def test_URISourceExpression_match_scheme_host_different(self):
"""A source expression with a scheme and a host name without a star matches only if the host name
is the same (case insensitive)."""
srcExpr = URISourceExpression("http", "blog.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
def test_URISourceExpression_match_scheme_host_different(self):
"""A source expression with a scheme and a host name without a star matches only if the host name
is the same (case insensitive)."""
srcExpr = URISourceExpression("http", "blog.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
def test_URISourceExpression_match_path_exact(self):
"""If the final character of the path in the source expression is not /, then the path
in the URI must be an exact match (excluding the query component)."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
def test_URISourceExpression_match_starhost(self):
"""Checks the behaviour of a fully specified URI with * as the hostname, that should match
any host as long as the scheme, port, and path match (is this in line with the CSP 1.1 specification??)"""
srcExpr = URISourceExpression("http", "*", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
def test_URISourceExpression_match_noscheme_http(self):
"""A source expression without a scheme and http as the protected resource's scheme match only
if the URI has the scheme http or https"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_longer1
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_noscheme_same(self):
"""A source expression without a scheme and the protected resource's scheme being different from http
match only if the URI has the same scheme as the protected resource"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_noport(self):
"""A source expression without a port matches only if the URI uses the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", None, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_query(self):
"""The query component in an URI should not matter when matching."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", None),
selfURI)
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", "query"),
selfURI)
def test_URISourceExpression_match_scheme_star(self):
"""A source expression with a scheme and a host name including a star matches only if the domain name
of the URI includes a subdomain at the level of the star (or below)."""
srcExpr = URISourceExpression("http", "*.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlSubstring, selfURI) # must be a true subdomain, not just substring
def test_URISourceExpression_match_port_star(self):
"""A source expression matches if the port is * (and everything else matches)."""
srcExpr = URISourceExpression("https", "seclab.nu", "*", None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_schemedomain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
def test_URISourceExpression_match_scheme_different(self):
"An URI with a different (case-insensitive) scheme than the source expression does not match."""
srcExpr = URISourceExpression("https", "seclab.nu", 80, "/path")
srcExprUpper = URISourceExpression("HTTPS", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExprUpper.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprUpper.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
def test_URISourceExpression_match_noscheme_http(self):
"""A source expression without a scheme and http as the protected resource's scheme match only
if the URI has the scheme http or https"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_longer1
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_path_exact(self):
"""If the final character of the path in the source expression is not /, then the path
in the URI must be an exact match (excluding the query component)."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
def test_URISourceExpression_match_noscheme_same(self):
"""A source expression without a scheme and the protected resource's scheme being different from http
match only if the URI has the same scheme as the protected resource"""
srcExpr = URISourceExpression(None, "seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
def test_URISourceExpression_match_starhost(self):
"""Checks the behaviour of a fully specified URI with * as the hostname, that should match
any host as long as the scheme, port, and path match (is this in line with the CSP 1.1 specification??)"""
srcExpr = URISourceExpression("http", "*", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
def test_URISourceExpression_match_scheme_star(self):
"""A source expression with a scheme and a host name including a star matches only if the domain name
of the URI includes a subdomain at the level of the star (or below)."""
srcExpr = URISourceExpression("http", "*.seclab.nu", None, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url1Sub, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_url2Sub, selfURI)
assert not srcExpr.matches(
SourceExpressionTest.uri_urlSubstring,
selfURI) # must be a true subdomain, not just substring
def test_URISourceExpression_match_empty_path(self):
"""If the path component of the source expression or the URI is the empty string, it
should be treated the same as being None."""
srcExprEmpty = URISourceExpression("http", "seclab.nu", 80, "")
srcExprNone = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprEmpty.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, None), selfURI)
assert srcExprNone.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, None), selfURI)
def test_URISourceExpression_match_path_slash(self):
"""If the final character of the path in the source expression is /, then the path in
the URI must be a prefix of the path."""
srcExprShort = URISourceExpression("http", "seclab.nu", 80, "/")
srcExprLong = URISourceExpression("http", "seclab.nu", 80, "/path/")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
assert not srcExprLong.matches(SourceExpressionTest.uri_urlFull, selfURI) # this is a file
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer1, selfURI)
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer2, selfURI)
def test_URISourceExpression_match_scheme_different(self):
"An URI with a different (case-insensitive) scheme than the source expression does not match." ""
srcExpr = URISourceExpression("https", "seclab.nu", 80, "/path")
srcExprUpper = URISourceExpression("HTTPS", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExprUpper.matches(SourceExpressionTest.uri_urlFull,
selfURI)
assert srcExprUpper.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
def test_URISourceExpression_match_port_star(self):
"""A source expression matches if the port is * (and everything else matches)."""
srcExpr = URISourceExpression("https", "seclab.nu", "*", None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_schemedomain,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
def test_URISourceExpression_match_empty_path(self):
"""If the path component of the source expression or the URI is the empty string, it
should be treated the same as being None."""
srcExprEmpty = URISourceExpression("http", "seclab.nu", 80, "")
srcExprNone = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprEmpty.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprEmpty.matches(URI("http", "seclab.nu", 80, None),
selfURI)
assert srcExprNone.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, ""), selfURI)
assert srcExprNone.matches(URI("http", "seclab.nu", 80, None), selfURI)
def test_URISourceExpression_match_scheme_only(self):
"A source expression where only the scheme matters"
srcExpr = URISourceExpression("chrome-extension", None, None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
def test_URISourceExpression_match_scheme_only(self):
"A source expression where only the scheme matters"
srcExpr = URISourceExpression("chrome-extension", None, None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_other,
selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
def test_URISourceExpression_match_port_same(self):
"""A source expression matches if the port is the same (and everything else matches), or
if the port is not given in the URI, it matches the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", 443, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
srcExpr80 = URISourceExpression("https", "seclab.nu", 80, None)
assert srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert not srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr80.matches(SourceExpressionTest.uri_schemedomain_secure, selfURI)
def test_URISourceExpression_match_path_slash(self):
"""If the final character of the path in the source expression is /, then the path in
the URI must be a prefix of the path."""
srcExprShort = URISourceExpression("http", "seclab.nu", 80, "/")
srcExprLong = URISourceExpression("http", "seclab.nu", 80, "/path/")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert srcExprShort.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
assert not srcExprLong.matches(SourceExpressionTest.uri_urlFull,
selfURI) # this is a file
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer1,
selfURI)
assert srcExprLong.matches(SourceExpressionTest.uri_urlFull_longer2,
selfURI)
def test_URISourceExpression_match_port_same(self):
"""A source expression matches if the port is the same (and everything else matches), or
if the port is not given in the URI, it matches the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", 443, None)
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_schemedomain_secure,
selfURI)
srcExpr80 = URISourceExpression("https", "seclab.nu", 80, None)
assert srcExpr80.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert not srcExpr80.matches(
SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)
assert not srcExpr80.matches(
SourceExpressionTest.uri_schemedomain_secure, selfURI)
def test_URISourceExpression_match_nohost(self):
"An URI with no host does not match any source expression that is not *"
srcExpr = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
def test_URISourceExpression_match_star(self):
"A source expression that should match everything (except for special URIs)."
srcExpr = URISourceExpression(None, "*", None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
assert not srcExpr.matches(URI.EMPTY(), selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)
def test_URISourceExpression_match_query(self):
"""The query component in an URI should not matter when matching."""
srcExpr = URISourceExpression("http", "seclab.nu", 80, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", None), selfURI)
assert srcExpr.matches(URI("http", "seclab.nu", 80, "/path", "query"), selfURI)
def test_URISourceExpression_match_star(self):
"A source expression that should match everything (except for special URIs)."
srcExpr = URISourceExpression(None, "*", None, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert srcExpr.matches(SourceExpressionTest.uri_chromeExtension,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure,
selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_other, selfURI)
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_domain, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_data, selfURI)
assert not srcExpr.matches(URI.EMPTY(), selfURI)
assert not srcExpr.matches(URI.INVALID(), selfURI)
assert not srcExpr.matches(URI.INLINE(), selfURI)
assert not srcExpr.matches(URI.EVAL(), selfURI)
def test_URISourceExpression_match_nohost(self):
"An URI with no host does not match any source expression that is not *"
srcExpr = URISourceExpression("http", "seclab.nu", 80, None)
selfURI = SourceExpressionTest.uri_chromeExtension
assert not srcExpr.matches(SourceExpressionTest.uri_empty, selfURI)
def test_URISourceExpression_match_noport(self):
"""A source expression without a port matches only if the URI uses the default port for the scheme."""
srcExpr = URISourceExpression("https", "seclab.nu", None, "/path")
selfURI = SourceExpressionTest.uri_urlFull_secure
assert not srcExpr.matches(SourceExpressionTest.uri_urlFull_secure, selfURI)
assert srcExpr.matches(SourceExpressionTest.uri_urlFull_secure_defaultPort, selfURI)