def decrypt_cookie(encrypted_content): s = URLSafeSerializer(current_app.config["SECRET_KEY"], salt="cookie") try: content = s.loads(encrypted_content) except: content = "-1" return content
def test_should_response_200_json(self, session): self._create_dagrun(session) key = self.app.config["SECRET_KEY"] serializer = URLSafeSerializer(key) token = serializer.dumps({"download_logs": False}) headers = {'Accept': 'application/json'} response = self.client.get( f"api/v1/dags/{self.DAG_ID}/dagRuns/TEST_DAG_RUN_ID/" f"taskInstances/{self.TASK_ID}/logs/1?token={token}", headers=headers ) expected_filename = "{}/{}/{}/{}/1.log".format( self.log_dir, self.DAG_ID, self.TASK_ID, self.default_time.replace(":", ".") ) self.assertEqual( response.json['content'], f"*** Reading local file: {expected_filename}\nLog for testing." ) info = serializer.loads(response.json['continuation_token']) self.assertEqual( info, {'end_of_log': True} ) self.assertEqual(200, response.status_code)
def retrieve_cookie( cookie_name: str, request: flask.Request = flask.request ) -> Union[str, None]: """ Returns the decoded version of a signed cookie. If the cookie was tampered with, then it will return `None`. """ serializer = URLSafeSerializer(flask.current_app.config["SECRET_KEY"]) try: return serializer.loads(request.cookies[cookie_name]) except (BadSignature, BadData, KeyError): # Somebody tampered with the data and its better to return None. return None
def unserialize_user_flag(user_flag, *, secret=None): if secret is None: secret = current_app.config["SECRET_KEY"] user_flag = re.sub(".+?{(.+)}", r"\1", user_flag)[::-1] serializer = URLSafeSerializer(secret) data = serializer.loads(user_flag) data.append(None) account_id, challenge_id, challenge_data, *_ = data return account_id, challenge_id, challenge_data
def test_should_respond_200_json(self, session): self._create_dagrun(session) key = self.app.config["SECRET_KEY"] serializer = URLSafeSerializer(key) token = serializer.dumps({"download_logs": False}) response = self.client.get( f"api/v1/dags/{self.DAG_ID}/dagRuns/TEST_DAG_RUN_ID/" f"taskInstances/{self.TASK_ID}/logs/1?token={token}", headers={'Accept': 'application/json'}, environ_overrides={'REMOTE_USER': "******"}, ) expected_filename = "{}/{}/{}/{}/1.log".format( self.log_dir, self.DAG_ID, self.TASK_ID, self.default_time.replace(":", ".") ) assert ( response.json['content'] == f"[('', '*** Reading local file: {expected_filename}\\nLog for testing.')]" ) info = serializer.loads(response.json['continuation_token']) assert info == {'end_of_log': True} assert 200 == response.status_code
from itsdangerous.serializer import Serializer s = Serializer("secret-key") serializer_value = s.dumps([1, 2, 3, 4]) print(serializer_value) print(s.loads(serializer_value)) from itsdangerous.url_safe import URLSafeSerializer s1 = URLSafeSerializer("secret-key", salt="activate") s1.dumps(1) s2 = URLSafeSerializer("secret-key", salt="upgrade") s2.dumps(1) print(s1.dumps(1)) print(s2.dumps(1)) print(s1.loads(s1.dumps(1))) print(s2.loads(s2.dumps(1))) s = URLSafeSerializer("secret-key") s.dumps([1, 2, 3, 4]) print(s.dumps([1, 2, 3, 4])) print(s.loads(s.dumps([1, 2, 3, 4])))
class CSRFMiddleware(BaseHTTPMiddleware): def __init__( self, app: ASGIApp, secret: str, sensitive_cookies: Optional[Set[str]] = None, cookie_name: str = "csrftoken", cookie_path: str = "/", cookie_domain: Optional[str] = None, cookie_secure: bool = False, cookie_httponly: bool = False, cookie_samesite: str = "lax", header_name: str = "x-csrftoken", safe_methods: Set[str] = {"GET", "HEAD", "OPTIONS", "TRACE"}, exempt_urls: Optional[List[Pattern]] = None, ) -> None: super().__init__(app) self.serializer = URLSafeSerializer(secret, "csrftoken") self.secret = secret self.sensitive_cookies = sensitive_cookies self.cookie_name = cookie_name self.cookie_path = cookie_path self.cookie_domain = cookie_domain self.cookie_secure = cookie_secure self.cookie_httponly = cookie_httponly self.cookie_samesite = cookie_samesite self.header_name = header_name self.safe_methods = safe_methods self.exempt_urls = exempt_urls async def dispatch(self, request: Request, call_next: RequestResponseEndpoint): csrf_cookie = request.cookies.get(self.cookie_name) if ( request.method not in self.safe_methods and self._has_sensitive_cookies(request.cookies) and not self._url_is_exempt(request.url) ): submitted_csrf_token = await self._get_submitted_csrf_token(request) if ( not csrf_cookie or not submitted_csrf_token or not self._csrf_tokens_match(csrf_cookie, submitted_csrf_token) ): return self._get_error_response(request) response = await call_next(request) if not csrf_cookie: response.set_cookie( self.cookie_name, self._generate_csrf_token(), path=self.cookie_path, domain=self.cookie_domain, secure=self.cookie_secure, httponly=self.cookie_httponly, samesite=self.cookie_samesite, ) return response def _has_sensitive_cookies(self, cookies: Dict[str, str]) -> bool: if not self.sensitive_cookies: return True for sensitive_cookie in self.sensitive_cookies: if sensitive_cookie in cookies: return True return False def _url_is_exempt(self, url: URL) -> bool: if not self.exempt_urls: return False for exempt_url in self.exempt_urls: if exempt_url.match(url.path): return True return False async def _get_submitted_csrf_token(self, request: Request) -> Optional[str]: return request.headers.get(self.header_name) def _generate_csrf_token(self) -> str: return cast(str, self.serializer.dumps(secrets.token_urlsafe(128))) def _csrf_tokens_match(self, token1: str, token2: str) -> bool: try: decoded1: str = self.serializer.loads(token1) decoded2: str = self.serializer.loads(token2) return secrets.compare_digest(decoded1, decoded2) except BadSignature: return False def _get_error_response(self, request: Request) -> Response: return PlainTextResponse( content="CSRF token verification failed", status_code=403 )