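def test_csrf_form_w_expired_input(self):
    """Reject a form whose CSRF token carries an already-expired timestamp.

    A fresh token is read from the form, its expiry is rewritten to a point
    in the past *without* re-signing it, and the form must then fail
    validation.  The token layout depends on the installed flask_wtf:

    * flask_wtf >= 0.14 signs with itsdangerous: ``<payload>.<timestamp>.<sig>``
    * older flask_wtf: ``<expires>##<hmac>``
    """
    with self.app.application.test_request_context(method='POST'):
        flask.g.session = MagicMock()
        form = pagure.forms.ConfirmationForm()
        data = form.csrf_token.current_token

        # Compare the version components as integers.  Comparing the raw
        # string parts against an int tuple is always True on Python 2 and
        # raises TypeError on Python 3, so the old check never selected the
        # branch by version at all.  No __version__ -> the "old" branches.
        if hasattr(flask_wtf, '__version__'):
            version = tuple(int(e) for e in flask_wtf.__version__.split('.'))
        else:
            version = ()

        # An expiry in the past, in whichever representation this
        # flask_wtf embeds in the token.
        if version >= (0, 10, 0):
            expires = time.time() - 1
        else:
            expires = (
                datetime.datetime.now() - datetime.timedelta(minutes=1)
            ).strftime('%Y%m%d%H%M%S')

        # Splice the expired timestamp into the token without re-signing.
        # NOTE(review): with flask_wtf >= 0.14 the signature also covers the
        # timestamp, so validation is expected to fail on the bad signature
        # before expiry is ever compared; assertFalse holds either way.
        if version >= (0, 14, 0):
            import itsdangerous
            timestamp = itsdangerous.base64_encode(
                itsdangerous.int_to_bytes(int(expires)))
            part1, _, part2 = data.split('.', 2)
            form.csrf_token.data = '.'.join([part1, timestamp, part2])
        else:
            _, hmac_csrf = data.split('##', 1)
            form.csrf_token.data = '%s##%s' % (expires, hmac_csrf)

        self.assertFalse(form.validate_on_submit())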
def generate_csrf_token():
    """Return a signed CSRF token bound to the session's ``_csrf_secret``.

    The per-session secret is created on first use.  The token carries a
    fresh random nonce (``"n"``) and the secret XOR-masked with that nonce
    (``"k"``), both base64 encoded, inside an itsdangerous JSON web
    signature made with ``app.secret_key``.  The secret itself never
    appears in the token, and each call produces a different token for the
    same session because the nonce is drawn anew.
    """
    # Lazily create the per-session secret; setdefault keeps an existing one.
    csrf_secret = session.setdefault('_csrf_secret', os.urandom(16))
    nonce = os.urandom(16)

    # Mask the secret with the nonce so the token bytes differ per request.
    masked = int_to_bytes(bytes_to_int(nonce) ^ bytes_to_int(csrf_secret))

    # Base64 and the serializer yield bytes on Python 3; keep everything text.
    payload = {
        "n": _bytes_to_str(b64encode(nonce)),
        "k": _bytes_to_str(b64encode(masked)),
    }
    signer = JSONWebSignatureSerializer(app.secret_key)
    return _bytes_to_str(signer.dumps(payload))
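def _csrf_text(value):
    """Return *value* as text.

    ``b64encode`` and the itsdangerous serializer return ``bytes`` on
    Python 3, which ``json`` cannot serialize and which would not match
    the text the client later sends back.  Base64/JWS output is ASCII,
    so decoding as such is lossless.
    """
    if isinstance(value, bytes):
        return value.decode("ascii")
    return value


def generate_csrf_token():
    """Return a signed CSRF token bound to the session's ``_csrf_secret``.

    The per-session secret is created on first use.  The token carries a
    fresh random nonce (``"n"``) and the secret XOR-masked with that nonce
    (``"k"``), both base64 encoded, inside an itsdangerous JSON web
    signature made with ``app.secret_key``.  The secret itself never
    appears in the token.
    """
    nonce = os.urandom(16)
    # setdefault keeps an existing secret; a new one is only stored the
    # first time a token is generated for this session.
    secret = session.setdefault('_csrf_secret', os.urandom(16))

    # Mask the secret with the nonce so the token bytes differ per request.
    masked = int_to_bytes(bytes_to_int(nonce) ^ bytes_to_int(secret))

    jsw = JSONWebSignatureSerializer(app.secret_key)
    # Convert to text before serializing: bytes values are not JSON
    # serializable on Python 3.
    token = jsw.dumps({
        "n": _csrf_text(b64encode(nonce)),
        "k": _csrf_text(b64encode(masked)),
    })
    return _csrf_text(token)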
def is_csrf_token_bad(token, csrf_secret):
    """Return True unless *token* is a valid CSRF token for *csrf_secret*.

    ``token`` is untrusted request input; ``csrf_secret`` is the
    per-session secret.  The token must carry a signature made with
    ``app.secret_key``, and its nonce (``"n"``) XOR its masked value
    (``"k"``) must equal the session secret.  Any failure along the way —
    bad signature, malformed JSON, missing key, undecodable base64 — is
    reported as a bad token rather than raised.
    """
    try:
        signer = JSONWebSignatureSerializer(app.secret_key)
        # loads() verifies the signature first; tampering raises here.
        payload = signer.loads(token)
        nonce = bytes_to_int(b64decode(_str_to_bytes(payload["n"])))
        masked = bytes_to_int(b64decode(_str_to_bytes(payload["k"])))
        # NOTE(review): if int_to_bytes drops leading zero bytes, a secret
        # whose first byte is 0x00 would unmask shorter than csrf_secret and
        # never compare equal — confirm against the helper's definition.
        recovered = int_to_bytes(nonce ^ masked)
        # Constant-time so a wrong token leaks nothing about the secret
        # through timing.
        matches = constant_time_compare(recovered, csrf_secret)
    except Exception:
        # Deliberately broad: every parse/verify failure means "bad token".
        return True
    return not matches
def is_csrf_token_bad(token, csrf_secret):
    """Return True unless *token* is a valid CSRF token for *csrf_secret*.

    ``token`` is untrusted request input; ``csrf_secret`` is the
    per-session secret.  The token must carry a signature made with
    ``app.secret_key``, and its nonce (``"n"``) XOR its masked value
    (``"k"``) must equal the session secret.  Any failure along the way —
    bad signature, malformed JSON, missing key, undecodable base64 — is
    reported as a bad token rather than raised.
    """
    try:
        # loads() verifies the signature first; tampering raises here.
        tobj = JSONWebSignatureSerializer(app.secret_key).loads(token)
        # Unmask: the token carries the nonce and nonce XOR secret.
        # NOTE(review): if int_to_bytes drops leading zero bytes, a secret
        # whose first byte is 0x00 would unmask shorter than csrf_secret and
        # never compare equal — confirm against the helper's definition.
        unmasked = int_to_bytes(
            bytes_to_int(b64decode(tobj["n"]))
            ^ bytes_to_int(b64decode(tobj["k"]))
        )
        # Constant-time so a wrong token leaks nothing about the secret
        # through timing.
        matches = constant_time_compare(unmasked, csrf_secret)
    except Exception:
        # Deliberately broad: every parse/verify failure means "bad token".
        return True
    return not matches
def test_csrf_form_w_expired_input(self):
    """Reject a form whose CSRF token carries an already-expired timestamp.

    A fresh token is read from the form, its expiry is rewritten to a point
    in the past *without* re-signing it, and the form must then fail
    validation.  The token layout depends on the installed flask_wtf:

    * flask_wtf >= 0.14 signs with itsdangerous: ``<payload>.<timestamp>.<sig>``
    * older flask_wtf: ``<expires>##<hmac>``
    """
    with self.app.application.test_request_context(method="POST"):
        flask.g.session = MagicMock()
        form = pagure.forms.ConfirmationForm()
        data = form.csrf_token.current_token

        # Version as an int tuple; None when flask_wtf has no __version__,
        # which selects the "old" branches below.
        if hasattr(flask_wtf, "__version__"):
            version = tuple(int(v) for v in flask_wtf.__version__.split("."))
        else:
            version = None

        # An expiry in the past, in whichever representation is expected.
        # NOTE(review): which flask_wtf versions use the epoch-seconds form
        # versus the strftime form is not verifiable from here; with
        # >= 0.14 the spliced timestamp also breaks the signature, so the
        # assertion below holds regardless of which form was used.
        if version is not None and version < (0, 10, 0):
            expires = time.time() - 1
        else:
            expires = (
                datetime.datetime.now() - datetime.timedelta(minutes=1)
            ).strftime("%Y%m%d%H%M%S")

        # Splice the expired timestamp into the token without re-signing.
        if version is not None and version >= (0, 14, 0):
            import itsdangerous

            # itsdangerous >= 1.0 moved int_to_bytes into .encoding;
            # 0.24 exposes it at top level.
            encoding_mod = getattr(itsdangerous, "encoding", None)
            to_bytes = getattr(encoding_mod, "int_to_bytes", None)
            if to_bytes is None:
                to_bytes = itsdangerous.int_to_bytes
            timestamp = itsdangerous.base64_encode(
                to_bytes(int(expires))
            ).decode("ascii")

            part1, _, part2 = data.split(".", 2)
            form.csrf_token.data = ".".join([part1, timestamp, part2])
        else:
            _, hmac_csrf = data.split("##", 1)
            form.csrf_token.data = "%s##%s" % (expires, hmac_csrf)

        self.assertFalse(form.validate_on_submit())