def test_coerce_blocked_uri_if_missing(self):
    """A report that omits blocked_uri is parsed with blocked_uri == 'self'."""
    report = {
        'document_uri': 'http://example.com',
        'effective_directive': 'script-src',
    }
    parsed = Csp.to_python(report)
    assert parsed.blocked_uri == 'self'
def interface(self):
    """Return a parsed style-src violation used as shared test input."""
    fields = {
        'document_uri': 'http://example.com',
        'violated_directive': 'style-src cdn.example.com',
        'blocked_uri': 'http://example.com/lol.css',
        'effective_directive': 'style-src',
    }
    return Csp.to_python(fields)
def test_coerce_blocked_uri_if_missing(self):
    """Omitting blocked_uri yields the 'self' source after parsing."""
    raw = dict(document_uri='http://example.com')
    raw['effective_directive'] = 'script-src'
    assert Csp.to_python(raw).blocked_uri == 'self'
def test_get_message(self):
    """get_message() names the blocked resource type and its origin.

    Each case supplies the directive-specific fields on top of the same
    document_uri; the expected strings are the ones the interface renders.
    """
    base = {'document_uri': 'http://example.com/foo'}
    cases = [
        (
            {'effective_directive': 'img-src', 'blocked_uri': 'http://google.com/foo'},
            "Blocked 'image' from 'google.com'",
        ),
        (
            {'effective_directive': 'style-src', 'blocked_uri': ''},
            "Blocked inline 'style'",
        ),
        (
            {
                'effective_directive': 'script-src',
                'blocked_uri': '',
                'violated_directive': "script-src 'unsafe-inline'",
            },
            "Blocked unsafe inline 'script'",
        ),
        (
            {
                'effective_directive': 'script-src',
                'blocked_uri': '',
                'violated_directive': "script-src 'unsafe-eval'",
            },
            "Blocked unsafe eval() 'script'",
        ),
        # Empty blocked_uri with no 'unsafe-*' hint in the violated directive
        # cannot be attributed to eval or inline specifically.
        (
            {
                'effective_directive': 'script-src',
                'blocked_uri': '',
                'violated_directive': "script-src example.com",
            },
            "Blocked unsafe (eval() or inline) 'script'",
        ),
        # data: URIs are collapsed to the bare scheme, whether or not the
        # report carries the full payload.
        (
            {
                'effective_directive': 'script-src',
                'blocked_uri': 'data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D',
            },
            "Blocked 'script' from 'data:'",
        ),
        (
            {'effective_directive': 'script-src', 'blocked_uri': 'data'},
            "Blocked 'script' from 'data:'",
        ),
    ]
    for extra, expected in cases:
        parsed = Csp.to_python(dict(base, **extra))
        assert parsed.get_message() == expected
def test_get_hash(self):
    """get_hash() groups by effective directive plus a normalized source.

    Empty and literal 'self' blocked URIs both map to the quoted 'self'
    keyword; same-scheme hosts drop the scheme; data: keeps only the
    scheme; other schemes keep scheme and host.
    """
    document = 'http://example.com/foo'
    expectations = [
        ('script-src', '', ['script-src', "'self'"]),
        ('script-src', 'self', ['script-src', "'self'"]),
        ('script-src', 'http://example.com/lol.js', ['script-src', 'example.com']),
        ('img-src', 'data:foo', ['img-src', 'data:']),
        ('img-src', 'ftp://example.com/foo', ['img-src', 'ftp://example.com']),
    ]
    for directive, blocked, expected in expectations:
        parsed = Csp.to_python({
            'document_uri': document,
            'effective_directive': directive,
            'blocked_uri': blocked,
        })
        assert parsed.get_hash() == expected
def interface(self):
    """Parse and return a representative style-src violation report."""
    raw = dict(
        effective_directive='style-src',
        violated_directive='style-src cdn.example.com',
        document_uri='http://example.com',
        blocked_uri='http://example.com/lol.css',
    )
    return Csp.to_python(raw)
def test_get_tags_stripe(self):
    """The blocked-uri tag carries the URL without its query string.

    The fixture's query string holds a card number parameter, which is the
    kind of value that must not end up in a searchable tag.
    """
    raw = {
        'blocked_uri': 'https://api.stripe.com/v1/tokens?card[number]=xxx',
        'effective_directive': 'script-src',
    }
    tags = Csp.to_python(raw).get_tags()
    expected = [
        ('effective-directive', 'script-src'),
        ('blocked-uri', 'https://api.stripe.com/v1/tokens'),
    ]
    assert tags == expected
def test_get_tags_stripe(self):
    """Query strings are stripped from the blocked-uri tag value.

    The fixture deliberately places a card number parameter in the query,
    so this pins that such data never reaches the tag.
    """
    parsed = Csp.to_python(dict(
        effective_directive='script-src',
        blocked_uri='https://api.stripe.com/v1/tokens?card[number]=xxx',
    ))
    directive_tag = ('effective-directive', 'script-src')
    uri_tag = ('blocked-uri', 'https://api.stripe.com/v1/tokens')
    assert parsed.get_tags() == [directive_tag, uri_tag]
def get_metadata(self):
    """Summarize the CSP payload in self.data as directive, URI and message.

    Returns a dict with keys 'directive', 'uri' and 'message', derived from
    a Csp interface built from ``self.data['csp']``.
    """
    from sentry.interfaces.security import Csp

    # TODO(dcramer): pull get message into here to avoid instantiation
    # or ensure that these get interfaces passed instead of raw data
    parsed = Csp.to_python(self.data['csp'])
    directive = parsed.effective_directive
    # Private attribute of the interface; the normalized form is what the
    # hash/tag logic uses, so it is surfaced here as-is.
    uri = parsed._normalized_blocked_uri
    message = parsed.get_message()
    return dict(directive=directive, uri=uri, message=message)
def get_metadata(self, data):
    """Summarize the CSP payload in ``data`` as directive, URI and message.

    Args:
        data: event data mapping; only ``data['csp']`` is read.

    Returns:
        dict with keys 'directive', 'uri' and 'message'.
    """
    from sentry.interfaces.security import Csp

    # TODO(dcramer): pull get message into here to avoid instantiation
    # or ensure that these get interfaces passed instead of raw data
    parsed = Csp.to_python(data['csp'])
    summary = {}
    summary['directive'] = parsed.effective_directive
    summary['uri'] = parsed.normalized_blocked_uri
    summary['message'] = parsed.get_message()
    return summary
def test_compute_hashes(self):
    """compute_hashes() returns a single [directive, source] grouping.

    Mirrors the get_hash cases: '' and 'self' normalize to the quoted
    'self' keyword, same-scheme hosts lose the scheme, data: is reduced to
    its scheme, and foreign schemes keep scheme and host.
    """
    document = 'http://example.com/foo'
    expectations = [
        ('script-src', '', [['script-src', "'self'"]]),
        ('script-src', 'self', [['script-src', "'self'"]]),
        ('script-src', 'http://example.com/lol.js', [['script-src', 'example.com']]),
        ('img-src', 'data:foo', [['img-src', 'data:']]),
        ('img-src', 'ftp://example.com/foo', [['img-src', 'ftp://example.com']]),
    ]
    for directive, blocked, expected in expectations:
        parsed = Csp.to_python(dict(
            document_uri=document,
            effective_directive=directive,
            blocked_uri=blocked,
        ))
        assert parsed.compute_hashes() == expected
def test_get_culprit(self):
    """get_culprit() echoes the violated directive, rewriting own-origin sources.

    Sources matching the document origin become 'self' (with or without a
    scheme); foreign hosts are passed through untouched.
    """
    cases = [
        (
            'http://example.com/foo',
            'style-src http://cdn.example.com',
            'style-src http://cdn.example.com',
        ),
        (
            'http://example.com/foo',
            'style-src cdn.example.com',
            'style-src cdn.example.com',
        ),
        (
            'https://example.com/foo',
            'style-src cdn.example.com',
            'style-src cdn.example.com',
        ),
        (
            'http://example.com/foo',
            'style-src https://cdn.example.com',
            'style-src https://cdn.example.com',
        ),
        (
            'http://example.com/foo',
            'style-src http://example.com',
            "style-src 'self'",
        ),
        (
            'http://example.com/foo',
            'style-src http://example2.com example.com',
            "style-src http://example2.com 'self'",
        ),
    ]
    for document, violated, expected in cases:
        parsed = Csp.to_python({
            'document_uri': document,
            'violated_directive': violated,
            'effective_directive': 'style-src',
        })
        assert parsed.get_culprit() == expected
def test_real_report(make_csp_snapshot):
    """Snapshot the JSON form of a browser-generated CSP report.

    NOTE(review): the original-policy string contains the token
    'make_csp_snapshot' where a real policy would carry the 'self' keyword;
    this looks like a search-and-replace artifact, but the fixture is kept
    byte-for-byte because the snapshot is derived from it.
    """
    csp_report = {
        "document-uri": "https://sentry.io/sentry/csp/issues/88513416/",
        "referrer": "https://sentry.io/sentry/sentry/releases/7329107476ff14cfa19cf013acd8ce47781bb93a/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src *; script-src 'make_csp_snapshot' 'unsafe-eval' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net cdn.ravenjs.com assets.zendesk.com ajax.googleapis.com ssl.google-analytics.com www.googleadservices.com analytics.twitter.com platform.twitter.com *.pingdom.net js.stripe.com api.stripe.com statuspage-production.s3.amazonaws.com s3.amazonaws.com *.google.com www.gstatic.com aui-cdn.atlassian.com *.atlassian.net *.jira.com *.zopim.com; font-src * data:; connect-src * wss://*.zopim.com; style-src 'make_csp_snapshot' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net s3.amazonaws.com aui-cdn.atlassian.com fonts.googleapis.com; img-src * data: blob:; report-uri https://sentry.io/api/54785/csp-report/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=39662eb9734f68e56b7f202260bb706be2f4cee7",
        "disposition": "enforce",
        "blocked-uri": "http://baddomain.com/test.js?_=1515535030116",
        "line-number": 24,
        "column-number": 66270,
        "source-file": "https://e90d271df3e973c7.global.ssl.fastly.net/_static/f0c7c026a4b2a3d2b287ae2d012c9924/sentry/dist/vendor.js",
        "status-code": 0,
        "script-sample": "",
    }
    raw_report = {"csp-report": csp_report}
    parsed = Csp.from_raw(raw_report)
    make_csp_snapshot(parsed.to_json())
def test_real_report(self):
    """A browser-generated report parses and exposes its effective directive."""
    csp_report = {
        "document-uri": "https://sentry.io/sentry/csp/issues/88513416/",
        "referrer": "https://sentry.io/sentry/sentry/releases/7329107476ff14cfa19cf013acd8ce47781bb93a/",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "original-policy": "default-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net cdn.ravenjs.com assets.zendesk.com ajax.googleapis.com ssl.google-analytics.com www.googleadservices.com analytics.twitter.com platform.twitter.com *.pingdom.net js.stripe.com api.stripe.com statuspage-production.s3.amazonaws.com s3.amazonaws.com *.google.com www.gstatic.com aui-cdn.atlassian.com www.hipchat.com *.atlassian.net *.jira.com *.zopim.com; font-src * data:; connect-src * wss://*.zopim.com; style-src 'self' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net s3.amazonaws.com aui-cdn.atlassian.com www.hipchat.com fonts.googleapis.com; img-src * data: blob:; report-uri https://sentry.io/api/54785/csp-report/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=39662eb9734f68e56b7f202260bb706be2f4cee7",
        "disposition": "enforce",
        "blocked-uri": "http://baddomain.com/test.js?_=1515535030116",
        "line-number": 24,
        "column-number": 66270,
        "source-file": "https://e90d271df3e973c7.global.ssl.fastly.net/_static/f0c7c026a4b2a3d2b287ae2d012c9924/sentry/dist/vendor.js",
        "status-code": 0,
        "script-sample": "",
    }
    raw_report = {"csp-report": csp_report}
    parsed = Csp.from_raw(raw_report)
    assert parsed.effective_directive == 'script-src'
def test_invalid_csp_report(report):
    """Malformed reports are rejected with InterfaceValidationError.

    ``report`` is supplied by the test harness (presumably a parametrized
    fixture of invalid payloads).
    """
    expect_rejection = pytest.raises(InterfaceValidationError)
    with expect_rejection:
        Csp.to_python(report)
def test_get_message(self):
    """get_message() renders resource type and origin for each directive.

    Cases share one document_uri; the tuple holds the overriding fields and
    the exact string the interface is expected to produce.
    """
    def parse(**fields):
        fields.setdefault('document_uri', 'http://example.com/foo')
        return Csp.to_python(fields)

    parsed = parse(effective_directive='img-src', blocked_uri='http://google.com/foo')
    assert parsed.get_message() == "Blocked 'image' from 'google.com'"

    parsed = parse(effective_directive='style-src', blocked_uri='')
    assert parsed.get_message() == "Blocked inline 'style'"

    parsed = parse(
        effective_directive='script-src',
        blocked_uri='',
        violated_directive="script-src 'unsafe-inline'",
    )
    assert parsed.get_message() == "Blocked unsafe inline 'script'"

    parsed = parse(
        effective_directive='script-src',
        blocked_uri='',
        violated_directive="script-src 'unsafe-eval'",
    )
    assert parsed.get_message() == "Blocked unsafe eval() 'script'"

    # No 'unsafe-*' keyword in the violated directive: cannot tell eval
    # from inline, so the message names both.
    parsed = parse(
        effective_directive='script-src',
        blocked_uri='',
        violated_directive="script-src example.com",
    )
    assert parsed.get_message() == "Blocked unsafe (eval() or inline) 'script'"

    # data: URIs collapse to the scheme, with or without a payload.
    parsed = parse(
        effective_directive='script-src',
        blocked_uri='data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D',
    )
    assert parsed.get_message() == "Blocked 'script' from 'data:'"

    parsed = parse(effective_directive='script-src', blocked_uri='data')
    assert parsed.get_message() == "Blocked 'script' from 'data:'"
def test_blocked_csp_report(report):
    """Reports in the blocked set are flagged by should_filter().

    ``report`` comes from the test harness; the assertion pins the exact
    boolean ``True`` rather than a truthy value.
    """
    parsed = Csp.to_python(report)
    assert parsed.should_filter() is True
def test_valid_csp_report(report):
    """Reports that should be kept are not flagged by should_filter().

    ``report`` comes from the test harness; the assertion pins the exact
    boolean ``False`` rather than a falsy value.
    """
    parsed = Csp.to_python(report)
    assert parsed.should_filter() is False