def test_append_random_comment(self):
    """The ``append_random_comment`` view decorator must alter the HTML body.

    A trivial view is wrapped, rendered through a ``RequestFactory`` GET, and
    the result is checked for (a) no longer matching the original markup and
    (b) carrying an HTML comment delimiter pair, which is where the random
    padding lives.
    """
    markup = '''<html>
<head><title>Test</title></head>
<body><p>Test body.</p></body>
</html>'''

    @append_random_comment
    def decorated_view(request):
        return HttpResponse(markup)

    rendered = force_text(decorated_view(RequestFactory().get('/')).content)
    self.assertNotEqual(rendered, markup)
    self.assertIn('<!-- ', rendered)
    self.assertIn(' -->', rendered)
def test_unicode_characters(self):
    """Bodies containing a wide range of code points are still padded.

    The page embeds every code point below 9999 (NUL and other control
    characters included) and is passed through ``RandomCommentMiddleware``;
    the middleware must still append its comment rather than fail on the
    decode/re-encode of such content.
    """
    exotic_text = ''.join(chr(x) for x in range(9999))
    markup = '''<!doctype html>
<html>
<head>
<title>Page title</title>
</head>
<body>
<h1>Test</h1>
<p>{0}</p>
</body>
</html>'''.format(exotic_text)
    request = RequestFactory().get('/')
    original = HttpResponse(markup, content_type='text/html')
    padded = RandomCommentMiddleware().process_response(request, original)
    self.assertNotEqual(force_text(padded.content), force_text(markup))
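def _get_val():
    """Return the request's CSRF token scrambled under a fresh per-response key.

    The token is AES-encrypted with a random 16-character key and rendered as
    ``'<key>$<base64 ciphertext>'``; the receiving side (``CSRFCryptMiddleware``,
    not shown here) is expected to split on ``$`` and reverse this.  Because
    the key is shipped alongside the ciphertext this gives **no
    confidentiality** - it only makes the token's bytes differ on every
    response so a compression side-channel (BREACH) cannot recover it
    byte by byte.  ECB mode is tolerable solely because of that goal.

    Returns:
        The scrambled token as text, or the literal ``'NOTPROVIDED'`` when the
        request carries no CSRF token - a visible marker for misconfiguration
        rather than an empty value.
    """
    token = get_token(request)
    if token is None:
        # In order to be able to provide debugging info in the case of
        # misconfiguration, we use a sentinel value instead of returning an
        # empty dict.
        return 'NOTPROVIDED'

    # get_random_string draws from an alphanumeric alphabet, so 16 characters
    # carry roughly 95 bits of entropy, not a full 128.  Acceptable for a
    # one-shot obfuscation key that is sent in the clear anyway.
    key = force_bytes(get_random_string(16))
    # The mode is spelled out instead of relying on the library default:
    # legacy PyCrypto defaults to ECB, PyCryptodome rejects a missing mode,
    # and the decrypting side must agree on it.
    aes = AES.new(key, AES.MODE_ECB)
    # Pad to a whole number of 16-byte blocks with '#'; a token that is
    # already block-aligned gets no padding at all.  This is not PKCS#7, so
    # unambiguous stripping relies on tokens never ending in '#' (Django's
    # are alphanumeric - re-check if the token source ever changes).
    pad_length = 16 - (len(token) % 16 or 16)
    padding = '#' * pad_length
    value = base64.b64encode(aes.encrypt('{0}{1}'.format(token, padding)))
    token = '$'.join((force_text(key), force_text(value)))
    return force_text(token)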
def test_round_trip_loop(self):
    """Scramble-then-unscramble must recover the cookie token for many keys.

    Each iteration plants a fresh 32-character CSRF cookie on a GET request,
    renders the scrambled token through the ``csrf`` context processor,
    submits it as the ``csrfmiddlewaretoken`` POST field and checks that
    ``CSRFCryptMiddleware`` restores the exact cookie value.  1000 rounds
    exercise many random keys; note that every token is 32 characters, so
    only the block-aligned (zero padding) path is covered here.
    """
    factory = RequestFactory()
    for _attempt in range(1000):
        plain_token = get_random_string(32)
        get_request = factory.get('/')
        get_request.META['CSRF_COOKIE'] = plain_token
        scrambled = force_text(csrf(get_request)['csrf_token'])

        post_request = factory.post('/', {'csrfmiddlewaretoken': scrambled})
        CSRFCryptMiddleware().process_request(post_request)
        self.assertEqual(
            force_text(post_request.POST.get('csrfmiddlewaretoken')),
            force_text(plain_token),
        )
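def process_response(self, request, response):
    """Append an HTML comment of random length to non-streaming HTML responses.

    Varying the length of otherwise identical pages raises the cost of the
    BREACH compression side-channel.  This is a mitigation, not a fix: with
    enough requests an attacker can average the length noise away.

    The response is returned untouched when it is streaming, when its
    Content-Type is not HTML, when it has no body, or when a view opted out
    by setting ``_random_comment_exempt`` on the response.
    """
    if getattr(response, 'streaming', False):
        return response
    # Django normally emits 'text/html; charset=...', so an exact comparison
    # against 'text/html' silently skipped almost every page and the BREACH
    # mitigation never applied.  Match the media type prefix and tolerate a
    # missing header instead of raising KeyError on it.
    if not response.get('Content-Type', '').startswith('text/html'):
        return response
    # On Python 3 `response.content` is bytes, which `string_types` does not
    # cover; accept bytes explicitly or nothing is ever padded there.
    body = response.content
    if not body or not isinstance(body, string_types + (bytes,)):
        return response
    if getattr(response, '_random_comment_exempt', False):
        return response
    comment = '<!-- {0} -->'.format(
        get_random_string(random.choice(range(12, 25))))
    # NOTE(review): force_text decodes as UTF-8; a response declared with a
    # different charset would need decoding via response.charset instead.
    response.content = '{0}{1}'.format(force_text(body), comment)
    return response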
def test_round_trip_loop_header(self):
    """Scramble-then-unscramble must work for tokens sent in ``X-CSRFToken``.

    Same shape as the POST-field round trip, but the scrambled token travels
    in the ``X-CSRFToken`` header of an XMLHttpRequest-style POST and
    ``CSRFCryptMiddleware`` must rewrite ``request.META['HTTP_X_CSRFTOKEN']``
    back to the cookie value.  All tokens are 32 characters, so only the
    zero-padding path is exercised.
    """
    factory = RequestFactory()
    for _attempt in range(1000):
        plain_token = get_random_string(32)
        get_request = factory.get('/')
        get_request.META['CSRF_COOKIE'] = plain_token
        scrambled = csrf(get_request)['csrf_token']

        post_request = factory.post(
            '/',
            HTTP_X_CSRFTOKEN=force_text(scrambled),
            HTTP_X_REQUESTED_WITH='XMLHttpRequest',
        )
        CSRFCryptMiddleware().process_request(post_request)
        self.assertEqual(
            force_text(post_request.META.get('HTTP_X_CSRFTOKEN')),
            force_text(plain_token),
        )
def test_exemption(self):
    """Setting ``_random_comment_exempt`` on a response suppresses the comment.

    The middleware must hand back the body byte-for-byte when a view has
    opted out, e.g. for responses whose length must stay stable.
    """
    markup = '''<html>
<head><title>Test</title></head>
<body><p>Test body.</p></body>
</html>'''
    exempt_response = HttpResponse(markup)
    exempt_response._random_comment_exempt = True
    result = RandomCommentMiddleware().process_response(
        RequestFactory().get('/'), exempt_response)
    self.assertEqual(force_text(result.content), markup)
def process_response(self, request, response):
    """Append a random-length HTML comment to eligible HTML responses.

    The comment (12 to 24 random characters) changes the compressed size of
    otherwise identical pages and so raises the number of requests a BREACH
    attacker needs; it does not remove the length side-channel.  Only the
    comment's length is drawn from the non-cryptographic ``random`` module,
    the characters come from ``get_random_string``.

    A response is left alone if it is streaming (its ``content`` must not be
    touched), if its Content-Type does not start with ``text/html``, if the
    body is empty or not text/bytes, or if ``_random_comment_exempt`` is set.
    """
    if getattr(response, "streaming", False):
        return response
    if not response.get("Content-Type", "").startswith("text/html"):
        return response
    body = response.content
    text_like = string_types + (binary_type,)
    if not body or not isinstance(body, text_like):
        return response
    if getattr(response, "_random_comment_exempt", False):
        return response

    length = random.choice(range(12, 25))
    comment = "<!-- {0} -->".format(get_random_string(length))
    # NOTE(review): force_text decodes as UTF-8 regardless of response.charset.
    response.content = "{0}{1}".format(force_text(body), comment)
    return response
def test_crypt_csrf_token(self):
    """A scrambled token rendered into the form must be accepted on POST.

    Fetches the form, pulls the ``key$ciphertext`` value out of the hidden
    input with a regex, posts it back as ``csrfmiddlewaretoken`` and expects
    the redirect that a successful, CSRF-checked submission produces.
    """
    page = force_text(self.client.get(reverse('test_form')).content)
    match = re.search(
        r'value=\'(.*\$.*)\'',
        page,
        re.MULTILINE | re.DOTALL,
    )
    self.assertEqual(len(match.groups()), 1)
    scrambled = match.groups()[0].strip()

    submission = self.client.post(
        reverse('test_form'),
        {'csrfmiddlewaretoken': scrambled, 'message': 'Some rubbish'},
    )
    self.assertRedirects(submission, reverse('home'))
def test_csrf(self):
    """The context processor must expose a token that differs from the cookie.

    With a known cookie value in place, ``csrf()`` has to yield a non-empty
    ``csrf_token`` that is not the raw cookie - i.e. the scrambling actually
    happened.
    """
    request = RequestFactory().get('/')
    request.META['CSRF_COOKIE'] = 'abc123'
    rendered = force_text(csrf(request)['csrf_token'])
    self.assertTrue(rendered)
    self.assertNotEqual(rendered, 'abc123')
def test_no_token_csrf(self):
    """Without a CSRF cookie the processor yields the ``'NOTPROVIDED'`` sentinel.

    The sentinel is deliberately non-empty so a misconfigured deployment
    shows a recognisable marker in its forms instead of a blank value.
    """
    rendered = force_text(csrf(RequestFactory().get('/'))['csrf_token'])
    self.assertTrue(rendered)
    self.assertEqual(rendered, 'NOTPROVIDED')