def testDirectiveParser_parse_empty(self): assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID() assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID() assert DirectiveParser( strict=True).parse("img-src ") == Directive.INVALID() assert DirectiveParser( strict=False).parse("img-src ") == Directive.INVALID()
def testDirectiveParser_parse_standard(self): assert DirectiveParser(strict=True).parse("default-src https: 'unsafe-inline' 'unsafe-eval'") \ == Directive("default-src", [URISourceExpression("https", None, None, None), SourceExpression.UNSAFE_INLINE(), SourceExpression.UNSAFE_EVAL()]) assert DirectiveParser(strict=True).parse("default-src 'self'") \ == Directive("default-src", [SelfSourceExpression.SELF()]) assert DirectiveParser(strict=True).parse("img-src *") \ == Directive("img-src", [URISourceExpression(None, "*", None, None)]) assert DirectiveParser(strict=True).parse("object-src media1.example.com media2.example.com *.cdn.example.com") \ == Directive("object-src", [URISourceExpression(None, "media1.example.com", None, None), URISourceExpression(None, "media2.example.com", None, None), URISourceExpression(None, "*.cdn.example.com", None, None)])
def testDirectiveParser_parse_whitespaceRemoval(self): """Whitespace is properly removed.""" directive = "img-src 'self' https://abc.cloudfront.net/the-path chrome-extension: data: https://def.cloudfront.net/another-path " directiveClean = "img-src 'self' chrome-extension: data: https://abc.cloudfront.net/the-path https://def.cloudfront.net/another-path" cspDirective = DirectiveParser().parse(directive) assert cspDirective.getType() == "img-src" assert cspDirective.getWhitelistedSourceExpressions() == set([SelfSourceExpression.SELF(), URISourceExpression("chrome-extension", None, None, None), URISourceExpression("data", None, None, None), URISourceExpression("https", "abc.cloudfront.net", None, "/the-path"), URISourceExpression("https", "def.cloudfront.net", None, "/another-path")]) assert str(cspDirective) == directiveClean cspDirectiveClean = DirectiveParser().parse(directiveClean) assert cspDirective == cspDirectiveClean
def testDirectiveParser_parse_eval(self): """'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'""" scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'""" scriptSrcWithEvalOnly = """script-src 'unsafe-eval'""" defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'""" invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'""" assert str( DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval assert str(DirectiveParser().parse( scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \ == defaultSrcWithInlineAndEvalOnly assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \ == "img-src http://example/path"
def testDirectiveParser_parse_translate(self): """The old directive type 'xhr-src' is correctly rewritten to 'connect-src'.""" translateDirective = "xhr-src http://localhost" cspTranslateDirective = DirectiveParser().parse(translateDirective) assert cspTranslateDirective == Directive( "connect-src", (URISourceExpression("http", "localhost", None, None), ))
def testDirectiveParser_parse_none_syntaxerror_notstrict(self): """If 'none' appears in a directive not parsed strictly and other expressions occur, 'none' is ignored.""" noneDirectiveInvalid = """default-src http://one 'None' http://two""" cspDirective = DirectiveParser( strict=False).parse(noneDirectiveInvalid) assert cspDirective == Directive("default-src", [ URISourceExpression("http", "one", None, None), URISourceExpression("http", "two", None, None) ])
def testDirectiveParser_parse_whitespaceRemoval(self): """Whitespace is properly removed.""" directive = "img-src 'self' https://abc.cloudfront.net/the-path chrome-extension: data: https://def.cloudfront.net/another-path " directiveClean = "img-src 'self' chrome-extension: data: https://abc.cloudfront.net/the-path https://def.cloudfront.net/another-path" cspDirective = DirectiveParser().parse(directive) assert cspDirective.getType() == "img-src" assert cspDirective.getWhitelistedSourceExpressions() == set([ SelfSourceExpression.SELF(), URISourceExpression("chrome-extension", None, None, None), URISourceExpression("data", None, None, None), URISourceExpression("https", "abc.cloudfront.net", None, "/the-path"), URISourceExpression("https", "def.cloudfront.net", None, "/another-path") ]) assert str(cspDirective) == directiveClean cspDirectiveClean = DirectiveParser().parse(directiveClean) assert cspDirective == cspDirectiveClean
def testDirectiveParser_parse_inline(self): """'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'""" scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/""" styleSrcWithInline = """style-src 'unsafe-inline' http://other""" styleSrcWithInlineOnly = """style-src 'unsafe-inline'""" defaultSrcWithInlineOnly = """default-src 'unsafe-inline'""" invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'""" invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'""" assert str(DirectiveParser().parse( scriptSrcWithInline)) == scriptSrcWithInline assert str( DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline assert str(DirectiveParser().parse( styleSrcWithInlineOnly)) == styleSrcWithInlineOnly assert str(DirectiveParser().parse( defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \ == "object-src 'self'" assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \ == Directive.INVALID() assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \ == "object-src 'none'"
def testDirectiveParser_parse_evalScriptBaseRestriction(self): """The Firefox value 'eval script base restriction' for the 'violated-directive' field is parsed correctly.""" firefoxViolatedDirective = "eval script base restriction" assert DirectiveParser().parse(firefoxViolatedDirective) \ == Directive.EVAL_SCRIPT_BASE_RESTRICTION()
def testDirectiveParser_parse_inlineStyleBaseRestriction(self): """The Firefox value 'inline style base restriction' for the 'violated-directive' field is parsed correctly.""" firefoxViolatedDirective = "inline style base restriction" assert DirectiveParser().parse(firefoxViolatedDirective) \ == Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirectiveParser_parse_invalidSourceExpression_notstrict(self): """In non-strict mode, invalid source expressions are ignored.""" invalidDirective = """img-src http://url 'blah'""" cspDirective = DirectiveParser(strict=False).parse(invalidDirective) assert cspDirective == Directive( "img-src", [URISourceExpression("http", "url", None, None)])
def testDirectiveParser_parse_invalidSourceExpression_strict(self): """In strict mode, only valid source expressions may be used.""" invalidDirective = """img-src http://url 'blah'""" assert DirectiveParser(strict=True).parse(invalidDirective) \ == Directive.INVALID()
def testDirectiveParser_parse_none_syntaxerror_strict(self): """If 'none' appears in a directive parsed strictly, no other values are permitted.""" noneDirectiveInvalid = """default-src http://one 'None' http://two""" assert DirectiveParser(strict=True).parse(noneDirectiveInvalid) \ == Directive.INVALID()
def testDirectiveParser_parse_none(self): """Parse a 'none' value.""" noneDirective = """default-src 'none' """ cspNoneDirective = DirectiveParser().parse(noneDirective) assert cspNoneDirective == Directive("default-src", [])
def testDirectiveParser_parse_ignore(self): """Report URIs are not supported in CSP Directives.""" ignoredDirective = "report-uri http://localhost/saveme.exe" assert DirectiveParser().parse(ignoredDirective) is Directive.INVALID()
def testDirectiveParser_parse_invalid(self): invalidDirective = "blah" assert DirectiveParser().parse(invalidDirective) is Directive.INVALID()