Esempio n. 1
0
 def test_nice_report(self):
     self.assertJSONEqual(
         CSPReport(json=json.dumps({'csp-report': {}})).nice_report, {})
     self.assertJSONEqual(
         CSPReport(json=json.dumps({'csp-report': {
             'key': 'value'
         }})).nice_report, {'key': 'value'})
Esempio n. 2
0
 def test_nice_report_invalid_report(self):
     self.assertEqual(
         CSPReport(json=json.dumps({})).nice_report,
         "Invalid CSP report: {}")
     self.assertEqual(
         CSPReport(json=json.dumps({'key': 'value'})).nice_report,
         'Invalid CSP report: {\n    "key": "value"\n}')
Esempio n. 3
0
 def test_text_representation(self):
     self.assertEqual(str(CSPReport(json='')), '[no CSP report data]')
     self.assertEqual(str(CSPReport(json='Not a JSON')),
                      "Invalid CSP report: 'Not a JSON'")
     self.assertJSONEqual(
         str(CSPReport(json=json.dumps({'csp-report': {}}))), {})
     self.assertJSONEqual(
         str(CSPReport(json=json.dumps({'csp-report': {
             'key': 'value'
         }}))), {'key': 'value'})
Esempio n. 4
0
    def test_json_str_value_to_int(self):
        data = {
            'csp-report': {
                'document-uri': 'http://protected.example.cz/',
                'referrer': 'http://referrer.example.cz/',
                'blocked-uri': 'http://dangerous.example.cz/',
                'violated-directive': 'Very protective directive.',
                'original-policy': 'Nothing is allowed.',
                'source-file': 'nasty-script.js',
                'status-code': 0,
                'line-number': '36',
                'column-number': 32,
            }
        }

        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertTrue(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertEqual(report.document_uri, 'http://protected.example.cz/')
        self.assertEqual(report.referrer, 'http://referrer.example.cz/')
        self.assertEqual(report.blocked_uri, 'http://dangerous.example.cz/')
        self.assertEqual(report.violated_directive,
                         'Very protective directive.')
        self.assertEqual(report.source_file, 'nasty-script.js')
        self.assertEqual(report.line_number, 36)
Esempio n. 5
0
    def test_invalid_json(self):
        # Test report which is not a valid JSON.
        report = CSPReport.from_message('NOT_A_JSON')

        self.assertFalse(report.is_valid)
        self.assertEqual(report.json, 'NOT_A_JSON')
        self.assertIsNone(report.document_uri)
Esempio n. 6
0
    def test_invalid_report(self):
        # Test report which is only a valid JSON.
        report = CSPReport.from_message('{}')

        self.assertFalse(report.is_valid)
        self.assertEqual(report.json, '{}')
        self.assertIsNone(report.document_uri)
Esempio n. 7
0
    def test_empty_csp_report(self):
        # Test JSON with empty 'csp-report' object.
        report = CSPReport.from_message("{'csp-report': {}}")

        self.assertFalse(report.is_valid)
        self.assertEqual(report.json, "{'csp-report': {}}")
        self.assertIsNone(report.document_uri)
Esempio n. 8
0
    def test_valid_csp_2_plus(self):
        # Test valid CSP report according to CSP level >= 2.0
        data = {
            'csp-report': {
                'document-uri': 'http://protected.example.cz/',
                'referrer': 'http://referrer.example.cz/',
                'blocked-uri': 'http://dangerous.example.cz/',
                'violated-directive': 'Very protective directive.',
                'original-policy': 'Nothing is allowed.',
                'source-file': 'nasty-script.js'
            }
        }
        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertTrue(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertEqual(report.document_uri, 'http://protected.example.cz/')
        self.assertEqual(report.referrer, 'http://referrer.example.cz/')
        self.assertEqual(report.blocked_uri, 'http://dangerous.example.cz/')
        self.assertEqual(report.violated_directive,
                         'Very protective directive.')
        self.assertEqual(report.original_policy, 'Nothing is allowed.')
        self.assertEqual(report.source_file, 'nasty-script.js')
        self.assertIsNone(report.effective_directive)
Esempio n. 9
0
def save_report(request):
    message = request.body
    if isinstance(message, bytes):
        message = message.decode(request.encoding or settings.DEFAULT_CHARSET)

    report = CSPReport.from_message(message)
    report.user_agent = request.META.get('HTTP_USER_AGENT', '')
    report.save()
Esempio n. 10
0
    def test_partial_csp_report(self):
        # Test partial, but invalid CSP report
        data = {'csp-report': {'blocked-uri': 'self', 'violated-directive': 'inline script base restriction'}}
        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertFalse(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertIsNone(report.document_uri)
        self.assertEqual(report.blocked_uri, 'self')
        self.assertEqual(report.violated_directive, 'inline script base restriction')
Esempio n. 11
0
    def test_render_reports(self):
        summary = CspReportSummary(sentinel.since, sentinel.to)
        summary.total_count = 42
        summary.valid_count = 32
        summary.invalid_count = 10
        violation = ViolationInfo('http://example.cz/')
        violation.append(CSPReport())
        summary.sources = [violation]
        summary.blocks = [violation]

        output = summary.render()

        self.assertIn('CSP report summary', output)
        self.assertIn('Violation sources', output)
        self.assertIn('Blocked URIs', output)
Esempio n. 12
0
    def test_valid_empty_fields(self):
        # Test valid CSP report according to CSP 1.0 with some fields with empty values
        data = {'csp-report': {'document-uri': 'http://protected.example.cz/',
                               'referrer': '',
                               'blocked-uri': '',
                               'violated-directive': 'Very protective directive.',
                               'original-policy': 'Nothing is allowed.'}}
        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertTrue(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertEqual(report.document_uri, 'http://protected.example.cz/')
        self.assertEqual(report.referrer, '')
        self.assertEqual(report.blocked_uri, '')
        self.assertEqual(report.violated_directive, 'Very protective directive.')
        self.assertEqual(report.original_policy, 'Nothing is allowed.')
        self.assertIsNone(report.effective_directive)
Esempio n. 13
0
    def test_valid_line_number(self):
        # Test valid line number is extracted.
        data = {'csp-report': {'document-uri': 'http://protected.example.cz/',
                               'referrer': 'http://referrer.example.cz/',
                               'blocked-uri': 'http://dangerous.example.cz/',
                               'violated-directive': 'Very protective directive.',
                               'original-policy': 'Nothing is allowed.',
                               'line-number': 666}}
        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertTrue(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertEqual(report.document_uri, 'http://protected.example.cz/')
        self.assertEqual(report.referrer, 'http://referrer.example.cz/')
        self.assertEqual(report.blocked_uri, 'http://dangerous.example.cz/')
        self.assertEqual(report.violated_directive, 'Very protective directive.')
        self.assertEqual(report.original_policy, 'Nothing is allowed.')
        self.assertEqual(report.line_number, 666)
Esempio n. 14
0
    def test_invalid_disposition(self):
        # Test invalid disposition is ignored.
        data = {'csp-report': {'document-uri': 'http://protected.example.cz/',
                               'referrer': 'http://referrer.example.cz/',
                               'blocked-uri': 'http://dangerous.example.cz/',
                               'violated-directive': 'Very protective directive.',
                               'original-policy': 'Nothing is allowed.',
                               'disposition': 'INVALID'}}
        message = json.dumps(data)
        report = CSPReport.from_message(message)

        self.assertTrue(report.is_valid)
        self.assertEqual(report.json, message)
        self.assertEqual(report.document_uri, 'http://protected.example.cz/')
        self.assertEqual(report.referrer, 'http://referrer.example.cz/')
        self.assertEqual(report.blocked_uri, 'http://dangerous.example.cz/')
        self.assertEqual(report.violated_directive, 'Very protective directive.')
        self.assertEqual(report.original_policy, 'Nothing is allowed.')
        self.assertIsNone(report.disposition)
Esempio n. 15
0
def save_report(request):
    report = CSPReport.from_message(
        request.body.decode(request.encoding or settings.DEFAULT_CHARSET))
    report.user_agent = request.META.get('HTTP_USER_AGENT', '')
    report.save()
Esempio n. 16
0
 def test_nice_report_empty(self):
     self.assertEqual(
         CSPReport(json=None).nice_report, '[no CSP report data]')
     self.assertEqual(
         CSPReport(json='').nice_report, '[no CSP report data]')
Esempio n. 17
0
 def test_nice_report_invalid_json(self):
     self.assertEqual(
         CSPReport(json='Not a JSON').nice_report,
         "Invalid CSP report: 'Not a JSON'")