Python Cspの例、sentry.interfaces.security.Csp Pythonの例

コード例 #1

0

ファイルを表示

 def test_coerce_blocked_uri_if_missing(self):
     result = Csp.to_python(
         dict(
             document_uri='http://example.com',
             effective_directive='script-src',
         ))
     assert result.blocked_uri == 'self'

コード例 #2

0

ファイルを表示

 def interface(self):
     return Csp.to_python(
         dict(
             document_uri='http://example.com',
             violated_directive='style-src cdn.example.com',
             blocked_uri='http://example.com/lol.css',
             effective_directive='style-src',
         ))

コード例 #3

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

 def test_coerce_blocked_uri_if_missing(self):
     result = Csp.to_python(
         dict(
             document_uri='http://example.com',
             effective_directive='script-src',
         )
     )
     assert result.blocked_uri == 'self'

コード例 #4

0

ファイルを表示

ファイル: test_security.py プロジェクト: p22p/monitor-and-fix-crashes-in-realtime

    def test_get_message(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='http://google.com/foo',
            ))
        assert result.get_message() == "Blocked 'image' from 'google.com'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='style-src',
                blocked_uri='',
            ))
        assert result.get_message() == "Blocked inline 'style'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src 'unsafe-inline'",
            ))
        assert result.get_message() == "Blocked unsafe inline 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src 'unsafe-eval'",
            ))
        assert result.get_message() == "Blocked unsafe eval() 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src example.com",
            ))
        assert result.get_message(
        ) == "Blocked unsafe (eval() or inline) 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D',
            ))
        assert result.get_message() == "Blocked 'script' from 'data:'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='data',
            ))
        assert result.get_message() == "Blocked 'script' from 'data:'"

コード例 #5

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

    def test_get_hash(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
            )
        )
        assert result.get_hash() == ['script-src', "'self'"]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='self',
            )
        )
        assert result.get_hash() == ['script-src', "'self'"]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='http://example.com/lol.js',
            )
        )
        assert result.get_hash() == ['script-src', 'example.com']

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='data:foo',
            )
        )
        assert result.get_hash() == ['img-src', 'data:']

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='ftp://example.com/foo',
            )
        )
        assert result.get_hash() == ['img-src', 'ftp://example.com']

コード例 #6

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

 def interface(self):
     return Csp.to_python(
         dict(
             document_uri='http://example.com',
             violated_directive='style-src cdn.example.com',
             blocked_uri='http://example.com/lol.css',
             effective_directive='style-src',
         )
     )

コード例 #7

0

ファイルを表示

 def test_get_tags_stripe(self):
     result = Csp.to_python(
         dict(
             blocked_uri='https://api.stripe.com/v1/tokens?card[number]=xxx',
             effective_directive='script-src',
         ))
     assert result.get_tags() == [
         ('effective-directive', 'script-src'),
         ('blocked-uri', 'https://api.stripe.com/v1/tokens'),
     ]

コード例 #8

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

 def test_get_tags_stripe(self):
     result = Csp.to_python(
         dict(
             blocked_uri='https://api.stripe.com/v1/tokens?card[number]=xxx',
             effective_directive='script-src',
         )
     )
     assert result.get_tags() == [
         ('effective-directive', 'script-src'),
         ('blocked-uri', 'https://api.stripe.com/v1/tokens'),
     ]

コード例 #9

0

ファイルを表示

ファイル: security.py プロジェクト: Kayle009/sentry

    def get_metadata(self):
        from sentry.interfaces.security import Csp
        # TODO(dcramer): pull get message into here to avoid instantiation
        # or ensure that these get interfaces passed instead of raw data
        csp = Csp.to_python(self.data['csp'])

        return {
            'directive': csp.effective_directive,
            'uri': csp._normalized_blocked_uri,
            'message': csp.get_message(),
        }

コード例 #10

0

ファイルを表示

ファイル: security.py プロジェクト: yndxz/sentry

    def get_metadata(self, data):
        from sentry.interfaces.security import Csp
        # TODO(dcramer): pull get message into here to avoid instantiation
        # or ensure that these get interfaces passed instead of raw data
        csp = Csp.to_python(data['csp'])

        return {
            'directive': csp.effective_directive,
            'uri': csp.normalized_blocked_uri,
            'message': csp.get_message(),
        }

コード例 #11

0

ファイルを表示

    def test_compute_hashes(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
            ))
        assert result.compute_hashes() == [['script-src', "'self'"]]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='self',
            ))
        assert result.compute_hashes() == [['script-src', "'self'"]]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='http://example.com/lol.js',
            ))
        assert result.compute_hashes() == [['script-src', 'example.com']]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='data:foo',
            ))
        assert result.compute_hashes() == [['img-src', 'data:']]

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='ftp://example.com/foo',
            ))
        assert result.compute_hashes() == [['img-src', 'ftp://example.com']]

コード例 #12

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

    def test_get_culprit(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src http://cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='https://example.com/foo',
                violated_directive='style-src cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src https://cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src https://cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == "style-src 'self'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://example2.com example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == "style-src http://example2.com 'self'"

コード例 #13

0

ファイルを表示

    def test_get_culprit(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src http://cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='https://example.com/foo',
                violated_directive='style-src cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src https://cdn.example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == 'style-src https://cdn.example.com'

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == "style-src 'self'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                violated_directive='style-src http://example2.com example.com',
                effective_directive='style-src',
            )
        )
        assert result.get_culprit() == "style-src http://example2.com 'self'"

コード例 #14

0

ファイルを表示

ファイル: test_csp.py プロジェクト: yaoqi/sentry

def test_real_report(make_csp_snapshot):
    raw_report = {
        "csp-report": {
            "document-uri": "https://sentry.io/sentry/csp/issues/88513416/",
            "referrer": "https://sentry.io/sentry/sentry/releases/7329107476ff14cfa19cf013acd8ce47781bb93a/",
            "violated-directive": "script-src",
            "effective-directive": "script-src",
            "original-policy": "default-src *; script-src 'make_csp_snapshot' 'unsafe-eval' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net cdn.ravenjs.com assets.zendesk.com ajax.googleapis.com ssl.google-analytics.com www.googleadservices.com analytics.twitter.com platform.twitter.com *.pingdom.net js.stripe.com api.stripe.com statuspage-production.s3.amazonaws.com s3.amazonaws.com *.google.com www.gstatic.com aui-cdn.atlassian.com *.atlassian.net *.jira.com *.zopim.com; font-src * data:; connect-src * wss://*.zopim.com; style-src 'make_csp_snapshot' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net s3.amazonaws.com aui-cdn.atlassian.com fonts.googleapis.com; img-src * data: blob:; report-uri https://sentry.io/api/54785/csp-report/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=39662eb9734f68e56b7f202260bb706be2f4cee7",
            "disposition": "enforce",
            "blocked-uri": "http://baddomain.com/test.js?_=1515535030116",
            "line-number": 24,
            "column-number": 66270,
            "source-file": "https://e90d271df3e973c7.global.ssl.fastly.net/_static/f0c7c026a4b2a3d2b287ae2d012c9924/sentry/dist/vendor.js",
            "status-code": 0,
            "script-sample": ""
        }
    }
    interface = Csp.from_raw(raw_report)
    make_csp_snapshot(interface.to_json())

コード例 #15

0

ファイルを表示

 def test_real_report(self):
     raw_report = {
         "csp-report": {
             "document-uri": "https://sentry.io/sentry/csp/issues/88513416/",
             "referrer": "https://sentry.io/sentry/sentry/releases/7329107476ff14cfa19cf013acd8ce47781bb93a/",
             "violated-directive": "script-src",
             "effective-directive": "script-src",
             "original-policy": "default-src *; script-src 'self' 'unsafe-eval' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net cdn.ravenjs.com assets.zendesk.com ajax.googleapis.com ssl.google-analytics.com www.googleadservices.com analytics.twitter.com platform.twitter.com *.pingdom.net js.stripe.com api.stripe.com statuspage-production.s3.amazonaws.com s3.amazonaws.com *.google.com www.gstatic.com aui-cdn.atlassian.com www.hipchat.com *.atlassian.net *.jira.com *.zopim.com; font-src * data:; connect-src * wss://*.zopim.com; style-src 'self' 'unsafe-inline' e90d271df3e973c7.global.ssl.fastly.net s3.amazonaws.com aui-cdn.atlassian.com www.hipchat.com fonts.googleapis.com; img-src * data: blob:; report-uri https://sentry.io/api/54785/csp-report/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=39662eb9734f68e56b7f202260bb706be2f4cee7",
             "disposition": "enforce",
             "blocked-uri": "http://baddomain.com/test.js?_=1515535030116",
             "line-number": 24,
             "column-number": 66270,
             "source-file": "https://e90d271df3e973c7.global.ssl.fastly.net/_static/f0c7c026a4b2a3d2b287ae2d012c9924/sentry/dist/vendor.js",
             "status-code": 0,
             "script-sample": ""
         }
     }
     interface = Csp.from_raw(raw_report)
     assert interface.effective_directive == 'script-src'

コード例 #16

0

ファイルを表示

def test_invalid_csp_report(report):
    with pytest.raises(InterfaceValidationError):
        Csp.to_python(report)

コード例 #17

0

ファイルを表示

ファイル: test_security.py プロジェクト: alexandrul/sentry

    def test_get_message(self):
        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='img-src',
                blocked_uri='http://google.com/foo',
            )
        )
        assert result.get_message() == "Blocked 'image' from 'google.com'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='style-src',
                blocked_uri='',
            )
        )
        assert result.get_message() == "Blocked inline 'style'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src 'unsafe-inline'",
            )
        )
        assert result.get_message() == "Blocked unsafe inline 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src 'unsafe-eval'",
            )
        )
        assert result.get_message() == "Blocked unsafe eval() 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='',
                violated_directive="script-src example.com",
            )
        )
        assert result.get_message() == "Blocked unsafe (eval() or inline) 'script'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D',
            )
        )
        assert result.get_message() == "Blocked 'script' from 'data:'"

        result = Csp.to_python(
            dict(
                document_uri='http://example.com/foo',
                effective_directive='script-src',
                blocked_uri='data',
            )
        )
        assert result.get_message() == "Blocked 'script' from 'data:'"

コード例 #18

0

ファイルを表示

def test_blocked_csp_report(report):
    assert Csp.to_python(report).should_filter() is True

コード例 #19

0

ファイルを表示

def test_valid_csp_report(report):
    assert Csp.to_python(report).should_filter() is False