author | Chris Jerdonek <chris.jerdonek@gmail.com> | 2021-03-26 02:37:55 -0700 |
---|---|---|
committer | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2021-05-28 07:31:56 +0200 |
commit | 71179a6124142e43fd3c0eea2bfabf600a9b2d91 (patch) | |
tree | 76987cb81db984eeecb9667b498d98eeea53c221 /tests/csrf_tests | |
parent | e93eb3d9714be0b489891f4d2da41bb4df4978a5 (diff) | |
Fixed #32596 -- Added CsrfViewMiddleware._check_referer().
This encapsulates CsrfViewMiddleware's referer logic into a method and
updates existing tests to check the "seam" introduced by the refactor,
when doing so would improve the test.
Diffstat (limited to 'tests/csrf_tests')
-rw-r--r-- | tests/csrf_tests/tests.py | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index 5425c50fca..b04503cb3f 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -6,7 +6,7 @@ from django.core.exceptions import ImproperlyConfigured from django.http import HttpRequest, HttpResponse from django.middleware.csrf import ( CSRF_SESSION_KEY, CSRF_TOKEN_LENGTH, REASON_BAD_ORIGIN, REASON_BAD_TOKEN, - REASON_NO_CSRF_COOKIE, CsrfViewMiddleware, + REASON_NO_CSRF_COOKIE, CsrfViewMiddleware, RejectRequest, _compare_masked_tokens as equivalent_tokens, get_token, ) from django.test import SimpleTestCase, override_settings
@@ -305,12 +305,17 @@ class CsrfViewMiddlewareTestMixin: status_code=403, ) + def _check_referer_rejects(self, mw, req): + with self.assertRaises(RejectRequest): + mw._check_referer(req) + @override_settings(DEBUG=True) def test_https_no_referer(self): """A POST HTTPS request with a missing referer is rejected.""" req = self._get_POST_request_with_token() req._is_secure_override = True mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains( response,
@@ -329,6 +334,12 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_REFERER'] = 'https://www.evil.org/somepage' req.META['SERVER_PORT'] = '443' mw = CsrfViewMiddleware(token_view) + expected = ( 'Referer checking failed - https://www.evil.org/somepage does not ' 'match any trusted origins.' ) + with self.assertRaisesMessage(RejectRequest, expected): + mw._check_referer(req) response = mw.process_view(req, token_view, (), {}) self.assertEqual(response.status_code, 403)
@@ -338,6 +349,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = '@malformed' req.META['HTTP_ORIGIN'] = 'https://www.evil.org' mw = CsrfViewMiddleware(token_view) + self._check_referer_rejects(mw, req) response = mw.process_view(req, token_view, (), {}) self.assertEqual(response.status_code, 403)
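Review bot: The new `_check_referer_rejects` helper asserts only that `mw._check_referer(req)` raises `RejectRequest`, so every test that calls it (`test_https_no_referer` here, the `@malformed` host hunk below, and the malformed-referer hunks in the next line) still passes if the referer check rejects for an unrelated reason; only the `process_view` assertions that follow pin the reason, the seam check does not. The following hunk already spells out `assertRaisesMessage(RejectRequest, expected)` inline for the untrusted-origin referer, so an optional `expected` argument on the helper would let callers pin the reason (e.g. passing `malformed_referer_msg` in the malformed-referer hunks, presumably the same reason string `_check_referer` raises with) and replace that inline duplicate. The helper also lacks a docstring; the rewrite below adds one. The enclosing class continues outside the hunk.
```python
    def _check_referer_rejects(self, mw, req, expected=None):
        """Assert mw._check_referer(req) raises RejectRequest, with reason ``expected`` if given."""
        if expected is None:
            ctx = self.assertRaises(RejectRequest)
        else:
            ctx = self.assertRaisesMessage(RejectRequest, expected)
        with ctx:
            mw._check_referer(req)
```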
@@ -351,6 +363,7 @@ class CsrfViewMiddlewareTestMixin: req._is_secure_override = True req.META['HTTP_REFERER'] = 'http://http://www.example.com/' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains( response,
@@ -359,28 +372,33 @@ class CsrfViewMiddlewareTestMixin: ) # Empty req.META['HTTP_REFERER'] = '' + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains(response, malformed_referer_msg, status_code=403) # Non-ASCII req.META['HTTP_REFERER'] = 'ØBöIß' + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains(response, malformed_referer_msg, status_code=403) # missing scheme # >>> urlparse('//example.com/') # ParseResult(scheme='', netloc='example.com', path='/', params='', query='', fragment='') req.META['HTTP_REFERER'] = '//example.com/' + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains(response, malformed_referer_msg, status_code=403) # missing netloc # >>> urlparse('https://') # ParseResult(scheme='https', netloc='', path='', params='', query='', fragment='') req.META['HTTP_REFERER'] = 'https://' + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains(response, malformed_referer_msg, status_code=403) # Invalid URL # >>> urlparse('https://[') # ValueError: Invalid IPv6 URL req.META['HTTP_REFERER'] = 'https://[' + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains(response, malformed_referer_msg, status_code=403)
@@ -562,6 +580,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_ORIGIN'] = 'https://www.evil.org' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) self.assertIs(mw._origin_verified(req), False) with self.assertLogs('django.security.csrf', 'WARNING') as cm: response = mw.process_view(req, post_form_view, (), {})
@@ -576,6 +595,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_ORIGIN'] = 'null' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) self.assertIs(mw._origin_verified(req), False) with self.assertLogs('django.security.csrf', 'WARNING') as cm: response = mw.process_view(req, post_form_view, (), {})
@@ -591,6 +611,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_ORIGIN'] = 'http://example.com' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) self.assertIs(mw._origin_verified(req), False) with self.assertLogs('django.security.csrf', 'WARNING') as cm: response = mw.process_view(req, post_form_view, (), {})
@@ -617,6 +638,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_ORIGIN'] = 'http://foo.example.com' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) self.assertIs(mw._origin_verified(req), False) with self.assertLogs('django.security.csrf', 'WARNING') as cm: response = mw.process_view(req, post_form_view, (), {})
@@ -639,6 +661,7 @@ class CsrfViewMiddlewareTestMixin: req.META['HTTP_HOST'] = 'www.example.com' req.META['HTTP_ORIGIN'] = 'https://[' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) self.assertIs(mw._origin_verified(req), False) with self.assertLogs('django.security.csrf', 'WARNING') as cm: response = mw.process_view(req, post_form_view, (), {})
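Review bot: In these five `HTTP_ORIGIN` tests (hunks `@@ -562`, `-576`, `-591`, `-617`, `-639`) the added `self._check_referer_rejects(mw, req)` exercises a path the request under test does not appear to take: the `assertIs(mw._origin_verified(req), False)` on the next line indicates the middleware decides on the Origin header here, and no `HTTP_REFERER` is set in the visible lines, so `_check_referer` presumably rejects for a missing referer rather than for anything about the Origin value being tested. The assertion is not wrong, but without a comment a reader will take it as part of the Origin check being verified; a one-line comment above each call such as `# Not the path this request takes (Origin is present); confirm the Referer check would also reject it.` would keep the tests' intent clear, or the calls could be dropped from the Origin tests. Each enclosing test method starts outside its hunk.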
@@ -867,6 +890,7 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): req.META['HTTP_REFERER'] = 'http://example.com/' req.META['SERVER_PORT'] = '443' mw = CsrfViewMiddleware(post_form_view) + self._check_referer_rejects(mw, req) response = mw.process_view(req, post_form_view, (), {}) self.assertContains( response, |