def test_overrides(self):
    """resolve() must honour per-element Finding overrides.

    Two threats are registered directly on TM._threats.  The "Server" one
    carries condition="False" and is still expected in tm.findings —
    presumably because the Web Server's override forces it in; confirm
    against TM.resolve().  The override response text must surface on the
    element's own findings list.
    """
    random.seed(0)
    TM.reset()
    model = TM("my test tm", description="aaa")

    internet = Boundary("Internet")
    server_db = Boundary("Server/DB")
    user = Actor("User", inBoundary=internet, inScope=False)
    web = Server(
        "Web Server",
        overrides=[Finding(threat_id="Server", response="mitigated by adding TLS")],
    )
    db = Datastore(
        "SQL Database",
        inBoundary=server_db,
        overrides=[
            Finding(
                threat_id="Datastore",
                response="accepted since inside the trust boundary",
            ),
        ],
    )

    # The flows are not asserted on here; they are created so the model
    # matches test_resolve's shape.
    flow_in = Dataflow(user, web, "User enters comments (*)")
    flow_query = Dataflow(web, db, "Insert query with comments")
    flow_results = Dataflow(db, web, "Retrieve comments")
    flow_out = Dataflow(web, user, "Show comments (*)")

    TM._threats = [
        Threat(SID="Server", target="Server", condition="False"),
        Threat(SID="Datastore", target="Datastore"),
    ]
    model.resolve()

    self.maxDiff = None
    found_ids = [finding.threat_id for finding in model.findings]
    self.assertEqual(found_ids, ["Server", "Datastore"])

    web_responses = [finding.response for finding in web.findings]
    self.assertEqual(web_responses, ["mitigated by adding TLS"])

    db_responses = [finding.response for finding in db.findings]
    self.assertEqual(db_responses, ["accepted since inside the trust boundary"])
def test_SC05(self):
    """SC05 applies to a Server with neither integrity nor code signing."""
    target = Server("Web Server")
    target.providesIntegrity = False
    target.usesCodeSigning = False

    definition = next(entry for entry in threats_json if entry["SID"] == "SC05")
    self.assertTrue(Threat(definition).apply(target))
def test_CR04(self):
    """CR04 applies to a Server using session tokens without a nonce."""
    target = Server("Web Server")
    target.usesSessionTokens = True
    target.implementsNonce = False

    definition = next(entry for entry in threats_json if entry["SID"] == "CR04")
    self.assertTrue(Threat(definition).apply(target))
def test_INP15(self):
    """INP15 applies to an IMAP Server that does not sanitize input."""
    target = Server("Web Server")
    target.protocol = 'IMAP'
    target.sanitizesInput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP15")
    self.assertTrue(Threat(definition).apply(target))
def test_SC02(self):
    """SC02 applies to a Server that neither validates input nor encodes output."""
    target = Server("Web Server")
    target.validatesInput = False
    target.encodesOutput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "SC02")
    self.assertTrue(Threat(definition).apply(target))
def test_AC06(self):
    """AC06 applies to a Server that is unhardened and has no access control."""
    target = Server("Web Server")
    target.isHardened = False
    target.hasAccessControl = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC06")
    self.assertTrue(Threat(definition).apply(target))
def test_HA01(self):
    """HA01 applies to a Server that neither validates nor sanitizes input."""
    target = Server("Web Server")
    target.validatesInput = False
    target.sanitizesInput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "HA01")
    self.assertTrue(Threat(definition).apply(target))
def test_SC01(self):
    """SC01 applies to a Process handling JSON without a nonce."""
    target = Process("Process1")
    target.implementsNonce = False
    target.data = 'JSON'

    definition = next(entry for entry in threats_json if entry["SID"] == "SC01")
    self.assertTrue(Threat(definition).apply(target))
def test_AC21(self):
    """AC21 applies to a Process without CSRF tokens or session-id verification."""
    target = Process("Process")
    target.implementsCSRFToken = False
    target.verifySessionIdentifiers = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC21")
    self.assertTrue(Threat(definition).apply(target))
def test_INP04(self):
    """INP04 applies to an HTTP Server that validates neither input nor headers."""
    target = Server("Web Server")
    target.validatesInput = False
    target.validatesHeaders = False
    target.protocol = 'HTTP'

    definition = next(entry for entry in threats_json if entry["SID"] == "INP04")
    self.assertTrue(Threat(definition).apply(target))
def test_SC03(self):
    """SC03 applies to a Server lacking input validation, sanitization and access control."""
    target = Server("Web Server")
    target.validatesInput = False
    target.sanitizesInput = False
    target.hasAccessControl = False

    definition = next(entry for entry in threats_json if entry["SID"] == "SC03")
    self.assertTrue(Threat(definition).apply(target))
def test_INP17(self):
    """INP17 applies to a Server that validates no content type and runs no script filters."""
    target = Server("Web Server")
    target.validatesContentType = False
    target.invokesScriptFilters = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP17")
    self.assertTrue(Threat(definition).apply(target))
def test_AC09(self):
    """AC09 applies to a Server with no access control that does not authorize its source."""
    target = Server("Web Server")
    target.hasAccessControl = False
    target.authorizesSource = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC09")
    self.assertTrue(Threat(definition).apply(target))
def test_resolve(self):
    """resolve() attaches each class-targeted Threat to the matching elements.

    One Threat per element class is registered on TM._BagOfThreats; after
    resolve() every in-scope element must carry exactly the finding for its
    own class, the out-of-scope Actor none, and the model-level list must
    hold one entry per matched element.
    """
    random.seed(0)
    TM.reset()
    model = TM("my test tm", description="aaa")

    internet = Boundary("Internet")
    server_db = Boundary("Server/DB")
    user = Actor("User", inBoundary=internet, inScope=False)
    web = Server("Web Server")
    db = Datastore("SQL Database", inBoundary=server_db)
    req = Dataflow(user, web, "User enters comments (*)")
    query = Dataflow(web, db, "Insert query with comments")
    results = Dataflow(db, web, "Retrieve comments")
    resp = Dataflow(web, user, "Show comments (*)")

    target_classes = ["Actor", "Server", "Datastore", "Dataflow"]
    TM._BagOfThreats = [Threat(SID=name, target=name) for name in target_classes]
    model.resolve()

    self.maxDiff = None

    def ids_of(element):
        return [finding.id for finding in element.findings]

    self.assertListEqual(
        ids_of(model),
        ['Server', 'Datastore', 'Dataflow', 'Dataflow', 'Dataflow', 'Dataflow'],
    )
    self.assertListEqual(ids_of(user), [])
    self.assertListEqual(ids_of(web), ["Server"])
    self.assertListEqual(ids_of(db), ["Datastore"])
    for flow in (req, query, results, resp):
        self.assertListEqual(ids_of(flow), ["Dataflow"])
def test_DO03(self):
    """DO03 applies to a Dataflow carrying XML."""
    user = Actor("User")
    web = Server("Web Server")
    flow = Dataflow(user, web, "User enters comments (*)")
    flow.data = 'XML'

    definition = next(entry for entry in threats_json if entry["SID"] == "DO03")
    self.assertTrue(Threat(definition).apply(flow))
def test_INP37(self):
    """INP37 applies to a Server without strict HTTP validation or header encoding."""
    target = Server("web")
    target.implementsStrictHTTPValidation = False
    target.encodesHeaders = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP37")
    self.assertTrue(Threat(definition).apply(target))
def test_AC16(self):
    """AC16 applies to a Server with weak session identifiers and unencrypted cookies."""
    target = Server("web")
    target.usesStrongSessionIdentifiers = False
    target.encryptsCookies = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC16")
    self.assertTrue(Threat(definition).apply(target))
def test_INP35(self):
    """INP35 applies to a Process that neither validates nor sanitizes input."""
    target = Process("Process")
    target.validatesInput = False
    target.sanitizesInput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP35")
    self.assertTrue(Threat(definition).apply(target))
def test_DE04(self):
    """DE04 applies to a Datastore without input validation or least privilege."""
    target = Datastore("DB")
    target.validatesInput = False
    target.implementsPOLP = False

    definition = next(entry for entry in threats_json if entry["SID"] == "DE04")
    self.assertTrue(Threat(definition).apply(target))
def test_AC13(self):
    """AC13 applies to a Process without access control or least privilege."""
    target = Process("Process")
    target.hasAccessControl = False
    target.implementsPOLP = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC13")
    self.assertTrue(Threat(definition).apply(target))
def test_INP22(self):
    """INP22 applies to a Server with usesXMLParser and disablesDTD both False.

    NOTE(review): the threat condition is not visible here; the fixture sets
    usesXMLParser=False, which differs from test_DO05's usesXMLParser=True.
    """
    target = Server("Web Server")
    target.usesXMLParser = False
    target.disablesDTD = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP22")
    self.assertTrue(Threat(definition).apply(target))
def test_INP18(self):
    """INP18 applies to a Server that neither sanitizes input nor encodes output."""
    target = Server("Web Server")
    target.sanitizesInput = False
    target.encodesOutput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP18")
    self.assertTrue(Threat(definition).apply(target))
def test_HA03(self):
    """HA03 applies to an unhardened Server that validates no headers and encodes no output."""
    target = Server("Web Server")
    target.validatesHeaders = False
    target.encodesOutput = False
    target.isHardened = False

    definition = next(entry for entry in threats_json if entry["SID"] == "HA03")
    self.assertTrue(Threat(definition).apply(target))
def test_AC18(self):
    """AC18 applies to a Process with weak session ids, plain cookies and no connection timeout."""
    target = Process("Process")
    target.usesStrongSessionIdentifiers = False
    target.encryptsCookies = False
    target.definesConnectionTimeout = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC18")
    self.assertTrue(Threat(definition).apply(target))
def test_INP40(self):
    """INP40 applies to a Process allowing client-side scripting with unchecked input."""
    target = Process("Process")
    target.allowsClientSideScripting = True
    target.sanitizesInput = False
    target.validatesInput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "INP40")
    self.assertTrue(Threat(definition).apply(target))
def test_AC14(self):
    """AC14 applies to a Process lacking least privilege, env-var use and input validation."""
    target = Process("Process")
    target.implementsPOLP = False
    target.usesEnvironmentVariables = False
    target.validatesInput = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC14")
    self.assertTrue(Threat(definition).apply(target))
def test_DO05(self):
    """DO05 applies to an XML-parsing Server that neither validates nor sanitizes input."""
    target = Server("Web Server")
    target.validatesInput = False
    target.sanitizesInput = False
    target.usesXMLParser = True

    definition = next(entry for entry in threats_json if entry["SID"] == "DO05")
    self.assertTrue(Threat(definition).apply(target))
def test_AA04(self):
    """AA04 applies to a Server with no server-side validation, integrity or source authorization."""
    target = Server("Web Server")
    target.implementsServerSideValidation = False
    target.providesIntegrity = False
    target.authorizesSource = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AA04")
    self.assertTrue(Threat(definition).apply(target))
def test_AC10(self):
    """AC10 applies to a Server on old TLS with no auth scheme or source authorization."""
    target = Server("Web Server")
    target.usesLatestTLSversion = False
    target.implementsAuthenticationScheme = False
    target.authorizesSource = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AC10")
    self.assertTrue(Threat(definition).apply(target))
def test_AA03(self):
    """AA03 applies to a Server with no integrity, source authentication or strong session ids."""
    target = Server("Web Server")
    target.providesIntegrity = False
    target.authenticatesSource = False
    target.usesStrongSessionIdentifiers = False

    definition = next(entry for entry in threats_json if entry["SID"] == "AA03")
    self.assertTrue(Threat(definition).apply(target))