def test_DO01(self): process1 = Process("Process1") web = Server("Web Server") process1.handlesResourceConsumption = False process1.isResilient = False web.handlesResourceConsumption = False web.isResilient = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "DO01")) self.assertTrue(ThreatObj.apply(process1)) self.assertTrue(ThreatObj.apply(web))
def test_CR08(self): user = Actor("User") web = Server("Web Server") web.minTLSVersion = TLSVersion.TLSv11 user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTPS" user_to_web.isEncrypted = True user_to_web.tlsVersion = TLSVersion.SSLv3 threat = threats["CR08"] self.assertTrue(threat.apply(user_to_web))
def test_DE02(self): web = Server("Web Server") process1 = Process("Process1") web.validatesInput = False web.sanitizesInput = False process1.validatesInput = False process1.sanitizesInput = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "DE02")) self.assertTrue(ThreatObj.apply(web)) self.assertTrue(ThreatObj.apply(process1))
def test_AC05(self): process1 = Process("Process1") web = Server("Web Server") process1.providesIntegrity = False process1.authorizesSource = False web.providesIntegrity = False web.authorizesSource = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "AC05")) self.assertTrue(ThreatObj.apply(process1)) self.assertTrue(ThreatObj.apply(web))
def test_AC05(self): process1 = Process("Process1") web = Server("Web Server") process1.providesIntegrity = False process1.authorizesSource = False web.providesIntegrity = False web.authorizesSource = False threat = threats["AC05"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(web))
def test_DE02(self): web = Server("Web Server") process1 = Process("Process1") web.validatesInput = False web.sanitizesInput = False process1.validatesInput = False process1.sanitizesInput = False threat = threats["DE02"] self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(process1))
def test_DO04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" xml = Data(name="user to web data", description="textual", format="XML") user_to_web.data = xml user_to_web.handlesResources = False threat = threats["DO04"] self.assertTrue(threat.apply(user_to_web))
def test_CR05(self): web = Server("Web Server") db = Datastore("db") web.usesEncryptionAlgorithm != 'RSA' web.usesEncryptionAlgorithm != 'AES' db.usesEncryptionAlgorithm != 'RSA' db.usesEncryptionAlgorithm != 'AES' ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "CR05")) self.assertTrue(ThreatObj.apply(web)) self.assertTrue(ThreatObj.apply(db))
def test_CR05(self): web = Server("Web Server") db = Datastore("db") web.usesEncryptionAlgorithm != "RSA" web.usesEncryptionAlgorithm != "AES" db.usesEncryptionAlgorithm != "RSA" db.usesEncryptionAlgorithm != "AES" threat = threats["CR05"] self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(db))
def test_DE03(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = 'HTTP' user_to_web.isEncrypted = False user_to_web.usesVPN = False ThreatObj = Threat( next(item for item in threats_json if item["SID"] == "DE03")) self.assertTrue(ThreatObj.apply(user_to_web))
def test_CR06(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.usesVPN = False user_to_web.implementsAuthenticationScheme = False user_to_web.authorizesSource = False threat = threats["CR06"] self.assertTrue(threat.apply(user_to_web))
def test_INP14(self): process1 = Process("Process1") lambda1 = Lambda("Lambda1") web = Server("Web Server") process1.validatesInput = False lambda1.validatesInput = False web.validatesInput = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "INP14")) self.assertTrue(ThreatObj.apply(process1)) self.assertTrue(ThreatObj.apply(lambda1)) self.assertTrue(ThreatObj.apply(web))
def test_CR06(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = 'HTTP' user_to_web.usesVPN = False user_to_web.implementsAuthenticationScheme = False user_to_web.authorizesSource = False ThreatObj = Threat( next(item for item in threats_json if item["SID"] == "CR06")) self.assertTrue(ThreatObj.apply(user_to_web))
def test_INP14(self): process1 = Process("Process1") lambda1 = Lambda("Lambda1") web = Server("Web Server") process1.validatesInput = False lambda1.validatesInput = False web.validatesInput = False threat = threats["INP14"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(lambda1)) self.assertTrue(threat.apply(web))
def test_AC04(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") xml = Data(name="user to web data", description="textual", format="XML") user_to_web.data = xml user_to_web.authorizesSource = False threat = threats["AC04"] self.assertTrue(threat.apply(user_to_web))
def test_AC22(self): user = Actor("User") web = Server("Web Server") user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.data = Data("password", isCredentials=True, credentialsLife=Lifetime.HARDCODED) user_to_web.protocol = "HTTPS" user_to_web.isEncrypted = True threat = threats["AC22"] self.assertTrue(threat.apply(user_to_web))
def test_INP29(self): web = Server("Web Server") process1 = Process("Process") web.validatesInput = False web.sanitizesInput = False web.encodesOutput = False process1.validatesInput = False process1.sanitizesInput = False process1.encodesOutput = False threat = threats["INP29"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(web))
def test_CR01(self): user = Actor("User") web = Server("Web Server") web.protocol = 'HTTP' web.usesVPN = False web.usesSessionTokens = True user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = 'HTTP' user_to_web.usesVPN = False user_to_web.usesSessionTokens = True ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "CR01")) self.assertTrue(ThreatObj.apply(web)) self.assertTrue(ThreatObj.apply(user_to_web))
def test_CR01(self): user = Actor("User") web = Server("Web Server") web.protocol = "HTTP" web.usesVPN = False web.usesSessionTokens = True user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTP" user_to_web.usesVPN = False user_to_web.usesSessionTokens = True threat = threats["CR01"] self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(user_to_web))
def create_dataflow( source=Classification.RESTRICTED, sink=Classification.RESTRICTED, dataflow=Classification.RESTRICTED, data=Classification.RESTRICTED, define_data=True, ): source_ = Server("Source", maxClassification=source) sink_ = Datastore("Sink", maxClassification=sink) flow_ = Dataflow(source_, sink_, "Flow", maxClassification=dataflow) if define_data: flow_.data = Data("Data", classification=data) return flow_
def test_AC10(self): user = Actor("User") web = Server("Web Server") web.minTLSVersion = TLSVersion.TLSv11 web.implementsAuthenticationScheme = False web.authorizesSource = False user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = "HTTPS" user_to_web.isEncrypted = True user_to_web.tlsVersion = TLSVersion.SSLv3 web.inputs = [user_to_web] threat = threats["AC10"] self.assertTrue(threat.apply(web))
def test_INP08(self): process1 = Process("Process1") lambda1 = Lambda("Lambda1") web = Server("Web Server") process1.controls.validatesInput = False process1.controls.sanitizesInput = False lambda1.controls.validatesInput = False lambda1.controls.sanitizesInput = False web.controls.validatesInput = False web.controls.sanitizesInput = False threat = threats["INP08"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(lambda1)) self.assertTrue(threat.apply(web))
def test_AC01(self): web = Server("Web Server") process1 = Process("Process1") db = Datastore("DB") web.hasAccessControl = False web.authorizesSource = True process1.hasAccessControl = False process1.authorizesSource = False db.hasAccessControl = False db.authorizesSource = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "AC01")) self.assertTrue(ThreatObj.apply(process1)) self.assertTrue(ThreatObj.apply(web)) self.assertTrue(ThreatObj.apply(db))
def test_DO02(self): process1 = Process("Process1") lambda1 = Lambda("Lambda1") web = Server("Web Server") db = Datastore("DB") process1.handlesResourceConsumption = False lambda1.handlesResourceConsumption = False web.handlesResourceConsumption = False db.handlesResourceConsumption = False ThreatObj = Threat(next(item for item in threats_json if item["SID"] == "DO02")) self.assertTrue(ThreatObj.apply(process1)) self.assertTrue(ThreatObj.apply(lambda1)) self.assertTrue(ThreatObj.apply(web)) self.assertTrue(ThreatObj.apply(db))
def test_DO02(self): process1 = Process("Process1") lambda1 = Lambda("Lambda1") web = Server("Web Server") db = Datastore("DB") process1.handlesResourceConsumption = False lambda1.handlesResourceConsumption = False web.handlesResourceConsumption = False db.handlesResourceConsumption = False threat = threats["DO02"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(lambda1)) self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(db))
def test_AC01(self): web = Server("Web Server") process1 = Process("Process1") db = Datastore("DB") web.hasAccessControl = False web.authorizesSource = True process1.hasAccessControl = False process1.authorizesSource = False db.hasAccessControl = False db.authorizesSource = False threat = threats["AC01"] self.assertTrue(threat.apply(process1)) self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(db))
def test_dfd(self): dir_path = os.path.dirname(os.path.realpath(__file__)) install_path = os.path.dirname(os.path.realpath(pytm.__file__)) with open(os.path.join(dir_path, "dfd.dot")) as x: expected = x.read().strip().replace("INSTALL_PATH", os.path.dirname(install_path)) random.seed(0) TM.reset() tm = TM("my test tm", description="aaa") internet = Boundary("Internet") net = Boundary("Company net") dmz = Boundary("dmz", inBoundary=net) backend = Boundary("backend", inBoundary=net) user = Actor("User", inBoundary=internet) gw = Server("Gateway", inBoundary=dmz) web = Server("Web Server", inBoundary=backend) db = Datastore("SQL Database", inBoundary=backend, isEncryptedAtRest=True) comment = Data("Comment", isStored=True) Dataflow(user, gw, "User enters comments (*)") Dataflow(gw, web, "Request") Dataflow(web, db, "Insert query with comments", data=[comment]) Dataflow(db, web, "Retrieve comments") Dataflow(web, gw, "Response") Dataflow(gw, user, "Show comments (*)") self.assertTrue(tm.check()) output = tm.dfd() self.maxDiff = None self.assertEqual(output, expected)
def test_CR02(self): user = Actor("User") web = Server("Web Server") web.protocol = 'HTTP' web.sanitizesInput = False web.validatesInput = False web.usesSessionTokens = True user_to_web = Dataflow(user, web, "User enters comments (*)") user_to_web.protocol = 'HTTP' user_to_web.sanitizesInput = False user_to_web.validatesInput = False user_to_web.usesSessionTokens = True threat = threats["CR02"] self.assertTrue(threat.apply(web)) self.assertTrue(threat.apply(user_to_web))
def test_overrides(self): random.seed(0) TM.reset() tm = TM("my test tm", description="aaa") internet = Boundary("Internet") server_db = Boundary("Server/DB") user = Actor("User", inBoundary=internet, inScope=False) web = Server( "Web Server", overrides=[ Finding(threat_id="Server", response="mitigated by adding TLS"), ], ) db = Datastore( "SQL Database", inBoundary=server_db, overrides=[ Finding( threat_id="Datastore", response="accepted since inside the trust boundary", ), ], ) req = Dataflow(user, web, "User enters comments (*)") query = Dataflow(web, db, "Insert query with comments") results = Dataflow(db, web, "Retrieve comments") resp = Dataflow(web, user, "Show comments (*)") TM._threats = [ Threat(SID="Server", target="Server", condition="False"), Threat(SID="Datastore", target="Datastore"), ] tm.resolve() self.maxDiff = None self.assertEqual( [f.threat_id for f in tm.findings], ["Server", "Datastore"], ) self.assertEqual([f.response for f in web.findings], ["mitigated by adding TLS"]) self.assertEqual( [f.response for f in db.findings], ["accepted since inside the trust boundary"], )
def test_json_dumps(self): random.seed(0) dir_path = os.path.dirname(os.path.realpath(__file__)) with open(os.path.join(dir_path, "output.json")) as x: expected = x.read().strip() TM.reset() tm = TM("my test tm", description="aaa", threatsFile="pytm/threatlib/threats.json") tm.isOrdered = True internet = Boundary("Internet") server_db = Boundary("Server/DB") user = Actor("User", inBoundary=internet) web = Server("Web Server") func = Lambda("Lambda func") worker = Process("Task queue worker") db = Datastore("SQL Database", inBoundary=server_db) cookie = Data( name="auth cookie", description="auth cookie description", classification=Classification.PUBLIC, ) Dataflow(user, web, "User enters comments (*)", note="bbb", data=cookie) Dataflow(web, db, "Insert query with comments", note="ccc") Dataflow(web, func, "Call func") Dataflow(db, web, "Retrieve comments") Dataflow(web, user, "Show comments (*)") Dataflow(worker, db, "Query for tasks") self.assertTrue(tm.check()) output = json.dumps(tm, default=to_serializable, sort_keys=True, indent=4) with open(os.path.join(dir_path, "output_current.json"), "w") as x: x.write(output) self.maxDiff = None self.assertEqual(output, expected)