def testDirective_generateDirective_incompatibleType(self): violatedWrongInlineType = Directive("object-src", []) violatedWrongEvalType = Directive("style-src", []) assert violatedWrongInlineType.generateDirective( "inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedWrongEvalType.generateDirective( "eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirectiveParser_parse_empty(self): assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID() assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID() assert DirectiveParser( strict=True).parse("img-src ") == Directive.INVALID() assert DirectiveParser( strict=False).parse("img-src ") == Directive.INVALID()
def testDirective_eq(self): srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None) srcExpr2 = URISourceExpression("https", "seclab.nu", 443, "/") directive1a = Directive("object-src", [srcExpr1, srcExpr2]) directive1b = Directive("object-src", [srcExpr2, srcExpr1]) directive2 = Directive("frame-src", [srcExpr1, srcExpr2]) directive3 = Directive("object-src", [srcExpr2]) directive4a = Directive("script-src", (SourceExpression.UNSAFE_INLINE(), )) directive4b = Directive("script-src", (SourceExpression("unsafe-inline"), )) assert directive1a == directive1b assert hash(directive1a) == hash(directive1b) assert directive1a != directive2 assert directive1a != directive3 assert directive2 != directive3 assert directive4a == directive4b assert hash(directive4a) == hash(directive4b) assert Directive.INVALID() == Directive.INVALID() assert Directive.INVALID() not in (directive1a, directive1b, directive2, directive3) assert Directive.INLINE_STYLE_BASE_RESTRICTION() not in (directive1a, directive1b, directive2, directive3)
def testDirective_generateDirective_incompatibleURI(self): violatedRegular = Directive("object-src", []) violatedInline = Directive("style-src", []) violatedEval = Directive("script-src", []) assert violatedRegular.generateDirective( "regular", URI.EMPTY()) == Directive.INVALID() assert violatedRegular.generateDirective( "regular", URI.INVALID()) == Directive.INVALID() #assert violatedInline.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedInline.generateDirective( "inline", URI.INVALID()) == Directive.INVALID() #assert violatedEval.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedEval.generateDirective( "eval", URI.INVALID()) == Directive.INVALID()
def testPolicy_init_removeNotRegularDirective(self): pol = Policy([ PolicyTest.sampleDirective1a, Directive.INVALID(), Directive.EVAL_SCRIPT_BASE_RESTRICTION() ]) expected = Policy([PolicyTest.sampleDirective1a]) assert pol == expected
def testDirective_isRegularDirective(self): assert Directive.INVALID().isRegularDirective() == False assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive.INLINE_STYLE_BASE_RESTRICTION().isRegularDirective( ) == False assert Directive("default-src", []).isRegularDirective() == True
def testDirective_withoutPaths(self): withPaths = Directive( "script-src", [DirectiveTest.sampleSrcExpr2, SelfSourceExpression.SELF()]) withoutPaths = Directive("script-src", [ DirectiveTest.sampleSrcExpr2.removePath(), SelfSourceExpression.SELF() ]) assert withPaths.withoutPaths() == withoutPaths assert withoutPaths.withoutPaths() == withoutPaths assert Directive.INVALID().withoutPaths() == Directive.INVALID() assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().withoutPaths( ) == Directive.EVAL_SCRIPT_BASE_RESTRICTION() assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().withoutPaths( ) == Directive.INLINE_SCRIPT_BASE_RESTRICTION() assert Directive.INLINE_STYLE_BASE_RESTRICTION().withoutPaths( ) == Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirective_asBasicDirectives_single(self): assert Directive.INVALID().asBasicDirectives() == set([]) assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives( ) == set([]) assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives( ) == set([]) assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives( ) == set([]) sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b]) assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_isBasicDirective(self): assert Directive.INVALID().isBasicDirective() == False assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isBasicDirective( ) == False assert Directive("default-src", ()).isBasicDirective() == True assert Directive( "script-src", [DirectiveTest.sampleSrcExpr2]).isBasicDirective() == True assert Directive( "object-src", [DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3 ]).isBasicDirective() == False
def testDirective_matches_special(self): """An invalid/special directive matches nothing.""" selfURI = DirectiveTest.sampleURI2 assert not Directive.INVALID().matches(URI.EMPTY(), selfURI) assert not Directive.INVALID().matches(URI.INVALID(), selfURI) assert not Directive.INVALID().matches(URI.INLINE(), selfURI) assert not Directive.INVALID().matches(URI.EVAL(), selfURI) assert not Directive.INVALID().matches(DirectiveTest.sampleURI1, selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI)
def testDirectiveParser_parse_inline(self): """'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'""" scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/""" styleSrcWithInline = """style-src 'unsafe-inline' http://other""" styleSrcWithInlineOnly = """style-src 'unsafe-inline'""" defaultSrcWithInlineOnly = """default-src 'unsafe-inline'""" invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'""" invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'""" assert str(DirectiveParser().parse( scriptSrcWithInline)) == scriptSrcWithInline assert str( DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline assert str(DirectiveParser().parse( styleSrcWithInlineOnly)) == styleSrcWithInlineOnly assert str(DirectiveParser().parse( defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \ == "object-src 'self'" assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \ == "object-src 'none'"
def testDirective_combine_notRegularURI(self): direct = Directive("style-src", [SelfSourceExpression.SELF()]) assert direct.combinedDirective( Directive.INVALID()) == Directive.INVALID() assert Directive.INVALID().combinedDirective( direct) == Directive.INVALID() assert direct.combinedDirective( Directive.EVAL_SCRIPT_BASE_RESTRICTION()) == Directive.INVALID() assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().combinedDirective( direct) == Directive.INVALID()
def testDirectiveParser_parse_eval(self): """'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'""" scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'""" scriptSrcWithEvalOnly = """script-src 'unsafe-eval'""" defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'""" invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'""" assert str( DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval assert str(DirectiveParser().parse( scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \ == defaultSrcWithInlineAndEvalOnly assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \ == "img-src http://example/path"
def testDirective_generateDirective_invalidDirective(self): assert Directive.INVALID().generateDirective( "eval", URI.EMPTY()) == Directive.INVALID()
def testDirectiveParser_parse_invalidSourceExpression_strict(self): """In strict mode, only valid source expressions may be used.""" invalidDirective = """img-src http://url 'blah'""" assert DirectiveParser(strict=True).parse(invalidDirective) \ == Directive.INVALID()
def testDirectiveParser_parse_none_syntaxerror_strict(self): """If 'none' appears in a directive parsed strictly, no other values are permitted.""" noneDirectiveInvalid = """default-src http://one 'None' http://two""" assert DirectiveParser(strict=True).parse(noneDirectiveInvalid) \ == Directive.INVALID()
def testDirectiveParser_parse_ignore(self): """Report URIs are not supported in CSP Directives.""" ignoredDirective = "report-uri http://localhost/saveme.exe" assert DirectiveParser().parse(ignoredDirective) is Directive.INVALID()
def testDirectiveParser_parse_invalid(self): invalidDirective = "blah" assert DirectiveParser().parse(invalidDirective) is Directive.INVALID()
def testDirective_generateDirective_defaultSrcNotAllowed(self): violated = Directive("default-src", []) assert violated.generateDirective( "regular", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_generateDirective_invalidType(self): violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a]) assert violated.generateDirective("evaluate", URI.EMPTY()) == Directive.INVALID()
def testDirective_str_invalid(self): assert str(Directive.INVALID()) == "[invalid]"
def testDirective_combine_differentType(self): direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a]) direct2 = Directive("script-src", [DirectiveTest.sampleSrcExpr2]) assert direct1.combinedDirective(direct2) == Directive.INVALID() assert direct2.combinedDirective(direct1) == Directive.INVALID()