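    def test_json_xsrf(self):
        """Check that filter_json_xsrf warns only for XSRF-prone JSON bodies.

        A top-level JSON array or a bare JSON string (with or without
        surrounding whitespace) must leave exactly one entry in
        ``self.get_logs()``; a JSON object or a primitive (booleans,
        ``null``, numbers) must leave none.
        """
        def json_response(string_value):
            # Build a 200 application/json response around ``string_value``
            # and run it through the filter under test.  Kept as a helper so
            # both loops below exercise exactly the same response setup.
            resp = Response(string_value)
            resp.status = 200
            resp.content_type = 'application/json'
            filter_json_xsrf(resp)
            return resp

        # a view returning a vulnerable json response should issue a warning
        for value in [
                '["value1", "value2"]',  # json array
                '  \n ["value1", "value2"] ',  # may include whitespace
                '"value"',  # strings may contain nasty characters in UTF-7
        ]:
            json_response(value)
            # NOTE(review): assumes get_logs() reports only the records of
            # the current check, otherwise the count would accumulate — confirm
            assert len(self.get_logs()) == 1, "Expected warning: %s" % value

        # a view returning safe json response should not issue a warning
        for value in [
                '{"value1": "value2"}',  # json object
                '  \n {"value1": "value2"} ',  # may include whitespace
                'true',
                'false',
                'null',  # primitives
                '123',
                '-123',
                '0.123',  # numbers
        ]:
            json_response(value)
            assert len(self.get_logs()) == 0, "Unexpected warning: %s" % value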
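    def test_json_xsrf(self):
        """Check that filter_json_xsrf warns only for XSRF-prone JSON bodies.

        A top-level JSON array or a bare JSON string (with or without
        surrounding whitespace) must leave exactly one entry in
        ``self.get_logs()``; a JSON object or a primitive (booleans,
        ``null``, numbers) must leave none.
        """
        def json_response(string_value):
            # Build a 200 application/json response around ``string_value``
            # and run it through the filter under test.  Kept as a helper so
            # both loops below exercise exactly the same response setup.
            resp = Response(string_value)
            resp.status = 200
            resp.content_type = 'application/json'
            filter_json_xsrf(resp)
            return resp

        # a view returning a vulnerable json response should issue a warning
        for value in [
            '["value1", "value2"]',  # json array
            '  \n ["value1", "value2"] ',  # may include whitespace
            '"value"',  # strings may contain nasty characters in UTF-7
            ]:
            json_response(value)
            # NOTE(review): assumes get_logs() reports only the records of
            # the current check, otherwise the count would accumulate — confirm
            assert len(self.get_logs()) == 1, "Expected warning: %s" % value

        # a view returning safe json response should not issue a warning
        for value in [
            '{"value1": "value2"}',  # json object
            '  \n {"value1": "value2"} ',  # may include whitespace
            'true', 'false', 'null',  # primitives
            '123', '-123', '0.123',  # numbers
            ]:
            json_response(value)
            assert len(self.get_logs()) == 0, "Unexpected warning: %s" % value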
 def test_json_xsrf_vulnerable_values_warning(self):
     """Each XSRF-prone JSON body must make filter_json_xsrf log one warning.

     Top-level arrays (with or without surrounding whitespace) and bare
     strings are the bodies the filter is expected to flag.
     """
     # a view returning a vulnerable json response should issue a warning
     for body in (
         '["value1", "value2"]',  # json array
         '  \n ["value1", "value2"] ',  # may include whitespace
         '"value"',  # strings may contain nasty characters in UTF-7
     ):
         flagged = Response(body)
         flagged.content_type = 'application/json'
         flagged.status = 200
         filter_json_xsrf(flagged)
         assert len(self.get_logs()) == 1, "Expected warning: %s" % body
 def test_json_xsrf_vulnerable_values_warning(self):
     """Each XSRF-prone JSON body must make filter_json_xsrf log one warning.

     Top-level arrays (with or without surrounding whitespace) and bare
     strings are the bodies the filter is expected to flag.
     """
     def run_filter(body):
         # Wrap ``body`` in a 200 application/json response and filter it.
         candidate = Response(body)
         candidate.status = 200
         candidate.content_type = 'application/json'
         filter_json_xsrf(candidate)

     vulnerable_values = [
         '["value1", "value2"]',  # json array
         '  \n ["value1", "value2"] ',  # may include whitespace
         '"value"',  # strings may contain nasty characters in UTF-7
     ]
     # a view returning a vulnerable json response should issue a warning
     for body in vulnerable_values:
         run_filter(body)
         assert len(self.get_logs()) == 1, "Expected warning: %s" % body
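    def test_json_xsrf(self):
        """Check that filter_json_xsrf logs one warning for a top-level list body.

        The filter is expected to flag the list even when the body is padded
        with surrounding whitespace.
        """
        # a view returning a json list should issue a warning
        resp = Response(json.dumps(('value1', 'value2')))
        resp.status = 200
        resp.content_type = 'application/json'
        filter_json_xsrf(resp)
        # assertEqual: the assertEquals alias is deprecated and was removed
        # from unittest in Python 3.12
        self.assertEqual(len(self.get_logs()), 1)

        # json lists can also start and end with spaces
        # NOTE(review): this body is a Python tuple repr, not valid JSON;
        # presumably the filter keys on the leading bracket only — confirm
        resp = Response(" ('value1', 'value2') ")
        resp.status = 200
        resp.content_type = 'application/json'
        filter_json_xsrf(resp)
        self.assertEqual(len(self.get_logs()), 1)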
 def test_json_xsrf_safe_values_no_warning(self):
     """Safe JSON bodies must pass filter_json_xsrf without any warning.

     Objects (with or without surrounding whitespace), booleans, ``null``
     and numbers are the bodies the filter must leave unflagged.
     """
     # a view returning safe json response should not issue a warning
     for body in (
         '{"value1": "value2"}',  # json object
         '  \n {"value1": "value2"} ',  # may include whitespace
         'true', 'false', 'null',  # primitives
         '123', '-123', '0.123',  # numbers
     ):
         harmless = Response(body)
         harmless.content_type = 'application/json'
         harmless.status = 200
         filter_json_xsrf(harmless)
         assert len(self.get_logs()) == 0, "Unexpected warning: %s" % body
 def test_json_xsrf_safe_values_no_warning(self):
     """Safe JSON bodies must pass filter_json_xsrf without any warning.

     Objects (with or without surrounding whitespace), booleans, ``null``
     and numbers are the bodies the filter must leave unflagged.
     """
     def run_filter(body):
         # Wrap ``body`` in a 200 application/json response and filter it.
         candidate = Response(body)
         candidate.status = 200
         candidate.content_type = 'application/json'
         filter_json_xsrf(candidate)

     safe_values = [
         '{"value1": "value2"}',  # json object
         '  \n {"value1": "value2"} ',  # may include whitespace
         'true',
         'false',
         'null',  # primitives
         '123',
         '-123',
         '0.123',  # numbers
     ]
     # a view returning safe json response should not issue a warning
     for body in safe_values:
         run_filter(body)
         assert len(self.get_logs()) == 0, "Unexpected warning: %s" % body
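 def json_response(string_value):
     """Wrap ``string_value`` in a 200 application/json Response and filter it.

     The response is passed through filter_json_xsrf and then returned, so
     callers can inspect what the filter saw (the original discarded it).
     """
     resp = Response(string_value)
     resp.status = 200
     resp.content_type = 'application/json'
     filter_json_xsrf(resp)
     return resp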
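 def json_response(string_value):
     """Wrap ``string_value`` in a 200 application/json Response and filter it.

     The response is passed through filter_json_xsrf and then returned, so
     callers can inspect what the filter saw (the original discarded it).
     """
     resp = Response(string_value)
     resp.status = 200
     resp.content_type = 'application/json'
     filter_json_xsrf(resp)
     return resp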