Fix CSRF annoyance #4185

Merged
merged 3 commits into from
Nov 14, 2016
37 changes: 0 additions & 37 deletions tests/py/test_hooks.py
Expand Up @@ -5,7 +5,6 @@
from aspen.http.request import Request
from aspen.http.response import Response

from gratipay.security import csrf
from gratipay.security.user import SESSION
from gratipay.testing import Harness

Expand Down Expand Up @@ -115,39 +114,3 @@ def test_caching_of_simplates(self):
r = self.client.GET('/about/')
assert r.headers['Cache-Control'] == 'no-cache'
assert 'Vary' not in r.headers

def test_no_csrf_cookie(self):
r = self.client.POST('/', csrf_token=False, raise_immediately=False)
assert r.code == 403
assert "Bad CSRF cookie" in r.body
assert b'csrf_token' in r.headers.cookie

def test_bad_csrf_cookie(self):
r = self.client.POST('/', csrf_token=b'bad_token', raise_immediately=False)
assert r.code == 403
assert "Bad CSRF cookie" in r.body
assert r.headers.cookie[b'csrf_token'].value != 'bad_token'

def test_csrf_cookie_set_for_most_requests(self):
r = self.client.GET('/about/')
assert b'csrf_token' in r.headers.cookie

def test_no_csrf_cookie_set_for_assets(self):
r = self.client.GET('/assets/gratipay.css')
assert b'csrf_token' not in r.headers.cookie

def test_sanitize_token_passes_through_good_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeeffff'
assert csrf._sanitize_token(token) == token

def test_sanitize_token_rejects_overlong_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeefffff'
assert csrf._sanitize_token(token) is None

def test_sanitize_token_rejects_underlong_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeefff'
assert csrf._sanitize_token(token) is None

def test_sanitize_token_rejects_goofy_token(self):
token = 'ddddeeeeaaaadddd bbbbeeeeeeeefff'
assert csrf._sanitize_token(token) is None
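--- /dev/null
+++ b/tests/py/test_security_csrf.py
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+from gratipay.security import csrf
+from gratipay.testing import Harness
+
+
+class Tests(Harness):
+
+    # st - _sanitize_token
+
+    def test_st_passes_through_good_token(self):
+        token = 'ddddeeeeaaaaddddbbbbeeeeeeeeffff'
+        assert csrf._sanitize_token(token) == token
+
+    def test_st_rejects_overlong_token(self):
+        token = 'ddddeeeeaaaaddddbbbbeeeeeeeefffff'
+        assert csrf._sanitize_token(token) is None
+
+    def test_st_rejects_underlong_token(self):
+        token = 'ddddeeeeaaaaddddbbbbeeeeeeeefff'
+        assert csrf._sanitize_token(token) is None
+
+    def test_st_rejects_goofy_token(self):
+        token = 'ddddeeeeaaaadddd bbbbeeeeeeeefff'
+        assert csrf._sanitize_token(token) is None
+
+
+    # integration tests
+
+    def test_no_csrf_cookie_gives_403(self):
+        r = self.client.POST('/', csrf_token=False, raise_immediately=False)
+        assert r.code == 403
+        assert "Bad CSRF cookie" in r.body
+        assert b'csrf_token' in r.headers.cookie
+
+    def test_bad_csrf_cookie_gives_403(self):
+        r = self.client.POST('/', csrf_token=b'bad_token', raise_immediately=False)
+        assert r.code == 403
+        assert "Bad CSRF cookie" in r.body
+        assert r.headers.cookie[b'csrf_token'].value != 'bad_token'
+
+    def test_csrf_cookie_set_for_most_requests(self):
+        r = self.client.GET('/about/')
+        assert b'csrf_token' in r.headers.cookie
+
+    def test_no_csrf_cookie_set_for_assets(self):
+        r = self.client.GET('/assets/gratipay.css')
+        assert b'csrf_token' not in r.headers.cookie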
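Review bot: The integration tests at the bottom of the new file cover a missing cookie and a malformed cookie, but not the case the check exists for: a well-formed `csrf_token` cookie whose value does not match the token submitted with the POST, so these tests would still pass if the cookie-versus-submitted-token comparison were dropped. If the harness's `csrf_token=` keyword sets both the cookie and the submitted value together, a separate test that sets them to two different 32-character values and asserts `r.code == 403` would pin that behaviour; if the harness cannot set them independently, that limitation is worth a comment next to `test_bad_csrf_cookie_gives_403`. On the `_sanitize_token` side, the only rejected same-length input is one containing a space; a second same-length case with a character outside the expected alphabet (for instance `;`, which also matters inside a Cookie header) would make the accepted character set explicit — presumably hex or alphanumeric, confirm against `csrf._sanitize_token`.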