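def test_set_no_cache_headers(self):
    """set_no_cache_headers() must add Cache-Control and Expires to a response.

    Three unrelated headers are placed on the response first so the test also
    shows that the call adds to, rather than replaces, the existing headers.
    Membership is checked with ``in`` instead of the Python-2-only
    ``dict.has_key`` so the assertion works on both interpreter lines.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)
    self.assertEqual(0, len(response.headers))

    response.headers["test1"] = "1"
    response.headers["test2"] = "2"
    response.headers["test3"] = "3"
    self.assertEqual(3, len(response.headers))

    ESAPI.http_utilities().set_no_cache_headers(response)
    # Only the presence of the anti-caching headers is asserted; their
    # values (and any Pragma header) are not pinned by this test.
    self.assertTrue('Cache-Control' in response.headers)
    self.assertTrue('Expires' in response.headers)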
def test_add_exception(self):
    """Report exceptions to the intrusion detector and drive an account lockout.

    A plain RuntimeError, a ValidationException and an IntrusionException are
    reported explicitly; then a burst of IntegrityExceptions is generated for
    a logged-in user, after which the account is expected to be logged out
    and locked.
    """
    ESAPI.intrusion_detector().add_exception(RuntimeError('message'))
    ESAPI.intrusion_detector().add_exception(
        ValidationException("user message", "log message"))
    ESAPI.intrusion_detector().add_exception(
        IntrusionException("user message", "log message"))

    username = "******"
    password = "******"
    authenticator = ESAPI.authenticator()
    user = authenticator.create_user(username, password, password)
    user.enable()

    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)
    user.login_with_password(password)

    # Generate some exceptions to disable the account. The instances are not
    # handed to add_exception() here; presumably constructing an ESAPI
    # exception reports it to the intrusion detector itself -- confirm.
    for index in range(15):
        text = "IntegrityException %s" % index
        IntegrityException(text, text)

    self.assertFalse(user.is_logged_in())
    self.assertTrue(user.is_locked())
def test_add_header(self):
    """Smoke-test http_utilities().add_header() against the current response.

    NOTE(review): the response is never inspected afterwards, so this only
    proves that the call completes without raising.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    utilities = ESAPI.http_utilities()
    utilities.set_current_http(request, response)
    utilities.add_header('HeaderName', 'HeaderValue')
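def test_save_too_long_state_in_cookie(self):
    """Oversized state must be rejected by encrypt_state_in_cookie().

    The previous form wrapped ``self.fail()`` inside a bare ``except: pass``,
    which swallowed the AssertionError that ``fail()`` raises, so the test
    could never fail. The expected-failure check now uses try/except/else so
    that only the call under test is guarded.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)

    # 4000 characters of state: far more than a single cookie should carry.
    data = {'long': "abcd" * 1000}
    try:
        ESAPI.http_utilities().encrypt_state_in_cookie(response, data)
    except Exception:
        # The original test did not specify which exception type signals the
        # rejection; narrow this clause once the raised type is confirmed.
        pass
    else:
        self.fail("encrypt_state_in_cookie accepted oversized state")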
def test_set_remember_token(self):
    """Log a freshly created user in and issue a two-week remember-me token.

    NOTE(review): no assertion follows the set_remember_token() call, so the
    resulting cookie (name, value, flags) is not checked by this test.
    """
    authenticator = ESAPI.authenticator()
    account_name = "joestheplumber"
    password = authenticator.generate_strong_password()
    user = authenticator.create_user(account_name, password, password)
    user.enable()

    request = MockHttpRequest()
    request.POST['username'] = account_name
    request.POST['password'] = password
    response = MockHttpResponse()
    authenticator.login(request, response)

    two_weeks = 60 * 60 * 24 * 14
    ESAPI.http_utilities().set_remember_token(
        password, two_weeks, "domain", '/', request, response)
def test_state_from_encrypted_cookie(self):
    """Decrypt state from a request without a cookie, then encrypt a mapping.

    NOTE(review): the arguments to encrypt_state_in_cookie() are passed here
    as (state, response), whereas test_save_too_long_state_in_cookie passes
    (response, state); one of the two orders is presumably wrong -- confirm
    against the implementation. The decrypted value is also never compared
    with the original mapping.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()

    # No cookie on the request: decryption should yield an empty mapping.
    decrypted_empty = ESAPI.http_utilities().decrypt_state_from_cookie(request)
    self.assertEqual({}, decrypted_empty)

    state = {
        'one': 'aspect',
        'two': 'ridiculous',
        'test_hard': "&(@#*!^|;,.",
    }
    ESAPI.http_utilities().encrypt_state_in_cookie(state, response)

    # Pull the ciphertext out of "name=value; attrs..." in the Set-Cookie header.
    header = response.headers['Set-Cookie']
    start = header.find('=') + 1
    end = header.find(';')
    ESAPI.encryptor().decrypt(header[start:end])
def test_change_session_identifier(self):
    """change_session_identifier() must issue a new id and keep session data.

    Rotating the identifier while preserving the stored attributes is the
    behaviour that protects against session fixation.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)

    original = request.session
    for name in ('one', 'two', 'three'):
        original[name] = name
    old_id = request.session.id

    rotated = ESAPI.http_utilities().change_session_identifier(request)
    new_id = request.session.id

    self.assertFalse(old_id == new_id)
    self.assertEqual("one", rotated['one'])
def test_add_event(self):
    """Repeated intrusion events for a logged-in user must lock the account."""
    username = "******"
    password = "******"
    authenticator = ESAPI.authenticator()
    user = authenticator.create_user(username, password, password)
    user.enable()

    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)
    user.login_with_password(password)

    # Generate some events to disable the account.
    for _ in range(15):
        ESAPI.intrusion_detector().add_event("test", "test message")

    self.assertTrue(user.is_locked())
def test_kill_cookie(self):
    """kill_cookie() must emit exactly one response cookie for the named cookie.

    Two cookies are attached to the request; killing one of them is expected
    to leave a single (expiring) cookie on the response.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)
    self.assertTrue(len(response.cookies) == 0)

    incoming = {}
    for name, value in (('test1', '1'), ('test2', '2')):
        morsel = Morsel()
        morsel.key = name
        morsel.value = value
        incoming[morsel.key] = morsel
    request.cookies = incoming

    ESAPI.http_utilities().kill_cookie("test1", request, response)
    self.assertTrue(len(response.cookies) == 1)
def test_add_cookie(self):
    """add_cookie() must accept well-formed cookies and drop malformed ones.

    Two valid cookies are added (the second without an explicit response,
    presumably falling back to the current one -- confirm), then a cookie
    with an illegal name and one with an illegal value are each expected to
    be rejected, leaving the cookie count unchanged.
    """
    utilities = ESAPI.http_utilities()
    response = MockHttpResponse()
    request = MockHttpRequest()
    utilities.set_current_http(request, response)
    self.assertEqual(0, len(response.cookies))

    # add_cookie(key, value='', max_age=None, path='/', domain=None,
    #            secure=None, httponly=False, version=None, comment=None, expires=None)
    utilities.add_cookie(response, key='test1', value='test1')
    self.assertEqual(1, len(response.cookies))

    utilities.add_cookie(key='test2', value='test2')
    self.assertEqual(2, len(response.cookies))

    # Illegal name: must not be added.
    utilities.add_cookie(response, key='tes<t3', value='test3')
    self.assertEqual(2, len(response.cookies))

    # Illegal value: must not be added.
    utilities.add_cookie(response, key='test3', value='tes<t3')
    self.assertEqual(2, len(response.cookies))
def setUp(self):
    """Install a fresh request/response pair and reset authenticator state.

    Logging out and clearing all data keeps users and lockouts created by one
    test from leaking into the next.
    """
    request = MockHttpRequest()
    response = MockHttpResponse()
    ESAPI.http_utilities().set_current_http(request, response)

    authenticator = ESAPI.authenticator()
    authenticator.logout()
    authenticator.clear_all_data()