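def test_empty_csp_report(self):
    """An empty 'csp-report' object is valid JSON but not a valid report.

    The fixture is built with json.dumps so the parser actually receives
    JSON; the previous single-quoted literal was not JSON at all and only
    exercised the unparseable-input path that test_invalid_json covers.
    """
    message = json.dumps({'csp-report': {}})
    report = CSPReport.from_message(message)
    # No 'document-uri' (or any other field) inside the object, so the
    # report cannot be valid, but the raw message is still kept verbatim.
    self.assertFalse(report.is_valid)
    self.assertEqual(report.json, message)
    self.assertIsNone(report.document_uri)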
def test_invalid_json(self):
    """A message that does not parse as JSON yields an invalid report."""
    raw = 'NOT_A_JSON'
    report = CSPReport.from_message(raw)
    self.assertFalse(report.is_valid)
    # Unparseable input is retained unchanged for later inspection.
    self.assertEqual(report.json, raw)
    self.assertIsNone(report.document_uri)
def test_invalid_report(self):
    """Valid JSON without a 'csp-report' key is rejected as a report."""
    raw = '{}'
    report = CSPReport.from_message(raw)
    self.assertFalse(report.is_valid)
    # The original message survives even when the structure is rejected.
    self.assertEqual(report.json, raw)
    self.assertIsNone(report.document_uri)
def test_json_str_value_to_int(self):
    """A numeric field sent as a JSON string ('36') is stored as int 36."""
    fields = {
        'document-uri': 'http://protected.example.cz/',
        'referrer': 'http://referrer.example.cz/',
        'blocked-uri': 'http://dangerous.example.cz/',
        'violated-directive': 'Very protective directive.',
        'original-policy': 'Nothing is allowed.',
        'source-file': 'nasty-script.js',
        'status-code': 0,
        'line-number': '36',  # string on the wire, int expected on the report
        'column-number': 32,
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    self.assertTrue(report.is_valid)
    self.assertEqual(report.json, raw)
    expected = (
        ('document_uri', 'http://protected.example.cz/'),
        ('referrer', 'http://referrer.example.cz/'),
        ('blocked_uri', 'http://dangerous.example.cz/'),
        ('violated_directive', 'Very protective directive.'),
        ('source_file', 'nasty-script.js'),
        ('line_number', 36),
    )
    for attr, value in expected:
        self.assertEqual(getattr(report, attr), value)
def test_valid_csp_2_plus(self):
    """A report carrying the CSP level 2+ 'source-file' field is accepted."""
    fields = {
        'document-uri': 'http://protected.example.cz/',
        'referrer': 'http://referrer.example.cz/',
        'blocked-uri': 'http://dangerous.example.cz/',
        'violated-directive': 'Very protective directive.',
        'original-policy': 'Nothing is allowed.',
        'source-file': 'nasty-script.js',
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    self.assertTrue(report.is_valid)
    self.assertEqual(report.json, raw)
    expected = (
        ('document_uri', 'http://protected.example.cz/'),
        ('referrer', 'http://referrer.example.cz/'),
        ('blocked_uri', 'http://dangerous.example.cz/'),
        ('violated_directive', 'Very protective directive.'),
        ('original_policy', 'Nothing is allowed.'),
        ('source_file', 'nasty-script.js'),
    )
    for attr, value in expected:
        self.assertEqual(getattr(report, attr), value)
    # 'effective-directive' was not sent, so it must not be filled in.
    self.assertIsNone(report.effective_directive)
def save_report(request):
    """Persist the CSP violation report carried in the request body.

    The body is untrusted browser input: it is decoded with the request's
    declared encoding (falling back to settings.DEFAULT_CHARSET) and handed
    to CSPReport.from_message, which keeps the raw message even when it is
    not valid JSON or not a valid report. The User-Agent header is stored
    alongside the report.
    """
    raw = request.body
    if isinstance(raw, bytes):
        charset = request.encoding or settings.DEFAULT_CHARSET
        # NOTE(review): bytes.decode() is strict here, so a body that is not
        # valid in `charset` raises UnicodeDecodeError — confirm how the
        # caller handles that.
        raw = raw.decode(charset)
    report = CSPReport.from_message(raw)
    # NOTE(review): the header value is stored as-is; confirm the model
    # field accepts arbitrarily long values.
    report.user_agent = request.META.get('HTTP_USER_AGENT', '')
    report.save()
def test_partial_csp_report(self):
    """A report missing 'document-uri' is invalid but its fields are kept."""
    fields = {
        'blocked-uri': 'self',
        'violated-directive': 'inline script base restriction',
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    self.assertFalse(report.is_valid)
    self.assertEqual(report.json, raw)
    self.assertIsNone(report.document_uri)
    # The fields that were present are still extracted from the message.
    self.assertEqual(report.blocked_uri, 'self')
    self.assertEqual(report.violated_directive, 'inline script base restriction')
def test_valid_empty_fields(self):
    """A CSP 1.0 report stays valid when 'referrer'/'blocked-uri' are empty."""
    fields = {
        'document-uri': 'http://protected.example.cz/',
        'referrer': '',
        'blocked-uri': '',
        'violated-directive': 'Very protective directive.',
        'original-policy': 'Nothing is allowed.',
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    self.assertTrue(report.is_valid)
    self.assertEqual(report.json, raw)
    expected = (
        ('document_uri', 'http://protected.example.cz/'),
        ('referrer', ''),
        ('blocked_uri', ''),
        ('violated_directive', 'Very protective directive.'),
        ('original_policy', 'Nothing is allowed.'),
    )
    for attr, value in expected:
        self.assertEqual(getattr(report, attr), value)
    self.assertIsNone(report.effective_directive)
def test_invalid_disposition(self):
    """An unrecognised 'disposition' value is dropped, not fatal."""
    fields = {
        'document-uri': 'http://protected.example.cz/',
        'referrer': 'http://referrer.example.cz/',
        'blocked-uri': 'http://dangerous.example.cz/',
        'violated-directive': 'Very protective directive.',
        'original-policy': 'Nothing is allowed.',
        'disposition': 'INVALID',
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    # The report as a whole is still valid; only the bad field is ignored.
    self.assertTrue(report.is_valid)
    self.assertEqual(report.json, raw)
    expected = (
        ('document_uri', 'http://protected.example.cz/'),
        ('referrer', 'http://referrer.example.cz/'),
        ('blocked_uri', 'http://dangerous.example.cz/'),
        ('violated_directive', 'Very protective directive.'),
        ('original_policy', 'Nothing is allowed.'),
    )
    for attr, value in expected:
        self.assertEqual(getattr(report, attr), value)
    self.assertIsNone(report.disposition)
def test_valid_line_number(self):
    """An integer 'line-number' is carried over to the report unchanged."""
    fields = {
        'document-uri': 'http://protected.example.cz/',
        'referrer': 'http://referrer.example.cz/',
        'blocked-uri': 'http://dangerous.example.cz/',
        'violated-directive': 'Very protective directive.',
        'original-policy': 'Nothing is allowed.',
        'line-number': 666,
    }
    raw = json.dumps({'csp-report': fields})
    report = CSPReport.from_message(raw)
    self.assertTrue(report.is_valid)
    self.assertEqual(report.json, raw)
    expected = (
        ('document_uri', 'http://protected.example.cz/'),
        ('referrer', 'http://referrer.example.cz/'),
        ('blocked_uri', 'http://dangerous.example.cz/'),
        ('violated_directive', 'Very protective directive.'),
        ('original_policy', 'Nothing is allowed.'),
        ('line_number', 666),
    )
    for attr, value in expected:
        self.assertEqual(getattr(report, attr), value)
def save_report(request):
    """Persist the CSP violation report carried in the request body.

    The body is untrusted browser input; it is decoded with the request's
    declared encoding (falling back to settings.DEFAULT_CHARSET) and passed
    to CSPReport.from_message, which retains the raw message even when it
    is not valid JSON or not a valid report. The User-Agent header is
    stored on the saved report.
    """
    charset = request.encoding or settings.DEFAULT_CHARSET
    # NOTE(review): decode() is strict, so a body that is not valid in
    # `charset` raises UnicodeDecodeError — confirm how the caller handles
    # that.
    message = request.body.decode(charset)
    report = CSPReport.from_message(message)
    # NOTE(review): the header value is stored as-is; confirm the model
    # field accepts arbitrarily long values.
    report.user_agent = request.META.get('HTTP_USER_AGENT', '')
    report.save()