 def test_allowed_hosts_str(self):
     """A bare string for ``allowed_hosts`` is treated as a single host.

     The exact host is accepted; a near-miss host (``good.co`` versus the
     allowed ``good.com``) must be rejected, since a prefix match would let an
     attacker-controlled look-alike domain pass as a redirect target.
     """
     allowed = 'good.com'
     # Exact host match -> safe.
     self.assertIs(is_safe_url('http://good.com/good', allowed_hosts=allowed), True)
     # Truncated host -> unsafe.
     self.assertIs(is_safe_url('http://good.co/evil', allowed_hosts=allowed), False)
 def test_no_allowed_hosts(self):
     """With ``allowed_hosts=None`` only host-less (relative) URLs are safe.

     A path such as ``/confirm/...`` stays on the current origin, so it is
     accepted.  A URL that carries a host part is rejected even when that host
     is hidden behind a backslash-escaped basic-auth prefix.
     """
     # NOTE(review): '[email protected]' looks like a placeholder the page
     # extractor substituted for a literal e-mail address; kept as listed.
     relative_path = '/confirm/[email protected]'
     self.assertIs(is_safe_url(relative_path, allowed_hosts=None), True)
     # A host follows the escaped '@' -> not safe when nothing is allowed.
     hosted_url = r'http://testserver\@example.com'
     self.assertIs(is_safe_url(hosted_url, allowed_hosts=None), False)
 def test_secure_param_non_https_urls(self):
     """``require_https=True`` rejects every absolute URL that is not https.

     The host is allowed in each case, so the rejection is driven purely by
     the scheme: plain http, ftp, and a scheme-relative ``//host`` (which
     presumably inherits the current page's scheme and so may end up as http).
     """
     allowed = {'example.com'}
     insecure_cases = [
         'http://example.com/p',
         'ftp://example.com/p',
         '//example.com/p',
     ]
     for candidate in insecure_cases:
         with self.subTest(url=candidate):
             verdict = is_safe_url(candidate, allowed_hosts=allowed, require_https=True)
             self.assertIs(verdict, False)
 def test_secure_param_https_urls(self):
     """``require_https=True`` accepts https URLs and host-less paths.

     The scheme check is case-insensitive (``HTTPS://`` passes).  A relative
     path is safe even though its query string embeds an ``http://`` URL: the
     query is data, not the navigation target.
     """
     allowed = {'example.com'}
     secure_cases = [
         'https://example.com/p',
         'HTTPS://example.com/p',
         '/view/?param=http://example.com',
     ]
     for candidate in secure_cases:
         with self.subTest(url=candidate):
             verdict = is_safe_url(candidate, allowed_hosts=allowed, require_https=True)
             self.assertIs(verdict, True)
 def test_good_urls(self):
     """Redirect targets that must be accepted under the default scheme rules.

     ``allowed_hosts`` is ``{'otherserver', 'testserver'}``.  Accepted inputs
     are: relative paths (including ones whose query string merely mentions
     another URL), https/HTTPS and scheme-relative URLs on an allowed host,
     a percent-encoded path, and a path segment containing ``http:`` that is
     not a scheme.
     """
     allowed = {'otherserver', 'testserver'}
     # NOTE(review): '[email protected]' looks like a placeholder the page
     # extractor substituted for a literal e-mail address; kept as listed.
     accepted = [
         '/view/?param=http://example.com',
         '/view/?param=https://example.com',
         '/view?param=ftp://example.com',
         'view/?param=//example.com',
         'https://testserver/',
         'HTTPS://testserver/',
         '//testserver/',
         'http://testserver/[email protected]',
         '/url%20with%20spaces/',
         'path/http:2222222222',
     ]
     for candidate in accepted:
         with self.subTest(url=candidate):
             self.assertIs(is_safe_url(candidate, allowed_hosts=allowed), True)
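 def test_bad_urls(self):
     """URLs that must be rejected as redirect targets.

     ``allowed_hosts`` is ``{'testserver', 'testserver2'}``.  Every entry
     either names a host that is not allowed, carries a scheme without a host,
     uses a non-navigational scheme, starts with a control character, uses
     backslashes that browsers may read as slashes, or is a malformed IPv6
     literal.  Each entry runs as its own subTest so one failure does not
     mask the others.

     The original list repeated three entries (``http:///example.com``,
     ``\\example.com`` and ``\\\example.com``); the duplicates only produced
     redundant subTests and are dropped here.
     """
     bad_urls = (
         # Absolute URLs on hosts that are not allowed.
         'http://example.com',
         # Scheme present but no host; browsers presumably take example.com
         # as the host even though urlparse sees a path.
         'http:///example.com',
         'https://example.com',
         'ftp://example.com',
         # Backslash variants that may be normalised to '/' by a browser.
         r'\\example.com',
         r'\\\example.com',
         r'/\\/example.com',
         r'\\//example.com',
         r'/\/example.com',
         r'\/example.com',
         r'/\example.com',
         r'http:/\//example.com',
         r'http:\/example.com',
         r'http:/\example.com',
         # Non-navigational scheme and leading control characters.
         'javascript:alert("XSS")',
         '\njavascript:alert(x)',
         '\x08//example.com',
         # Basic-auth lookalikes: the allowed host appears as userinfo while
         # the real host is example.com.
         # NOTE(review): '[email protected]' looks like a placeholder the page
         # extractor substituted for a literal e-mail address; kept as listed.
         r'http://otherserver\@example.com',
         r'http:\\testserver\@example.com',
         r'http://testserver\me:[email protected]',
         r'http://testserver\@example.com',
         r'http:\\testserver\confirm\[email protected]',
         # Scheme followed by digits only, no host.
         'http:999999999',
         'ftp:9999999999',
         # Whitespace only.
         '\n',
         # Unbalanced IPv6 brackets.
         'http://[2001:cdba:0000:0000:0000:0000:3257:9652/',
         'http://2001:cdba:0000:0000:0000:0000:3257:9652]/',
     )
     allowed = {'testserver', 'testserver2'}
     for bad_url in bad_urls:
         with self.subTest(url=bad_url):
             self.assertIs(is_safe_url(bad_url, allowed_hosts=allowed), False)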
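 def test_basic_auth(self):
     """Basic-auth credentials are safe only when the whole netloc is allowed.

     ``allowed_hosts`` holds the literal ``user:pass@testserver``, so the URL's
     ``userinfo@host`` must equal that entry for the redirect to be accepted.
     NOTE(review): the listing showed the credentials masked as
     ``*****:*****``; with that literal the netloc cannot equal the allowed
     entry and the ``True`` assertion could not hold, so the credentials are
     spelled out to match ``allowed_hosts``.
     """
     self.assertIs(
         is_safe_url(r'http://user:pass@testserver/',
                     allowed_hosts={'user:pass@testserver'}),
         True)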