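def test_csrf_form_w_expired_input(self):
        """ Test the CSRF validation with an expired CSRF specified.

        A genuine token is taken from the form, its expiry/timestamp part is
        rewritten to lie in the past, and ``validate_on_submit`` must then
        return False.  The part that gets rewritten depends on the installed
        flask_wtf, which this test assumes uses these layouts:

        * below 0.10:   ``<YYYYmmddHHMMSS>##<hmac>``
        * 0.10 - 0.13:  ``<epoch seconds>##<hmac>``
        * 0.14 and up:  itsdangerous ``<payload>.<timestamp>.<signature>``

        A token whose timestamp was altered after signing is expected to be
        rejected in every layout.
        """
        with self.app.application.test_request_context(method='POST'):
            flask.g.session = MagicMock()
            form = pagure.forms.ConfirmationForm()
            data = form.csrf_token.current_token

            # Parse the version once and compare integers: comparing a tuple
            # of strings with a tuple of ints is meaningless in Python 2
            # (str always sorts after int, so the check was always true) and
            # raises TypeError in Python 3.
            if hasattr(flask_wtf, '__version__'):
                version = tuple(
                    int(part) for part in flask_wtf.__version__.split('.'))
            else:
                version = None

            # CSRF token expired
            if version is not None and version >= (0, 10, 0):
                expires = time.time() - 1
            else:
                expires = (
                    datetime.datetime.now() -
                    datetime.timedelta(minutes=1)).strftime('%Y%m%d%H%M%S')

            # Change the CSRF format
            if version is not None and version >= (0, 14, 0):
                import itsdangerous
                # NOTE(review): itsdangerous >= 1.0 exposes int_to_bytes as
                # itsdangerous.encoding.int_to_bytes; confirm the pinned
                # version still has it at the top level.
                timestamp = itsdangerous.base64_encode(
                    itsdangerous.int_to_bytes(int(expires)))
                part1, _, part2 = data.split('.', 2)
                form.csrf_token.data = '.'.join([part1, timestamp, part2])
            else:
                _, hmac_csrf = data.split('##', 1)
                form.csrf_token.data = '%s##%s' % (expires, hmac_csrf)

            self.assertFalse(form.validate_on_submit())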
    def generate_csrf_token():
        """Return a fresh, signed CSRF token bound to the session's secret.

        Every call draws a new 16-byte nonce and masks the session's
        ``_csrf_secret`` (created on first use) with it.  The token carries
        the base64 nonce under ``"n"`` and the base64 masked secret
        (``nonce XOR secret``) under ``"k"``, and the whole payload is signed
        with ``app.secret_key`` through ``JSONWebSignatureSerializer``.  The
        checker recovers the secret as ``n XOR k`` and compares it with the
        session value.  Because of the per-token nonce, two tokens for the
        same secret never look alike (presumably a BREACH-style
        randomisation; the scheme does not hide the secret from whoever
        holds the token).  The result is converted to ``str`` for the caller.
        """
        fresh_nonce = os.urandom(16)
        # setdefault evaluates its default eagerly, so the spare urandom()
        # call when the secret already exists is wasted but harmless.
        session_secret = session.setdefault('_csrf_secret', os.urandom(16))

        masked_secret = bytes_to_int(fresh_nonce) ^ bytes_to_int(session_secret)

        # NOTE(review): JSONWebSignatureSerializer was removed in
        # itsdangerous 2.x; confirm the pinned version.
        signer = JSONWebSignatureSerializer(app.secret_key)
        payload = {
            "n": _bytes_to_str(b64encode(fresh_nonce)),
            "k": _bytes_to_str(b64encode(int_to_bytes(masked_secret))),
        }
        return _bytes_to_str(signer.dumps(payload))
    def generate_csrf_token():
        """Return a fresh, signed CSRF token bound to the session's secret.

        A new 16-byte nonce is drawn on every call; the session's
        ``_csrf_secret`` (created on first use) is XOR-masked with it.  The
        signed payload holds the base64 nonce as ``"n"`` and the base64
        masked secret as ``"k"``; the checker recovers the secret as
        ``n XOR k``.  The per-token nonce makes every token distinct even
        though the secret is constant (presumably a BREACH-style
        randomisation; the token does not hide the secret from its bearer).
        The signed value is returned as produced by the serializer, without
        any str/bytes conversion.
        """
        nonce_bytes = os.urandom(16)
        # The default passed to setdefault is computed even when the key is
        # already present; that extra urandom() call is harmless.
        secret_bytes = session.setdefault('_csrf_secret', os.urandom(16))

        nonce_value = bytes_to_int(nonce_bytes)
        secret_value = bytes_to_int(secret_bytes)
        masked = int_to_bytes(nonce_value ^ secret_value)

        # NOTE(review): JSONWebSignatureSerializer was removed in
        # itsdangerous 2.x; confirm the pinned version.
        signer = JSONWebSignatureSerializer(app.secret_key)
        return signer.dumps({
            "n": b64encode(nonce_bytes),
            "k": b64encode(masked),
        })
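    def is_csrf_token_bad(token, csrf_secret):
        """Return True if *token* does not check out against *csrf_secret*.

        The token is a ``JSONWebSignatureSerializer`` payload signed with
        ``app.secret_key``; ``loads`` refuses a payload whose signature does
        not verify.  The payload holds a base64 nonce ``"n"`` and
        ``"k"`` = nonce XOR secret, so ``n XOR k`` must reproduce
        *csrf_secret*, which is compared in constant time.  Any failure
        along the way (bad signature, malformed base64, missing key, wrong
        type) is reported as a bad token rather than raised: the function
        fails closed on purpose.

        :param token: the token string submitted with the request.
        :param csrf_secret: the per-session secret the token must match.
        :return: True when the token must be rejected, False when it is
            valid for this session.
        """
        try:
            # NOTE(review): JSONWebSignatureSerializer was removed in
            # itsdangerous 2.x; confirm the pinned version.
            jsw = JSONWebSignatureSerializer(app.secret_key)
            tobj = jsw.loads(token)

            nonce_int = bytes_to_int(b64decode(_str_to_bytes(tobj["n"])))
            key_int = bytes_to_int(b64decode(_str_to_bytes(tobj["k"])))

            user_secret = int_to_bytes(nonce_int ^ key_int)
            # If int_to_bytes emits the minimal big-endian encoding (as
            # itsdangerous' does), a stored secret whose leading byte is 0x00
            # comes back one byte shorter here and would never compare equal
            # although the integers match.  Left-pad with zero bytes to the
            # stored length: a no-op when the lengths already agree, and it
            # cannot make a genuinely different secret pass because the
            # integer value is unchanged.
            user_secret = user_secret.rjust(len(csrf_secret), b'\x00')

            return not constant_time_compare(
                user_secret,
                csrf_secret
            )
        except Exception:
            # Deliberately fail closed: whatever went wrong, reject the token.
            return True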
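    def is_csrf_token_bad(token, csrf_secret):
        """Return True if *token* does not check out against *csrf_secret*.

        ``loads`` on the ``JSONWebSignatureSerializer`` keyed with
        ``app.secret_key`` rejects a badly signed token.  The payload holds a
        base64 nonce ``"n"`` and ``"k"`` = nonce XOR secret, so ``n XOR k``
        must reproduce *csrf_secret*; the comparison is constant-time.  Every
        failure (signature, base64, missing key, wrong type) is reported as a
        bad token instead of being raised: the function fails closed.

        :param token: the token submitted with the request.
        :param csrf_secret: the per-session secret the token must match.
        :return: True when the token must be rejected, False when valid.
        """
        try:
            # NOTE(review): JSONWebSignatureSerializer was removed in
            # itsdangerous 2.x; confirm the pinned version.
            jsw = JSONWebSignatureSerializer(app.secret_key)
            tobj = jsw.loads(token)

            nonce_int = bytes_to_int(b64decode(tobj["n"]))
            key_int = bytes_to_int(b64decode(tobj["k"]))

            user_secret = int_to_bytes(nonce_int ^ key_int)
            # With a minimal big-endian int_to_bytes (itsdangerous' is), a
            # stored secret starting with 0x00 comes back shorter and would
            # never compare equal despite matching as integers.  Pad on the
            # left to the stored length; this is a no-op when lengths already
            # agree and cannot turn a different secret into a match, since
            # the integer value is untouched.
            user_secret = user_secret.rjust(len(csrf_secret), b'\x00')

            return not constant_time_compare(
                user_secret,
                csrf_secret
            )
        except Exception:
            # Deliberately fail closed: any error means the token is bad.
            return True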
    def test_csrf_form_w_expired_input(self):
        """ Test the CSRF validation with an expired CSRF specified.

        A genuine token is fetched from the form, its expiry/timestamp
        component is replaced with a value from the past, and the form must
        then refuse to validate.  Which component gets replaced depends on
        the installed flask_wtf: the ``<expiry>##<hmac>`` layout below 0.14,
        the itsdangerous ``<payload>.<timestamp>.<signature>`` layout from
        0.14 on.  With no ``__version__`` attribute the oldest layout is
        assumed.
        """
        with self.app.application.test_request_context(method="POST"):
            flask.g.session = MagicMock()
            form = pagure.forms.ConfirmationForm()
            data = form.csrf_token.current_token

            if hasattr(flask_wtf, "__version__"):
                wtf_version = tuple(
                    int(v) for v in flask_wtf.__version__.split("."))
            else:
                wtf_version = None

            # CSRF token expired
            # NOTE(review): epoch seconds are used for flask_wtf *older* than
            # 0.10 and the strftime string otherwise; confirm this matches
            # the token format of the flask_wtf versions in use.
            if wtf_version is not None and wtf_version < (0, 10, 0):
                expires = time.time() - 1
            else:
                one_minute_ago = (
                    datetime.datetime.now() - datetime.timedelta(minutes=1))
                expires = one_minute_ago.strftime("%Y%m%d%H%M%S")

            # Change the CSRF format
            if wtf_version is not None and wtf_version >= (0, 14, 0):
                import itsdangerous

                expired_seconds = int(expires)
                try:  # ItsDangerous-1.0
                    to_bytes = itsdangerous.encoding.int_to_bytes
                except AttributeError:  # ItsDangerous-0.24
                    to_bytes = itsdangerous.int_to_bytes
                timestamp = itsdangerous.base64_encode(
                    to_bytes(expired_seconds)).decode("ascii")
                head, _, tail = data.split(".", 2)
                form.csrf_token.data = ".".join([head, timestamp, tail])
            else:
                _, hmac_csrf = data.split("##", 1)
                form.csrf_token.data = "%s##%s" % (expires, hmac_csrf)

            self.assertFalse(form.validate_on_submit())