Example #1
0
 def test_EvalInlineSourceExpression_match(self):
     """The source expressions 'unsafe-inline' and 'unsafe-eval' do not match any URI."""
     srcExprEval = SourceExpression.UNSAFE_EVAL()
     srcExprInline = SourceExpression.UNSAFE_INLINE()
     selfURI = SourceExpressionTest.uri_chromeExtension
     assert not srcExprEval.matches(SourceExpressionTest.uri_empty, selfURI)
     assert not srcExprInline.matches(SourceExpressionTest.uri_empty,
                                      selfURI)
     assert not srcExprEval.matches(URI.INVALID(), selfURI)
     assert not srcExprInline.matches(URI.INVALID(), selfURI)
     assert srcExprInline.matches(URI.INLINE(), selfURI)
     assert not srcExprInline.matches(URI.EVAL(), selfURI)
     assert not srcExprEval.matches(URI.INLINE(), selfURI)
     assert srcExprEval.matches(URI.EVAL(), selfURI)
Example #2
0
 def testPolicy_matches_defaultSrcNotSpecified_noMatch(self):
     """Policy contains no directive of resource type, and no default directive either.
     Should assume 'default-src *' (no match for inline/eval resources)."""
     pol = Policy((PolicyTest.sampleDirective5, ))
     selfURI = PolicyTest.sampleURI1a
     assert not pol.matches(URI.INLINE(), "script-src", selfURI)
     assert not pol.matches(URI.EVAL(), "script-src", selfURI)
Example #3
0
 def test_SelfSourceExpression_match(self):
     """A 'self' source expression matches if the scheme, host and port of the self and other URI
     are the same (using default ports if absent)."""
     selfURI = URI("http", "seclab.nu", 80, "/other-path")
     srcExpr = SelfSourceExpression.SELF()
     assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
                            selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
                                selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_schemedomain,
                            selfURI)  # using default port in URI
     assert not srcExpr.matches(URI.EMPTY(), selfURI)
     assert not srcExpr.matches(URI.INVALID(), selfURI)
     assert not srcExpr.matches(URI.INLINE(), selfURI)
     assert not srcExpr.matches(URI.EVAL(), selfURI)
     selfURIDefaultPort = URI("https", "seclab.nu", None,
                              "/yet-another-path")
     assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
                                selfURIDefaultPort)
     assert srcExpr.matches(
         SourceExpressionTest.uri_urlFull_secure_defaultPort,
         selfURIDefaultPort)
     selfURINoPort = SourceExpressionTest.uri_chromeExtension
     assert not srcExpr.matches(
         SourceExpressionTest.uri_chromeExtension,
         selfURINoPort)  # no valid port can be deduced from this scheme
Example #4
0
 def test_regularURI_singletons(self):
     """All the singleton URIs should return False for isRegularURI()."""
     assert URI.EMPTY().isRegularURI() == False
     assert URI.INVALID().isRegularURI() == False
     assert URI.INLINE().isRegularURI() == False
     assert URI.EVAL().isRegularURI() == False
     assert URI("http", "seclab.nu", None, None,
                None).isRegularURI() == True
Example #5
0
 def testPolicy_matches_invalid(self):
     """An invalid policy matches nothing."""
     selfURI = PolicyTest.sampleURI2
     assert not Policy.INVALID().matches(PolicyTest.sampleURI1a,
                                         "script-src", selfURI)
     assert not Policy.INVALID().matches(URI.INVALID(), "script-src",
                                         selfURI)
     assert not Policy.INVALID().matches(URI.EMPTY(), "script-src", selfURI)
     assert not Policy.INVALID().matches(URI.INLINE(), "script-src",
                                         selfURI)
     assert not Policy.INVALID().matches(URI.EVAL(), "script-src", selfURI)
Example #6
0
 def test_eq(self):
     """Checks that the eq and hash methods are consistent for a few URIs."""
     uri1a = URI("http", "www.seclab.org", 80, "/", "query")
     uri1b = URI("http", "www.seclab.org", 80, "/", "query")
     uri2 = URI("https", "www.seclab.org", 80, "/")
     uri3 = URI("http", "www.seclab.org", 80, None)
     assert uri1a == uri1b
     assert hash(uri1a) == hash(uri1b)
     assert uri1a != uri2
     assert uri1a != uri3
     assert uri2 != uri3
     assert URI.EMPTY() == URI.EMPTY()
     assert URI.INVALID() == URI.INVALID()
     assert URI.EMPTY() not in (uri1a, uri1b, uri2, uri3, URI.INVALID(),
                                URI.INLINE(), URI.EVAL())
     assert URI.INVALID() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
                                  URI.INLINE(), URI.EVAL())
     assert URI.INLINE() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
                                 URI.INVALID(), URI.EVAL())
     assert URI.EVAL() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
                               URI.INVALID(), URI.INLINE())
Example #7
0
 def testDirective_matches_special(self):
     """An invalid/special directive matches nothing."""
     selfURI = DirectiveTest.sampleURI2
     assert not Directive.INVALID().matches(URI.EMPTY(), selfURI)
     assert not Directive.INVALID().matches(URI.INVALID(), selfURI)
     assert not Directive.INVALID().matches(URI.INLINE(), selfURI)
     assert not Directive.INVALID().matches(URI.EVAL(), selfURI)
     assert not Directive.INVALID().matches(DirectiveTest.sampleURI1,
                                            selfURI)
     assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
         URI.EMPTY(), selfURI)
     assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
         URI.INVALID(), selfURI)
     assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
         URI.INLINE(), selfURI)
     assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
         URI.EVAL(), selfURI)
     assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
         DirectiveTest.sampleURI1, selfURI)
     assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
         URI.EMPTY(), selfURI)
     assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
         URI.INVALID(), selfURI)
     assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
         URI.INLINE(), selfURI)
     assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
         URI.EVAL(), selfURI)
     assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
         DirectiveTest.sampleURI1, selfURI)
     assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
         URI.EMPTY(), selfURI)
     assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
         URI.INVALID(), selfURI)
     assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
         URI.INLINE(), selfURI)
     assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
         URI.EVAL(), selfURI)
     assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
         DirectiveTest.sampleURI1, selfURI)
Example #8
0
 def test_InvalidSourceExpression_match(self):
     """The invalid source expression does not match anything."""
     srcExpr = SourceExpression.INVALID()
     selfURI = SourceExpressionTest.uri_chromeExtension
     assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_urlSubstring,
                                selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
     assert not srcExpr.matches(URI.INVALID(), selfURI)
     assert not srcExpr.matches(URI.EVAL(), selfURI)
     assert not srcExpr.matches(URI.INLINE(), selfURI)
Example #9
0
 def test_str(self):
     """Checks the string serialisation of a few URIs."""
     assert str(URI("data", "", None, None)) == "data:"
     assert str(URI("data", "image/png;base64,iVBORw0KGgoAAAA", None,
                    None)) == "data:image/png;base64,iVBORw0KGgoAAAA"
     assert str(URI("about", "blank", None, None)) == "about:blank"
     assert str(
         URI("http", "www.seclab.org", 80, "/file", "parameter=value")
     ) == "http://www.seclab.org:80/file?parameter=value"
     assert str(URI(None, "www.seclab.nu", None, None)) == "www.seclab.nu"
     assert str(URI.EMPTY()) == ""
     assert str(URI.INVALID()) == "[invalid]"
     assert str(URI.INLINE()) == "[inline]"
     assert str(URI.EVAL()) == "[eval]"
Example #10
0
 def test_URISourceExpression_match_star(self):
     "A source expression that should match everything (except for special URIs)."
     srcExpr = URISourceExpression(None, "*", None, None)
     selfURI = SourceExpressionTest.uri_chromeExtension
     assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension,
                            selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
                            selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
     assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
     assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
     assert not srcExpr.matches(URI.EMPTY(), selfURI)
     assert not srcExpr.matches(URI.INVALID(), selfURI)
     assert not srcExpr.matches(URI.INLINE(), selfURI)
     assert not srcExpr.matches(URI.EVAL(), selfURI)