Exemplo n.º 1
0
    def test_retrieve_csp_policies_with_policies_case04(self):
        '''
        Test case in which 4 policies are specified using 4 differents CSP
        headers and in which 1 is specified using report only CSP header.
        Test in which we want only mandatory policies.
        '''
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + \
            " trust.sample.com"
        hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_SCRIPT + \
            " report.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 3)
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
        self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
        self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0],
                         "trust.sample.com")
Exemplo n.º 2
0
 def test_retrieve_csp_policies_without_policies(self):
     """
     Test case in which no policies are specified into HTTP response.
     """
     hrds = {}.items()
     csp_headers = Headers(hrds)
     http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
     policies = retrieve_csp_policies(http_response)
     self.assertEqual(len(policies), 0)
Exemplo n.º 3
0
 def test_retrieve_csp_policies_without_policies(self):
     '''
     Test case in which no policies are specified into HTTP response.
     '''
     hrds = {}.items()
     csp_headers = Headers(hrds)
     http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
     policies = retrieve_csp_policies(http_response)
     self.assertEqual(len(policies), 0)
Exemplo n.º 4
0
    def test_retrieve_csp_policies_with_special_policies_case01(self):
        """
        Test case in which 2 policies are specified using special directives
        with empty value.
        """
        header_value = "sandbox ; script-nonce "
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 2)
        self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SANDBOX][0], "")
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "")
Exemplo n.º 5
0
    def test_retrieve_csp_policies_with_special_policies_case01(self):
        '''
        Test case in which 2 policies are specified using special directives
        with empty value.
        '''
        header_value = "sandbox ; script-nonce "
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 2)
        self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SANDBOX][0], "")
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "")
Exemplo n.º 6
0
    def test_retrieve_csp_policies_with_special_policies_case02(self):
        """
        Test case in which 2 policies are specified using special directives
        with explicit values.
        """
        header_value = "sandbox allow-forms allow-scripts ;" " script-nonce AABBCCDDEE"
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 2)
        self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 2)
        self.assertTrue("allow-forms" in policies[CSP_DIRECTIVE_SANDBOX])
        self.assertTrue("allow-scripts" in policies[CSP_DIRECTIVE_SANDBOX])
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "AABBCCDDEE")
Exemplo n.º 7
0
    def test_retrieve_csp_policies_with_policies_case05(self):
        """
        Test case in which 4 policies are specified using 4 differents CSP
        headers and in which 1 is specified using report only CSP header.
        Test in which we want only report-only policies.
        """
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + " trust.sample.com"
        hrds[CSP_HEADER_W3C_REPORT_ONLY] = CSP_DIRECTIVE_SCRIPT + " report.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response, True)

        self.assertEqual(len(policies), 1)
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0], "report.sample.com")
Exemplo n.º 8
0
    def test_retrieve_csp_policies_with_special_policies_case02(self):
        '''
        Test case in which 2 policies are specified using special directives
        with explicit values.
        '''
        header_value = "sandbox allow-forms allow-scripts ;"\
                       " script-nonce AABBCCDDEE"
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 2)
        self.assertEqual(len(policies[CSP_DIRECTIVE_SANDBOX]), 2)
        self.assertTrue("allow-forms" in policies[CSP_DIRECTIVE_SANDBOX])
        self.assertTrue("allow-scripts" in policies[CSP_DIRECTIVE_SANDBOX])
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT_NONCE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT_NONCE][0], "AABBCCDDEE")
Exemplo n.º 9
0
    def test_retrieve_csp_policies_with_policies_case03(self):
        """
        Test case in which 3 policies are specified using 3 differents CSP headers.
        """
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + " trust.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 3)
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
        self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
        self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0], "trust.sample.com")
Exemplo n.º 10
0
    def test_retrieve_csp_policies_with_policies_case01(self):
        """
        Test case in which 1 same policy is specified using 3 differents CSP
        headers.
        """
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'self'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_OBJECT + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_OBJECT + " *.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)

        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 1)
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
        self.assertTrue("self" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*.sample.com" in policies[CSP_DIRECTIVE_OBJECT])
Exemplo n.º 11
0
    def test_retrieve_csp_policies_with_policies_case01(self):
        '''
        Test case in which 1 same policy is specified using 3 differents CSP
        headers.
        '''
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'self'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_OBJECT + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_OBJECT + " *.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)

        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 1)
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
        self.assertTrue("self" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*.sample.com" in policies[CSP_DIRECTIVE_OBJECT])
Exemplo n.º 12
0
    def test_retrieve_csp_policies_with_policies_case03(self):
        '''
        Test case in which 3 policies are specified using 3 differents CSP headers.
        '''
        hrds = {}
        hrds[CSP_HEADER_W3C] = CSP_DIRECTIVE_OBJECT + " 'none'"
        hrds[CSP_HEADER_FIREFOX] = CSP_DIRECTIVE_IMAGE + " *"
        hrds[CSP_HEADER_CHROME] = CSP_DIRECTIVE_CONNECTION + \
            " trust.sample.com"
        csp_headers = Headers(hrds.items())

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 3)
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_OBJECT][0], "none")
        self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
        self.assertEqual(len(policies[CSP_DIRECTIVE_CONNECTION]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_CONNECTION][0],
                         "trust.sample.com")
Exemplo n.º 13
0
    def test_retrieve_csp_policies_with_policies_case02(self):
        '''
        Test case in which several policies are specified using only 1 CSP
        header but with 7 differents directives.
        '''
        header_value = "default-src 'self'; img-src *;"\
                       " object-src media1.example.com media2.example.com"\
                       " *.cdn.example.com; script-src trustedscripts.example.com;"\
                       " form-action /ctxroot/action1 /ctxroot/action2;"\
                       " plugin-types application/pdf application/x-java-applet;"\
                       " reflected-xss block"
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, '', csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 7)
        self.assertEqual(len(policies[CSP_DIRECTIVE_DEFAULT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_DEFAULT][0], "self")
        self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0],
                         "trustedscripts.example.com")
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
        self.assertTrue("media1.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("media2.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*.cdn.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertEqual(len(policies[CSP_DIRECTIVE_FORM]), 2)
        self.assertTrue("/ctxroot/action1" in policies[CSP_DIRECTIVE_FORM])
        self.assertTrue("/ctxroot/action2" in policies[CSP_DIRECTIVE_FORM])
        self.assertEqual(len(policies[CSP_DIRECTIVE_PLUGIN_TYPES]), 2)
        self.assertTrue(
            "application/pdf" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
        self.assertTrue("application/x-java-applet" in
                        policies[CSP_DIRECTIVE_PLUGIN_TYPES])
        self.assertEqual(len(policies[CSP_DIRECTIVE_XSS]), 1)
        self.assertTrue("block" in policies[CSP_DIRECTIVE_XSS])
Exemplo n.º 14
0
    def test_retrieve_csp_policies_with_policies_case02(self):
        """
        Test case in which several policies are specified using only 1 CSP
        header but with 7 differents directives.
        """
        header_value = (
            "default-src 'self'; img-src *;"
            " object-src media1.example.com media2.example.com"
            " *.cdn.example.com; script-src trustedscripts.example.com;"
            " form-action /ctxroot/action1 /ctxroot/action2;"
            " plugin-types application/pdf application/x-java-applet;"
            " reflected-xss block"
        )
        hrds = {CSP_HEADER_W3C: header_value}.items()
        csp_headers = Headers(hrds)

        http_response = HTTPResponse(200, "", csp_headers, self.url, self.url)
        policies = retrieve_csp_policies(http_response)

        self.assertEqual(len(policies), 7)
        self.assertEqual(len(policies[CSP_DIRECTIVE_DEFAULT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_DEFAULT][0], "self")
        self.assertEqual(len(policies[CSP_DIRECTIVE_IMAGE]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_IMAGE][0], "*")
        self.assertEqual(len(policies[CSP_DIRECTIVE_SCRIPT]), 1)
        self.assertEqual(policies[CSP_DIRECTIVE_SCRIPT][0], "trustedscripts.example.com")
        self.assertEqual(len(policies[CSP_DIRECTIVE_OBJECT]), 3)
        self.assertTrue("media1.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("media2.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertTrue("*.cdn.example.com" in policies[CSP_DIRECTIVE_OBJECT])
        self.assertEqual(len(policies[CSP_DIRECTIVE_FORM]), 2)
        self.assertTrue("/ctxroot/action1" in policies[CSP_DIRECTIVE_FORM])
        self.assertTrue("/ctxroot/action2" in policies[CSP_DIRECTIVE_FORM])
        self.assertEqual(len(policies[CSP_DIRECTIVE_PLUGIN_TYPES]), 2)
        self.assertTrue("application/pdf" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
        self.assertTrue("application/x-java-applet" in policies[CSP_DIRECTIVE_PLUGIN_TYPES])
        self.assertEqual(len(policies[CSP_DIRECTIVE_XSS]), 1)
        self.assertTrue("block" in policies[CSP_DIRECTIVE_XSS])