def test_INP12(self):
    """INP12 must apply to a Process and a Lambda that neither check input bounds nor validate input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    # Turn off both input controls on each element, Process first.
    for element in (proc, func):
        element.checksInputBounds = False
        element.validatesInput = False

    rule = threats["INP12"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_DE02(self):
    """DE02 must apply to a Server and a Process with input validation and sanitisation disabled."""
    server = Server("Web Server")
    proc = Process("Process1")
    for element in (server, proc):
        element.validatesInput = False
        element.sanitizesInput = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "DE02")
    rule = Threat(definition)
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(proc))
def test_INP26(self):
    """INP26 must apply to a Process and a Lambda with input validation and sanitisation disabled."""
    proc = Process("Process")
    func = Lambda("lambda")
    for element in (proc, func):
        element.validatesInput = False
        element.sanitizesInput = False

    rule = threats["INP26"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_DE02(self):
    """DE02 must apply to a Server and a Process with input validation and sanitisation disabled."""
    server = Server("Web Server")
    proc = Process("Process1")
    for element in (server, proc):
        element.validatesInput = False
        element.sanitizesInput = False

    rule = threats["DE02"]
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(proc))
def test_API02(self):
    """API02 must apply to a Process and a Lambda that implement an API without validating input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    for element in (proc, func):
        element.implementsAPI = True
        element.validatesInput = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "API02")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_API02(self):
    """API02 must apply to a Process and a Lambda that implement an API without validating input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    for element in (proc, func):
        element.implementsAPI = True
        element.validatesInput = False

    rule = threats["API02"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_INP24(self):
    """INP24 must apply to a Process and a Lambda whose controls neither check input bounds nor validate input."""
    proc = Process("Process")
    func = Lambda("lambda")
    # The flags are set on each element's ``controls`` object.
    for element in (proc, func):
        element.controls.checksInputBounds = False
        element.controls.validatesInput = False

    rule = threats["INP24"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_AC05(self):
    """AC05 must apply to a Process and a Server that neither provide integrity nor authorise the source."""
    proc = Process("Process1")
    server = Server("Web Server")
    for element in (proc, server):
        element.providesIntegrity = False
        element.authorizesSource = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "AC05")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
def test_INP12(self):
    """INP12 must apply to a Process and a Lambda that neither check input bounds nor validate input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    for element in (proc, func):
        element.checksInputBounds = False
        element.validatesInput = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "INP12")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_DO01(self):
    """DO01 must apply to a Process and a Server that neither handle resource consumption nor are resilient."""
    proc = Process("Process1")
    server = Server("Web Server")
    for element in (proc, server):
        element.handlesResourceConsumption = False
        element.isResilient = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "DO01")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
def test_AC05(self):
    """AC05 must apply to a Process and a Server that neither provide integrity nor authorise the source."""
    proc = Process("Process1")
    server = Server("Web Server")
    for element in (proc, server):
        element.providesIntegrity = False
        element.authorizesSource = False

    rule = threats["AC05"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
def test_INP14(self):
    """INP14 must apply to a Process, a Lambda and a Server that do not validate input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    server = Server("Web Server")
    for element in (proc, func, server):
        element.validatesInput = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "INP14")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(server))
def test_INP14(self):
    """INP14 must apply to a Process, a Lambda and a Server that do not validate input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    server = Server("Web Server")
    for element in (proc, func, server):
        element.validatesInput = False

    rule = threats["INP14"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(server))
def test_INP26(self):
    """INP26 must apply to a Process and a Lambda with input validation and sanitisation disabled."""
    proc = Process("Process")
    func = Lambda("lambda")
    for element in (proc, func):
        element.validatesInput = False
        element.sanitizesInput = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "INP26")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_INP01(self):
    """INP01 must apply to a Lambda and a Process that use environment variables without sanitising or bounds-checking input."""
    func = Lambda('mylambda')
    proc = Process('myprocess')
    # Lambda is configured first, matching the order of the assertions below.
    for element in (func, proc):
        element.usesEnvironmentVariables = True
        element.sanitizesInput = False
        element.checksInputBounds = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "INP01")
    rule = Threat(definition)
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(proc))
def test_INP01(self):
    """INP01 must apply to a Lambda and a Process that use environment variables without sanitising or bounds-checking input."""
    func = Lambda("mylambda")
    proc = Process("myprocess")
    # Lambda is configured first, matching the order of the assertions below.
    for element in (func, proc):
        element.usesEnvironmentVariables = True
        element.sanitizesInput = False
        element.checksInputBounds = False

    rule = threats["INP01"]
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(proc))
def test_INP29(self):
    """INP29 must apply to a Server and a Process that neither validate nor sanitise input nor encode output."""
    server = Server("Web Server")
    proc = Process("Process")
    for element in (server, proc):
        element.validatesInput = False
        element.sanitizesInput = False
        element.encodesOutput = False

    rule = threats["INP29"]
    # The Process is checked before the Server, the reverse of the setup order.
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
def test_LB01(self):
    """LB01 must apply to a Process and a Lambda that implement an API while their controls neither validate nor sanitise input."""
    # Each element is created and fully configured before the next one is created.
    proc = Process("Process1")
    proc.implementsAPI = True
    proc.controls.validatesInput = False
    proc.controls.sanitizesInput = False

    func = Lambda("Lambda1")
    func.implementsAPI = True
    func.controls.validatesInput = False
    func.controls.sanitizesInput = False

    rule = threats["LB01"]
    for element in (proc, func):
        self.assertTrue(rule.apply(element))
def test_DO02(self):
    """DO02 must apply to a Process, Lambda, Server and Datastore that do not handle resource consumption."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    server = Server("Web Server")
    store = Datastore("DB")
    for element in (proc, func, server, store):
        element.handlesResourceConsumption = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "DO02")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(store))
def test_AC03(self):
    """AC03 must apply to a Process and a Lambda that use environment variables with authentication, input validation and source authorisation all disabled."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    for element in (proc, func):
        element.usesEnvironmentVariables = True
        element.implementsAuthenticationScheme = False
        element.validatesInput = False
        element.authorizesSource = False

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "AC03")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_INP08(self):
    """INP08 must apply to a Process, a Lambda and a Server whose controls neither validate nor sanitise input."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    server = Server("Web Server")
    # The flags are set on each element's ``controls`` object.
    for element in (proc, func, server):
        element.controls.validatesInput = False
        element.controls.sanitizesInput = False

    rule = threats["INP08"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(server))
def test_AC01(self):
    """AC01 must apply to a Server, a Process and a Datastore that have no access control."""
    server = Server("Web Server")
    proc = Process("Process1")
    store = Datastore("DB")
    # NOTE(review): the Server keeps authorizesSource = True while the other two
    # turn it off, yet the threat is asserted on all three. Presumably this
    # pins that missing access control alone is enough to match; confirm intent.
    for element, authorizes in ((server, True), (proc, False), (store, False)):
        element.hasAccessControl = False
        element.authorizesSource = authorizes

    # Build the threat straight from its JSON definition, looked up by SID.
    definition = next(item for item in threats_json if item["SID"] == "AC01")
    rule = Threat(definition)
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(store))
def test_DO02(self):
    """DO02 must apply to a Process, Lambda, Server and Datastore that do not handle resource consumption."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    server = Server("Web Server")
    store = Datastore("DB")
    for element in (proc, func, server, store):
        element.handlesResourceConsumption = False

    rule = threats["DO02"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(store))
def test_AC03(self):
    """AC03 must apply to a Process and a Lambda that use environment variables with authentication, input validation and source authorisation all disabled."""
    proc = Process("Process1")
    func = Lambda("Lambda1")
    for element in (proc, func):
        element.usesEnvironmentVariables = True
        element.implementsAuthenticationScheme = False
        element.validatesInput = False
        element.authorizesSource = False

    rule = threats["AC03"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(func))
def test_AC01(self):
    """AC01 must apply to a Server, a Process and a Datastore that have no access control."""
    server = Server("Web Server")
    proc = Process("Process1")
    store = Datastore("DB")
    # NOTE(review): the Server keeps authorizesSource = True while the other two
    # turn it off, yet the threat is asserted on all three. Presumably this
    # pins that missing access control alone is enough to match; confirm intent.
    for element, authorizes in ((server, True), (proc, False), (store, False)):
        element.hasAccessControl = False
        element.authorizesSource = authorizes

    rule = threats["AC01"]
    self.assertTrue(rule.apply(proc))
    self.assertTrue(rule.apply(server))
    self.assertTrue(rule.apply(store))
def test_json_dumps(self):
    """Serialise a sample threat model to JSON and compare it with the stored ``output.json``.

    The model has two boundaries, an actor, a server, a lambda, a process
    and a datastore, joined by six dataflows. The serialised text is also
    written to ``output_current.json`` next to this file before the
    comparison, so a failing run leaves the actual output on disk.
    """
    # Fixed seed; presumably keeps any randomly generated values in the
    # serialised model stable between runs (confirm against the library).
    random.seed(0)

    here = os.path.dirname(os.path.realpath(__file__))
    with open(os.path.join(here, "output.json")) as fixture:
        expected = fixture.read().strip()

    TM.reset()
    # NOTE(review): threatsFile is a relative path, so it presumably resolves
    # against the working directory rather than this file's directory; confirm.
    tm = TM(
        "my test tm",
        description="aaa",
        threatsFile="pytm/threatlib/threats.json",
    )
    tm.isOrdered = True

    # Elements are created in a fixed order and must stay that way: the
    # comparison below is against an exact text fixture.
    internet = Boundary("Internet")
    server_db = Boundary("Server/DB")
    user = Actor("User", inBoundary=internet)
    web = Server("Web Server")
    func = Lambda("Lambda func")
    worker = Process("Task queue worker")
    db = Datastore("SQL Database", inBoundary=server_db)

    cookie = Data(
        name="auth cookie",
        description="auth cookie description",
        classification=Classification.PUBLIC,
    )

    # The flows are created for their effect on the model; the objects are not kept.
    Dataflow(user, web, "User enters comments (*)", note="bbb", data=cookie)
    Dataflow(web, db, "Insert query with comments", note="ccc")
    Dataflow(web, func, "Call func")
    Dataflow(db, web, "Retrieve comments")
    Dataflow(web, user, "Show comments (*)")
    Dataflow(worker, db, "Query for tasks")

    self.assertTrue(tm.check())

    output = json.dumps(tm, default=to_serializable, sort_keys=True, indent=4)
    current_path = os.path.join(here, "output_current.json")
    with open(current_path, "w") as current:
        current.write(output)

    # Lift unittest's diff size limit so a mismatch is reported in full.
    self.maxDiff = None
    self.assertEqual(output, expected)
def test_INP20(self):
    """INP20 must apply to a Process that does not disable iframes."""
    proc = Process("process")
    proc.disablesiFrames = False

    rule = threats["INP20"]
    matched = rule.apply(proc)
    self.assertTrue(matched)
def test_INP07(self):
    """INP07 must apply to a Process that does not use secure functions."""
    proc = Process("Process1")
    proc.usesSecureFunctions = False

    rule = threats["INP07"]
    matched = rule.apply(proc)
    self.assertTrue(matched)
def test_SC01(self):
    """SC01 must apply to a Process that implements no nonce and whose data is "JSON"."""
    proc = Process("Process1")
    proc.implementsNonce = False
    proc.data = "JSON"

    rule = threats["SC01"]
    matched = rule.apply(proc)
    self.assertTrue(matched)
def test_INP02(self):
    """INP02 must apply to a Process that does not check input bounds."""
    proc = Process("myprocess")
    proc.checksInputBounds = False

    rule = threats["INP02"]
    matched = rule.apply(proc)
    self.assertTrue(matched)