def test_EvalInlineSourceExpression_match(self): """The source expressions 'unsafe-inline' and 'unsafe-eval' do not match any URI.""" srcExprEval = SourceExpression.UNSAFE_EVAL() srcExprInline = SourceExpression.UNSAFE_INLINE() selfURI = SourceExpressionTest.uri_chromeExtension assert not srcExprEval.matches(SourceExpressionTest.uri_empty, selfURI) assert not srcExprInline.matches(SourceExpressionTest.uri_empty, selfURI) assert not srcExprEval.matches(URI.INVALID(), selfURI) assert not srcExprInline.matches(URI.INVALID(), selfURI) assert srcExprInline.matches(URI.INLINE(), selfURI) assert not srcExprInline.matches(URI.EVAL(), selfURI) assert not srcExprEval.matches(URI.INLINE(), selfURI) assert srcExprEval.matches(URI.EVAL(), selfURI)
def testDirective_generateDirective_incompatibleURI(self): violatedRegular = Directive("object-src", []) violatedInline = Directive("style-src", []) violatedEval = Directive("script-src", []) assert violatedRegular.generateDirective( "regular", URI.EMPTY()) == Directive.INVALID() assert violatedRegular.generateDirective( "regular", URI.INVALID()) == Directive.INVALID() #assert violatedInline.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedInline.generateDirective( "inline", URI.INVALID()) == Directive.INVALID() #assert violatedEval.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID() assert violatedEval.generateDirective( "eval", URI.INVALID()) == Directive.INVALID()
def test_SelfSourceExpression_match(self): """A 'self' source expression matches if the scheme, host and port of the self and other URI are the same (using default ports if absent).""" selfURI = URI("http", "seclab.nu", 80, "/other-path") srcExpr = SelfSourceExpression.SELF() assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_schemedomain, selfURI) # using default port in URI assert not srcExpr.matches(URI.EMPTY(), selfURI) assert not srcExpr.matches(URI.INVALID(), selfURI) assert not srcExpr.matches(URI.INLINE(), selfURI) assert not srcExpr.matches(URI.EVAL(), selfURI) selfURIDefaultPort = URI("https", "seclab.nu", None, "/yet-another-path") assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURIDefaultPort) assert srcExpr.matches( SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURIDefaultPort) selfURINoPort = SourceExpressionTest.uri_chromeExtension assert not srcExpr.matches( SourceExpressionTest.uri_chromeExtension, selfURINoPort) # no valid port can be deduced from this scheme
def test_regularURI_singletons(self): """All the singleton URIs should return False for isRegularURI().""" assert URI.EMPTY().isRegularURI() == False assert URI.INVALID().isRegularURI() == False assert URI.INLINE().isRegularURI() == False assert URI.EVAL().isRegularURI() == False assert URI("http", "seclab.nu", None, None, None).isRegularURI() == True
def testPolicy_matches_invalid(self): """An invalid policy matches nothing.""" selfURI = PolicyTest.sampleURI2 assert not Policy.INVALID().matches(PolicyTest.sampleURI1a, "script-src", selfURI) assert not Policy.INVALID().matches(URI.INVALID(), "script-src", selfURI) assert not Policy.INVALID().matches(URI.EMPTY(), "script-src", selfURI) assert not Policy.INVALID().matches(URI.INLINE(), "script-src", selfURI) assert not Policy.INVALID().matches(URI.EVAL(), "script-src", selfURI)
def testDirective_matches_special(self): """An invalid/special directive matches nothing.""" selfURI = DirectiveTest.sampleURI2 assert not Directive.INVALID().matches(URI.EMPTY(), selfURI) assert not Directive.INVALID().matches(URI.INVALID(), selfURI) assert not Directive.INVALID().matches(URI.INLINE(), selfURI) assert not Directive.INVALID().matches(URI.EVAL(), selfURI) assert not Directive.INVALID().matches(DirectiveTest.sampleURI1, selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.EMPTY(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.INVALID(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.INLINE(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( URI.EVAL(), selfURI) assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches( DirectiveTest.sampleURI1, selfURI)
def test_InvalidSourceExpression_match(self): """The invalid source expression does not match anything.""" srcExpr = SourceExpression.INVALID() selfURI = SourceExpressionTest.uri_chromeExtension assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_urlSubstring, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI) assert not srcExpr.matches(URI.INVALID(), selfURI) assert not srcExpr.matches(URI.EVAL(), selfURI) assert not srcExpr.matches(URI.INLINE(), selfURI)
def test_str(self): """Checks the string serialisation of a few URIs.""" assert str(URI("data", "", None, None)) == "data:" assert str(URI("data", "image/png;base64,iVBORw0KGgoAAAA", None, None)) == "data:image/png;base64,iVBORw0KGgoAAAA" assert str(URI("about", "blank", None, None)) == "about:blank" assert str( URI("http", "www.seclab.org", 80, "/file", "parameter=value") ) == "http://www.seclab.org:80/file?parameter=value" assert str(URI(None, "www.seclab.nu", None, None)) == "www.seclab.nu" assert str(URI.EMPTY()) == "" assert str(URI.INVALID()) == "[invalid]" assert str(URI.INLINE()) == "[inline]" assert str(URI.EVAL()) == "[eval]"
def test_URISourceExpression_match_star(self): "A source expression that should match everything (except for special URIs)." srcExpr = URISourceExpression(None, "*", None, None) selfURI = SourceExpressionTest.uri_chromeExtension assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI) assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI) assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI) assert not srcExpr.matches(URI.EMPTY(), selfURI) assert not srcExpr.matches(URI.INVALID(), selfURI) assert not srcExpr.matches(URI.INLINE(), selfURI) assert not srcExpr.matches(URI.EVAL(), selfURI)
def test_eq(self): """Checks that the eq and hash methods are consistent for a few URIs.""" uri1a = URI("http", "www.seclab.org", 80, "/", "query") uri1b = URI("http", "www.seclab.org", 80, "/", "query") uri2 = URI("https", "www.seclab.org", 80, "/") uri3 = URI("http", "www.seclab.org", 80, None) assert uri1a == uri1b assert hash(uri1a) == hash(uri1b) assert uri1a != uri2 assert uri1a != uri3 assert uri2 != uri3 assert URI.EMPTY() == URI.EMPTY() assert URI.INVALID() == URI.INVALID() assert URI.EMPTY() not in (uri1a, uri1b, uri2, uri3, URI.INVALID(), URI.INLINE(), URI.EVAL()) assert URI.INVALID() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(), URI.INLINE(), URI.EVAL()) assert URI.INLINE() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(), URI.INVALID(), URI.EVAL()) assert URI.EVAL() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(), URI.INVALID(), URI.INLINE())
def test_invalid_URI(self): """Ensure that URI.INVALID is returned when an invalid URI is parsed.""" uriString = "http://blah:blubb:baeh?" uriExpected = URI.INVALID() actual = URIParser().parse(uriString) assert actual == uriExpected
def test_remove_path(self): """Checks that the path and query are properly removed from a URI object.""" inputURI = URI("https", "seclab.nu", 443, "/index.html", "query=value") expectedURI = URI("https", "seclab.nu", 443, None, None) assert inputURI.removePath() == expectedURI assert URI.INVALID().removePath() == URI.INVALID()