Fixed #32596 -- Added CsrfViewMiddleware._check_referer().

This encapsulates CsrfViewMiddleware's referer logic into a method and updates existing tests to check the "seam" introduced by the refactor, when doing so would improve the test.
author: Chris Jerdonek <chris.jerdonek@gmail.com> 2021-03-26 02:37:55 -0700
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2021-05-28 07:31:56 +0200
commit: 71179a6124142e43fd3c0eea2bfabf600a9b2d91 (patch)
tree: 76987cb81db984eeecb9667b498d98eeea53c221 /tests/csrf_tests
parent: e93eb3d9714be0b489891f4d2da41bb4df4978a5 (diff)
download: django-71179a6124142e43fd3c0eea2bfabf600a9b2d91.tar.gz
1 files changed, 25 insertions, 1 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 5425c50fca..b04503cb3f 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -6,7 +6,7 @@ from django.core.exceptions import ImproperlyConfigured
 from django.http import HttpRequest, HttpResponse
 from django.middleware.csrf import (
     CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_ORIGIN, REASON_BAD_TOKEN,
-    REASON_NO_CSRF_COOKIE, CsrfViewMiddleware,
+    REASON_NO_CSRF_COOKIE, CsrfViewMiddleware, RejectRequest,
     _compare_masked_tokens as equivalent_tokens, get_token,
 )
 from django.test import SimpleTestCase, override_settings
@@ -305,12 +305,17 @@ class CsrfViewMiddlewareTestMixin:
             status_code=403,
         )
 
+    def _check_referer_rejects(self, mw, req):
+        with self.assertRaises(RejectRequest):
+            mw._check_referer(req)
+
     @override_settings(DEBUG=True)
     def test_https_no_referer(self):
         """A POST HTTPS request with a missing referer is rejected."""
         req = self._get_POST_request_with_token()
         req._is_secure_override = True
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(
             response,
@@ -329,6 +334,12 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage'
         req.META['SERVER_PORT'] = '443'
         mw = CsrfViewMiddleware(token_view)
+        expected = (
+            'Referer checking failed - https://www.evil.org/somepage does not '
+            'match any trusted origins.'
+        )
+        with self.assertRaisesMessage(RejectRequest, expected):
+            mw._check_referer(req)
         response = mw.process_view(req, token_view, (), {})
         self.assertEqual(response.status_code, 403)
 
@@ -338,6 +349,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = '@malformed'
         req.META['HTTP_ORIGIN'] = 'https://www.evil.org'
         mw = CsrfViewMiddleware(token_view)
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, token_view, (), {})
         self.assertEqual(response.status_code, 403)
 
@@ -351,6 +363,7 @@ class CsrfViewMiddlewareTestMixin:
         req._is_secure_override = True
         req.META['HTTP_REFERER'] = 'http://http://www.example.com/'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(
             response,
@@ -359,28 +372,33 @@ class CsrfViewMiddlewareTestMixin:
         )
         # Empty
         req.META['HTTP_REFERER'] = ''
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # Non-ASCII
         req.META['HTTP_REFERER'] = 'ØBöIß'
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # missing scheme
         # >>> urlparse('//example.com/')
         # ParseResult(scheme='', netloc='example.com', path='/', params='', query='', fragment='')
         req.META['HTTP_REFERER'] = '//example.com/'
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # missing netloc
         # >>> urlparse('https://')
         # ParseResult(scheme='https', netloc='', path='', params='', query='', fragment='')
         req.META['HTTP_REFERER'] = 'https://'
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
         # Invalid URL
         # >>> urlparse('https://[')
         # ValueError: Invalid IPv6 URL
         req.META['HTTP_REFERER'] = 'https://['
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(response, malformed_referer_msg, status_code=403)
 
@@ -562,6 +580,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_ORIGIN'] = 'https://www.evil.org'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         self.assertIs(mw._origin_verified(req), False)
         with self.assertLogs('django.security.csrf', 'WARNING') as cm:
             response = mw.process_view(req, post_form_view, (), {})
@@ -576,6 +595,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_ORIGIN'] = 'null'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         self.assertIs(mw._origin_verified(req), False)
         with self.assertLogs('django.security.csrf', 'WARNING') as cm:
             response = mw.process_view(req, post_form_view, (), {})
@@ -591,6 +611,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_ORIGIN'] = 'http://example.com'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         self.assertIs(mw._origin_verified(req), False)
         with self.assertLogs('django.security.csrf', 'WARNING') as cm:
             response = mw.process_view(req, post_form_view, (), {})
@@ -617,6 +638,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_ORIGIN'] = 'http://foo.example.com'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         self.assertIs(mw._origin_verified(req), False)
         with self.assertLogs('django.security.csrf', 'WARNING') as cm:
             response = mw.process_view(req, post_form_view, (), {})
@@ -639,6 +661,7 @@ class CsrfViewMiddlewareTestMixin:
         req.META['HTTP_HOST'] = 'www.example.com'
         req.META['HTTP_ORIGIN'] = 'https://['
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         self.assertIs(mw._origin_verified(req), False)
         with self.assertLogs('django.security.csrf', 'WARNING') as cm:
             response = mw.process_view(req, post_form_view, (), {})
@@ -867,6 +890,7 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
         req.META['HTTP_REFERER'] = 'http://example.com/'
         req.META['SERVER_PORT'] = '443'
         mw = CsrfViewMiddleware(post_form_view)
+        self._check_referer_rejects(mw, req)
         response = mw.process_view(req, post_form_view, (), {})
         self.assertContains(
             response,
author	Chris Jerdonek <chris.jerdonek@gmail.com>	2021-03-26 02:37:55 -0700
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2021-05-28 07:31:56 +0200
commit	71179a6124142e43fd3c0eea2bfabf600a9b2d91 (patch)
tree	76987cb81db984eeecb9667b498d98eeea53c221 /tests/csrf_tests
parent	e93eb3d9714be0b489891f4d2da41bb4df4978a5 (diff)
download	django-71179a6124142e43fd3c0eea2bfabf600a9b2d91.tar.gz