Пример #1
0
 def testPolicy_compareTo_invalid(self):
     assert Policy.INVALID().compareTo(Policy.INVALID()) == (set([]),
                                                             set([]),
                                                             set([]))
     pol = Policy([PolicyTest.sampleDirective9])
     assert pol.compareTo(Policy.INVALID()) == (set([]), set([]), set([]))
     assert Policy.INVALID().compareTo(pol) == (set([]), set([]), set([]))
Пример #2
0
 def testPolicy_combinedPolicy_invalidPolicy(self):
     pol = Policy([
         PolicyTest.sampleDirective1a, PolicyTest.sampleDirective2,
         PolicyTest.sampleDirective3
     ])
     assert pol.combinedPolicy(Policy.INVALID()) == Policy.INVALID()
     assert Policy.INVALID().combinedPolicy(pol) == Policy.INVALID()
Пример #3
0
 def testLogEntry_generatePolicy_incomplete(self):
     logEntryNoReport = LogEntryTest.logEntryData.copy()
     del logEntryNoReport['csp-report']
     logEntryNoPolicyType = LogEntryTest.logEntryData.copy()
     del logEntryNoPolicyType['policy-type']
     assert LogEntry(logEntryNoReport).generatePolicy() == Policy.INVALID()
     assert LogEntry(
         logEntryNoPolicyType).generatePolicy() == Policy.INVALID()
Пример #4
0
 def testReport_generatePolicy_missingReportField(self):
     reportNoViolated = Report({
         "blocked-uri": ReportTest.sampleURI1a,
         "document-uri": ReportTest.sampleURI2
     })
     reportNoBlocked = Report({
         "violated-directive": ReportTest.sampleDirective2a,
         "document-uri": ReportTest.sampleURI2
     })
     assert reportNoViolated.generatePolicy("regular") == Policy.INVALID()
     assert reportNoBlocked.generatePolicy("regular") == Policy.INVALID()
Пример #5
0
 def testPolicy_matches_invalid(self):
     """An invalid policy matches nothing."""
     selfURI = PolicyTest.sampleURI2
     assert not Policy.INVALID().matches(PolicyTest.sampleURI1a,
                                         "script-src", selfURI)
     assert not Policy.INVALID().matches(URI.INVALID(), "script-src",
                                         selfURI)
     assert not Policy.INVALID().matches(URI.EMPTY(), "script-src", selfURI)
     assert not Policy.INVALID().matches(URI.INLINE(), "script-src",
                                         selfURI)
     assert not Policy.INVALID().matches(URI.EVAL(), "script-src", selfURI)
Пример #6
0
 def testPolicy_eq(self):
     pol1a = Policy(
         (PolicyTest.sampleDirective1a, PolicyTest.sampleDirective2,
          PolicyTest.sampleDirective3))
     pol1b = Policy(
         (PolicyTest.sampleDirective1b, PolicyTest.sampleDirective2,
          PolicyTest.sampleDirective3))
     pol2 = Policy(
         (PolicyTest.sampleDirective2, PolicyTest.sampleDirective3))
     assert Policy.INVALID() == Policy.INVALID()
     assert pol1a == pol1b
     assert hash(pol1a) == hash(pol1b)
     assert pol1a != pol2
Пример #7
0
 def testPolicy_withoutPaths(self):
     withPaths = Policy([
         PolicyTest.sampleDirective3, PolicyTest.sampleDirective5,
         PolicyTest.sampleDirective7
     ])
     withoutPaths = Policy([
         PolicyTest.sampleDirective3,
         PolicyTest.sampleDirective5.withoutPaths(),
         PolicyTest.sampleDirective7
     ])
     assert withPaths.withoutPaths() == withoutPaths
     assert withoutPaths.withoutPaths() == withoutPaths
     assert Policy.INVALID().withoutPaths() == Policy.INVALID()
Пример #8
0
 def generatePolicy(self):
     """
     Generates a new policy that allows exactly the kind of event that caused the CSP violation report
     in this log entry (but nothing more). This assumes that (1) the violation report contains a specific
     violated-directive field (it may not be 'default-src'), and (2) that the log entry contains the type
     of the violation report ('regular', 'eval' or 'inline'). If any inconsistent log entries/reports are used
     to generate policies, the policies themselves will be inconsistent. The result of this method is
     a Policy. It is Policy.INVALID() if (1) the violated directive is missing, Directive.INVALID() or
     'default-src', (2) if this log entry has none of the types 'regular', 'inline' or 'eval', (3) the
     'blocked-uri' is URI.INVALID() or URI.EMPTY() in the 'regular' case.
     
     The result is a basic Policy containing one whitelisted resource (corresponding to the violated directive). 
     In practice, it should not be used alone, but be combined with basic policies generated for other violations
     on the same web site. It should also be prepended with "default-src 'none'" to ensure that only the
     whitelisted resources are allowed. (The standard behaviour of CSP in absence of any default Directive is
     to assume "default-src *", which may not be the desired behaviour.)
     
     In particular, policies should be collected with CSP headers like these:
     
     Content-Security-Policy-Report-Only: default-src 'none'; script-src 'unsafe-eval' 'unsafe-inline'; object-src 'none'; style-src 'unsafe-inline'; img-src 'none'; media-src 'none'; frame-src 'none'; font-src 'none'; connect-src 'none'; report-uri /csp.cgi?type=regular
     Content-Security-Policy-Report-Only: default-src *; script-src * 'unsafe-inline'; style-src * 'unsafe-inline'; report-uri /csp.cgi?type=eval
     Content-Security-Policy-Report-Only: default-src *; script-src * 'unsafe-eval'; style-src *; report-uri /csp.cgi?type=inline
     
     The results should also be filtered to ensure that only reports sent by fully compatible browsers
     are taken into account.
     """
     if (self == LogEntry.INVALID() or 'policy-type' not in self
             or 'csp-report' not in self):
         return Policy.INVALID()
     return self['csp-report'].generatePolicy(self['policy-type'])
Пример #9
0
 def testPolicy_isBasicPolicy(self):
     assert Policy.INVALID().isBasicPolicy() == False
     assert Policy([PolicyTest.sampleDirective6]).isBasicPolicy() == False
     assert Policy([PolicyTest.sampleDirective1a]).isBasicPolicy() == True
     assert Policy(
         [PolicyTest.sampleDirective2,
          PolicyTest.sampleDirective4]).isBasicPolicy() == False
Пример #10
0
 def testReport_generatePolicy_fromInvalidDirectiveResult(self):
     reportDefaultSrc = Report({
         "blocked-uri": ReportTest.sampleURI1a,
         "violated-directive": ReportTest.sampleDirective1a,
         "document-uri": ReportTest.sampleURI2
     })
     assert reportDefaultSrc.generatePolicy("regular") == Policy.INVALID()
Пример #11
0
 def testPolicy_hasDefaultDirective(self):
     assert Policy.INVALID().hasDefaultDirective() == False
     assert Policy(
         [PolicyTest.sampleDirective2,
          PolicyTest.sampleDirective9]).hasDefaultDirective() == True
     assert Policy(
         [PolicyTest.sampleDirective5,
          PolicyTest.sampleDirective6]).hasDefaultDirective() == False
Пример #12
0
 def testReport_generatePolicy_wrongDocumentURI(self):
     reportEmptyDocument = Report({
         "blocked-uri": ReportTest.sampleURI1a,
         "violated-directive": ReportTest.sampleDirective1a,
         "document-uri": URI.EMPTY()
     })
     assert reportEmptyDocument.generatePolicy(
         "regular") == Policy.INVALID()
Пример #13
0
 def testPolicy_str_invalid(self):
     assert str(Policy.INVALID()) == "[invalid]"
Пример #14
0
 def testReport_generatePolicy_invalid(self):
     assert Report.INVALID().generatePolicy("regular") == Policy.INVALID()
Пример #15
0
 def testPolicy_asBasicPolicies_single(self):
     assert Policy.INVALID().asBasicPolicies() == set([])
     assert Policy([PolicyTest.sampleDirective1a]).asBasicPolicies() == set(
         [Policy([PolicyTest.sampleDirective1a])])
Пример #16
0
 def testPolicy_combinedPolicy_invalidDefaultSrcInOnePolicyOnly(self):
     pol1 = Policy([PolicyTest.sampleDirective3])
     pol2 = Policy([PolicyTest.sampleDirective9])
     assert pol1.combinedPolicy(pol2) == Policy.INVALID()
     assert pol2.combinedPolicy(pol1) == Policy.INVALID()
Пример #17
0
 def testPolicy_combinedPolicy_invalidDefaultSrcAndOtherDirective(self):
     pol1 = Policy(
         [PolicyTest.sampleDirective1a, PolicyTest.sampleDirective3])
     pol2 = Policy([PolicyTest.sampleDirective9])
     assert pol1.combinedPolicy(pol2) == Policy.INVALID()
     assert pol2.combinedPolicy(pol1) == Policy.INVALID()
Пример #18
0
 def testLogEntry_generatePolicy_invalid(self):
     assert LogEntry.INVALID().generatePolicy() == Policy.INVALID()
Пример #19
0
 def testPolicyParser_parse_strict_onlyValidDirectives(self):
     """Ensures that a CSP policy does not parse in strict mode if it contains an invalid directive."""
     policy = """img-src 'none'; script-src"""
     cspPolicy = PolicyParser(strict=True).parse(policy)
     assert cspPolicy == Policy.INVALID()