def testReport_generatePolicy_fromInvalidDirectiveResult(self):
reportDefaultSrc = Report({
"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective1a,
"document-uri": ReportTest.sampleURI2
})
assert reportDefaultSrc.generatePolicy("regular") == Policy.INVALID()
def testReport_generatePolicy_regular(self):
report = Report({
"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective2a,
"document-uri": ReportTest.sampleURI2
})
assert report.generatePolicy("regular") == Policy(
[ReportTest.sampleDirective3])
def testReport_generatePolicy_wrongDocumentURI(self):
reportEmptyDocument = Report({
"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective1a,
"document-uri": URI.EMPTY()
})
assert reportEmptyDocument.generatePolicy(
"regular") == Policy.INVALID()
def testReportParser_parse_requiredFields(self):
"""Required fields must be present even if strict=False."""
report = """{"this-is": "a quite empty report"}"""
expected = Report({"this-is": "a quite empty report"})
assert ReportParser(requiredKeys=[],
strict=False).parseString(report) == expected
assert ReportParser(
requiredKeys=["does-not-exist"],
strict=False).parseString(report) == Report.INVALID()
def testReport_generatePolicy_missingReportField(self):
reportNoViolated = Report({"blocked-uri": ReportTest.sampleURI1a,
"document-uri": ReportTest.sampleURI2
})
reportNoBlocked = Report({"violated-directive": ReportTest.sampleDirective2a,
"document-uri": ReportTest.sampleURI2
})
assert reportNoViolated.generatePolicy("regular") == Policy.INVALID()
assert reportNoBlocked.generatePolicy("regular") == Policy.INVALID()
def testReport_dict_iterateAndImmutable(self):
report = Report({"violated-directive": ReportTest.sampleDirective2a,
"original-policy": ReportTest.samplePolicy1a})
assert len(report) == 2
assert "violated-directive" in report
assert report["violated-directive"] == ReportTest.sampleDirective2a
assert "original-policy" in report
assert report["original-policy"] == ReportTest.samplePolicy1a
for (key, value) in report.iteritems():
assert key in ("violated-directive", "original-policy")
assert value in (ReportTest.sampleDirective2a, ReportTest.samplePolicy1a)
with pytest.raises(TypeError):
report["original-policy"] = None
with pytest.raises(TypeError):
report["something-else"] = 123
def testReportParser_parse_unicode(self):
"""The JSON deserialiser returns strings as unicode objects. Check that they are correctly parsed in URIs."""
fullReport = """{"remote-addr": "XXX", "policy-type": "regular", "http-user-agent":""" \
+ """ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0",""" \
+ """ "timestamp-utc": "2014-03-01 12:13:14.156789", "csp-report": {"violated-directive":""" \
+ """ "img-src 'none'", "referrer": "http://handbook5.com/a/a-security-analysis-of-amazon%E2%80%99s-elastic-compute-cloud-service-w14847.html",""" \
+ """ "blocked-uri": "http://www.iseclab.org/images/anr.png", "document-uri":""" \
+ """ "http://www.iseclab.org/?p"}, "header-type": "standard"}"""
expected = Report({
"violated-directive":
Directive("img-src", ()),
"referrer":
URI(
"http", "handbook5.com", None,
u"/a/a-security-analysis-of-amazon’s-elastic-compute-cloud-service-w14847.html"
),
"blocked-uri":
URI("http", "www.iseclab.org", None, u"/images/anr.png"),
"document-uri":
URI("http", "www.iseclab.org", None, u"/", "p")
})
parser = ReportParser(requiredKeys=[])
jsonReport = json.loads(fullReport)
cspReport = parser.parseJsonDict(jsonReport["csp-report"])
assert cspReport == expected
def testReport_str_regular(self):
"""Extended object types should be serialised to strings when getting the report as a string."""
report = Report({
"violated-directive": ReportTest.sampleDirective2a,
"original-policy": ReportTest.samplePolicy1a
})
assert str(report) == """{"original-policy": "default-src 'self'; script-src 'unsafe-inline'",""" \
+ """ "violated-directive": "script-src 'unsafe-inline'"}"""
def testReportParser_parse_selfURIFailStrict(self):
"""Tests that parsing fails if strict and no document-uri but another 'self' URI."""
report = """{"blocked-uri": "self", "other": "value"}"""
parser = ReportParser(requiredKeys=[],
strict=True,
uriKeys=["blocked-uri", "document-uri"])
cspReport = parser.parseString(report)
assert cspReport == Report.INVALID()
def testReportParser_parse_selfURISkipStrict(self):
"""Tests that parsing fails if strict and no document-uri but another 'self' URI."""
report = """{"blocked-uri": "self", "other": "value"}"""
expected = Report({"other": "value"})
parser = ReportParser(requiredKeys=[],
strict=False,
uriKeys=["blocked-uri", "document-uri"])
cspReport = parser.parseString(report)
assert cspReport == expected
def testReport_dict_iterateAndImmutable(self):
report = Report({
"violated-directive": ReportTest.sampleDirective2a,
"original-policy": ReportTest.samplePolicy1a
})
assert len(report) == 2
assert "violated-directive" in report
assert report["violated-directive"] == ReportTest.sampleDirective2a
assert "original-policy" in report
assert report["original-policy"] == ReportTest.samplePolicy1a
for (key, value) in report.iteritems():
assert key in ("violated-directive", "original-policy")
assert value in (ReportTest.sampleDirective2a,
ReportTest.samplePolicy1a)
with pytest.raises(TypeError):
report["original-policy"] = None
with pytest.raises(TypeError):
report["something-else"] = 123
def testReport_eq(self):
report1a = Report({
"violated-directive": ReportTest.sampleDirective2a,
"original-policy": ReportTest.samplePolicy1a
})
report1b = Report({
"violated-directive": ReportTest.sampleDirective2b,
"original-policy": ReportTest.samplePolicy1b
})
report2 = Report({
"violated-directive": ReportTest.sampleDirective1a,
"original-policy": ReportTest.samplePolicy1a
})
assert report1a == report1b
assert hash(report1a) == hash(report1b)
assert report1a != report2
assert report1a != Report.INVALID()
assert report2 != Report.INVALID()
def testReportParser_parse_emptyOrSelfURI(self):
"""This tests that the internal settings of the URI parser are chosen such that empty or self URIs are
correctly handled."""
report = """{"empty-uri": "", "self-uri": "self", "document-uri": "http://seclab.nu"}"""
expected = Report({
"empty-uri": URI.EMPTY(),
"self-uri": ReportTest.sampleURI1a,
"document-uri": ReportTest.sampleURI1a
})
assert ReportParser(requiredKeys=[], strict=True, uriKeys=["empty-uri", "self-uri", "document-uri"]) \
.parseString(report) == expected
def testReportParser_parse_stringVsJSON(self):
"""Ensure the string parsing returns the same result as JSON parsing."""
reportJSON = {"something": 123, "uri": "http://seclab.nu"}
reportString = """{"something": 123, "uri": "http://seclab.nu"}"""
expected = Report({"something": 123, "uri": ReportTest.sampleURI1a})
parser = ReportParser(uriKeys=["uri"], requiredKeys=[], strict=True)
parsedFromJSON = parser.parseJsonDict(reportJSON)
parsedFromString = parser.parseString(reportString)
print parsedFromJSON
print parsedFromString
assert parsedFromJSON == parsedFromString
assert parsedFromJSON == expected
def testReportParser_parse_fieldNameReplacements(self):
"""Checks that old field names are replaced correctly."""
report = """{"document-url": "http://seclab.nu", "original-policy": "default-src 'self'; script-src 'unsafe-inline'"}"""
expected = Report({
"document-uri": ReportTest.sampleURI1a,
"original-policy": ReportTest.samplePolicy1a
})
parser = ReportParser(
uriKeys=["document-uri"],
policyKeys=["original-policy"],
requiredKeys=["document-uri", "original-policy"],
strict=True,
keyNameReplacements={"document-url": "document-uri"})
cspReport = parser.parseString(report)
assert cspReport == expected
def testReport_generatePolicy_missingReportField(self):
reportNoViolated = Report({
"blocked-uri": ReportTest.sampleURI1a,
"document-uri": ReportTest.sampleURI2
})
reportNoBlocked = Report({
"violated-directive": ReportTest.sampleDirective2a,
"document-uri": ReportTest.sampleURI2
})
assert reportNoViolated.generatePolicy("regular") == Policy.INVALID()
assert reportNoBlocked.generatePolicy("regular") == Policy.INVALID()
def parseJsonDict(self, jsonLogEntry):
"""
Parses the given 'jsonLogEntry' according to the parameters set in the constructor of this LogEntryParser
and returns a LogEntry object. 'jsonLogEntry' is expected to be a Python dict object. If 'jsonLogEntry'
cannot be parsed because it is syntactically invalid (or empty), LogEntry.INVALID() will be returned.
"""
# TODO: could also parse the timestamp string etc.
if "csp-report" in jsonLogEntry:
jsonLogEntry["csp-report"] = self._reportParser.parseJsonDict(
jsonLogEntry["csp-report"])
if self._strict and jsonLogEntry["csp-report"] == Report.INVALID():
return LogEntry.INVALID()
else:
return LogEntry(jsonLogEntry)
else:
return LogEntry.INVALID()
def testReportParser_parse_typeFields(self):
"""Check that type indications for fields are properly parsed."""
report = """{"uri": "https://seclab.ccs.neu.edu?query", "directive": "script-src 'unsafe-inline'",""" \
+ """ "policy": "script-src 'unsafe-inline'; default-src 'self'",""" \
+ """ "nothing": "123"}"""
cspReport = ReportParser(uriKeys=["uri", "url"],
directiveKeys=["directive"],
policyKeys=["policy"],
requiredKeys=[],
strict=True).parseString(report)
expected = Report({
"uri": ReportTest.sampleURI2,
"directive": ReportTest.sampleDirective2a,
"policy": ReportTest.samplePolicy1a,
"nothing": "123"
})
assert cspReport == expected
def testReportCreation(self):
"""Writes a Report and loads it back as an object."""
report = Report({
"abc": True,
"def": 1,
"ghi": "http://seclab.nu/",
"document-uri": ReportDataReaderTest.sampleURI1a,
"violated-directive": ReportDataReaderTest.sampleDirective1a,
"original-policy": ReportDataReaderTest.samplePolicy1a,
"blocked-uri": ReportDataReaderTest.sampleURI2
})
self.fileOut.storeAll([report])
self.fileOut.close()
dataOut = self.fileIn.loadAll(self.filename)
assert len(dataOut) == 1
print report
print dataOut[0]
assert report in dataOut
def testReportParser_parse_inferSelfURI(self):
"""Tests if the self URI is correctly inferred from the "document-uri" field (even
after renaming)."""
report = """{"violated-directive": "default-src 'self'", "referrer": "",""" \
+ """ "blocked-uri": "self", "document-URL":""" \
+ """ "http://seclab.nu"}"""
expected = Report({
"violated-directive": ReportTest.sampleDirective1a,
"referrer": URI.EMPTY(),
"blocked-uri": ReportTest.sampleURI1a,
"document-uri": ReportTest.sampleURI1a
})
parser = ReportParser(
requiredKeys=["violated-directive", "document-uri", "blocked-uri"],
strict=True,
directiveKeys=["violated-directive"],
uriKeys=["referrer", "blocked-uri", "document-uri"],
keyNameReplacements={'document-url': 'document-uri'})
cspReport = parser.parseString(report)
assert cspReport == expected
def testReport_generatePolicy_invalid(self):
assert Report.INVALID().generatePolicy("regular") == Policy.INVALID()
def testReport_generatePolicy_fromInvalidDirectiveResult(self):
reportDefaultSrc = Report({"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective1a,
"document-uri": ReportTest.sampleURI2
})
assert reportDefaultSrc.generatePolicy("regular") == Policy.INVALID()
def testReportParser_parse_failIfStrict(self):
"""The report must be declared invalid in strict mode when a child element is invalid."""
report = """{"invalid-policy": "awesomeness-src 'self'", "example": true}"""
assert ReportParser(requiredKeys=[], strict=True, policyKeys=["invalid-policy"]) \
.parseString(report) == Report.INVALID()
def testReport_generatePolicy_regular(self):
report = Report({"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective2a,
"document-uri": ReportTest.sampleURI2
})
assert report.generatePolicy("regular") == Policy([ReportTest.sampleDirective3])
def testReport_generatePolicy_wrongDocumentURI(self):
reportEmptyDocument = Report({"blocked-uri": ReportTest.sampleURI1a,
"violated-directive": ReportTest.sampleDirective1a,
"document-uri": URI.EMPTY()
})
assert reportEmptyDocument.generatePolicy("regular") == Policy.INVALID()
def testReportParser_parse_skipIfNotStrict(self):
"""Invalid portions of the report must be skipped in non-strict mode."""
report = """{"invalid-policy": "awesomeness-src 'self'", "example": true}"""
expected = Report({"example": True})
assert ReportParser(requiredKeys=[], strict=False, policyKeys=["invalid-policy"]) \
.parseString(report) == expected
class LogEntryTest(unittest.TestCase):
starSourceExpr = URISourceExpression(None, "*", None, None)
strLogEntry = """{"csp-report": {"blocked-uri": "", "document-uri": "http://seclab.nu/csp-test.html", """ \
+ """"original-policy": "default-src *; script-src 'unsafe-eval' *; style-src *", """ \
+ """"referrer": "", "status-code": 200, "violated-directive": "style-src *"}, """ \
+ """"header-type": "webkit", "http-user-agent": """ \
+ """"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, """ \
+ """like Gecko) Chrome/31.0.1650.63 Safari/537.36", "policy-type": "inline", """ \
+ """"remote-addr": "1.2.3.4", "timestamp-utc": "2013-12-14 01:02:03.456789"}"""
logEntryData = {u"csp-report": Report({u"document-uri": URI("http", "seclab.nu", None, u"/csp-test.html"),
u"referrer": URI.EMPTY(),
u"violated-directive": Directive("style-src",
(starSourceExpr,)),
u"original-policy": Policy((Directive("default-src",
(starSourceExpr,)),
Directive("script-src",
(starSourceExpr,
SourceExpression.UNSAFE_EVAL())),
Directive("style-src",
(starSourceExpr,)))),
u"blocked-uri": URI.EMPTY(),
u"status-code": 200
}),
u"remote-addr": u"1.2.3.4",
u"http-user-agent": u"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) " \
+ u"AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36",
u"timestamp-utc": u"2013-12-14 01:02:03.456789",
u"policy-type": u"inline",
u"header-type": u"webkit"
}
cspLogEntry = LogEntry(logEntryData)
def testLogEntry_str_invalid(self):
assert str(LogEntry.INVALID()) == "[invalid]"
def testLogEntry_str_regular(self):
assert str(LogEntryTest.cspLogEntry) == LogEntryTest.strLogEntry
def testLogEntry_dict_iterateAndImmutable(self):
assert len(LogEntryTest.cspLogEntry) == 6
assert "http-user-agent" in LogEntryTest.cspLogEntry
assert LogEntryTest.cspLogEntry["remote-addr"] == "1.2.3.4"
for key in LogEntryTest.cspLogEntry.keys():
assert key in ("csp-report", "remote-addr", "http-user-agent",
"timestamp-utc", "policy-type", "header-type")
with pytest.raises(TypeError):
LogEntryTest.cspLogEntry["csp-report"] = None
with pytest.raises(TypeError):
LogEntryTest.cspLogEntry["something-else"] = 123
def testLogEntry_eq(self):
assert LogEntryTest.cspLogEntry != LogEntry.INVALID()
def testLogEntry_generatePolicy_standard(self):
assert LogEntryTest.cspLogEntry.generatePolicy() == Policy(
[Directive("style-src", [SourceExpression.UNSAFE_INLINE()])])
def testLogEntry_generatePolicy_invalid(self):
assert LogEntry.INVALID().generatePolicy() == Policy.INVALID()
def testLogEntry_generatePolicy_incomplete(self):
logEntryNoReport = LogEntryTest.logEntryData.copy()
del logEntryNoReport['csp-report']
logEntryNoPolicyType = LogEntryTest.logEntryData.copy()
del logEntryNoPolicyType['policy-type']
assert LogEntry(logEntryNoReport).generatePolicy() == Policy.INVALID()
assert LogEntry(
logEntryNoPolicyType).generatePolicy() == Policy.INVALID()
def testLogEntryParser_parse(self):
parser = LogEntryParser(strict=True)
parsed = parser.parseString(LogEntryTest.strLogEntry)
print parsed._entryData
print LogEntryTest.cspLogEntry._entryData
print parsed._entryData[
'csp-report'] == LogEntryTest.cspLogEntry._entryData['csp-report']
assert parsed == LogEntryTest.cspLogEntry
def testReport_str_invalid(self):
assert str(Report.INVALID()) == "[invalid]"
def testReport_str_primitives(self):
"""A Report with basic data types in it (instead of strings) should have them serialised
to JSON-supported basic data types, not all strings."""
report = Report({"abc": True, "def": 1, "ghi": ReportTest.sampleURI1a})
expected = """{"abc": true, "def": 1, "ghi": "http://seclab.nu"}"""
assert str(report) == expected
