def test_state_from_encrypted_cookie(self):
request = MockHttpRequest()
response = MockHttpResponse()
empty = ESAPI.http_utilities().decrypt_state_from_cookie(request)
self.assertEquals({}, empty)
m = {'one' : 'aspect',
'two' : 'ridiculous',
'test_hard' : "&(@#*!^|;,." }
ESAPI.http_utilities().encrypt_state_in_cookie(m, response)
value = response.headers['Set-Cookie']
encrypted = value[value.find('=')+1:value.find(';')]
ESAPI.encryptor().decrypt(encrypted)
def encrypt_cc(self, cc_number):
""" Encrypt credit card number for safe storage. """
# Generate last_4
self.last_4 = cc_number[-4:]
# Encrypt
instance = ESAPI.encryptor()
self.encrypted_number = instance.encrypt(cc_number)
def set_remember_token(self, password, max_age, domain, path, request=None, response=None):
if request is None:
request = self.current_request
if response is None:
response = self.current_response
user = ESAPI.authenticator().current_user
try:
self.kill_cookie(self.REMEMBER_TOKEN_COOKIE_NAME, request, response)
# Seal already contains random data
clear_token = user.account_name + "|" + password
expiry = datetime.now() + timedelta(seconds=max_age)
crypt_token = ESAPI.encryptor().seal(clear_token, expiry)
morsel = Cookie.Morsel()
morsel.value = crypt_token
morsel['max-age'] = max_age
morsel['domain'] = domain
morsel['path'] = path
response.cookies[self.REMEMBER_TOKEN_COOKIE_NAME] = morsel
self.logger.info( Logger.SECURITY_SUCCESS,
_("Enabled remember me token for %(user)s") %
{'user' : user.account_name} )
return crypt_token
except IntegrityException, extra:
self.logger.warning( Logger.SECURITY_FAILURE,
_("Attempt to set remember me token failed for %(user)s") %
{'user' : user.account_name}, extra )
def decrypt_hidden_field(self, encrypted):
try:
return ESAPI.encryptor().decrypt(encrypted)
except EncryptionException, extra:
raise IntrusionException(
_("Invalid request"),
_("Tampering detected. Hidden field data did not decrypt properly."), extra )
def decrypt_hidden_field(self, encrypted):
try:
return ESAPI.encryptor().decrypt(encrypted)
except EncryptionException, extra:
raise IntrusionException(
_("Invalid request"),
_("Tampering detected. Hidden field data did not decrypt properly."
), extra)
def test_verify_seal(self):
instance = ESAPI.encryptor()
plaintext = "ridiculous"
seal = instance.seal( plaintext, timedelta(minutes=1000) )
self.assertTrue(instance.verify_seal(seal))
self.assertFalse(instance.verify_seal(plaintext))
self.assertFalse(instance.verify_seal( instance.encrypt(plaintext) ) )
self.assertFalse(instance.verify_seal( instance.encrypt("100:" + plaintext) ) )
self.assertFalse(instance.verify_seal( instance.encrypt("100:random:" + plaintext) ) )
self.assertFalse(instance.verify_seal( instance.encrypt("100:random:" + plaintext + ":badsig") ) )
def decrypt_state_from_cookie(self, request=None):
if request is None:
request = self.current_request
try:
encrypted = self.get_cookie( self.ESAPI_STATE, request )
if encrypted is None:
return {}
plaintext = ESAPI.encryptor().decrypt(encrypted)
return self.query_to_dict(plaintext)
except ValidationException, extra:
return None
def decrypt_state_from_cookie(self, request=None):
if request is None:
request = self.current_request
try:
encrypted = self.get_cookie(self.ESAPI_STATE, request)
if encrypted is None:
return {}
plaintext = ESAPI.encryptor().decrypt(encrypted)
return self.query_to_dict(plaintext)
except ValidationException, extra:
return None
def test_crypt(self):
instance = ESAPI.encryptor()
def check(plaintext):
ciphertext = instance.encrypt(plaintext)
result = instance.decrypt(ciphertext)
self.assertEquals(plaintext, result)
# Example plaintext
check("test1234")
# 20 random strings
for i in range(20):
check(ESAPI.randomizer().get_random_string(40, Encoder.CHAR_ALPHANUMERICS))
def test_verify_seal(self):
instance = ESAPI.encryptor()
plaintext = "ridiculous"
seal = instance.seal(plaintext, timedelta(minutes=1000))
self.assertTrue(instance.verify_seal(seal))
self.assertFalse(instance.verify_seal(plaintext))
self.assertFalse(instance.verify_seal(instance.encrypt(plaintext)))
self.assertFalse(
instance.verify_seal(instance.encrypt("100:" + plaintext)))
self.assertFalse(
instance.verify_seal(instance.encrypt("100:random:" + plaintext)))
self.assertFalse(
instance.verify_seal(
instance.encrypt("100:random:" + plaintext + ":badsig")))
def test_crypt(self):
instance = ESAPI.encryptor()
def check(plaintext):
ciphertext = instance.encrypt(plaintext)
result = instance.decrypt(ciphertext)
self.assertEquals(plaintext, result)
# Example plaintext
check("test1234")
# 20 random strings
for i in range(20):
check(ESAPI.randomizer().get_random_string(
40, Encoder.CHAR_ALPHANUMERICS))
def test_sign_and_verify(self):
instance = ESAPI.encryptor()
def check(plaintext):
sig = instance.sign(plaintext)
self.assertTrue( instance.verify_signature(sig, plaintext) )
self.assertFalse( instance.verify_signature(sig, "ridiculous") )
self.assertFalse( instance.verify_signature("ridiculous", plaintext) )
# Example plaintext
check("test1234")
# 20 random strings
for i in range(20):
check(ESAPI.randomizer().get_random_string(40, Encoder.CHAR_ALPHANUMERICS))
def test_hash(self):
instance = ESAPI.encryptor()
# Same salt, different texts
hash1 = instance.hash("test1", "salt")
hash2 = instance.hash("test2", "salt")
self.assertFalse(hash1 == hash2)
# Same text, different salts
hash3 = instance.hash("test", "salt1")
hash4 = instance.hash("test", "salt2")
self.assertFalse(hash3 == hash4)
# Same text, same salts
hash3 = instance.hash("test", "salt1")
hash4 = instance.hash("test", "salt1")
self.assertTrue(hash3 == hash4)
def test_hash(self):
instance = ESAPI.encryptor()
# Same salt, different texts
hash1 = instance.hash("test1", "salt")
hash2 = instance.hash("test2", "salt")
self.assertFalse(hash1 == hash2)
# Same text, different salts
hash3 = instance.hash("test", "salt1")
hash4 = instance.hash("test", "salt2")
self.assertFalse(hash3 == hash4)
# Same text, same salts
hash3 = instance.hash("test", "salt1")
hash4 = instance.hash("test", "salt1")
self.assertTrue(hash3 == hash4)
def test_sign_and_verify(self):
instance = ESAPI.encryptor()
def check(plaintext):
sig = instance.sign(plaintext)
self.assertTrue(instance.verify_signature(sig, plaintext))
self.assertFalse(instance.verify_signature(sig, "ridiculous"))
self.assertFalse(instance.verify_signature("ridiculous",
plaintext))
# Example plaintext
check("test1234")
# 20 random strings
for i in range(20):
check(ESAPI.randomizer().get_random_string(
40, Encoder.CHAR_ALPHANUMERICS))
def test_seal_unseal(self):
instance = ESAPI.encryptor()
plaintext = "THIS IS MY DATA"
# Test with timedelta
seal = instance.seal(plaintext, timedelta(minutes=1000))
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Test with absolute datetime
seal = instance.seal(plaintext, datetime.now() + timedelta(minutes=3))
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Test with int
future = datetime.now() + timedelta(minutes=3)
seal = instance.seal(plaintext, time.mktime(future.timetuple()))
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Unseal bad data
self.assertRaises(EncryptionException, instance.unseal, "badseal")
def test_seal_unseal(self):
instance = ESAPI.encryptor()
plaintext = "THIS IS MY DATA"
# Test with timedelta
seal = instance.seal( plaintext, timedelta(minutes=1000) )
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Test with absolute datetime
seal = instance.seal( plaintext, datetime.now() + timedelta(minutes=3) )
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Test with int
future = datetime.now() + timedelta(minutes=3)
seal = instance.seal( plaintext, time.mktime(future.timetuple()) )
data = instance.unseal(seal)
self.assertEquals(plaintext, data)
# Unseal bad data
self.assertRaises(EncryptionException, instance.unseal, "badseal")
def set_remember_token(self,
password,
max_age,
domain,
path,
request=None,
response=None):
if request is None:
request = self.current_request
if response is None:
response = self.current_response
user = ESAPI.authenticator().current_user
try:
self.kill_cookie(self.REMEMBER_TOKEN_COOKIE_NAME, request,
response)
# Seal already contains random data
clear_token = user.account_name + "|" + password
expiry = datetime.now() + timedelta(seconds=max_age)
crypt_token = ESAPI.encryptor().seal(clear_token, expiry)
morsel = Cookie.Morsel()
morsel.value = crypt_token
morsel['max-age'] = max_age
morsel['domain'] = domain
morsel['path'] = path
response.cookies[self.REMEMBER_TOKEN_COOKIE_NAME] = morsel
self.logger.info(
Logger.SECURITY_SUCCESS,
_("Enabled remember me token for %(user)s") %
{'user': user.account_name})
return crypt_token
except IntegrityException, extra:
self.logger.warning(
Logger.SECURITY_FAILURE,
_("Attempt to set remember me token failed for %(user)s") %
{'user': user.account_name}, extra)
def encrypt_query_string(self, query):
return ESAPI.encryptor().encrypt(query)
def encrypt_hidden_field(self, value):
return ESAPI.encryptor().encrypt(value)
def decrypt_query_string(self, encrypted):
plaintext = ESAPI.encryptor().decrypt(encrypted)
return self.query_to_dict(plaintext)
def decrypt_query_string(self, encrypted):
plaintext = ESAPI.encryptor().decrypt(encrypted)
return self.query_to_dict(plaintext)
def encrypt_hidden_field(self, value):
return ESAPI.encryptor().encrypt(value)
buf = ''
for key, value in cleartext_map.items():
if buf != '':
buf += '&'
try:
key = ESAPI.encoder().encode_for_url(key)
value = ESAPI.encoder().encode_for_url(value)
buf += "%s=%s" % (key, value)
except EncodingException, extra:
self.logger.error(
Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie - skipping entry"),
extra=extra)
encrypted = ESAPI.encryptor().encrypt(buf)
if len(encrypted) > self.MAX_COOKIE_LEN:
self.logger.error(
Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie because of max cookie length"
))
raise EncryptionException(
_("Encryption Exception"),
_("Encrypted cookie state length of %(len)s is longer than allowed %(allowed)s."
) % {
'len': len(encrypted),
'allowed': self.MAX_COOKIE_LEN
})
self.add_cookie(response, key=self.ESAPI_STATE, value=encrypted)
def encrypt_query_string(self, query):
return ESAPI.encryptor().encrypt(query)
def decrypt_cc(self):
""" Decrypt a credit card. """
instance = ESAPI.encryptor()
cc_number = instance.decrypt(self.encrypted_number)
return cc_number
buf = ''
for key, value in cleartext_map.items():
if buf != '':
buf += '&'
try:
key = ESAPI.encoder().encode_for_url( key )
value = ESAPI.encoder().encode_for_url( value )
buf += "%s=%s" % (key, value)
except EncodingException, extra:
self.logger.error( Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie - skipping entry"),
extra=extra )
encrypted = ESAPI.encryptor().encrypt(buf)
if len(encrypted) > self.MAX_COOKIE_LEN:
self.logger.error( Logger.SECURITY_FAILURE,
_("Problem encrypting state in cookie because of max cookie length") )
raise EncryptionException( _("Encryption Exception"),
_("Encrypted cookie state length of %(len)s is longer than allowed %(allowed)s.") %
{'len' : len(encrypted),
'allowed' : self.MAX_COOKIE_LEN} )
self.add_cookie( response, key=self.ESAPI_STATE, value=encrypted )
def get_cookie(self, name, request=None):
if request is None:
request = self.current_request
morsel = request.cookies.get(name, None)