def test_add_exception(self): ESAPI.intrusion_detector().add_exception( RuntimeError('message') ) ESAPI.intrusion_detector().add_exception( ValidationException("user message", "log message") ) ESAPI.intrusion_detector().add_exception( IntrusionException("user message", "log message") ) username = "******" password = "******" auth = ESAPI.authenticator() user = auth.create_user(username, password, password) user.enable() request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) user.login_with_password(password) # Generate some exceptions to disable the account for i in range(15): IntegrityException( "IntegrityException %s" % i, "IntegrityException %s" % i ) self.assertFalse(user.is_logged_in()) self.assertTrue(user.is_locked())
def test_get_user_from_token(self): instance = ESAPI.authenticator() instance.logout() account_name = "testUserFromToken" password = instance.generate_strong_password() user = instance.create_user(account_name, password, password) user.enable() ### request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) m = Morsel() m.key = HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME m.value = "ridiculous" request.cookies[m.key] = m # Wrong cookie should fail self.assertRaises(AuthenticationException, instance.login, request, response) user.logout() ### request = MockHttpRequest() response = MockHttpResponse() ESAPI.authenticator().current_user = user new_token = ESAPI.http_utilities().set_remember_token( password, 10000, "test.com", request.path, request, response ) request.set_cookie( key=HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, value=new_token ) ESAPI.http_utilities().set_current_http(request, response) # Logout the current user so we can log them in with the remember cookie user2 = instance.login(request, response) self.assertEquals(user, user2)
def test_add_exception(self): ESAPI.intrusion_detector().add_exception(RuntimeError('message')) ESAPI.intrusion_detector().add_exception( ValidationException("user message", "log message")) ESAPI.intrusion_detector().add_exception( IntrusionException("user message", "log message")) username = "******" password = "******" auth = ESAPI.authenticator() user = auth.create_user(username, password, password) user.enable() request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) user.login_with_password(password) # Generate some exceptions to disable the account for i in range(15): IntegrityException("IntegrityException %s" % i, "IntegrityException %s" % i) self.assertFalse(user.is_logged_in()) self.assertTrue(user.is_locked())
def login_with_password(self, password): if password is None: self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Missing password: %(account_name)s") % {'account_name': self.account_name}) # Don't let disabled users log in if not self.is_enabled(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Disabled user attempt to login: %(account_name)s") % {'account_name': self.account_name}) # Don't let locked users log in if self.is_locked(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Locked user attempt to login: %(account_name)s") % {'account_name': self.account_name}) # Don't let expired users log in if self.is_expired(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Expired user attempt to login: %(account_name)s") % {'account_name': self.account_name}) self.logout() if self.verify_password(password): self._logged_in = True ESAPI.http_utilities().change_session_identifier( ESAPI.current_request()) ESAPI.authenticator().current_user = self self.last_login_time = datetime.now() self.last_host_address = ESAPI.http_utilities( ).get_current_request().remote_host self.logger.trace( Logger.SECURITY_SUCCESS, _("User logged in: %(account_name)s") % {'account_name': self.account_name}) else: self._logged_in = False self.last_failed_login_time = datetime.now() self.increment_failed_login_count() if self.get_failed_login_count() >= ESAPI.security_configuration( ).get_allowed_login_attempts(): self.lock() raise AuthenticationLoginException( _("Login failed"), _("Incorrect password provided for %(account_name)s") % {'account_name': self.account_name})
def test_add_csrf_token(self): instance = ESAPI.authenticator() username = "******" password = '******' user = instance.create_user(username, password, password) instance.current_user = user csrf1 = ESAPI.http_utilities().add_csrf_token('/test1') self.assertTrue(csrf1.find('?') > -1) csrf2 = ESAPI.http_utilities().add_csrf_token('test1?one=two') self.assertTrue(csrf2.find('?') > -1)
def test_save_too_long_state_in_cookie(self): request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) foo = "abcd" * 1000 data = {'long': foo} try: ESAPI.http_utilities().encrypt_state_in_cookie(response, data) self.fail() except: pass
def login_with_password(self, password): if password is None: self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Missing password: %(account_name)s") % {'account_name' : self.account_name}) # Don't let disabled users log in if not self.is_enabled(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Disabled user attempt to login: %(account_name)s") % {'account_name' : self.account_name}) # Don't let locked users log in if self.is_locked(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Locked user attempt to login: %(account_name)s") % {'account_name' : self.account_name}) # Don't let expired users log in if self.is_expired(): self.last_failed_login_time = datetime.now() self.increment_failed_login_count() raise AuthenticationLoginException( _("Login failed"), _("Expired user attempt to login: %(account_name)s") % {'account_name' : self.account_name}) self.logout() if self.verify_password( password ): self._logged_in = True ESAPI.http_utilities().change_session_identifier( ESAPI.current_request() ) ESAPI.authenticator().current_user = self self.last_login_time = datetime.now() self.last_host_address = ESAPI.http_utilities().get_current_request().remote_host self.logger.trace(Logger.SECURITY_SUCCESS, _("User logged in: %(account_name)s") % {'account_name' : self.account_name}) else: self._logged_in = False self.last_failed_login_time = datetime.now() self.increment_failed_login_count() if self.get_failed_login_count() >= ESAPI.security_configuration().get_allowed_login_attempts(): self.lock() raise AuthenticationLoginException( _("Login failed"), _("Incorrect password provided for %(account_name)s") % {'account_name' : self.account_name})
def test_set_no_cache_headers(self): request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) self.assertEquals(0, len(response.headers)) response.headers["test1"] = "1" response.headers["test2"] = "2" response.headers["test3"] = "3" self.assertEquals(3, len(response.headers)) ESAPI.http_utilities().set_no_cache_headers( response ) self.assertTrue(response.headers.has_key('Cache-Control')) self.assertTrue(response.headers.has_key('Expires'))
def test_state_from_encrypted_cookie(self): request = MockHttpRequest() response = MockHttpResponse() empty = ESAPI.http_utilities().decrypt_state_from_cookie(request) self.assertEquals({}, empty) m = {'one' : 'aspect', 'two' : 'ridiculous', 'test_hard' : "&(@#*!^|;,." } ESAPI.http_utilities().encrypt_state_in_cookie(m, response) value = response.headers['Set-Cookie'] encrypted = value[value.find('=')+1:value.find(';')] ESAPI.encryptor().decrypt(encrypted)
def test_change_session_identifier(self): request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) session = request.session session['one'] = 'one' session['two'] = 'two' session['three'] = 'three' id1 = request.session.id session = ESAPI.http_utilities().change_session_identifier(request) id2 = request.session.id self.assertFalse(id1 == id2) self.assertEquals("one", session['one'])
def test_set_remember_token(self): instance = ESAPI.authenticator() account_name = "joestheplumber" password = instance.generate_strong_password() user = instance.create_user(account_name, password, password) user.enable() request = MockHttpRequest() request.POST['username'] = account_name request.POST['password'] = password response = MockHttpResponse() instance.login(request, response) max_age = 60 * 60 * 24 * 14 ESAPI.http_utilities().set_remember_token( password, max_age, "domain", '/', request, response )
def is_session_absolute_timeout(self): session = ESAPI.http_utilities().current_request.session if session is None: return True deadline = session.creation_time + self.ABSOLUTE_TIMEOUT_LENGTH return datetime.now() > deadline
def is_session_timeout(self): session = ESAPI.http_utilities().current_request.session if session is None: return True deadline = session.last_accessed_time + self.IDLE_TIMEOUT_LENGTH return datetime.now() > deadline
def test_add_header(self): instance = ESAPI.http_utilities() request = MockHttpRequest() response = MockHttpResponse() instance.set_current_http(request, response) instance.add_header('HeaderName', 'HeaderValue')
def test_query_to_dict(self): instance = ESAPI.http_utilities() query = '?a=1&b=2&c=3' testing = instance.query_to_dict(query) correct = {'a' : '1', 'b' : '2', 'c' : '3'} self.assertEquals(testing, correct)
def log(self, level, event_type, message, exception=None): """ Log the message after optionally encoding any special characters that might be dangerous when viewed by an HTML based log viewer. Also encode any carriage returns and line feeds to prevent log injection attacks. This logs all the supplied parameters plus the user ID, user's source IP, a logging specific session ID, and the current date/time. It will only log the message if the current logging level is enabled, otherwise it will discard the message. @param level: the severity level of the security event @param event_type: the event_type of the event (SECURITY, FUNCTIONALITY, etc.) @param message: the message @param exception: an exception """ # Before we waste all kinds of time preparing this event for the # log, let check to see if its loggable if not self.pyLogger.isEnabledFor(level): return user = ESAPI.authenticator().current_user # create a random session number for the user to represent the # user's 'session', if it doesn't exist already sid = _("unknown") request = ESAPI.http_utilities().current_request if request is not None: session = request.session if session is not None: sid = session.get('ESAPI_SESSION', None) # if there is no session id for the user yet, create one # and store it in the user's session if sid is None: sid = str(ESAPI.randomizer().get_random_integer(0, 1000000)) session['ESAPI_SESSION'] = sid # ensure there's something to log if message is None: message = "" # ensure no CRLF injection into logs for forging records clean = message.replace('\n', '_').replace('\r', '_') if ESAPI.security_configuration().get_log_encoding_required(): clean = ESAPI.encoder().encode_for_html(message) if message != clean: clean += " (Encoded)" extra = { 'eventType' : str(event_type), 'eventSuccess' : [_("SUCCESS"),_("FAILURE")][event_type.is_success()], 'user' : user.account_name, 'hostname' : user.last_host_address, 'sessionID' : sid, } self.pyLogger.log(level, clean, extra=extra)
def test_csrf_token(self): username = "******" password = "******" user = ESAPI.authenticator().create_user(username, password, password) ESAPI.authenticator().current_user = user token = ESAPI.http_utilities().get_csrf_token() self.assertEquals(8, len(token)) request = MockHttpRequest() try: ESAPI.http_utilities().verify_csrf_token(request) self.fail() except: # expected pass request.GET[HTTPUtilities.CSRF_TOKEN_NAME] = token ESAPI.http_utilities().verify_csrf_token(request)
def test_add_event(self): username = "******" password = "******" auth = ESAPI.authenticator() user = auth.create_user(username, password, password) user.enable() request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) user.login_with_password(password) # Generate some events to disable the account for i in range(15): ESAPI.intrusion_detector().add_event("test", "test message") self.assertTrue(user.is_locked())
def test_get_user_from_session(self): instance = ESAPI.authenticator() instance.logout() account_name = "sessionTester" password = instance.generate_strong_password() user = instance.create_user( account_name, password, password ) user.enable() request = MockHttpRequest() request.POST['username'] = account_name request.POST['password'] = password response = MockHttpResponse() ESAPI.http_utilities().set_current_http( request, response ) instance.login( request, response ) current_user = instance.get_user_from_session() self.assertEquals(user, current_user)
def test_current_user(self): instance = ESAPI.authenticator() instance.logout() user1_name = "currentUser1" user2_name = "currentUser2" password = "******" user1 = instance.create_user(user1_name, password, password) user1.enable() request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) user1.login_with_password(password) current_user = instance.current_user self.assertEquals(user1, current_user) user2 = instance.create_user(user2_name, password, password) instance.current_user = user2 self.assertFalse( current_user.account_name == user2.account_name )
def test_kill_cookie(self): request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) self.assertTrue(len(response.cookies) == 0) new_cookies = {} m = Morsel() m.key = 'test1' m.value = '1' new_cookies[m.key] = m m = Morsel() m.key = 'test2' m.value = '2' new_cookies[m.key] = m request.cookies = new_cookies ESAPI.http_utilities().kill_cookie( "test1", request, response ) self.assertTrue(len(response.cookies) == 1)
def test_assert_secure_request(self): request = MockHttpRequest() bad = ['http://example.com', 'ftp://example.com', '', None,] good = ['https://example.com'] for bad_url in bad: try: request.url = bad_url ESAPI.http_utilities().assert_secure_request(request) self.fail() except: pass for good_url in good: try: request.url = good_url ESAPI.http_utilities().assert_secure_request(request) except: self.fail()
def test_add_cookie(self): instance = ESAPI.http_utilities() response = MockHttpResponse() request = MockHttpRequest() instance.set_current_http(request, response) self.assertEquals(0, len(response.cookies)) # add_cookie(key, value='', max_age=None, path='/', domain=None, # secure=None, httponly=False, version=None, comment=None, expires=None) instance.add_cookie(response, key='test1', value='test1') self.assertEquals(1, len(response.cookies)) instance.add_cookie(key='test2', value='test2') self.assertEquals(2, len(response.cookies)) # illegal name instance.add_cookie(response, key='tes<t3', value='test3') self.assertEquals(2, len(response.cookies)) # illegal value instance.add_cookie(response, key='test3', value='tes<t3') self.assertEquals(2, len(response.cookies))
def setUp(self): request = MockHttpRequest() response = MockHttpResponse() ESAPI.http_utilities().set_current_http(request, response) ESAPI.authenticator().logout() ESAPI.authenticator().clear_all_data()
def log(self, level, event_type, message, exception=None): """ Log the message after optionally encoding any special characters that might be dangerous when viewed by an HTML based log viewer. Also encode any carriage returns and line feeds to prevent log injection attacks. This logs all the supplied parameters plus the user ID, user's source IP, a logging specific session ID, and the current date/time. It will only log the message if the current logging level is enabled, otherwise it will discard the message. @param level: the severity level of the security event @param event_type: the event_type of the event (SECURITY, FUNCTIONALITY, etc.) @param message: the message @param exception: an exception """ # Before we waste all kinds of time preparing this event for the # log, let check to see if its loggable if not self.pyLogger.isEnabledFor(level): return user = ESAPI.authenticator().current_user # create a random session number for the user to represent the # user's 'session', if it doesn't exist already sid = _("unknown") request = ESAPI.http_utilities().current_request if request is not None: session = request.session if session is not None: sid = session.get('ESAPI_SESSION', None) # if there is no session id for the user yet, create one # and store it in the user's session if sid is None: sid = str(ESAPI.randomizer().get_random_integer( 0, 1000000)) session['ESAPI_SESSION'] = sid # ensure there's something to log if message is None: message = "" # ensure no CRLF injection into logs for forging records clean = message.replace('\n', '_').replace('\r', '_') if ESAPI.security_configuration().get_log_encoding_required(): clean = ESAPI.encoder().encode_for_html(message) if message != clean: clean += " (Encoded)" extra = { 'eventType': str(event_type), 'eventSuccess': [_("SUCCESS"), _("FAILURE")][event_type.is_success()], 'user': user.account_name, 'hostname': user.last_host_address, 'sessionID': sid, } self.pyLogger.log(level, clean, extra=extra)