def testDirective_eq(self): srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None) srcExpr2 = URISourceExpression("https", "seclab.nu", 443, "/") directive1a = Directive("object-src", [srcExpr1, srcExpr2]) directive1b = Directive("object-src", [srcExpr2, srcExpr1]) directive2 = Directive("frame-src", [srcExpr1, srcExpr2]) directive3 = Directive("object-src", [srcExpr2]) directive4a = Directive("script-src", (SourceExpression.UNSAFE_INLINE(), )) directive4b = Directive("script-src", (SourceExpression("unsafe-inline"), )) assert directive1a == directive1b assert hash(directive1a) == hash(directive1b) assert directive1a != directive2 assert directive1a != directive3 assert directive2 != directive3 assert directive4a == directive4b assert hash(directive4a) == hash(directive4b) assert Directive.INVALID() == Directive.INVALID() assert Directive.INVALID() not in (directive1a, directive1b, directive2, directive3) assert Directive.INLINE_STYLE_BASE_RESTRICTION() not in (directive1a, directive1b, directive2, directive3)
def testDirective_asBasicDirectives_single(self): assert Directive.INVALID().asBasicDirectives() == set([]) assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives() == set([]) assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives() == set([]) assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives() == set([]) sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b]) assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_withoutPaths_removeDuplicates(self): withPaths = Directive( "script-src", [DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3]) withoutPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2.removePath()]) assert withPaths.withoutPaths() == withoutPaths
class PolicyDataReaderTest(unittest.TestCase): samplePolicy = Policy([ Directive("default-src", ()), Directive("style-src", [SourceExpression.UNSAFE_INLINE()]), Directive("img-src", [URISourceExpression(None, "seclab.nu", "*", None)]) ]) @pytest.fixture(autouse=True) def initdir(self, tmpdir): tmpdir.chdir() def setUp(self): self.fileIn = PolicyDataReader(True) self.filename = "policystorage.dat" self.fileOut = DataWriter(self.filename) def testReportCreation(self): """Writes a LogEntry and loads it back as an object.""" self.fileOut.storeAll([PolicyDataReaderTest.samplePolicy]) self.fileOut.close() dataOut = self.fileIn.loadAll(self.filename) assert len(dataOut) == 1 assert PolicyDataReaderTest.samplePolicy in dataOut
def testDirectiveParser_parse_empty(self): assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID() assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID() assert DirectiveParser( strict=True).parse("img-src ") == Directive.INVALID() assert DirectiveParser( strict=False).parse("img-src ") == Directive.INVALID()
def testDirective_withoutPaths_schemeOnly(self): chromeExt = Directive("img-src", [ URISourceExpression("chrome-extension", "mkfokfffehpeedafpekjeddnmnjhmcmk", None, None) ]) assert chromeExt.withoutPaths(["chrome-extension"]) == Directive( "img-src", [URISourceExpression("chrome-extension", None, None, None)])
def testDirective_getType(self): assert Directive("default-src", []).getType() == "default-src" assert Directive.INLINE_STYLE_BASE_RESTRICTION().getType( ) == "style-src" assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().getType( ) == "script-src" assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().getType( ) == "script-src"
def testPolicy_init_removeNotRegularDirective(self): pol = Policy([ PolicyTest.sampleDirective1a, Directive.INVALID(), Directive.EVAL_SCRIPT_BASE_RESTRICTION() ]) expected = Policy([PolicyTest.sampleDirective1a]) assert pol == expected
def testDirective_init_removeDoubleExpressions(self): srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None) srcExpr2 = URISourceExpression("http", "seclab.nu", "*", None) directive = Directive("style-src", [srcExpr1, srcExpr2]) whitelisted = directive.getWhitelistedSourceExpressions() assert whitelisted == set([srcExpr1]) # duplicate source expressions should be removed assert whitelisted == set([srcExpr2]) # sets should be equal assert directive == Directive("style-src", [srcExpr1]) assert directive == Directive("style-src", [srcExpr2])
def testPolicy_compareTo_recursive(self): pol1 = Policy([PolicyTest.sampleDirective6]) pol2 = Policy( [Directive("style-src", [SourceExpression.UNSAFE_INLINE()])]) assert pol1.compareTo(pol2) == ( set([pol2]), set([ Policy([Directive("style-src", [SelfSourceExpression.SELF()])]) ]), set([]))
def testDirective_isRegularDirective(self): assert Directive.INVALID().isRegularDirective() == False assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive.INLINE_STYLE_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive("default-src", []).isRegularDirective() == True
def testDirective_asBasicDirectives_multiple(self): sampleDirective = Directive("script-src", [SelfSourceExpression.SELF(), DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3]) assert sampleDirective.asBasicDirectives() == set([Directive("script-src", [SelfSourceExpression.SELF()]), Directive("script-src", [DirectiveTest.sampleSrcExpr1a]), Directive("script-src", [DirectiveTest.sampleSrcExpr2]), Directive("script-src", [DirectiveTest.sampleSrcExpr3])])
def testDirective_generateDirective_regular(self): violated = Directive( "object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) generated = violated.generateDirective("regular", DirectiveTest.sampleURI2) assert generated == Directive( "object-src", [URISourceExpression("http", "seclab.ccs.neu.edu", 80, "/path")])
def testDirective_withoutPaths(self): withPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2, SelfSourceExpression.SELF()]) withoutPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2.removePath(), SelfSourceExpression.SELF()]) assert withPaths.withoutPaths() == withoutPaths assert withoutPaths.withoutPaths() == withoutPaths assert Directive.INVALID().withoutPaths() == Directive.INVALID() assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().withoutPaths() == Directive.EVAL_SCRIPT_BASE_RESTRICTION() assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().withoutPaths() == Directive.INLINE_SCRIPT_BASE_RESTRICTION() assert Directive.INLINE_STYLE_BASE_RESTRICTION().withoutPaths() == Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirective_init_removeDoubleExpressions(self): srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None) srcExpr2 = URISourceExpression("http", "seclab.nu", "*", None) directive = Directive("style-src", [srcExpr1, srcExpr2]) whitelisted = directive.getWhitelistedSourceExpressions() assert whitelisted == set( [srcExpr1]) # duplicate source expressions should be removed assert whitelisted == set([srcExpr2]) # sets should be equal assert directive == Directive("style-src", [srcExpr1]) assert directive == Directive("style-src", [srcExpr2])
def testDirective_isBasicDirective(self): assert Directive.INVALID().isBasicDirective() == False assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isBasicDirective( ) == False assert Directive("default-src", ()).isBasicDirective() == True assert Directive( "script-src", [DirectiveTest.sampleSrcExpr2]).isBasicDirective() == True assert Directive( "object-src", [DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3 ]).isBasicDirective() == False
def testDirectiveParser_parse_standard(self): assert DirectiveParser(strict=True).parse("default-src https: 'unsafe-inline' 'unsafe-eval'") \ == Directive("default-src", [URISourceExpression("https", None, None, None), SourceExpression.UNSAFE_INLINE(), SourceExpression.UNSAFE_EVAL()]) assert DirectiveParser(strict=True).parse("default-src 'self'") \ == Directive("default-src", [SelfSourceExpression.SELF()]) assert DirectiveParser(strict=True).parse("img-src *") \ == Directive("img-src", [URISourceExpression(None, "*", None, None)]) assert DirectiveParser(strict=True).parse("object-src media1.example.com media2.example.com *.cdn.example.com") \ == Directive("object-src", [URISourceExpression(None, "media1.example.com", None, None), URISourceExpression(None, "media2.example.com", None, None), URISourceExpression(None, "*.cdn.example.com", None, None)])
def testDirective_combine_regular(self): direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a]) direct2 = Directive("default-src", [DirectiveTest.sampleSrcExpr2]) expected = Directive( "default-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) assert direct1.combinedDirective(direct2) == expected assert direct2.combinedDirective(direct1) == expected assert direct1.combinedDirective(direct1) == direct1 assert direct2.combinedDirective(direct2) == direct2
def testDirective_generateDirective_incompatibleType(self): violatedWrongInlineType = Directive("object-src", []) violatedWrongEvalType = Directive("style-src", []) assert violatedWrongInlineType.generateDirective( "inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedWrongEvalType.generateDirective( "eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_matches(self): """A few standard tests.""" directive1 = Directive( "object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) directive2 = Directive("frame-src", [DirectiveTest.sampleSrcExpr2]) directive3 = Directive("default-src", []) selfURI = DirectiveTest.sampleURI2 assert directive1.matches(DirectiveTest.sampleURI1, selfURI) assert not directive1.matches(DirectiveTest.sampleURI2, selfURI) assert not directive2.matches(DirectiveTest.sampleURI1, selfURI) assert not directive2.matches(DirectiveTest.sampleURI2, selfURI) assert not directive3.matches(DirectiveTest.sampleURI1, selfURI) assert not directive3.matches(DirectiveTest.sampleURI2, selfURI)
def testDirectiveParser_parse_translate(self): """The old directive type 'xhr-src' is correctly rewritten to 'connect-src'.""" translateDirective = "xhr-src http://localhost" cspTranslateDirective = DirectiveParser().parse(translateDirective) assert cspTranslateDirective == Directive( "connect-src", (URISourceExpression("http", "localhost", None, None), ))
def testReportParser_parse_unicode(self): """The JSON deserialiser returns strings as unicode objects. Check that they are correctly parsed in URIs.""" fullReport = """{"remote-addr": "XXX", "policy-type": "regular", "http-user-agent":""" \ + """ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0",""" \ + """ "timestamp-utc": "2014-03-01 12:13:14.156789", "csp-report": {"violated-directive":""" \ + """ "img-src 'none'", "referrer": "http://handbook5.com/a/a-security-analysis-of-amazon%E2%80%99s-elastic-compute-cloud-service-w14847.html",""" \ + """ "blocked-uri": "http://www.iseclab.org/images/anr.png", "document-uri":""" \ + """ "http://www.iseclab.org/?p"}, "header-type": "standard"}""" expected = Report({ "violated-directive": Directive("img-src", ()), "referrer": URI( "http", "handbook5.com", None, u"/a/a-security-analysis-of-amazon’s-elastic-compute-cloud-service-w14847.html" ), "blocked-uri": URI("http", "www.iseclab.org", None, u"/images/anr.png"), "document-uri": URI("http", "www.iseclab.org", None, u"/", "p") }) parser = ReportParser(requiredKeys=[]) jsonReport = json.loads(fullReport) cspReport = parser.parseJsonDict(jsonReport["csp-report"]) assert cspReport == expected
class ReportDataReaderTest(unittest.TestCase): sampleURI1a = URI("http", "seclab.nu", None, None, None) sampleURI1b = URI("http", "seclab.nu", None, None, None) sampleURI2 = URI("http", "seclab.nu", None, "/blocked", "query") sampleDirective1a = Directive("default-src", ()) sampleDirective1b = Directive("default-src", ()) sampleDirective2a = Directive("script-src", (SourceExpression.UNSAFE_INLINE(), )) sampleDirective2b = Directive("script-src", (SourceExpression.UNSAFE_INLINE(), )) samplePolicy1a = Policy((sampleDirective1a, sampleDirective2a)) samplePolicy1b = Policy((sampleDirective1b, sampleDirective2b)) samplePolicy2 = Policy((sampleDirective1a, )) @pytest.fixture(autouse=True) def initdir(self, tmpdir): tmpdir.chdir() def setUp(self): self.fileIn = ReportDataReader(True) self.filename = "encodingdecoding.dat" self.fileOut = DataWriter(self.filename) def tearDown(self): pass def testReportCreation(self): """Writes a Report and loads it back as an object.""" report = Report({ "abc": True, "def": 1, "ghi": "http://seclab.nu/", "document-uri": ReportDataReaderTest.sampleURI1a, "violated-directive": ReportDataReaderTest.sampleDirective1a, "original-policy": ReportDataReaderTest.samplePolicy1a, "blocked-uri": ReportDataReaderTest.sampleURI2 }) self.fileOut.storeAll([report]) self.fileOut.close() dataOut = self.fileIn.loadAll(self.filename) assert len(dataOut) == 1 print report print dataOut[0] assert report in dataOut
def testDirectiveParser_parse_none_syntaxerror_notstrict(self): """If 'none' appears in a directive not parsed strictly and other expressions occur, 'none' is ignored.""" noneDirectiveInvalid = """default-src http://one 'None' http://two""" cspDirective = DirectiveParser( strict=False).parse(noneDirectiveInvalid) assert cspDirective == Directive("default-src", [ URISourceExpression("http", "one", None, None), URISourceExpression("http", "two", None, None) ])
def testPolicyParser_parse_noDefaultSrcRewriting(self): policy = """default-src 'self' http://seclab.nu""" cspPolicy = PolicyParser(expandDefaultSrc=False, defaultSrcTypes=("img-src", "connect-src")).parse(policy) assert cspPolicy == Policy([ Directive("default-src", [ PolicyTest.sampleSourceExpression1, PolicyTest.sampleSourceExpression2 ]) ])
def testDirective_asBasicDirectives_single(self): assert Directive.INVALID().asBasicDirectives() == set([]) assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives( ) == set([]) assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives( ) == set([]) assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives( ) == set([]) sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b]) assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_generateDirective_incompatibleURI(self): violatedRegular = Directive("object-src", []) violatedInline = Directive("style-src", []) violatedEval = Directive("script-src", []) assert violatedRegular.generateDirective("regular", URI.EMPTY()) == Directive.INVALID() assert violatedRegular.generateDirective("regular", URI.INVALID()) == Directive.INVALID() #assert violatedInline.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedInline.generateDirective("inline", URI.INVALID()) == Directive.INVALID() #assert violatedEval.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedEval.generateDirective("eval", URI.INVALID()) == Directive.INVALID()
def testDirective_init_removeDoubleSelfExpressions(self): srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None) srcExpr2 = SelfSourceExpression.SELF() srcExpr3 = SelfSourceExpression() whitelisted = Directive( "img-src", [srcExpr1, srcExpr2, srcExpr3]).getWhitelistedSourceExpressions() assert len( whitelisted ) == 2 # one self expression should be removed (can have at most one) assert srcExpr1 in whitelisted and (srcExpr2 in whitelisted or srcExpr3 in whitelisted)
def testPolicy_combinedPolicy_validDefaultSrcOnly(self): """Combination of two policies with default directive is possible only if both policies contain only a default directive.""" pol1 = Policy([PolicyTest.sampleDirective1a]) pol2 = Policy([PolicyTest.sampleDirective9]) expected = Policy([ Directive("default-src", [ PolicyTest.sampleSourceExpression1, SourceExpression.UNSAFE_INLINE() ]) ]) assert pol1.combinedPolicy(pol2) == expected assert pol2.combinedPolicy(pol1) == expected
def testPolicyParser_parse_defaultSrcRewriting(self): """The default directive is used for each type that is not specifically defined (if the flag is enabled).""" policy = """default-src 'self' http://seclab.nu; connect-src 'self' https://abc.seclab.nu/path chrome-extension:""" cspPolicy = PolicyParser(expandDefaultSrc=True, defaultSrcTypes=("img-src", "connect-src")).parse(policy) assert cspPolicy == Policy([ PolicyTest.sampleDirective5, Directive("img-src", [ PolicyTest.sampleSourceExpression1, PolicyTest.sampleSourceExpression2 ]) ])
def testPolicyParser_parse_duplicates(self): """The CSP standard mandates that only the first directive of each type should be used.""" duplicatePolicy = """connect-src 'self' chrome-extension: https://abc.seclab.nu/path; """ \ + """font-src 'self' http://seclab.nu; """ \ + """connect-src 'self' https://example.com""" cspPolicy = PolicyParser().parse(duplicatePolicy) assert cspPolicy == Policy([ PolicyTest.sampleDirective5, Directive("font-src", [ PolicyTest.sampleSourceExpression1, PolicyTest.sampleSourceExpression2 ]) ])
def testDirective_asBasicDirectives_multiple(self): sampleDirective = Directive("script-src", [ SelfSourceExpression.SELF(), DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3 ]) assert sampleDirective.asBasicDirectives() == set([ Directive("script-src", [SelfSourceExpression.SELF()]), Directive("script-src", [DirectiveTest.sampleSrcExpr1a]), Directive("script-src", [DirectiveTest.sampleSrcExpr2]), Directive("script-src", [DirectiveTest.sampleSrcExpr3]) ])
def testDirective_combine_removeDuplicates(self): direct1 = Directive( "img-src", [DirectiveTest.sampleSrcExpr1a, SelfSourceExpression.SELF()]) direct2 = Directive("img-src", [DirectiveTest.sampleSrcExpr1b]) assert direct1.combinedDirective(direct2) == direct1 assert direct2.combinedDirective(direct1) == direct1
def testDirective_combine_regular(self): direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a]) direct2 = Directive("default-src", [DirectiveTest.sampleSrcExpr2]) expected = Directive("default-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) assert direct1.combinedDirective(direct2) == expected assert direct2.combinedDirective(direct1) == expected assert direct1.combinedDirective(direct1) == direct1 assert direct2.combinedDirective(direct2) == direct2
def testDirective_matches(self): """A few standard tests.""" directive1 = Directive("object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) directive2 = Directive("frame-src", [DirectiveTest.sampleSrcExpr2]) directive3 = Directive("default-src", []) selfURI = DirectiveTest.sampleURI2 assert directive1.matches(DirectiveTest.sampleURI1, selfURI) assert not directive1.matches(DirectiveTest.sampleURI2, selfURI) assert not directive2.matches(DirectiveTest.sampleURI1, selfURI) assert not directive2.matches(DirectiveTest.sampleURI2, selfURI) assert not directive3.matches(DirectiveTest.sampleURI1, selfURI) assert not directive3.matches(DirectiveTest.sampleURI2, selfURI)
def testDirectiveParser_parse_inline(self): """'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'""" scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/""" styleSrcWithInline = """style-src 'unsafe-inline' http://other""" styleSrcWithInlineOnly = """style-src 'unsafe-inline'""" defaultSrcWithInlineOnly = """default-src 'unsafe-inline'""" invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'""" invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'""" assert str(DirectiveParser().parse( scriptSrcWithInline)) == scriptSrcWithInline assert str( DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline assert str(DirectiveParser().parse( styleSrcWithInlineOnly)) == styleSrcWithInlineOnly assert str(DirectiveParser().parse( defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \ == "object-src 'self'" assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \ == "object-src 'none'"
def testDirectiveParser_parse_eval(self): """'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'""" scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'""" scriptSrcWithEvalOnly = """script-src 'unsafe-eval'""" defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'""" invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'""" assert str( DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval assert str(DirectiveParser().parse( scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \ == defaultSrcWithInlineAndEvalOnly assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \ == "img-src http://example/path"
def testDirective_generateDirective_inline(self): violated = Directive("style-src", [DirectiveTest.sampleSrcExpr2]) generated = violated.generateDirective("inline", URI.EMPTY()) assert generated == Directive("style-src", [SourceExpression.UNSAFE_INLINE()])
def testDirective_generateDirective_defaultSrcNotAllowed(self): violated = Directive("default-src", []) assert violated.generateDirective("regular", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_withoutPaths_schemeOnly(self): chromeExt = Directive("img-src", [URISourceExpression("chrome-extension", "mkfokfffehpeedafpekjeddnmnjhmcmk", None, None)]) assert chromeExt.withoutPaths(["chrome-extension"]) == Directive("img-src", [URISourceExpression("chrome-extension", None, None, None)])
def testDirective_generateDirective_eval(self): violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a]) generated = violated.generateDirective("eval", URI.EMPTY()) assert generated == Directive("script-src", [SourceExpression.UNSAFE_EVAL()])
def testDirective_generateDirective_invalidType(self): violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a]) assert violated.generateDirective("evaluate", URI.EMPTY()) == Directive.INVALID()
def testDirective_combine_differentType(self): direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a]) direct2 = Directive("script-src", [DirectiveTest.sampleSrcExpr2]) assert direct1.combinedDirective(direct2) == Directive.INVALID() assert direct2.combinedDirective(direct1) == Directive.INVALID()
def testDirective_withoutPaths_removeDuplicates(self): withPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3]) withoutPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2.removePath()]) assert withPaths.withoutPaths() == withoutPaths
def testDirective_combine_notRegularURI(self): direct = Directive("style-src", [SelfSourceExpression.SELF()]) assert direct.combinedDirective(Directive.INVALID()) == Directive.INVALID() assert Directive.INVALID().combinedDirective(direct) == Directive.INVALID() assert direct.combinedDirective(Directive.EVAL_SCRIPT_BASE_RESTRICTION()) == Directive.INVALID() assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().combinedDirective(direct) == Directive.INVALID()
def testDirective_generateDirective_incompatibleType(self): violatedWrongInlineType = Directive("object-src", []) violatedWrongEvalType = Directive("style-src", []) assert violatedWrongInlineType.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedWrongEvalType.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_generateDirective_regular(self): violated = Directive("object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2]) generated = violated.generateDirective("regular", DirectiveTest.sampleURI2) assert generated == Directive("object-src", [URISourceExpression("http", "seclab.ccs.neu.edu", 80, "/path")])
def testDirective_combine_removeDuplicates(self): direct1 = Directive("img-src", [DirectiveTest.sampleSrcExpr1a, SelfSourceExpression.SELF()]) direct2 = Directive("img-src", [DirectiveTest.sampleSrcExpr1b]) assert direct1.combinedDirective(direct2) == direct1 assert direct2.combinedDirective(direct1) == direct1