def test_cors_headers(self, m):
    """A wildcard ``Access-Control-Allow-Headers`` value must produce the HEADERS_WILDCARD signal.

    ``m`` is the mock adapter on which the canned GET response is registered
    (presumably a requests_mock mocker -- confirm against the class fixture).
    """
    url = "http://example.com"
    m.register_uri("GET", url, headers={"Access-Control-Allow-Headers": "*"})
    fake_test = FakeTestObject(requests.get(url))
    # cors() inspects the wrapped response and returns a signal for the offending header
    signal = cors(fake_test)
    self.assertEqual("HEADER_CORS_HEADERS_WILDCARD", signal.slug)
def test_cors_methods(self, m):
    """A wildcard ``Access-Control-Allow-Methods`` value must produce the METHODS_WILDCARD signal.

    ``m`` is the mock adapter on which the canned GET response is registered
    (presumably a requests_mock mocker -- confirm against the class fixture).
    """
    url = "http://example.com"
    m.register_uri("GET", url, headers={"Access-Control-Allow-Methods": "*"})
    fake_test = FakeTestObject(requests.get(url))
    signal = cors(fake_test)
    self.assertEqual("HEADER_CORS_METHODS_WILDCARD", signal.slug)
def test_not_cors_headers(self, m):
    """An explicit, non-wildcard ``Access-Control-Allow-Origin`` must yield no CORS signal.

    This is the negative case: only wildcard values are meant to be flagged,
    so a concrete origin should leave ``cors()`` returning ``None``.
    """
    url = "http://example.com"
    m.register_uri(
        "GET", url, headers={"Access-Control-Allow-Origin": "www.gg.com"}
    )
    fake_test = FakeTestObject(requests.get(url))
    self.assertIsNone(cors(fake_test))
def test_case(self):
    """Run the CORS header check and register one issue per wildcard CORS slug.

    The ``cors`` signal is registered on ``self.test_signals``; every resulting
    slug containing ``HEADER_CORS`` becomes a ``CORS_HEADER`` issue. Slugs that
    mention ``ORIGIN`` are rated HIGH, the other CORS wildcards MEDIUM.
    """
    self.test_signals.register(cors(self))
    # Materialise the matching slugs before issuing, so issue registration
    # cannot interfere with the slug collection being iterated.
    cors_slugs = list(
        filter(lambda s: "HEADER_CORS" in s, self.test_signals.all_slugs)
    )
    for slug in cors_slugs:
        # A wildcard origin lets any web origin read the response, which is
        # why it is rated above the Headers/Methods wildcards.
        severity = syntribos.HIGH if "ORIGIN" in slug else syntribos.MEDIUM
        self.register_issue(
            defect_type="CORS_HEADER",
            severity=severity,
            confidence=syntribos.HIGH,
            description=_(
                "CORS header vulnerability found.\n"
                "Make sure that the header is not assigned "
                "a wildcard character."
            ),
        )