def test_URISourceExpression_match_scheme_host_different(self):
"""A source expression with a scheme and a host name without a star matches only if the host name
is the same (case insensitive)."""
srcExpr = URISourceExpression("http", "blog.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
def testDirective_eq(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("https", "seclab.nu", 443, "/")
directive1a = Directive("object-src", [srcExpr1, srcExpr2])
directive1b = Directive("object-src", [srcExpr2, srcExpr1])
directive2 = Directive("frame-src", [srcExpr1, srcExpr2])
directive3 = Directive("object-src", [srcExpr2])
directive4a = Directive("script-src",
(SourceExpression.UNSAFE_INLINE(), ))
directive4b = Directive("script-src",
(SourceExpression("unsafe-inline"), ))
assert directive1a == directive1b
assert hash(directive1a) == hash(directive1b)
assert directive1a != directive2
assert directive1a != directive3
assert directive2 != directive3
assert directive4a == directive4b
assert hash(directive4a) == hash(directive4b)
assert Directive.INVALID() == Directive.INVALID()
assert Directive.INVALID() not in (directive1a, directive1b,
directive2, directive3)
assert Directive.INLINE_STYLE_BASE_RESTRICTION() not in (directive1a,
directive1b,
directive2,
directive3)
def test_URISourceExpression_match_scheme_host_different(self):
"""A source expression with a scheme and a host name without a star matches only if the host name
is the same (case insensitive)."""
srcExpr = URISourceExpression("http", "blog.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
def test_URISourceExpression_match_path_exact(self):
"""If the final character of the path in the source expression is not /, then the path
in the URI must be an exact match (excluding the query component)."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
def testDirective_withoutPaths_schemeOnly(self):
chromeExt = Directive("img-src", [
URISourceExpression("chrome-extension",
"mkfokfffehpeedafpekjeddnmnjhmcmk", None, None)
])
assert chromeExt.withoutPaths(["chrome-extension"]) == Directive(
"img-src",
[URISourceExpression("chrome-extension", None, None, None)])
def test_URISourceExpression_match_noscheme_http(self):
"""A source expression without a scheme and http as the protected resource's scheme match only
if the URI has the scheme http or https"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_longer1
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_starhost(self):
"""Checks the behaviour of a fully specified URI with * as the hostname, that should match
any host as long as the scheme, port, and path match (is this in line with the CSP 1.1 specification??)"""
srcExpr = URISourceExpression("http", "*", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
def test_URISourceExpression_match_noscheme_same(self):
"""A source expression without a scheme and the protected resource's scheme being different from http
match only if the URI has the same scheme as the protected resource"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_noport(self):
"""A source expression without a port matches only if the URI uses the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", None, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_eq(self):
srcExprFull1 = URISourceExpression("http", "seclab.nu", 80, "/")
srcExprFull2 = URISourceExpression("http", "seclab.nu", 80, "/")
assert srcExprFull1 == srcExprFull2
assert hash(srcExprFull1) == hash(srcExprFull2)
srcExprStar = URISourceExpression("http", "*.seclab.nu", None, None)
assert srcExprFull1 != srcExprStar
assert srcExprFull1 != SourceExpression.UNSAFE_EVAL()
def test_URISourceExpression_match_query(self):
"""The query component in an URI should not matter when matching."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", None),
selfURI)
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", "query"),
selfURI)
def test_URISourceExpression_match_scheme_star(self):
"""A source expression with a scheme and a host name including a star matches only if the domain name
of the URI includes a subdomain at the level of the star (or below)."""
srcExpr = URISourceExpression("http", "*.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlSubstring, selfURI) # must be a true subdomain, not just substring
def testDirectiveParser_parse_none_syntaxerror_notstrict(self):
"""If 'none' appears in a directive not parsed strictly and other expressions occur, 'none' is ignored."""
noneDirectiveInvalid = """default-src http://one 'None' http://two"""
cspDirective = DirectiveParser(
strict=False).parse(noneDirectiveInvalid)
assert cspDirective == Directive("default-src", [
URISourceExpression("http", "one", None, None),
URISourceExpression("http", "two", None, None)
])
def test_URISourceExpression_match_starhost(self):
"""Checks the behaviour of a fully specified URI with * as the hostname, that should match
any host as long as the scheme, port, and path match (is this in line with the CSP 1.1 specification??)"""
srcExpr = URISourceExpression("http", "*", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
def test_URISourceExpression_match_path_exact(self):
"""If the final character of the path in the source expression is not /, then the path
in the URI must be an exact match (excluding the query component)."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
def testDirective_init_removeDoubleExpressions(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("http", "seclab.nu", "*", None)
directive = Directive("style-src", [srcExpr1, srcExpr2])
whitelisted = directive.getWhitelistedSourceExpressions()
assert whitelisted == set(
[srcExpr1]) # duplicate source expressions should be removed
assert whitelisted == set([srcExpr2]) # sets should be equal
assert directive == Directive("style-src", [srcExpr1])
assert directive == Directive("style-src", [srcExpr2])
def test_URISourceExpression_match_noscheme_same(self):
"""A source expression without a scheme and the protected resource's scheme being different from http
match only if the URI has the same scheme as the protected resource"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_noscheme_http(self):
"""A source expression without a scheme and http as the protected resource's scheme match only
if the URI has the scheme http or https"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_longer1
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_str(self):
srcExprFull = URISourceExpression("http", "seclab.nu", 80, "/")
assert str(srcExprFull) == "http://seclab.nu:80/"
srcExprStar = URISourceExpression("http", "*.seclab.nu", None, None)
assert str(srcExprStar) == "http://*.seclab.nu"
srcExprScheme = URISourceExpression("chrome-extension", None, None,
None)
assert str(srcExprScheme) == "chrome-extension:"
srcExprAll = URISourceExpression(None, "*", None, None)
assert str(srcExprAll) == "*"
def test_URISourceExpression_match_scheme_star(self):
"""A source expression with a scheme and a host name including a star matches only if the domain name
of the URI includes a subdomain at the level of the star (or below)."""
srcExpr = URISourceExpression("http", "*.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
assert not srcExpr.matches(
SourceExpressionTest.uri_urlSubstring,
selfURI) # must be a true subdomain, not just substring
def testDirectiveParser_parse_standard(self):
assert DirectiveParser(strict=True).parse("default-src https: 'unsafe-inline' 'unsafe-eval'") \
== Directive("default-src", [URISourceExpression("https", None, None, None),
SourceExpression.UNSAFE_INLINE(), SourceExpression.UNSAFE_EVAL()])
assert DirectiveParser(strict=True).parse("default-src 'self'") \
== Directive("default-src", [SelfSourceExpression.SELF()])
assert DirectiveParser(strict=True).parse("img-src *") \
== Directive("img-src", [URISourceExpression(None, "*", None, None)])
assert DirectiveParser(strict=True).parse("object-src media1.example.com media2.example.com *.cdn.example.com") \
== Directive("object-src", [URISourceExpression(None, "media1.example.com", None, None),
URISourceExpression(None, "media2.example.com", None, None),
URISourceExpression(None, "*.cdn.example.com", None, None)])
class PolicyDataReaderTest(unittest.TestCase):
samplePolicy = Policy([
Directive("default-src", ()),
Directive("style-src", [SourceExpression.UNSAFE_INLINE()]),
Directive("img-src",
[URISourceExpression(None, "seclab.nu", "*", None)])
])
@pytest.fixture(autouse=True)
def initdir(self, tmpdir):
tmpdir.chdir()
def setUp(self):
self.fileIn = PolicyDataReader(True)
self.filename = "policystorage.dat"
self.fileOut = DataWriter(self.filename)
def testReportCreation(self):
"""Writes a LogEntry and loads it back as an object."""
self.fileOut.storeAll([PolicyDataReaderTest.samplePolicy])
self.fileOut.close()
dataOut = self.fileIn.loadAll(self.filename)
assert len(dataOut) == 1
assert PolicyDataReaderTest.samplePolicy in dataOut
def testDirectiveParser_parse_translate(self):
"""The old directive type 'xhr-src' is correctly rewritten to 'connect-src'."""
translateDirective = "xhr-src http://localhost"
cspTranslateDirective = DirectiveParser().parse(translateDirective)
assert cspTranslateDirective == Directive(
"connect-src",
(URISourceExpression("http", "localhost", None, None), ))
def test_URISourceExpression_str_unicode(self):
"""Test URISourceExpression serialisation with unicode characters."""
url = u'http://handbook5.com/a/a-security-analysis-of-amazon%E2%80%99s-elastic-compute-cloud-service-w14847.html'
unicodePath = u"/a/a-security-analysis-of-amazon’s-elastic-compute-cloud-service-w14847.html"
parsed = SourceExpressionParser().parse(url)
assert parsed == URISourceExpression("http", "handbook5.com", None,
unicodePath)
assert str(parsed) == url # must use quoted version
def test_URISourceExpression_match_path_slash(self):
"""If the final character of the path in the source expression is /, then the path in
the URI must be a prefix of the path."""
srcExprShort = URISourceExpression("http", "seclab.nu", 80, "/")
srcExprLong = URISourceExpression("http", "seclab.nu", 80, "/path/")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
assert not srcExprLong.matches(SourceExpressionTest.uri_urlFull,
selfURI) # this is a file
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
def test_URISourceExpression_match_scheme_only(self):
"A source expression where only the scheme matters"
srcExpr = URISourceExpression("chrome-extension", None, None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
def testDirective_generateDirective_regular(self):
violated = Directive(
"object-src",
[DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
generated = violated.generateDirective("regular",
DirectiveTest.sampleURI2)
assert generated == Directive(
"object-src",
[URISourceExpression("http", "seclab.ccs.neu.edu", 80, "/path")])
def test_URISourceExpression_match_port_same(self):
"""A source expression matches if the port is the same (and everything else matches), or
if the port is not given in the URI, it matches the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", 443, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure,
selfURI)
srcExpr80 = URISourceExpression("https", "seclab.nu", 80, None)
assert srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExpr80.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr80.matches(
SourceExpressionTest.uri_schemedomain_secure, selfURI)
def testDirectiveParser_parse_whitespaceRemoval(self):
"""Whitespace is properly removed."""
directive = "img-src 'self' https://abc.cloudfront.net/the-path chrome-extension: data: https://def.cloudfront.net/another-path "
directiveClean = "img-src 'self' chrome-extension: data: https://abc.cloudfront.net/the-path https://def.cloudfront.net/another-path"
cspDirective = DirectiveParser().parse(directive)
assert cspDirective.getType() == "img-src"
assert cspDirective.getWhitelistedSourceExpressions() == set([
SelfSourceExpression.SELF(),
URISourceExpression("chrome-extension", None, None, None),
URISourceExpression("data", None, None, None),
URISourceExpression("https", "abc.cloudfront.net", None,
"/the-path"),
URISourceExpression("https", "def.cloudfront.net", None,
"/another-path")
])
assert str(cspDirective) == directiveClean
cspDirectiveClean = DirectiveParser().parse(directiveClean)
assert cspDirective == cspDirectiveClean
def test_URISourceExpression_match_scheme_only(self):
"A source expression where only the scheme matters"
srcExpr = URISourceExpression("chrome-extension", None, None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
def test_URISourceExpression_schemeOnly(self):
srcExprFull = URISourceExpression("chrome-extension",
"mkfokfffehpeedafpekjeddnmnjhmcmk",
None, None)
assert srcExprFull.schemeOnly() == URISourceExpression(
"chrome-extension", None, None, None)
srcExprIncomplete = URISourceExpression(None, "seclab.nu", None, None)
assert srcExprIncomplete.schemeOnly() == SourceExpression.INVALID()
def test_parse_uri_full(self):
exprStr = "http://seclab.nu:80/path"
srcExpr = SourceExpressionParser().parse(exprStr)
assert srcExpr == URISourceExpression("http", "seclab.nu", 80, "/path")
assert srcExpr.getType() == "uri"
assert srcExpr.getScheme() == "http"
assert srcExpr.getHost() == "seclab.nu"
assert srcExpr.getPort() == 80
assert srcExpr.getPath() == "/path"
assert str(srcExpr) == exprStr
def test_URISourceExpression_match_port_same(self):
"""A source expression matches if the port is the same (and everything else matches), or
if the port is not given in the URI, it matches the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", 443, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
srcExpr80 = URISourceExpression("https", "seclab.nu", 80, None)
assert srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr80.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
def test_URISourceExpression_match_scheme_different(self):
"An URI with a different (case-insensitive) scheme than the source expression does not match." ""
srcExpr = URISourceExpression("https", "seclab.nu", 80, "/path")
srcExprUpper = URISourceExpression("HTTPS", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExprUpper.matches(SourceExpressionTest.uri_urlFull,
selfURI)
assert srcExprUpper.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
def test_URISourceExpression_match_empty_path(self):
"""If the path component of the source expression or the URI is the empty string, it
should be treated the same as being None."""
srcExprEmpty = URISourceExpression("http", "seclab.nu", 80, "")
srcExprNone = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprEmpty.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, None),
selfURI)
assert srcExprNone.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, None), selfURI)
def test_parse_uri_scheme(self):
exprStr = "chrome-extension:"
srcExpr = SourceExpressionParser().parse(exprStr)
assert srcExpr == URISourceExpression("chrome-extension", None, None,
None)
assert srcExpr.getType() == "uri"
assert srcExpr.getScheme() == "chrome-extension"
assert srcExpr.getHost() == None
assert srcExpr.getPort() == None
assert srcExpr.getPath() == None
assert str(srcExpr) == exprStr
def testDirective_init_removeDoubleSelfExpressions(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = SelfSourceExpression.SELF()
srcExpr3 = SelfSourceExpression()
whitelisted = Directive(
"img-src",
[srcExpr1, srcExpr2, srcExpr3]).getWhitelistedSourceExpressions()
assert len(
whitelisted
) == 2 # one self expression should be removed (can have at most one)
assert srcExpr1 in whitelisted and (srcExpr2 in whitelisted
or srcExpr3 in whitelisted)
def test_URISourceExpression_match_port_star(self):
"""A source expression matches if the port is * (and everything else matches)."""
srcExpr = URISourceExpression("https", "seclab.nu", "*", None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_schemedomain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
def test_URISourceExpression_match_scheme_different(self):
"An URI with a different (case-insensitive) scheme than the source expression does not match."""
srcExpr = URISourceExpression("https", "seclab.nu", 80, "/path")
srcExprUpper = URISourceExpression("HTTPS", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExprUpper.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprUpper.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
def test_URISourceExpression_match_port_star(self):
"""A source expression matches if the port is * (and everything else matches)."""
srcExpr = URISourceExpression("https", "seclab.nu", "*", None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_schemedomain,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
def test_URISourceExpression_match_empty_path(self):
"""If the path component of the source expression or the URI is the empty string, it
should be treated the same as being None."""
srcExprEmpty = URISourceExpression("http", "seclab.nu", 80, "")
srcExprNone = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprEmpty.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, None), selfURI)
assert srcExprNone.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, None), selfURI)
def test_URISourceExpression_match_path_slash(self):
"""If the final character of the path in the source expression is /, then the path in
the URI must be a prefix of the path."""
srcExprShort = URISourceExpression("http", "seclab.nu", 80, "/")
srcExprLong = URISourceExpression("http", "seclab.nu", 80, "/path/")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
assert not srcExprLong.matches(SourceExpressionTest.uri_urlFull, selfURI) # this is a file
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
def test_URISourceExpression_match_query(self):
"""The query component in an URI should not matter when matching."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", None), selfURI)
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", "query"), selfURI)
def test_URISourceExpression_match_noport(self):
"""A source expression without a port matches only if the URI uses the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", None, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_nohost(self):
"An URI with no host does not match any source expression that is not *"
srcExpr = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
def test_URISourceExpression_match_star(self):
"A source expression that should match everything (except for special URIs)."
srcExpr = URISourceExpression(None, "*", None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
assert not srcExpr.matches(URI.EMPTY(), selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)
def test_URISourceExpression_schemeOnly(self):
srcExprFull = URISourceExpression("chrome-extension", "mkfokfffehpeedafpekjeddnmnjhmcmk", None, None)
assert srcExprFull.schemeOnly() == URISourceExpression("chrome-extension", None, None, None)
srcExprIncomplete = URISourceExpression(None, "seclab.nu", None, None)
assert srcExprIncomplete.schemeOnly() == SourceExpression.INVALID()
def test_URISourceExpression_removePath(self):
srcExprFull = URISourceExpression("http", "seclab.nu", 80, "/path")
assert srcExprFull.removePath() == URISourceExpression("http", "seclab.nu", 80, None)