 def test_coerce_blocked_uri_if_missing(self):
     """A report with no ``blocked_uri`` key is coerced to ``'self'``.

     Only ``document_uri`` and ``effective_directive`` are supplied, so the
     interface has to synthesise the blocked URI rather than leave it
     unset; the canonical value for that case is the literal ``'self'``.
     """
     payload = {
         'document_uri': 'http://example.com',
         'effective_directive': 'script-src',
     }
     parsed = Csp.to_python(payload)
     assert parsed.blocked_uri == 'self'
 def interface(self):
     """Build a fully populated ``Csp`` interface for the surrounding tests.

     The fixture is a style-src violation where the blocked resource lives
     on the document's own origin while the policy only allows
     ``cdn.example.com``.
     """
     report = {
         'document_uri': 'http://example.com',
         'violated_directive': 'style-src cdn.example.com',
         'blocked_uri': 'http://example.com/lol.css',
         'effective_directive': 'style-src',
     }
     return Csp.to_python(report)
 def test_coerce_blocked_uri_if_missing(self):
     """A report with no ``blocked_uri`` key is coerced to ``'self'``.

     Only ``document_uri`` and ``effective_directive`` are supplied; the
     interface must fill the missing blocked URI with the literal
     ``'self'`` rather than leaving it unset.
     """
     payload = {
         'document_uri': 'http://example.com',
         'effective_directive': 'script-src',
     }
     parsed = Csp.to_python(payload)
     assert parsed.blocked_uri == 'self'
    def test_get_message(self):
        """Pin the human-readable message for each shape of CSP report.

        Covered cases, in order:

        * a remote ``blocked_uri`` is reduced to its host name;
        * an empty ``blocked_uri`` is reported as an inline violation, and
          the ``'unsafe-inline'`` / ``'unsafe-eval'`` source in
          ``violated_directive`` selects the wording (falling back to the
          combined "eval() or inline" message when neither is present);
        * a ``data:`` URI, whether a full one or the bare ``data`` token,
          is reduced to the scheme only, so the payload itself never
          reaches the message.
        """
        base = {'document_uri': 'http://example.com/foo'}
        cases = [
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='http://google.com/foo'),
                "Blocked 'image' from 'google.com'",
            ),
            (
                dict(base, effective_directive='style-src', blocked_uri=''),
                "Blocked inline 'style'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src 'unsafe-inline'"),
                "Blocked unsafe inline 'script'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src 'unsafe-eval'"),
                "Blocked unsafe eval() 'script'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src example.com"),
                "Blocked unsafe (eval() or inline) 'script'",
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'),
                "Blocked 'script' from 'data:'",
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='data'),
                "Blocked 'script' from 'data:'",
            ),
        ]
        for payload, expected in cases:
            assert Csp.to_python(payload).get_message() == expected
    def test_get_hash(self):
        """Pin the grouping key derived from a report.

        The hash is ``[effective_directive, normalised_blocked_uri]`` where
        the blocked URI is collapsed so that noisy variants group together:

        * empty and ``'self'`` both become the quoted ``'self'`` token;
        * a URI on the document's own origin is reduced to its bare host;
        * ``data:`` URIs are reduced to the scheme;
        * a non-http(s) scheme keeps the scheme plus host, path dropped.
        """
        base = {'document_uri': 'http://example.com/foo'}
        cases = [
            (
                dict(base, effective_directive='script-src', blocked_uri=''),
                ['script-src', "'self'"],
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='self'),
                ['script-src', "'self'"],
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='http://example.com/lol.js'),
                ['script-src', 'example.com'],
            ),
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='data:foo'),
                ['img-src', 'data:'],
            ),
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='ftp://example.com/foo'),
                ['img-src', 'ftp://example.com'],
            ),
        ]
        for payload, expected in cases:
            assert Csp.to_python(payload).get_hash() == expected
 def interface(self):
     """Build a fully populated ``Csp`` interface for the surrounding tests.

     The fixture is a style-src violation: the blocked stylesheet is on the
     document's own origin while the policy only permits
     ``cdn.example.com``.
     """
     report = {
         'document_uri': 'http://example.com',
         'violated_directive': 'style-src cdn.example.com',
         'blocked_uri': 'http://example.com/lol.css',
         'effective_directive': 'style-src',
     }
     return Csp.to_python(report)
 def test_get_tags_stripe(self):
     """The query string of ``blocked_uri`` must not leak into tags.

     The reporting browser sends the full blocked URL, which here carries
     ``card[number]=xxx``.  Tags are indexed and searchable, so the
     ``blocked-uri`` tag has to be truncated at the ``?`` before it is
     stored; only the directive and the path-less URL may survive.
     """
     report = {
         'blocked_uri': 'https://api.stripe.com/v1/tokens?card[number]=xxx',
         'effective_directive': 'script-src',
     }
     expected_tags = [
         ('effective-directive', 'script-src'),
         ('blocked-uri', 'https://api.stripe.com/v1/tokens'),
     ]
     assert Csp.to_python(report).get_tags() == expected_tags
 def test_get_tags_stripe(self):
     """The query string of ``blocked_uri`` must not leak into tags.

     The browser-supplied blocked URL carries ``card[number]=xxx`` in its
     query; since tags are indexed and searchable, the ``blocked-uri`` tag
     must be cut at the ``?`` so the sensitive parameters are never stored.
     """
     report = {
         'blocked_uri': 'https://api.stripe.com/v1/tokens?card[number]=xxx',
         'effective_directive': 'script-src',
     }
     expected_tags = [
         ('effective-directive', 'script-src'),
         ('blocked-uri', 'https://api.stripe.com/v1/tokens'),
     ]
     assert Csp.to_python(report).get_tags() == expected_tags
    def get_metadata(self):
        """Summarise the CSP report stored under ``self.data['csp']``.

        Returns a dict with the effective directive, the normalised
        blocked URI (read from the interface's private
        ``_normalized_blocked_uri`` attribute) and the rendered message.
        The interface is re-parsed from raw data on every call, which the
        TODO below flags as wasteful.
        """
        from sentry.interfaces.security import Csp
        # TODO(dcramer): pull get message into here to avoid instantiation
        # or ensure that these get interfaces passed instead of raw data
        csp = Csp.to_python(self.data['csp'])

        metadata = {}
        metadata['directive'] = csp.effective_directive
        metadata['uri'] = csp._normalized_blocked_uri
        metadata['message'] = csp.get_message()
        return metadata
    def get_metadata(self, data):
        """Summarise the CSP report found under ``data['csp']``.

        Returns a dict with the effective directive, the interface's
        ``normalized_blocked_uri`` and the rendered message.  The interface
        is re-parsed from raw data on every call; the TODO below records
        that this instantiation is meant to go away.
        """
        from sentry.interfaces.security import Csp
        # TODO(dcramer): pull get message into here to avoid instantiation
        # or ensure that these get interfaces passed instead of raw data
        csp = Csp.to_python(data['csp'])

        metadata = {}
        metadata['directive'] = csp.effective_directive
        metadata['uri'] = csp.normalized_blocked_uri
        metadata['message'] = csp.get_message()
        return metadata
    def test_compute_hashes(self):
        """Pin the grouping hashes computed from a report.

        ``compute_hashes`` yields a single ``[directive, uri]`` pair whose
        URI is normalised for stable grouping: empty and ``'self'`` both map
        to the quoted ``'self'`` token, a same-origin URL is reduced to its
        host, ``data:`` URIs keep only the scheme, and other schemes keep
        scheme plus host with the path dropped.
        """
        base = {'document_uri': 'http://example.com/foo'}
        cases = [
            (
                dict(base, effective_directive='script-src', blocked_uri=''),
                [['script-src', "'self'"]],
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='self'),
                [['script-src', "'self'"]],
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='http://example.com/lol.js'),
                [['script-src', 'example.com']],
            ),
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='data:foo'),
                [['img-src', 'data:']],
            ),
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='ftp://example.com/foo'),
                [['img-src', 'ftp://example.com']],
            ),
        ]
        for payload, expected in cases:
            assert Csp.to_python(payload).compute_hashes() == expected
    def test_get_culprit(self):
        """Pin how ``violated_directive`` is rewritten into the culprit.

        Sources that name the document's own origin (``http://example.com``
        for an ``http://example.com/foo`` document) are replaced by the
        quoted ``'self'`` token, including when they sit among other
        sources.  Every other source - scheme-less hosts, a different
        scheme, a different host - is passed through unchanged.
        """
        cases = [
            (
                'http://example.com/foo',
                'style-src http://cdn.example.com',
                'style-src http://cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src cdn.example.com',
                'style-src cdn.example.com',
            ),
            (
                'https://example.com/foo',
                'style-src cdn.example.com',
                'style-src cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src https://cdn.example.com',
                'style-src https://cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src http://example.com',
                "style-src 'self'",
            ),
            (
                'http://example.com/foo',
                'style-src http://example2.com example.com',
                "style-src http://example2.com 'self'",
            ),
        ]
        for document_uri, violated, expected in cases:
            parsed = Csp.to_python({
                'document_uri': document_uri,
                'violated_directive': violated,
                'effective_directive': 'style-src',
            })
            assert parsed.get_culprit() == expected
    def test_get_culprit(self):
        """Pin how ``violated_directive`` is rewritten into the culprit.

        A source equal to the document's origin (``http://example.com`` for
        an ``http://example.com/foo`` document) becomes the quoted
        ``'self'`` token, even when listed after other sources; hosts
        without a scheme, other schemes and other hosts pass through
        untouched.
        """
        cases = [
            (
                'http://example.com/foo',
                'style-src http://cdn.example.com',
                'style-src http://cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src cdn.example.com',
                'style-src cdn.example.com',
            ),
            (
                'https://example.com/foo',
                'style-src cdn.example.com',
                'style-src cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src https://cdn.example.com',
                'style-src https://cdn.example.com',
            ),
            (
                'http://example.com/foo',
                'style-src http://example.com',
                "style-src 'self'",
            ),
            (
                'http://example.com/foo',
                'style-src http://example2.com example.com',
                "style-src http://example2.com 'self'",
            ),
        ]
        for document_uri, violated, expected in cases:
            parsed = Csp.to_python({
                'document_uri': document_uri,
                'violated_directive': violated,
                'effective_directive': 'style-src',
            })
            assert parsed.get_culprit() == expected
Exemplo n.º 14
0
def test_invalid_csp_report(report):
    """A malformed ``report`` must be rejected with ``InterfaceValidationError``.

    ``report`` is injected by the test harness (its parametrisation sits
    above this function and is not shown here); the contract pinned is that
    ``Csp.to_python`` raises rather than silently producing an interface.
    """
    parse = Csp.to_python
    with pytest.raises(InterfaceValidationError):
        parse(report)
    def test_get_message(self):
        """Pin the human-readable message for each shape of CSP report.

        Covered, in order: a remote ``blocked_uri`` is reduced to its host;
        an empty ``blocked_uri`` is described as inline, with the
        ``'unsafe-inline'`` / ``'unsafe-eval'`` source in
        ``violated_directive`` choosing the wording and a combined
        "eval() or inline" message when neither is present; and ``data:``
        URIs - full or the bare ``data`` token - are reduced to the scheme
        so the embedded payload never appears in the message.
        """
        base = {'document_uri': 'http://example.com/foo'}
        cases = [
            (
                dict(base, effective_directive='img-src',
                     blocked_uri='http://google.com/foo'),
                "Blocked 'image' from 'google.com'",
            ),
            (
                dict(base, effective_directive='style-src', blocked_uri=''),
                "Blocked inline 'style'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src 'unsafe-inline'"),
                "Blocked unsafe inline 'script'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src 'unsafe-eval'"),
                "Blocked unsafe eval() 'script'",
            ),
            (
                dict(base, effective_directive='script-src', blocked_uri='',
                     violated_directive="script-src example.com"),
                "Blocked unsafe (eval() or inline) 'script'",
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='data:text/plain;base64,SGVsbG8sIFdvcmxkIQ%3D%3D'),
                "Blocked 'script' from 'data:'",
            ),
            (
                dict(base, effective_directive='script-src',
                     blocked_uri='data'),
                "Blocked 'script' from 'data:'",
            ),
        ]
        for payload, expected in cases:
            assert Csp.to_python(payload).get_message() == expected
def test_blocked_csp_report(report):
    """A report on the block list must be flagged for filtering.

    ``report`` is supplied by the harness (parametrisation not visible
    here); the pinned contract is that ``should_filter()`` returns the
    literal ``True``, not merely a truthy value.
    """
    parsed = Csp.to_python(report)
    assert parsed.should_filter() is True
def test_valid_csp_report(report):
    """A legitimate report must not be filtered.

    ``report`` is supplied by the harness (parametrisation not visible
    here); the pinned contract is that ``should_filter()`` returns the
    literal ``False``, not merely a falsy value.
    """
    parsed = Csp.to_python(report)
    assert parsed.should_filter() is False