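def test_stuff():
    """Send one request to zoobar and check two invariants afterwards.

    The Person table is reset to the two users 'alice' and 'bob', the
    Transfer table is emptied, and a single GET request is passed to
    zoobar.app() with concolic Referer, Cookie and path-suffix values.
    After the request:

    * report_balance_mismatch() is called when the sum of all balances
      differs from the sum recorded before the request;
    * report_zoobar_theft() is called when a user who existed before the
      request now holds fewer zoobars and no Transfer row names that user
      as sender.
    """
    pdb = zoobar.zoodb.person_setup()
    pdb.query(zoobar.zoodb.Person).delete()
    adduser(pdb, 'alice', 'atok')
    adduser(pdb, 'bob', 'btok')
    people_before = pdb.query(zoobar.zoodb.Person).all()
    balance1 = sum([p.zoobars for p in people_before])
    # Per-user snapshot: the theft check needs to know whose balance went
    # down, which the total alone cannot tell.
    zoobars_before = dict((p.username, p.zoobars) for p in people_before)
    pdb.commit()

    tdb = zoobar.zoodb.transfer_setup()
    tdb.query(zoobar.zoodb.Transfer).delete()
    tdb.commit()

    environ = {}
    environ['wsgi.url_scheme'] = 'http'
    environ['wsgi.input'] = 'xxx'
    environ['SERVER_NAME'] = 'zoobar'
    environ['SERVER_PORT'] = '80'
    environ['SCRIPT_NAME'] = 'script'
    environ['QUERY_STRING'] = 'query'
    environ['HTTP_REFERER'] = fuzzy.mk_str('referrer')
    environ['HTTP_COOKIE'] = fuzzy.mk_str('cookie')

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ['REQUEST_METHOD'] = 'GET'
    environ['PATH_INFO'] = 'trans' + fuzzy.mk_str('path')

    if environ['PATH_INFO'].startswith('//'):
        ## Don't bother trying to construct paths with lots of slashes;
        ## otherwise, the lstrip() code generates lots of paths..
        return

    resp = zoobar.app(environ, startresp)
    if verbose:
        for x in resp:
            # Parenthesised single argument: same output as the Python 2
            # print statement.
            print(x)

    ## Exercise 6: your code here.

    ## Detect balance mismatch.
    ## When detected, call report_balance_mismatch()
    # A fresh handle is opened so the totals reflect what the request left
    # in the database.
    pdb = zoobar.zoodb.person_setup()
    people_after = pdb.query(zoobar.zoodb.Person).all()
    balancet = sum([p.zoobars for p in people_after])
    # NOTE(review): a request that adds or removes a Person row would also
    # change the total; this check does not compare user counts.
    if balance1 != balancet:
        report_balance_mismatch()

    ## Detect zoobar theft.
    ## When detected, call report_zoobar_theft()
    tdb = zoobar.zoodb.transfer_setup()
    for p in people_after:
        # Only a user whose balance actually dropped can have been robbed.
        # Without this guard every user with no outgoing transfer would be
        # reported, including on requests that changed nothing.
        if p.username not in zoobars_before:
            continue
        if p.zoobars >= zoobars_before[p.username]:
            continue
        sent = tdb.query(zoobar.zoodb.Transfer).filter_by(
            sender=p.username).first()
        if sent is None:
            report_zoobar_theft()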
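def test_stuff():
    """Send one request to zoobar and check two invariants afterwards.

    The Person table is reset to the two users "alice" and "bob", the
    Transfer table is emptied, and a single GET request is passed to
    zoobar.app() with concolic Referer, Cookie and path-suffix values.
    After the request:

    * report_balance_mismatch() is called when the sum of all balances
      differs from the sum recorded before the request;
    * report_zoobar_theft() is called when a user who existed before the
      request now holds fewer zoobars and no Transfer row names that user
      as sender.
    """
    pdb = zoobar.zoodb.person_setup()
    pdb.query(zoobar.zoodb.Person).delete()
    adduser(pdb, "alice", "atok")
    adduser(pdb, "bob", "btok")
    people_before = pdb.query(zoobar.zoodb.Person).all()
    balance1 = sum([p.zoobars for p in people_before])
    # Per-user snapshot: the theft check needs to know whose balance went
    # down, which the total alone cannot tell.
    zoobars_before = dict((p.username, p.zoobars) for p in people_before)
    pdb.commit()

    tdb = zoobar.zoodb.transfer_setup()
    tdb.query(zoobar.zoodb.Transfer).delete()
    tdb.commit()

    environ = {}
    environ["wsgi.url_scheme"] = "http"
    environ["wsgi.input"] = "xxx"
    environ["SERVER_NAME"] = "zoobar"
    environ["SERVER_PORT"] = "80"
    environ["SCRIPT_NAME"] = "script"
    environ["QUERY_STRING"] = "query"
    environ["HTTP_REFERER"] = fuzzy.mk_str("referrer")
    environ["HTTP_COOKIE"] = fuzzy.mk_str("cookie")

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ["REQUEST_METHOD"] = "GET"
    environ["PATH_INFO"] = "trans" + fuzzy.mk_str("path")

    if environ["PATH_INFO"].startswith("//"):
        ## Don't bother trying to construct paths with lots of slashes;
        ## otherwise, the lstrip() code generates lots of paths..
        return

    resp = zoobar.app(environ, startresp)
    if verbose:
        for x in resp:
            # Parenthesised single argument: same output as the Python 2
            # print statement.
            print(x)

    ## Exercise 6: your code here.

    ## Detect balance mismatch.
    ## When detected, call report_balance_mismatch()
    # A fresh handle is opened so the totals reflect what the request left
    # in the database.
    pdb = zoobar.zoodb.person_setup()
    people_after = pdb.query(zoobar.zoodb.Person).all()
    balancet = sum([p.zoobars for p in people_after])
    # NOTE(review): a request that adds or removes a Person row would also
    # change the total; this check does not compare user counts.
    if balance1 != balancet:
        report_balance_mismatch()

    ## Detect zoobar theft.
    ## When detected, call report_zoobar_theft()
    tdb = zoobar.zoodb.transfer_setup()
    for p in people_after:
        # Only a user whose balance actually dropped can have been robbed.
        # Without this guard every user with no outgoing transfer would be
        # reported, including on requests that changed nothing.
        if p.username not in zoobars_before:
            continue
        if p.zoobars >= zoobars_before[p.username]:
            continue
        sent = tdb.query(zoobar.zoodb.Transfer).filter_by(
            sender=p.username).first()
        if sent is None:
            report_zoobar_theft()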
def test_stuff():
    """Reset the zoobar databases and drive one request through the app.

    The Person table is cleared and repopulated with 'alice' and 'bob',
    the Transfer table is cleared, and a GET request whose Referer, Cookie
    and path suffix come from fuzzy.mk_str() is handed to zoobar.app().
    The response is printed when the module-level `verbose` flag is set.
    This variant performs no invariant checks after the request.
    """
    person_db = zoobar.zoodb.person_setup()
    person_db.query(zoobar.zoodb.Person).delete()
    for username, token in (('alice', 'atok'), ('bob', 'btok')):
        adduser(person_db, username, token)
    # Total balance before the request; nothing below reads it in this
    # variant, but the query is kept so database access is unchanged.
    starting_total = sum(
        [p.zoobars for p in person_db.query(zoobar.zoodb.Person).all()])
    person_db.commit()

    transfer_db = zoobar.zoodb.transfer_setup()
    transfer_db.query(zoobar.zoodb.Transfer).delete()
    transfer_db.commit()

    # Fixed WSGI fields first, then the two header values under test, in
    # the same creation order as before (referrer, then cookie).
    environ = {
        'wsgi.url_scheme': 'http',
        'wsgi.input': 'xxx',
        'SERVER_NAME': 'zoobar',
        'SERVER_PORT': '80',
        'SCRIPT_NAME': 'script',
        'QUERY_STRING': 'query',
        'HTTP_REFERER': fuzzy.mk_str('referrer'),
        'HTTP_COOKIE': fuzzy.mk_str('cookie'),
    }

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ['REQUEST_METHOD'] = 'GET'
    path_info = 'trans' + fuzzy.mk_str('path')
    environ['PATH_INFO'] = path_info

    ## Don't bother trying to construct paths with lots of slashes;
    ## otherwise, the lstrip() code generates lots of paths..
    if path_info.startswith('//'):
        return

    resp = zoobar.app(environ, startresp)
    if not verbose:
        return
    for chunk in resp:
        # Parenthesised single argument: same output as the Python 2
        # print statement.
        print(chunk)
def test_zoobar():
    """Drive a single GET request through zoobar.app().

    Referer, Cookie and the path suffix come from fuzzy.mk_str()
    (presumably concolic strings -- confirm against the fuzzy module).
    A RequireMismatch raised while the request is handled is ignored.
    """
    # NOTE(review): the reason for this short pause is not visible here.
    time.sleep(0.1)

    request_env = {
        'wsgi.url_scheme': 'http',
        'wsgi.input': 'xxx',
        'SERVER_NAME': 'zoobar',
        'SERVER_PORT': '80',
        'SCRIPT_NAME': 'script',
        'QUERY_STRING': 'query',
        'HTTP_REFERER': fuzzy.mk_str('referrer'),
        'HTTP_COOKIE': fuzzy.mk_str('cookie'),
    }

    # Method and path prefix are pinned; the fully unconstrained variants
    # are left here for reference.
    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    request_env['REQUEST_METHOD'] = 'GET'
    path_info = 'trans' + fuzzy.mk_str('path')
    request_env['PATH_INFO'] = path_info

    if path_info.startswith('//'):
        return

    try:
        zoobar.app(request_env, startresp)
    except RequireMismatch:
        # Deliberately swallowed: this path is simply abandoned.
        pass
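def test_stuff():
    """Send one request to zoobar and check balances against the ledger.

    The Person table is reset to 'alice' and 'bob', the Transfer table is
    emptied, and a single GET request is passed to zoobar.app() with
    concolic Referer, Cookie and path-suffix values.  After the request:

    * report_balance_mismatch() is called when the number of users is
      unchanged but the sum of all balances is not;
    * report_zoobar_theft() is called for each user whose balance changed
      by an amount that the Transfer rows naming that user as sender or
      recipient do not account for (only when the set of usernames is the
      same before and after).
    """
    pdb = zoobar.zoodb.person_setup()
    pdb.query(zoobar.zoodb.Person).delete()
    adduser(pdb, 'alice', 'atok')
    adduser(pdb, 'bob', 'btok')
    # One query feeds the total, the head count and the per-user snapshot.
    people_before = pdb.query(zoobar.zoodb.Person).all()
    balance1 = sum([p.zoobars for p in people_before])
    people1 = len(people_before)
    all_balances1 = {p.username: p.zoobars for p in people_before}
    pdb.commit()

    tdb = zoobar.zoodb.transfer_setup()
    tdb.query(zoobar.zoodb.Transfer).delete()
    tdb.commit()

    environ = {}
    environ['wsgi.url_scheme'] = 'http'
    environ['wsgi.input'] = 'xxx'
    environ['SERVER_NAME'] = 'zoobar'
    environ['SERVER_PORT'] = '80'
    environ['SCRIPT_NAME'] = 'script'
    environ['QUERY_STRING'] = 'query'
    environ['HTTP_REFERER'] = fuzzy.mk_str('referrer')
    environ['HTTP_COOKIE'] = fuzzy.mk_str('cookie')

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ['REQUEST_METHOD'] = 'GET'
    environ['PATH_INFO'] = 'trans' + fuzzy.mk_str('path')

    if environ['PATH_INFO'].startswith('//'):
        ## Don't bother trying to construct paths with lots of slashes;
        ## otherwise, the lstrip() code generates lots of paths..
        return

    resp = zoobar.app(environ, startresp)
    if verbose:
        for x in resp:
            # Parenthesised single argument: same output as the Python 2
            # print statement.
            print(x)

    ## Exercise 6: your code here.

    ## Detect balance mismatch.
    ## When detected, call report_balance_mismatch()
    people_after = pdb.query(zoobar.zoodb.Person).all()
    balanceEnd = sum([p.zoobars for p in people_after])
    peopleEnd = len(people_after)
    # A changed user count legitimately changes the total, so the total is
    # only compared when the count is the same.
    if balanceEnd != balance1 and peopleEnd == people1:
        print("balance1= %s balanceEnd= %s people1= %s"
              % (balance1, balanceEnd, people1))
        report_balance_mismatch()

    ## Detect zoobar theft.
    ## When detected, call report_zoobar_theft()
    all_balancesEnd = {p.username: p.zoobars for p in people_after}
    # Dict keys are unique, so set equality already implies equal size.
    if set(all_balancesEnd) != set(all_balances1):
        return

    tdb = zoobar.zoodb.transfer_setup()
    for user in all_balances1:
        if all_balances1[user] == all_balancesEnd[user]:
            continue
        # Every changed balance must be explained by the Transfer table.
        transfers = tdb.query(zoobar.zoodb.Transfer)
        sent = sum([t.amount for t in transfers.filter_by(sender=user)])
        received = sum(
            [t.amount for t in transfers.filter_by(recipient=user)])
        net_balance_change = received - sent
        # NOTE(review): this verifies that the ledger is consistent, not
        # that the sender authorised the transfer -- a logged transfer the
        # victim never requested still passes this check.
        if all_balancesEnd[user] != all_balances1[user] + net_balance_change:
            # The page's copy of this debug line was mangled between
            # "user=" and ",berfore="; the loop's user name is assumed to
            # be what was printed there.
            print("user= %s ,berfore= %s ,after= %s ,net_balance_change= %s"
                  % (user, all_balances1[user], all_balancesEnd[user],
                     net_balance_change))
            report_zoobar_theft()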
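def test_stuff():
    """Send one request to zoobar and check two invariants afterwards.

    The Person table is reset to 'alice' and 'bob', the Transfer table is
    emptied, and a single GET request is passed to zoobar.app() with
    concolic Referer, Cookie and path-suffix values.  After the request:

    * report_balance_mismatch() is called when the sum of all balances
      differs from the sum recorded before the request;
    * report_zoobar_theft() is called for each of the two users whose name
      does not follow 'PyZoobarLogin=' at the start of the Cookie header
      and who now holds fewer than 10 zoobars.
    """
    pdb = zoobar.zoodb.person_setup()
    pdb.query(zoobar.zoodb.Person).delete()
    adduser(pdb, 'alice', 'atok')
    adduser(pdb, 'bob', 'btok')
    balance1 = sum([p.zoobars for p in pdb.query(zoobar.zoodb.Person).all()])
    pdb.commit()

    tdb = zoobar.zoodb.transfer_setup()
    tdb.query(zoobar.zoodb.Transfer).delete()
    tdb.commit()

    environ = {}
    environ['wsgi.url_scheme'] = 'http'
    environ['wsgi.input'] = 'xxx'
    environ['SERVER_NAME'] = 'zoobar'
    environ['SERVER_PORT'] = '80'
    environ['SCRIPT_NAME'] = 'script'
    environ['QUERY_STRING'] = 'query'
    environ['HTTP_REFERER'] = fuzzy.mk_str('referrer')
    environ['HTTP_COOKIE'] = fuzzy.mk_str('cookie')

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ['REQUEST_METHOD'] = 'GET'
    environ['PATH_INFO'] = 'trans' + fuzzy.mk_str('path')

    if environ['PATH_INFO'].startswith('//'):
        ## Don't bother trying to construct paths with lots of slashes;
        ## otherwise, the lstrip() code generates lots of paths..
        return

    resp = zoobar.app(environ, startresp)
    if verbose:
        for x in resp:
            # Parenthesised single argument: same output as the Python 2
            # print statement.
            print(x)

    after_balance = sum(
        [p.zoobars for p in pdb.query(zoobar.zoodb.Person).all()])
    if after_balance != balance1:
        debug_out = 'balance_mismatch: ' + ''.join(
            ['%s: %d, ' % (p.username, p.zoobars)
             for p in pdb.query(zoobar.zoodb.Person).all()])
        print(debug_out)
        report_balance_mismatch()

    # Users the request does not claim to come from.  Built by filtering
    # rather than deleting by an index taken from a second list, which only
    # stays in step while at most one name matches.
    # NOTE(review): the exemption trusts the cookie's name prefix alone; a
    # cookie that names a user without a valid token still exempts that
    # user.  Checking for a Transfer row with that sender would be a
    # stricter signal -- confirm which one the exercise expects.
    cookie = environ['HTTP_COOKIE']
    check_user = [user for user in ['alice', 'bob']
                  if not cookie.startswith('PyZoobarLogin=%s' % user)]

    for user in check_user:
        user_row = pdb.query(zoobar.zoodb.Person).get(user)
        # 10 is presumably the balance adduser() starts each user with --
        # TODO confirm.
        if user_row is not None and user_row.zoobars < 10:
            debug_out = 'zoobar_theft: ' + ''.join(
                ['%s ,' % vars(t)
                 for t in tdb.query(zoobar.zoodb.Transfer).all()])
            print(debug_out)
            report_zoobar_theft()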
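def test_stuff():
    """Send one request to zoobar and check two invariants afterwards.

    The Person table is reset to 'alice' and 'bob', the Transfer table is
    emptied, and a single GET request is passed to zoobar.app() with
    concolic Referer, Cookie and path-suffix values.  After the request:

    * report_balance_mismatch() is called when the number of users is
      unchanged but the sum of all balances is not;
    * report_zoobar_theft() is called for 'alice' or 'bob' when that user
      holds fewer than 10 zoobars and no Transfer row names them as sender.
    """
    pdb = zoobar.zoodb.person_setup()
    pdb.query(zoobar.zoodb.Person).delete()
    adduser(pdb, 'alice', 'atok')
    adduser(pdb, 'bob', 'btok')
    user1 = pdb.query(zoobar.zoodb.Person).all()
    nuser1 = len(user1)
    balance1 = sum([p.zoobars for p in user1])
    pdb.commit()

    tdb = zoobar.zoodb.transfer_setup()
    tdb.query(zoobar.zoodb.Transfer).delete()
    tdb.commit()

    environ = {}
    environ['wsgi.url_scheme'] = 'http'
    environ['wsgi.input'] = 'xxx'
    environ['SERVER_NAME'] = 'zoobar'
    environ['SERVER_PORT'] = '80'
    environ['SCRIPT_NAME'] = 'script'
    environ['QUERY_STRING'] = 'query'
    environ['HTTP_REFERER'] = fuzzy.mk_str('referrer')
    environ['HTTP_COOKIE'] = fuzzy.mk_str('cookie')

    ## In two cases, we over-restrict the inputs in order to reduce the
    ## number of paths that "make check" explores, so that it finishes
    ## in a reasonable amount of time.  You could pass unconstrained
    ## concolic values for both REQUEST_METHOD and PATH_INFO, but then
    ## zoobar generates around 2000 distinct paths, and that takes many
    ## minutes to check.

    # environ['REQUEST_METHOD'] = fuzzy.mk_str('method')
    # environ['PATH_INFO'] = fuzzy.mk_str('path')
    environ['REQUEST_METHOD'] = 'GET'
    environ['PATH_INFO'] = 'trans' + fuzzy.mk_str('path')

    if environ['PATH_INFO'].startswith('//'):
        ## Don't bother trying to construct paths with lots of slashes;
        ## otherwise, the lstrip() code generates lots of paths..
        return

    resp = zoobar.app(environ, startresp)
    if verbose:
        for x in resp:
            # Parenthesised single argument: same output as the Python 2
            # print statement.
            print(x)

    ## Detect balance mismatch.
    ## When detected, call report_balance_mismatch()
    user2 = pdb.query(zoobar.zoodb.Person).all()
    nuser2 = len(user2)
    balance2 = sum([p.zoobars for p in user2])
    # A changed user count legitimately changes the total, so the total is
    # only compared when the count is the same.
    if nuser1 == nuser2 and balance1 != balance2:
        report_balance_mismatch()

    ## Detect zoobar theft.
    ## When detected, call report_zoobar_theft()
    transfers = tdb.query(zoobar.zoodb.Transfer).all()
    for user in ['alice', 'bob']:
        rows = [p for p in user2 if p.username == user]
        if not rows:
            # The row is gone after the request: there is no balance to
            # compare, and indexing an empty list would abort the whole
            # check with IndexError.
            # NOTE(review): decide whether a vanished user should itself be
            # reported.
            continue
        zoobars = rows[0].zoobars
        did = any(t.sender == user for t in transfers)
        # 10 is presumably the balance adduser() starts each user with --
        # TODO confirm.
        if not did and zoobars < 10:
            report_zoobar_theft()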