def testDirective_eq(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("https", "seclab.nu", 443, "/")
directive1a = Directive("object-src", [srcExpr1, srcExpr2])
directive1b = Directive("object-src", [srcExpr2, srcExpr1])
directive2 = Directive("frame-src", [srcExpr1, srcExpr2])
directive3 = Directive("object-src", [srcExpr2])
directive4a = Directive("script-src",
(SourceExpression.UNSAFE_INLINE(), ))
directive4b = Directive("script-src",
(SourceExpression("unsafe-inline"), ))
assert directive1a == directive1b
assert hash(directive1a) == hash(directive1b)
assert directive1a != directive2
assert directive1a != directive3
assert directive2 != directive3
assert directive4a == directive4b
assert hash(directive4a) == hash(directive4b)
assert Directive.INVALID() == Directive.INVALID()
assert Directive.INVALID() not in (directive1a, directive1b,
directive2, directive3)
assert Directive.INLINE_STYLE_BASE_RESTRICTION() not in (directive1a,
directive1b,
directive2,
directive3)
def testDirective_asBasicDirectives_single(self):
assert Directive.INVALID().asBasicDirectives() == set([])
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives() == set([])
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives() == set([])
assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives() == set([])
sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b])
assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_withoutPaths_removeDuplicates(self):
withPaths = Directive(
"script-src",
[DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3])
withoutPaths = Directive("script-src",
[DirectiveTest.sampleSrcExpr2.removePath()])
assert withPaths.withoutPaths() == withoutPaths
class PolicyDataReaderTest(unittest.TestCase):
samplePolicy = Policy([
Directive("default-src", ()),
Directive("style-src", [SourceExpression.UNSAFE_INLINE()]),
Directive("img-src",
[URISourceExpression(None, "seclab.nu", "*", None)])
])
@pytest.fixture(autouse=True)
def initdir(self, tmpdir):
tmpdir.chdir()
def setUp(self):
self.fileIn = PolicyDataReader(True)
self.filename = "policystorage.dat"
self.fileOut = DataWriter(self.filename)
def testReportCreation(self):
"""Writes a LogEntry and loads it back as an object."""
self.fileOut.storeAll([PolicyDataReaderTest.samplePolicy])
self.fileOut.close()
dataOut = self.fileIn.loadAll(self.filename)
assert len(dataOut) == 1
assert PolicyDataReaderTest.samplePolicy in dataOut
def testDirectiveParser_parse_empty(self):
assert DirectiveParser(strict=True).parse(" ") == Directive.INVALID()
assert DirectiveParser(strict=False).parse(" ") == Directive.INVALID()
assert DirectiveParser(
strict=True).parse("img-src ") == Directive.INVALID()
assert DirectiveParser(
strict=False).parse("img-src ") == Directive.INVALID()
def testDirective_withoutPaths_schemeOnly(self):
chromeExt = Directive("img-src", [
URISourceExpression("chrome-extension",
"mkfokfffehpeedafpekjeddnmnjhmcmk", None, None)
])
assert chromeExt.withoutPaths(["chrome-extension"]) == Directive(
"img-src",
[URISourceExpression("chrome-extension", None, None, None)])
def testDirective_getType(self):
assert Directive("default-src", []).getType() == "default-src"
assert Directive.INLINE_STYLE_BASE_RESTRICTION().getType(
) == "style-src"
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().getType(
) == "script-src"
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().getType(
) == "script-src"
def testPolicy_init_removeNotRegularDirective(self):
pol = Policy([
PolicyTest.sampleDirective1a,
Directive.INVALID(),
Directive.EVAL_SCRIPT_BASE_RESTRICTION()
])
expected = Policy([PolicyTest.sampleDirective1a])
assert pol == expected
def testDirective_init_removeDoubleExpressions(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("http", "seclab.nu", "*", None)
directive = Directive("style-src", [srcExpr1, srcExpr2])
whitelisted = directive.getWhitelistedSourceExpressions()
assert whitelisted == set([srcExpr1]) # duplicate source expressions should be removed
assert whitelisted == set([srcExpr2]) # sets should be equal
assert directive == Directive("style-src", [srcExpr1])
assert directive == Directive("style-src", [srcExpr2])
def testPolicy_compareTo_recursive(self):
pol1 = Policy([PolicyTest.sampleDirective6])
pol2 = Policy(
[Directive("style-src", [SourceExpression.UNSAFE_INLINE()])])
assert pol1.compareTo(pol2) == (
set([pol2]),
set([
Policy([Directive("style-src", [SelfSourceExpression.SELF()])])
]), set([]))
def testDirective_isRegularDirective(self):
assert Directive.INVALID().isRegularDirective() == False
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive.INLINE_STYLE_BASE_RESTRICTION().isRegularDirective(
) == False
assert Directive("default-src", []).isRegularDirective() == True
def testDirective_asBasicDirectives_multiple(self):
sampleDirective = Directive("script-src", [SelfSourceExpression.SELF(),
DirectiveTest.sampleSrcExpr1a,
DirectiveTest.sampleSrcExpr2,
DirectiveTest.sampleSrcExpr3])
assert sampleDirective.asBasicDirectives() == set([Directive("script-src", [SelfSourceExpression.SELF()]),
Directive("script-src", [DirectiveTest.sampleSrcExpr1a]),
Directive("script-src", [DirectiveTest.sampleSrcExpr2]),
Directive("script-src", [DirectiveTest.sampleSrcExpr3])])
def testDirective_generateDirective_regular(self):
violated = Directive(
"object-src",
[DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
generated = violated.generateDirective("regular",
DirectiveTest.sampleURI2)
assert generated == Directive(
"object-src",
[URISourceExpression("http", "seclab.ccs.neu.edu", 80, "/path")])
def testDirective_withoutPaths(self):
withPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2, SelfSourceExpression.SELF()])
withoutPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2.removePath(), SelfSourceExpression.SELF()])
assert withPaths.withoutPaths() == withoutPaths
assert withoutPaths.withoutPaths() == withoutPaths
assert Directive.INVALID().withoutPaths() == Directive.INVALID()
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().withoutPaths() == Directive.EVAL_SCRIPT_BASE_RESTRICTION()
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().withoutPaths() == Directive.INLINE_SCRIPT_BASE_RESTRICTION()
assert Directive.INLINE_STYLE_BASE_RESTRICTION().withoutPaths() == Directive.INLINE_STYLE_BASE_RESTRICTION()
def testDirective_init_removeDoubleExpressions(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = URISourceExpression("http", "seclab.nu", "*", None)
directive = Directive("style-src", [srcExpr1, srcExpr2])
whitelisted = directive.getWhitelistedSourceExpressions()
assert whitelisted == set(
[srcExpr1]) # duplicate source expressions should be removed
assert whitelisted == set([srcExpr2]) # sets should be equal
assert directive == Directive("style-src", [srcExpr1])
assert directive == Directive("style-src", [srcExpr2])
def testDirective_isBasicDirective(self):
assert Directive.INVALID().isBasicDirective() == False
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().isBasicDirective(
) == False
assert Directive("default-src", ()).isBasicDirective() == True
assert Directive(
"script-src",
[DirectiveTest.sampleSrcExpr2]).isBasicDirective() == True
assert Directive(
"object-src",
[DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3
]).isBasicDirective() == False
def testDirectiveParser_parse_standard(self):
assert DirectiveParser(strict=True).parse("default-src https: 'unsafe-inline' 'unsafe-eval'") \
== Directive("default-src", [URISourceExpression("https", None, None, None),
SourceExpression.UNSAFE_INLINE(), SourceExpression.UNSAFE_EVAL()])
assert DirectiveParser(strict=True).parse("default-src 'self'") \
== Directive("default-src", [SelfSourceExpression.SELF()])
assert DirectiveParser(strict=True).parse("img-src *") \
== Directive("img-src", [URISourceExpression(None, "*", None, None)])
assert DirectiveParser(strict=True).parse("object-src media1.example.com media2.example.com *.cdn.example.com") \
== Directive("object-src", [URISourceExpression(None, "media1.example.com", None, None),
URISourceExpression(None, "media2.example.com", None, None),
URISourceExpression(None, "*.cdn.example.com", None, None)])
def testDirective_combine_regular(self):
direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a])
direct2 = Directive("default-src", [DirectiveTest.sampleSrcExpr2])
expected = Directive(
"default-src",
[DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
assert direct1.combinedDirective(direct2) == expected
assert direct2.combinedDirective(direct1) == expected
assert direct1.combinedDirective(direct1) == direct1
assert direct2.combinedDirective(direct2) == direct2
def testDirective_generateDirective_incompatibleType(self):
violatedWrongInlineType = Directive("object-src", [])
violatedWrongEvalType = Directive("style-src", [])
assert violatedWrongInlineType.generateDirective(
"inline", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedWrongEvalType.generateDirective(
"eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_matches(self):
"""A few standard tests."""
directive1 = Directive(
"object-src",
[DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
directive2 = Directive("frame-src", [DirectiveTest.sampleSrcExpr2])
directive3 = Directive("default-src", [])
selfURI = DirectiveTest.sampleURI2
assert directive1.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive1.matches(DirectiveTest.sampleURI2, selfURI)
assert not directive2.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive2.matches(DirectiveTest.sampleURI2, selfURI)
assert not directive3.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive3.matches(DirectiveTest.sampleURI2, selfURI)
def testDirectiveParser_parse_translate(self):
"""The old directive type 'xhr-src' is correctly rewritten to 'connect-src'."""
translateDirective = "xhr-src http://localhost"
cspTranslateDirective = DirectiveParser().parse(translateDirective)
assert cspTranslateDirective == Directive(
"connect-src",
(URISourceExpression("http", "localhost", None, None), ))
def testReportParser_parse_unicode(self):
"""The JSON deserialiser returns strings as unicode objects. Check that they are correctly parsed in URIs."""
fullReport = """{"remote-addr": "XXX", "policy-type": "regular", "http-user-agent":""" \
+ """ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:27.0) Gecko/20100101 Firefox/27.0",""" \
+ """ "timestamp-utc": "2014-03-01 12:13:14.156789", "csp-report": {"violated-directive":""" \
+ """ "img-src 'none'", "referrer": "http://handbook5.com/a/a-security-analysis-of-amazon%E2%80%99s-elastic-compute-cloud-service-w14847.html",""" \
+ """ "blocked-uri": "http://www.iseclab.org/images/anr.png", "document-uri":""" \
+ """ "http://www.iseclab.org/?p"}, "header-type": "standard"}"""
expected = Report({
"violated-directive":
Directive("img-src", ()),
"referrer":
URI(
"http", "handbook5.com", None,
u"/a/a-security-analysis-of-amazon’s-elastic-compute-cloud-service-w14847.html"
),
"blocked-uri":
URI("http", "www.iseclab.org", None, u"/images/anr.png"),
"document-uri":
URI("http", "www.iseclab.org", None, u"/", "p")
})
parser = ReportParser(requiredKeys=[])
jsonReport = json.loads(fullReport)
cspReport = parser.parseJsonDict(jsonReport["csp-report"])
assert cspReport == expected
class ReportDataReaderTest(unittest.TestCase):
sampleURI1a = URI("http", "seclab.nu", None, None, None)
sampleURI1b = URI("http", "seclab.nu", None, None, None)
sampleURI2 = URI("http", "seclab.nu", None, "/blocked", "query")
sampleDirective1a = Directive("default-src", ())
sampleDirective1b = Directive("default-src", ())
sampleDirective2a = Directive("script-src",
(SourceExpression.UNSAFE_INLINE(), ))
sampleDirective2b = Directive("script-src",
(SourceExpression.UNSAFE_INLINE(), ))
samplePolicy1a = Policy((sampleDirective1a, sampleDirective2a))
samplePolicy1b = Policy((sampleDirective1b, sampleDirective2b))
samplePolicy2 = Policy((sampleDirective1a, ))
@pytest.fixture(autouse=True)
def initdir(self, tmpdir):
tmpdir.chdir()
def setUp(self):
self.fileIn = ReportDataReader(True)
self.filename = "encodingdecoding.dat"
self.fileOut = DataWriter(self.filename)
def tearDown(self):
pass
def testReportCreation(self):
"""Writes a Report and loads it back as an object."""
report = Report({
"abc": True,
"def": 1,
"ghi": "http://seclab.nu/",
"document-uri": ReportDataReaderTest.sampleURI1a,
"violated-directive": ReportDataReaderTest.sampleDirective1a,
"original-policy": ReportDataReaderTest.samplePolicy1a,
"blocked-uri": ReportDataReaderTest.sampleURI2
})
self.fileOut.storeAll([report])
self.fileOut.close()
dataOut = self.fileIn.loadAll(self.filename)
assert len(dataOut) == 1
print report
print dataOut[0]
assert report in dataOut
def testDirectiveParser_parse_none_syntaxerror_notstrict(self):
"""If 'none' appears in a directive not parsed strictly and other expressions occur, 'none' is ignored."""
noneDirectiveInvalid = """default-src http://one 'None' http://two"""
cspDirective = DirectiveParser(
strict=False).parse(noneDirectiveInvalid)
assert cspDirective == Directive("default-src", [
URISourceExpression("http", "one", None, None),
URISourceExpression("http", "two", None, None)
])
def testPolicyParser_parse_noDefaultSrcRewriting(self):
policy = """default-src 'self' http://seclab.nu"""
cspPolicy = PolicyParser(expandDefaultSrc=False,
defaultSrcTypes=("img-src",
"connect-src")).parse(policy)
assert cspPolicy == Policy([
Directive("default-src", [
PolicyTest.sampleSourceExpression1,
PolicyTest.sampleSourceExpression2
])
])
def testDirective_asBasicDirectives_single(self):
assert Directive.INVALID().asBasicDirectives() == set([])
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().asBasicDirectives(
) == set([])
assert Directive.INLINE_SCRIPT_BASE_RESTRICTION().asBasicDirectives(
) == set([])
assert Directive.INLINE_STYLE_BASE_RESTRICTION().asBasicDirectives(
) == set([])
sampleDirective = Directive("img-src", [DirectiveTest.sampleSrcExpr1b])
assert sampleDirective.asBasicDirectives() == set([sampleDirective])
def testDirective_generateDirective_incompatibleURI(self):
violatedRegular = Directive("object-src", [])
violatedInline = Directive("style-src", [])
violatedEval = Directive("script-src", [])
assert violatedRegular.generateDirective("regular", URI.EMPTY()) == Directive.INVALID()
assert violatedRegular.generateDirective("regular", URI.INVALID()) == Directive.INVALID()
#assert violatedInline.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedInline.generateDirective("inline", URI.INVALID()) == Directive.INVALID()
#assert violatedEval.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedEval.generateDirective("eval", URI.INVALID()) == Directive.INVALID()
def testDirective_init_removeDoubleSelfExpressions(self):
srcExpr1 = URISourceExpression("http", "seclab.nu", "*", None)
srcExpr2 = SelfSourceExpression.SELF()
srcExpr3 = SelfSourceExpression()
whitelisted = Directive(
"img-src",
[srcExpr1, srcExpr2, srcExpr3]).getWhitelistedSourceExpressions()
assert len(
whitelisted
) == 2 # one self expression should be removed (can have at most one)
assert srcExpr1 in whitelisted and (srcExpr2 in whitelisted
or srcExpr3 in whitelisted)
def testPolicy_combinedPolicy_validDefaultSrcOnly(self):
"""Combination of two policies with default directive is possible only if both policies contain
only a default directive."""
pol1 = Policy([PolicyTest.sampleDirective1a])
pol2 = Policy([PolicyTest.sampleDirective9])
expected = Policy([
Directive("default-src", [
PolicyTest.sampleSourceExpression1,
SourceExpression.UNSAFE_INLINE()
])
])
assert pol1.combinedPolicy(pol2) == expected
assert pol2.combinedPolicy(pol1) == expected
def testPolicyParser_parse_defaultSrcRewriting(self):
"""The default directive is used for each type that is not specifically defined (if the flag is enabled)."""
policy = """default-src 'self' http://seclab.nu; connect-src 'self' https://abc.seclab.nu/path chrome-extension:"""
cspPolicy = PolicyParser(expandDefaultSrc=True,
defaultSrcTypes=("img-src",
"connect-src")).parse(policy)
assert cspPolicy == Policy([
PolicyTest.sampleDirective5,
Directive("img-src", [
PolicyTest.sampleSourceExpression1,
PolicyTest.sampleSourceExpression2
])
])
def testPolicyParser_parse_duplicates(self):
"""The CSP standard mandates that only the first directive of each type should be used."""
duplicatePolicy = """connect-src 'self' chrome-extension: https://abc.seclab.nu/path; """ \
+ """font-src 'self' http://seclab.nu; """ \
+ """connect-src 'self' https://example.com"""
cspPolicy = PolicyParser().parse(duplicatePolicy)
assert cspPolicy == Policy([
PolicyTest.sampleDirective5,
Directive("font-src", [
PolicyTest.sampleSourceExpression1,
PolicyTest.sampleSourceExpression2
])
])
def testDirective_asBasicDirectives_multiple(self):
sampleDirective = Directive("script-src", [
SelfSourceExpression.SELF(), DirectiveTest.sampleSrcExpr1a,
DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3
])
assert sampleDirective.asBasicDirectives() == set([
Directive("script-src", [SelfSourceExpression.SELF()]),
Directive("script-src", [DirectiveTest.sampleSrcExpr1a]),
Directive("script-src", [DirectiveTest.sampleSrcExpr2]),
Directive("script-src", [DirectiveTest.sampleSrcExpr3])
])
def testDirective_combine_removeDuplicates(self):
direct1 = Directive(
"img-src",
[DirectiveTest.sampleSrcExpr1a,
SelfSourceExpression.SELF()])
direct2 = Directive("img-src", [DirectiveTest.sampleSrcExpr1b])
assert direct1.combinedDirective(direct2) == direct1
assert direct2.combinedDirective(direct1) == direct1
def testDirective_combine_regular(self):
direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a])
direct2 = Directive("default-src", [DirectiveTest.sampleSrcExpr2])
expected = Directive("default-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
assert direct1.combinedDirective(direct2) == expected
assert direct2.combinedDirective(direct1) == expected
assert direct1.combinedDirective(direct1) == direct1
assert direct2.combinedDirective(direct2) == direct2
def testDirective_matches(self):
"""A few standard tests."""
directive1 = Directive("object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
directive2 = Directive("frame-src", [DirectiveTest.sampleSrcExpr2])
directive3 = Directive("default-src", [])
selfURI = DirectiveTest.sampleURI2
assert directive1.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive1.matches(DirectiveTest.sampleURI2, selfURI)
assert not directive2.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive2.matches(DirectiveTest.sampleURI2, selfURI)
assert not directive3.matches(DirectiveTest.sampleURI1, selfURI)
assert not directive3.matches(DirectiveTest.sampleURI2, selfURI)
def testDirectiveParser_parse_inline(self):
"""'unsafe-inline' keyword allowed only in 'script-src' and 'style-src' and 'default-src'"""
scriptSrcWithInline = """script-src 'self' 'unsafe-inline' http://me.com/"""
styleSrcWithInline = """style-src 'unsafe-inline' http://other"""
styleSrcWithInlineOnly = """style-src 'unsafe-inline'"""
defaultSrcWithInlineOnly = """default-src 'unsafe-inline'"""
invalidObjectSrcWithInline = """object-src 'self' 'unsafe-inline'"""
invalidObjectSrcWithInlineOnly = """object-src 'unsafe-inline'"""
assert str(DirectiveParser().parse(
scriptSrcWithInline)) == scriptSrcWithInline
assert str(
DirectiveParser().parse(styleSrcWithInline)) == styleSrcWithInline
assert str(DirectiveParser().parse(
styleSrcWithInlineOnly)) == styleSrcWithInlineOnly
assert str(DirectiveParser().parse(
defaultSrcWithInlineOnly)) == defaultSrcWithInlineOnly
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInline) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInline)) \
== "object-src 'self'"
assert DirectiveParser(strict=True).parse(invalidObjectSrcWithInlineOnly) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidObjectSrcWithInlineOnly)) \
== "object-src 'none'"
def testDirectiveParser_parse_eval(self):
"""'unsafe-eval' keyword allowed only in 'script-src' and 'default-src'"""
scriptSrcWithEval = """script-src 'self' 'unsafe-eval' 'unsafe-inline'"""
scriptSrcWithEvalOnly = """script-src 'unsafe-eval'"""
defaultSrcWithInlineAndEvalOnly = """default-src 'unsafe-eval' 'unsafe-inline'"""
invalidImgSrcWithEval = """img-src http://example/path 'unsafe-eval'"""
assert str(
DirectiveParser().parse(scriptSrcWithEval)) == scriptSrcWithEval
assert str(DirectiveParser().parse(
scriptSrcWithEvalOnly)) == scriptSrcWithEvalOnly
assert str(DirectiveParser().parse(defaultSrcWithInlineAndEvalOnly)) \
== defaultSrcWithInlineAndEvalOnly
assert DirectiveParser(strict=True).parse(invalidImgSrcWithEval) \
== Directive.INVALID()
assert str(DirectiveParser(strict=False).parse(invalidImgSrcWithEval)) \
== "img-src http://example/path"
def testDirective_generateDirective_inline(self):
violated = Directive("style-src", [DirectiveTest.sampleSrcExpr2])
generated = violated.generateDirective("inline", URI.EMPTY())
assert generated == Directive("style-src", [SourceExpression.UNSAFE_INLINE()])
def testDirective_generateDirective_defaultSrcNotAllowed(self):
violated = Directive("default-src", [])
assert violated.generateDirective("regular", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_withoutPaths_schemeOnly(self):
chromeExt = Directive("img-src", [URISourceExpression("chrome-extension", "mkfokfffehpeedafpekjeddnmnjhmcmk", None, None)])
assert chromeExt.withoutPaths(["chrome-extension"]) == Directive("img-src", [URISourceExpression("chrome-extension", None, None, None)])
def testDirective_generateDirective_eval(self):
violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a])
generated = violated.generateDirective("eval", URI.EMPTY())
assert generated == Directive("script-src", [SourceExpression.UNSAFE_EVAL()])
def testDirective_generateDirective_invalidType(self):
violated = Directive("script-src", [DirectiveTest.sampleSrcExpr1a])
assert violated.generateDirective("evaluate", URI.EMPTY()) == Directive.INVALID()
def testDirective_combine_differentType(self):
direct1 = Directive("default-src", [DirectiveTest.sampleSrcExpr1a])
direct2 = Directive("script-src", [DirectiveTest.sampleSrcExpr2])
assert direct1.combinedDirective(direct2) == Directive.INVALID()
assert direct2.combinedDirective(direct1) == Directive.INVALID()
def testDirective_withoutPaths_removeDuplicates(self):
withPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2, DirectiveTest.sampleSrcExpr3])
withoutPaths = Directive("script-src", [DirectiveTest.sampleSrcExpr2.removePath()])
assert withPaths.withoutPaths() == withoutPaths
def testDirective_combine_notRegularURI(self):
direct = Directive("style-src", [SelfSourceExpression.SELF()])
assert direct.combinedDirective(Directive.INVALID()) == Directive.INVALID()
assert Directive.INVALID().combinedDirective(direct) == Directive.INVALID()
assert direct.combinedDirective(Directive.EVAL_SCRIPT_BASE_RESTRICTION()) == Directive.INVALID()
assert Directive.EVAL_SCRIPT_BASE_RESTRICTION().combinedDirective(direct) == Directive.INVALID()
def testDirective_generateDirective_incompatibleType(self):
violatedWrongInlineType = Directive("object-src", [])
violatedWrongEvalType = Directive("style-src", [])
assert violatedWrongInlineType.generateDirective("inline", DirectiveTest.sampleURI1) == Directive.INVALID()
assert violatedWrongEvalType.generateDirective("eval", DirectiveTest.sampleURI1) == Directive.INVALID()
def testDirective_generateDirective_regular(self):
violated = Directive("object-src", [DirectiveTest.sampleSrcExpr1a, DirectiveTest.sampleSrcExpr2])
generated = violated.generateDirective("regular", DirectiveTest.sampleURI2)
assert generated == Directive("object-src", [URISourceExpression("http", "seclab.ccs.neu.edu", 80, "/path")])
def testDirective_combine_removeDuplicates(self):
direct1 = Directive("img-src", [DirectiveTest.sampleSrcExpr1a, SelfSourceExpression.SELF()])
direct2 = Directive("img-src", [DirectiveTest.sampleSrcExpr1b])
assert direct1.combinedDirective(direct2) == direct1
assert direct2.combinedDirective(direct1) == direct1
