def test_invalid_header_contentSecurity(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({ "Content-Security-Policy": "$# default-src https://my.csp.domain.amsterdam" }) header_config = headers.parse_headers() self.assertEquals("", header_config)
def set_up_nginx_files(m2ee): lines = "" if use_instadeploy(m2ee.config.get_runtime_version()): mxbuild_upstream = "proxy_pass http://mendix_mxbuild" else: mxbuild_upstream = "return 501" with open("nginx/conf/nginx.conf") as fh: lines = "".join(fh.readlines()) http_headers = parse_headers() lines = ( lines.replace("CONFIG", get_path_config()) .replace("NGINX_PORT", str(get_nginx_port())) .replace("RUNTIME_PORT", str(get_runtime_port())) .replace("ADMIN_PORT", str(get_admin_port())) .replace("DEPLOY_PORT", str(get_deploy_port())) .replace("ROOT", os.getcwd()) .replace("HTTP_HEADERS", http_headers) .replace("MXBUILD_UPSTREAM", mxbuild_upstream) ) for line in lines.split("\n"): logger.debug(line) with open("nginx/conf/nginx.conf", "w") as fh: fh.write(lines) gen_htpasswd({"MxAdmin": get_m2ee_password()}) gen_htpasswd( {"deploy": os.getenv("DEPLOY_PASSWORD")}, file_name_suffix="-mxbuild" )
def test_valid_header_permittedPolicies(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Permitted-Cross-Domain-Policies": "by-content-type"}) header_config = headers.parse_headers() self.assertIn( "add_header X-Permitted-Cross-Domain-Policies 'by-content-type';", header_config, )
def test_valid_header_referrerPolicy(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"Referrer-Policy": "no-referrer-when-downgrade"}) header_config = headers.parse_headers() self.assertIn( "add_header Referrer-Policy 'no-referrer-when-downgrade';", header_config, )
def handle(self): # read request message method, path, protocol = self.rfile.readline().decode().split() self.parse_rfile = [] for line in self.rfile: if line == b'\r\n': break self.parse_rfile.append(line) req_headers = { key.lower().capitalize(): val for key, val in headers.parse_headers(self.parse_rfile).items() } content_length = req_headers.get('Content-length') if content_length: # if request body exists body = self.rfile.read(int(content_length)) else: body = None if debug: print("Method : {0}".format(method)) print("Path : {0}".format(path)) print("Protocol : {0}".format(protocol)) print("Request Headers : {0}".format(req_headers)) print("Content Length : {0}".format(content_length)) print("Body : {0}".format(body)) # read content from file name: '.' + path filename = '.' + path try: f = open(filename, 'rb') content = f.read() f.close() except Exception as e: content = None # Build response message res_headers = {} res_headers['Date'] = time.asctime() res_headers['Server'] = 'MyServer/1.0' res_headers['Connection'] = req_headers.get('Connection') if content: content_type, encoding = mimetypes.guess_type(filename) res_headers['Accept-Ranges'] = 'bytes' res_headers['Content-type'] = content_type res_headers['Content-length'] = str(len(content)) print('HTTP/1.1 200 OK') self.wfile.write(b'HTTP/1.1 200 OK\r\n') self.wfile.write(headers.to_bytes(res_headers) + b'\r\n') self.wfile.write(content) else: print('HTTP/1.1 404 Not found') self.wfile.write(b'HTTP/1.1 404 not found\r\n') self.wfile.write(headers.to_bytes(res_headers) + b'\r\n') if debug: print("Response Headers : {0}".format(res_headers)) self.wfile.flush()
def test_valid_header_xfrmaeOption(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Frame-Options": "allow-from https://mendix.com"}) os.environ["X_FRAME_OPTIONS"] = "deny" header_config = headers.parse_headers() self.assertIn( "add_header X-Frame-Options 'allow-from https://mendix.com';", header_config, )
def test_valid_header_contentSecurity(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({ "Content-Security-Policy": "default-src https: \u0027unsafe-eval\u0027 \u0027unsafe-inline\u0027; object-src \u0027none\u0027" # noqa: E501 }) header_config = headers.parse_headers() self.assertIn( "add_header Content-Security-Policy 'default-src https: \\'unsafe-eval\\' \\'unsafe-inline\\'; object-src \\'none\\'';", # noqa: E501 header_config, )
def test_valid_header_xssProtection(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({ "X-XSS-Protection": "1; report=https://domainwithnewstyle.tld.consultancy" }) header_config = headers.parse_headers() self.assertIn( "add_header X-XSS-Protection '1; report=https://domainwithnewstyle.tld.consultancy';", header_config, )
def request_handler(rfile, wfile): while True: # read request message method, path, protocol = rfile.readline().decode().split() req_headers = headers.parse_headers(rfile) content_length = req_headers.get('Content-length') if content_length: # if request body exists body = rfile.read(int(content_length)) else: body = None print(method, path, protocol) print(req_headers) if content_length: print(body) # Build response message import os file = '.' + path try: f = open(file, 'rb') except: content = None else: content = f.read() f.close() if content: print('HTTP/1.1 200 OK') wfile.write(b'HTTP/1.1 200 OK\r\n') else: print('HTTP/1.1 404 not found') wfile.write(b'HTTP/1.1 404 not found\r\n') res_headers = {} res_headers['Date'] = time.asctime() res_headers['Server'] = 'MyServer/1.0' res_headers['Accept-Ranges'] = 'bytes' if req_headers.get('Connection') == 'close': res_headers['Connection'] = 'close' else: res_headers['Connection'] = 'keep-alive' if content: content_type, encoding = mimetypes.guess_type(file) res_headers['Content-type'] = content_type res_headers['Content-length'] = str(len(content)) res_headers_text = headers.to_bytes(res_headers) print(res_headers_text.decode()) wfile.write(res_headers_text) if content: wfile.write(content) wfile.flush() if res_headers['Connection'] == 'close': break
def test_valid_header_partial(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps({ "Referrer-Policy": "no-referrr-when-downgrade", "Access-Control-Allow-Origin": "https://this.is.mydomain.nl", "X-Content-Type-Options": "nosniff", }) header_config = headers.parse_headers() self.assertNotIn( "add_header X-XSS-Protection '1; report=https://domainwithnewstyle.tld.consultancy';", header_config, )
def handle(self): print(self.request) # read request message method, path, protocol = self.rfile.readline().decode().split() req_headers = headers.parse_headers(self.rfile) content_length = req_headers.get('Content-length') if content_length: # if request body exists body = self.rfile.read(int(content_length)) else: body = None print(method, path, protocol) print(req_headers) if content_length: print(body) # read content from file name: '.' + path file = '.' + path try: f = open(file, 'rb') except Exception as e: content = None else: content = f.read() f.close() # Build response message if content: print('HTTP/1.1 200 OK') self.wfile.write(b'HTTP/1.1 200 OK\r\n') else: print('HTTP/1.1 404 Not found') self.wfile.write(b'HTTP/1.1 404 not found\r\n') res_headers = {} res_headers['Date'] = time.asctime() res_headers['Server'] = 'MyServer/1.0' res_headers['Connection'] = 'close' if req_headers.get( 'Connection') == 'close' else 'keep-alive' if content: content_type, encoding = mimetypes.guess_type(file) res_headers['Accept-Ranges'] = 'bytes' res_headers['Content-type'] = content_type res_headers['Content-length'] = str(len(content)) print(res_headers) self.wfile.write(headers.to_bytes(res_headers)) if content: self.wfile.write(content) self.wfile.flush()
def test_valid_header_accessControl(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"Access-Control-Allow-Origin": "*"}) header_config = headers.parse_headers() self.assertIn("add_header Access-Control-Allow-Origin '*';", header_config)
def handle(self): # read a request message buffer = self.request.recv(1024).strip() file = io.BytesIO(buffer) request_headers = headers.parse_headers(file) # print('request_headers: ', request_headers) # read content from file name: '.' + path PATH = '' PATH = request_headers['PATH'] METHOD = '' METHOD = request_headers['METHOD'] senddata = b'\r\n' print(PATH, METHOD) if METHOD != 'GET': PATH = '/notget.html' print(PATH, METHOD) if PATH == '/public/index.html': f = open('./public/index.html', 'rb') elif PATH: if PATH == '/css/style.css' or PATH == '/favicon.ico': f = open('./public' + PATH, 'rb') elif PATH == '/notget.html': f = open('./public' + PATH, 'rb') elif os.path.isfile("." + PATH): f = open('.' + PATH, 'rb') else: f = open('./public/404.html', 'rb') else: f = open('./public/404.html', 'rb') data = f.read(1024) while data: senddata += data data = f.read(1024) f.close() # Build the response message res_status_line = '' res_status_line = 'HTTP/1.1 404 Not found' res_headers = {} res_headers['Date'] = time.asctime() res_headers['Server'] = 'MyServer/1.0' res_headers['Accept-range'] = 'bytes' if PATH == '/public/index.html': f = open('./public/index.html', 'rb') res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str( os.path.getsize('./public' + '/index.html')) res_status_line = 'HTTP/1.1 200 OK\r\n' elif PATH: if PATH == '/css/style.css' or PATH == '/favicon.ico': f = open('./public' + PATH, 'rb') res_headers['Content-type'] = mimetypes.guess_type('./public' + PATH)[0] res_headers['Content-Length'] = str( os.path.getsize('./public' + PATH)) res_status_line = 'HTTP/1.1 200 OK\r\n' elif os.path.isfile("." + PATH): f = open('.' + PATH, 'rb') res_headers['Content-type'] = mimetypes.guess_type(PATH)[0] res_headers['Content-Length'] = str(os.path.getsize('.' + PATH)) # res_headers['Content-Length'] = '10000' res_status_line = 'HTTP/1.1 200 OK\r\n' else: f = open('./public/404.html', 'rb') res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str( os.path.getsize('./public' + '/404.html')) else: f = open('./public/404.html', 'rb') res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str( os.path.getsize('./public' + '/404.html')) if PATH == '/notget.html': res_headers['Content-Length'] = str( os.path.getsize('./public' + '/notget.html')) for k in res_headers: line = k + ': ' + res_headers[k] + '\r\n' res_status_line += line sbuff = res_status_line.encode() sbuff += senddata self.wfile.write(sbuff) self.wfile.flush() # Flush-out output buffer for immediate sending
def test_invalid_header_permittedPolicies(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Permitted-Cross-Domain-Policies": "#%#^#^"}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def test_invalid_header_xssProtection(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-XSS-Protection": "1;mode=bock"}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def test_invalid_header_json(self): os.environ["HTTP_RESPONSE_HEADERS"] = "invalid" with self.assertRaises(ValueError): headers.parse_headers()
def test_invalid_header_contentType(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Content-Type-Options": ""}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def test_invalid_header_xframeOption(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Frame-Options": "allow-form htps://mendix.com"}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def test_valid_header_contentType(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"X-Content-Type-Options": "nosniff"}) header_config = headers.parse_headers() self.assertIn("add_header X-Content-Type-Options 'nosniff';", header_config)
def test_invalid_header_accessControl(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"Access-Control-Allow-Origin": "htps://this.is.mydomain.nl"}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def handle(self): # read a request message # print(self.client_address[0]) import os buffer = self.request.recv(1024).strip() file = io.BytesIO(buffer) request_headers = headers.parse_headers(file) # print('request_headers: ', request_headers) PATH = '' PATH = request_headers['PATH'] KeepAlive = '' if 'Keep-Alive' in request_headers: KeepAlive = request_headers['Keep-Alive'] if request_headers['CONNECTION']: CONNECTION = request_headers['CONNECTION'] else: CONNECTION = 'keep-alive' print(PATH, CONNECTION) pass senddata=b'\r\n' # read content from file name: '.' + path if PATH == '/test/index.html': f = open('./test/index.html', 'rb') elif PATH: if os.path.exists("." + PATH): if PATH == '/test' or PATH == '/test/': f = open('./test/404.html', 'rb') else: f = open('.'+PATH, 'rb') else: f = open('./test/404.html', 'rb') data = f.read(1024) while data: senddata+=data data = f.read(1024) f.close() pass # Build the response message import mimetypes import time text = '' res_headers = {} res_headers['Date'] = time.asctime() res_headers['Server'] = 'MyServer/1.0' res_headers['Accept-range'] = 'bytes' if CONNECTION == 'keep-alive': res_headers['Connection'] = 'keep-alive' if KeepAlive == '': res_headers['Keep-Alive'] = 'timeout=10, max=100' else: KeepAlive = list(KeepAlive.split(', ')) if int(KeepAlive[1]) -1 == 0: res_headers['Connection'] = 'close' else: KeepAlive[1] = int(KeepAlive[0][4:]) - 1 KeepAlive = ', '.join(KeepAlive) res_headers['Keep-Alive'] = KeepAlive elif CONNECTION == 'close': res_headers['Connection'] = 'close' if PATH == '/test/index.html': res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str(os.path.getsize('./test'+'/index.html')) text += 'HTTP/1.1 200 OK\r\n' elif PATH: if os.path.exists("." + PATH): if PATH == '/test' or PATH == '/test/': res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str(os.path.getsize('./test'+'/404.html')) text += 'HTTP/1.1 200 OK\r\n' else: res_headers['Content-type'] = mimetypes.guess_type(PATH)[0] res_headers['Content-Length'] = str(os.path.getsize('.'+PATH)) text += 'HTTP/1.1 200 OK\r\n' else: res_headers['Content-type'] = 'text/html' res_headers['Content-Length'] = str(os.path.getsize('./test'+'/404.html')) text += 'HTTP/1.1 404 Not found' for k in res_headers: line = k+': '+res_headers[k]+'\r\n' text += line sbuff = text.encode() sbuff+=senddata self.wfile.write(sbuff) pass self.wfile.flush() # Flush-out output buffer for immediate sending
def test_invalid_header_referrerPolicy(self): os.environ["HTTP_RESPONSE_HEADERS"] = json.dumps( {"Referrer-Policy": "no-referrr-when-downgrade"}) header_config = headers.parse_headers() self.assertEquals("", header_config)
def test_valid_with_xframeOption(self): os.environ["HTTP_RESPONSE_HEADERS"] = "{}" os.environ["X_FRAME_OPTIONS"] = "DENY" header_config = headers.parse_headers() self.assertIn("add_header X-Frame-Options 'DENY';", header_config)