def testDirectiveParser_parse_inline(self):
"""'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'"""
scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/"""
styleSrcWithInline = """style-src 'unsafe-inline' http://other"""
styleSrcWithInlineOnly = """style-src 'unsafe-inline'"""
defaultSrcWithInlineOnly = """default-src 'unsafe-inline'"""
invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'"""
invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'"""
assert str(DirectiveParser().parse(
scriptSrcWithInline)) == scriptSrcWithInline
assert str(
DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline
assert str(DirectiveParser().parse(
styleSrcWithInlineOnly)) == styleSrcWithInlineOnly
assert str(DirectiveParser().parse(
defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \
== "object-src 'self'"
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \
== "object-src 'none'"
def testDirective_combine_notRegularURI(self):
direct = Directive("style-src", [SelfSourceExpression.SELF()])
assert direct.combinedDirective(
Directive.INVALID()) == Directive.INVALID()
assert Directive.INVALID().combinedDirective(
direct) == Directive.INVALID()
assert direct.combinedDirective(
Directive.EVAL_SCRIPT_BASE_RESTRICTION()) == Directive.INVALID()
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().combinedDirective(
direct) == Directive.INVALID()
def testDirectiveParser_parse_eval(self):
"""'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'"""
scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'"""
scriptSrcWithEvalOnly = """script-src 'unsafe-eval'"""
defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'"""
invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'"""
assert str(
DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval
assert str(DirectiveParser().parse(
scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly
assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \
== defaultSrcWithInlineAndEvalOnly
assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \
== "img-src http://example/path"
def testDirective_generateDirective_invalidDirective(self):
assert Directive.INVALID().generateDirective(
"eval", URI.EMPTY()) == Directive.INVALID()
def testDirectiveParser_parse_invalidSourceExpression_strict(self):
"""In strict mode, only valid source expressions may be used."""
invalidDirective = """img-src http://url 'blah'"""
assert DirectiveParser(strict=True).parse(invalidDirective) \
== Directive.INVALID()
def testDirectiveParser_parse_none_syntaxerror_strict(self):
"""If 'none' appears in a directive parsed strictly, no other values are permitted."""
noneDirectiveInvalid = """default-src http://one 'None' http://two"""
assert DirectiveParser(strict=True).parse(noneDirectiveInvalid) \
== Directive.INVALID()
def testDirectiveParser_parse_ignore(self):
"""Report URIs are not supported in CSP Directives."""
ignoredDirective = "report-uri http://localhost/saveme.exe"
assert DirectiveParser().parse(ignoredDirective) is Directive.INVALID()
def testDirectiveParser_parse_invalid(self):
invalidDirective = "blah"
assert DirectiveParser().parse(invalidDirective) is Directive.INVALID()
def testDirective_generateDirective_defaultSrcNotAllowed(self):
violated = Directive("default-src", [])
assert violated.generateDirective(
"regular", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_generateDirective_invalidType(self):
violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a])
assert violated.generateDirective("evaluate",
URI.EMPTY()) == Directive.INVALID()
def testDirective_str_invalid(self):
assert str(Directive.INVALID()) == "[invalid]"
def testDirective_combine_differentType(self):
direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a])
direct2 = Directive("script-src", [DirectiveTest.sampleSrcExpr2])
assert direct1.combinedDirective(direct2) == Directive.INVALID()
assert direct2.combinedDirective(direct1) == Directive.INVALID()