def test_add_exception(self):
ESAPI.intrusion_detector().add_exception( RuntimeError('message') )
ESAPI.intrusion_detector().add_exception(
ValidationException("user message", "log message") )
ESAPI.intrusion_detector().add_exception(
IntrusionException("user message", "log message") )
username = "******"
password = "******"
auth = ESAPI.authenticator()
user = auth.create_user(username, password, password)
user.enable()
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
user.login_with_password(password)
# Generate some exceptions to disable the account
for i in range(15):
IntegrityException(
"IntegrityException %s" % i,
"IntegrityException %s" % i )
self.assertFalse(user.is_logged_in())
self.assertTrue(user.is_locked())
def test_get_user_from_token(self):
instance = ESAPI.authenticator()
instance.logout()
account_name = "testUserFromToken"
password = instance.generate_strong_password()
user = instance.create_user(account_name, password, password)
user.enable()
###
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
m = Morsel()
m.key = HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME
m.value = "ridiculous"
request.cookies[m.key] = m
# Wrong cookie should fail
self.assertRaises(AuthenticationException, instance.login, request, response)
user.logout()
###
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.authenticator().current_user = user
new_token = ESAPI.http_utilities().set_remember_token(
password, 10000, "test.com", request.path, request, response )
request.set_cookie( key=HTTPUtilities.REMEMBER_TOKEN_COOKIE_NAME, value=new_token )
ESAPI.http_utilities().set_current_http(request, response)
# Logout the current user so we can log them in with the remember cookie
user2 = instance.login(request, response)
self.assertEquals(user, user2)
def test_add_exception(self):
ESAPI.intrusion_detector().add_exception(RuntimeError('message'))
ESAPI.intrusion_detector().add_exception(
ValidationException("user message", "log message"))
ESAPI.intrusion_detector().add_exception(
IntrusionException("user message", "log message"))
username = "******"
password = "******"
auth = ESAPI.authenticator()
user = auth.create_user(username, password, password)
user.enable()
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
user.login_with_password(password)
# Generate some exceptions to disable the account
for i in range(15):
IntegrityException("IntegrityException %s" % i,
"IntegrityException %s" % i)
self.assertFalse(user.is_logged_in())
self.assertTrue(user.is_locked())
def login_with_password(self, password):
if password is None:
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException(
_("Login failed"),
_("Missing password: %(account_name)s") %
{'account_name': self.account_name})
# Don't let disabled users log in
if not self.is_enabled():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException(
_("Login failed"),
_("Disabled user attempt to login: %(account_name)s") %
{'account_name': self.account_name})
# Don't let locked users log in
if self.is_locked():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException(
_("Login failed"),
_("Locked user attempt to login: %(account_name)s") %
{'account_name': self.account_name})
# Don't let expired users log in
if self.is_expired():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException(
_("Login failed"),
_("Expired user attempt to login: %(account_name)s") %
{'account_name': self.account_name})
self.logout()
if self.verify_password(password):
self._logged_in = True
ESAPI.http_utilities().change_session_identifier(
ESAPI.current_request())
ESAPI.authenticator().current_user = self
self.last_login_time = datetime.now()
self.last_host_address = ESAPI.http_utilities(
).get_current_request().remote_host
self.logger.trace(
Logger.SECURITY_SUCCESS,
_("User logged in: %(account_name)s") %
{'account_name': self.account_name})
else:
self._logged_in = False
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
if self.get_failed_login_count() >= ESAPI.security_configuration(
).get_allowed_login_attempts():
self.lock()
raise AuthenticationLoginException(
_("Login failed"),
_("Incorrect password provided for %(account_name)s") %
{'account_name': self.account_name})
def test_add_csrf_token(self):
instance = ESAPI.authenticator()
username = "******"
password = '******'
user = instance.create_user(username, password, password)
instance.current_user = user
csrf1 = ESAPI.http_utilities().add_csrf_token('/test1')
self.assertTrue(csrf1.find('?') > -1)
csrf2 = ESAPI.http_utilities().add_csrf_token('test1?one=two')
self.assertTrue(csrf2.find('?') > -1)
def test_save_too_long_state_in_cookie(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
foo = "abcd" * 1000
data = {'long': foo}
try:
ESAPI.http_utilities().encrypt_state_in_cookie(response, data)
self.fail()
except:
pass
def login_with_password(self, password):
if password is None:
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException( _("Login failed"),
_("Missing password: %(account_name)s") %
{'account_name' : self.account_name})
# Don't let disabled users log in
if not self.is_enabled():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException( _("Login failed"),
_("Disabled user attempt to login: %(account_name)s") %
{'account_name' : self.account_name})
# Don't let locked users log in
if self.is_locked():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException( _("Login failed"),
_("Locked user attempt to login: %(account_name)s") %
{'account_name' : self.account_name})
# Don't let expired users log in
if self.is_expired():
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
raise AuthenticationLoginException( _("Login failed"),
_("Expired user attempt to login: %(account_name)s") %
{'account_name' : self.account_name})
self.logout()
if self.verify_password( password ):
self._logged_in = True
ESAPI.http_utilities().change_session_identifier( ESAPI.current_request() )
ESAPI.authenticator().current_user = self
self.last_login_time = datetime.now()
self.last_host_address = ESAPI.http_utilities().get_current_request().remote_host
self.logger.trace(Logger.SECURITY_SUCCESS,
_("User logged in: %(account_name)s") %
{'account_name' : self.account_name})
else:
self._logged_in = False
self.last_failed_login_time = datetime.now()
self.increment_failed_login_count()
if self.get_failed_login_count() >= ESAPI.security_configuration().get_allowed_login_attempts():
self.lock()
raise AuthenticationLoginException( _("Login failed"),
_("Incorrect password provided for %(account_name)s") %
{'account_name' : self.account_name})
def test_set_no_cache_headers(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
self.assertEquals(0, len(response.headers))
response.headers["test1"] = "1"
response.headers["test2"] = "2"
response.headers["test3"] = "3"
self.assertEquals(3, len(response.headers))
ESAPI.http_utilities().set_no_cache_headers( response )
self.assertTrue(response.headers.has_key('Cache-Control'))
self.assertTrue(response.headers.has_key('Expires'))
def test_state_from_encrypted_cookie(self):
request = MockHttpRequest()
response = MockHttpResponse()
empty = ESAPI.http_utilities().decrypt_state_from_cookie(request)
self.assertEquals({}, empty)
m = {'one' : 'aspect',
'two' : 'ridiculous',
'test_hard' : "&(@#*!^|;,." }
ESAPI.http_utilities().encrypt_state_in_cookie(m, response)
value = response.headers['Set-Cookie']
encrypted = value[value.find('=')+1:value.find(';')]
ESAPI.encryptor().decrypt(encrypted)
def test_change_session_identifier(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
session = request.session
session['one'] = 'one'
session['two'] = 'two'
session['three'] = 'three'
id1 = request.session.id
session = ESAPI.http_utilities().change_session_identifier(request)
id2 = request.session.id
self.assertFalse(id1 == id2)
self.assertEquals("one", session['one'])
def test_set_remember_token(self):
instance = ESAPI.authenticator()
account_name = "joestheplumber"
password = instance.generate_strong_password()
user = instance.create_user(account_name, password, password)
user.enable()
request = MockHttpRequest()
request.POST['username'] = account_name
request.POST['password'] = password
response = MockHttpResponse()
instance.login(request, response)
max_age = 60 * 60 * 24 * 14
ESAPI.http_utilities().set_remember_token( password, max_age, "domain", '/', request, response )
def is_session_absolute_timeout(self):
session = ESAPI.http_utilities().current_request.session
if session is None:
return True
deadline = session.creation_time + self.ABSOLUTE_TIMEOUT_LENGTH
return datetime.now() > deadline
def is_session_absolute_timeout(self):
session = ESAPI.http_utilities().current_request.session
if session is None:
return True
deadline = session.creation_time + self.ABSOLUTE_TIMEOUT_LENGTH
return datetime.now() > deadline
def is_session_timeout(self):
session = ESAPI.http_utilities().current_request.session
if session is None:
return True
deadline = session.last_accessed_time + self.IDLE_TIMEOUT_LENGTH
return datetime.now() > deadline
def is_session_timeout(self):
session = ESAPI.http_utilities().current_request.session
if session is None:
return True
deadline = session.last_accessed_time + self.IDLE_TIMEOUT_LENGTH
return datetime.now() > deadline
def test_add_header(self):
instance = ESAPI.http_utilities()
request = MockHttpRequest()
response = MockHttpResponse()
instance.set_current_http(request, response)
instance.add_header('HeaderName', 'HeaderValue')
def test_query_to_dict(self):
instance = ESAPI.http_utilities()
query = '?a=1&b=2&c=3'
testing = instance.query_to_dict(query)
correct = {'a' : '1', 'b' : '2', 'c' : '3'}
self.assertEquals(testing, correct)
def log(self, level, event_type, message, exception=None):
"""
Log the message after optionally encoding any special characters
that might be dangerous when viewed by an HTML based log viewer.
Also encode any carriage returns and line feeds to prevent log
injection attacks. This logs all the supplied parameters plus the
user ID, user's source IP, a logging specific session ID, and the
current date/time.
It will only log the message if the current logging level is
enabled, otherwise it will discard the message.
@param level: the severity level of the security event
@param event_type: the event_type of the event
(SECURITY, FUNCTIONALITY, etc.)
@param message: the message
@param exception: an exception
"""
# Before we waste all kinds of time preparing this event for the
# log, let check to see if its loggable
if not self.pyLogger.isEnabledFor(level):
return
user = ESAPI.authenticator().current_user
# create a random session number for the user to represent the
# user's 'session', if it doesn't exist already
sid = _("unknown")
request = ESAPI.http_utilities().current_request
if request is not None:
session = request.session
if session is not None:
sid = session.get('ESAPI_SESSION', None)
# if there is no session id for the user yet, create one
# and store it in the user's session
if sid is None:
sid = str(ESAPI.randomizer().get_random_integer(0, 1000000))
session['ESAPI_SESSION'] = sid
# ensure there's something to log
if message is None:
message = ""
# ensure no CRLF injection into logs for forging records
clean = message.replace('\n', '_').replace('\r', '_')
if ESAPI.security_configuration().get_log_encoding_required():
clean = ESAPI.encoder().encode_for_html(message)
if message != clean:
clean += " (Encoded)"
extra = {
'eventType' : str(event_type),
'eventSuccess' : [_("SUCCESS"),_("FAILURE")][event_type.is_success()],
'user' : user.account_name,
'hostname' : user.last_host_address,
'sessionID' : sid,
}
self.pyLogger.log(level, clean, extra=extra)
def test_csrf_token(self):
username = "******"
password = "******"
user = ESAPI.authenticator().create_user(username, password, password)
ESAPI.authenticator().current_user = user
token = ESAPI.http_utilities().get_csrf_token()
self.assertEquals(8, len(token))
request = MockHttpRequest()
try:
ESAPI.http_utilities().verify_csrf_token(request)
self.fail()
except:
# expected
pass
request.GET[HTTPUtilities.CSRF_TOKEN_NAME] = token
ESAPI.http_utilities().verify_csrf_token(request)
def test_add_event(self):
username = "******"
password = "******"
auth = ESAPI.authenticator()
user = auth.create_user(username, password, password)
user.enable()
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
user.login_with_password(password)
# Generate some events to disable the account
for i in range(15):
ESAPI.intrusion_detector().add_event("test", "test message")
self.assertTrue(user.is_locked())
def test_get_user_from_session(self):
instance = ESAPI.authenticator()
instance.logout()
account_name = "sessionTester"
password = instance.generate_strong_password()
user = instance.create_user( account_name, password, password )
user.enable()
request = MockHttpRequest()
request.POST['username'] = account_name
request.POST['password'] = password
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http( request, response )
instance.login( request, response )
current_user = instance.get_user_from_session()
self.assertEquals(user, current_user)
def test_add_event(self):
username = "******"
password = "******"
auth = ESAPI.authenticator()
user = auth.create_user(username, password, password)
user.enable()
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
user.login_with_password(password)
# Generate some events to disable the account
for i in range(15):
ESAPI.intrusion_detector().add_event("test", "test message")
self.assertTrue(user.is_locked())
def test_current_user(self):
instance = ESAPI.authenticator()
instance.logout()
user1_name = "currentUser1"
user2_name = "currentUser2"
password = "******"
user1 = instance.create_user(user1_name, password, password)
user1.enable()
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
user1.login_with_password(password)
current_user = instance.current_user
self.assertEquals(user1, current_user)
user2 = instance.create_user(user2_name, password, password)
instance.current_user = user2
self.assertFalse( current_user.account_name == user2.account_name )
def test_kill_cookie(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
self.assertTrue(len(response.cookies) == 0)
new_cookies = {}
m = Morsel()
m.key = 'test1'
m.value = '1'
new_cookies[m.key] = m
m = Morsel()
m.key = 'test2'
m.value = '2'
new_cookies[m.key] = m
request.cookies = new_cookies
ESAPI.http_utilities().kill_cookie( "test1", request, response )
self.assertTrue(len(response.cookies) == 1)
def test_assert_secure_request(self):
request = MockHttpRequest()
bad = ['http://example.com',
'ftp://example.com',
'',
None,]
good = ['https://example.com']
for bad_url in bad:
try:
request.url = bad_url
ESAPI.http_utilities().assert_secure_request(request)
self.fail()
except:
pass
for good_url in good:
try:
request.url = good_url
ESAPI.http_utilities().assert_secure_request(request)
except:
self.fail()
def test_add_cookie(self):
instance = ESAPI.http_utilities()
response = MockHttpResponse()
request = MockHttpRequest()
instance.set_current_http(request, response)
self.assertEquals(0, len(response.cookies))
# add_cookie(key, value='', max_age=None, path='/', domain=None,
# secure=None, httponly=False, version=None, comment=None, expires=None)
instance.add_cookie(response, key='test1', value='test1')
self.assertEquals(1, len(response.cookies))
instance.add_cookie(key='test2', value='test2')
self.assertEquals(2, len(response.cookies))
# illegal name
instance.add_cookie(response, key='tes<t3', value='test3')
self.assertEquals(2, len(response.cookies))
# illegal value
instance.add_cookie(response, key='test3', value='tes<t3')
self.assertEquals(2, len(response.cookies))
def setUp(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
ESAPI.authenticator().logout()
ESAPI.authenticator().clear_all_data()
def setUp(self):
request = MockHttpRequest()
response = MockHttpResponse()
ESAPI.http_utilities().set_current_http(request, response)
ESAPI.authenticator().logout()
ESAPI.authenticator().clear_all_data()
def log(self, level, event_type, message, exception=None):
"""
Log the message after optionally encoding any special characters
that might be dangerous when viewed by an HTML based log viewer.
Also encode any carriage returns and line feeds to prevent log
injection attacks. This logs all the supplied parameters plus the
user ID, user's source IP, a logging specific session ID, and the
current date/time.
It will only log the message if the current logging level is
enabled, otherwise it will discard the message.
@param level: the severity level of the security event
@param event_type: the event_type of the event
(SECURITY, FUNCTIONALITY, etc.)
@param message: the message
@param exception: an exception
"""
# Before we waste all kinds of time preparing this event for the
# log, let check to see if its loggable
if not self.pyLogger.isEnabledFor(level):
return
user = ESAPI.authenticator().current_user
# create a random session number for the user to represent the
# user's 'session', if it doesn't exist already
sid = _("unknown")
request = ESAPI.http_utilities().current_request
if request is not None:
session = request.session
if session is not None:
sid = session.get('ESAPI_SESSION', None)
# if there is no session id for the user yet, create one
# and store it in the user's session
if sid is None:
sid = str(ESAPI.randomizer().get_random_integer(
0, 1000000))
session['ESAPI_SESSION'] = sid
# ensure there's something to log
if message is None:
message = ""
# ensure no CRLF injection into logs for forging records
clean = message.replace('\n', '_').replace('\r', '_')
if ESAPI.security_configuration().get_log_encoding_required():
clean = ESAPI.encoder().encode_for_html(message)
if message != clean:
clean += " (Encoded)"
extra = {
'eventType':
str(event_type),
'eventSuccess': [_("SUCCESS"),
_("FAILURE")][event_type.is_success()],
'user':
user.account_name,
'hostname':
user.last_host_address,
'sessionID':
sid,
}
self.pyLogger.log(level, clean, extra=extra)
