def test_EvalInlineSourceExpression_match(self):
"""The source expressions 'unsafe-inline' and 'unsafe-eval' do not match any URI."""
srcExprEval = SourceExpression.UNSAFE_EVAL()
srcExprInline = SourceExpression.UNSAFE_INLINE()
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExprEval.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExprInline.matches(SourceExpressionTest.uri_empty,
selfURI)
assert not srcExprEval.matches(URI.INVALID(), selfURI)
assert not srcExprInline.matches(URI.INVALID(), selfURI)
assert srcExprInline.matches(URI.INLINE(), selfURI)
assert not srcExprInline.matches(URI.EVAL(), selfURI)
assert not srcExprEval.matches(URI.INLINE(), selfURI)
assert srcExprEval.matches(URI.EVAL(), selfURI)
def testPolicy_matches_defaultSrcNotSpecified_noMatch(self):
"""Policy contains no directive of resource type, and no default directive either.
Should assume 'default-src *' (no match for inline/eval resources)."""
pol = Policy((PolicyTest.sampleDirective5, ))
selfURI = PolicyTest.sampleURI1a
assert not pol.matches(URI.INLINE(), "script-src", selfURI)
assert not pol.matches(URI.EVAL(), "script-src", selfURI)
def test_SelfSourceExpression_match(self):
"""A 'self' source expression matches if the scheme, host and port of the self and other URI
are the same (using default ports if absent)."""
selfURI = URI("http", "seclab.nu", 80, "/other-path")
srcExpr = SelfSourceExpression.SELF()
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain,
selfURI) # using default port in URI
assert not srcExpr.matches(URI.EMPTY(), selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)
selfURIDefaultPort = URI("https", "seclab.nu", None,
"/yet-another-path")
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURIDefaultPort)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort,
selfURIDefaultPort)
selfURINoPort = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(
SourceExpressionTest.uri_chromeExtension,
selfURINoPort) # no valid port can be deduced from this scheme
def test_regularURI_singletons(self):
"""All the singleton URIs should return False for isRegularURI()."""
assert URI.EMPTY().isRegularURI() == False
assert URI.INVALID().isRegularURI() == False
assert URI.INLINE().isRegularURI() == False
assert URI.EVAL().isRegularURI() == False
assert URI("http", "seclab.nu", None, None,
None).isRegularURI() == True
def testPolicy_matches_invalid(self):
"""An invalid policy matches nothing."""
selfURI = PolicyTest.sampleURI2
assert not Policy.INVALID().matches(PolicyTest.sampleURI1a,
"script-src", selfURI)
assert not Policy.INVALID().matches(URI.INVALID(), "script-src",
selfURI)
assert not Policy.INVALID().matches(URI.EMPTY(), "script-src", selfURI)
assert not Policy.INVALID().matches(URI.INLINE(), "script-src",
selfURI)
assert not Policy.INVALID().matches(URI.EVAL(), "script-src", selfURI)
def test_eq(self):
"""Checks that the eq and hash methods are consistent for a few URIs."""
uri1a = URI("http", "www.seclab.org", 80, "/", "query")
uri1b = URI("http", "www.seclab.org", 80, "/", "query")
uri2 = URI("https", "www.seclab.org", 80, "/")
uri3 = URI("http", "www.seclab.org", 80, None)
assert uri1a == uri1b
assert hash(uri1a) == hash(uri1b)
assert uri1a != uri2
assert uri1a != uri3
assert uri2 != uri3
assert URI.EMPTY() == URI.EMPTY()
assert URI.INVALID() == URI.INVALID()
assert URI.EMPTY() not in (uri1a, uri1b, uri2, uri3, URI.INVALID(),
URI.INLINE(), URI.EVAL())
assert URI.INVALID() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
URI.INLINE(), URI.EVAL())
assert URI.INLINE() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
URI.INVALID(), URI.EVAL())
assert URI.EVAL() not in (uri1a, uri1b, uri2, uri3, URI.EMPTY(),
URI.INVALID(), URI.INLINE())
def testDirective_matches_special(self):
"""An invalid/special directive matches nothing."""
selfURI = DirectiveTest.sampleURI2
assert not Directive.INVALID().matches(URI.EMPTY(), selfURI)
assert not Directive.INVALID().matches(URI.INVALID(), selfURI)
assert not Directive.INVALID().matches(URI.INLINE(), selfURI)
assert not Directive.INVALID().matches(URI.EVAL(), selfURI)
assert not Directive.INVALID().matches(DirectiveTest.sampleURI1,
selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.EVAL_SCRIPT_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.INLINE_SCRIPT_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.EMPTY(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.INVALID(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.INLINE(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
URI.EVAL(), selfURI)
assert not Directive.INLINE_STYLE_BASE_RESTRICTION().matches(
DirectiveTest.sampleURI1, selfURI)
def test_InvalidSourceExpression_match(self):
"""The invalid source expression does not match anything."""
srcExpr = SourceExpression.INVALID()
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlSubstring,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
def test_str(self):
"""Checks the string serialisation of a few URIs."""
assert str(URI("data", "", None, None)) == "data:"
assert str(URI("data", "image/png;base64,iVBORw0KGgoAAAA", None,
None)) == "data:image/png;base64,iVBORw0KGgoAAAA"
assert str(URI("about", "blank", None, None)) == "about:blank"
assert str(
URI("http", "www.seclab.org", 80, "/file", "parameter=value")
) == "http://www.seclab.org:80/file?parameter=value"
assert str(URI(None, "www.seclab.nu", None, None)) == "www.seclab.nu"
assert str(URI.EMPTY()) == ""
assert str(URI.INVALID()) == "[invalid]"
assert str(URI.INLINE()) == "[inline]"
assert str(URI.EVAL()) == "[eval]"
def test_URISourceExpression_match_star(self):
"A source expression that should match everything (except for special URIs)."
srcExpr = URISourceExpression(None, "*", None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
assert not srcExpr.matches(URI.EMPTY(), selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)