2024-02-29 20:09:43 +00:00
|
|
|
From d3aed2c18cc3a1c88a8052af1f34d7f81f1be11a Mon Sep 17 00:00:00 2001
|
2024-01-02 11:29:13 +00:00
|
|
|
From: Flakebi <flakebi@t-online.de>
|
2024-02-29 20:09:43 +00:00
|
|
|
Date: Wed, 28 Feb 2024 23:24:14 +0100
|
2024-01-02 11:29:13 +00:00
|
|
|
Subject: [PATCH] Fix with new dependency versions
|
|
|
|
|
|
|
|
- cookie_jar is private in werkzeug 2.3, so recreate the client instead
|
|
|
|
- set_cookie does not take a hostname argument anymore, use domain instead
|
|
|
|
- Headers need to specify a content type
|
|
|
|
---
|
2024-02-29 20:09:43 +00:00
|
|
|
test_seasurf.py | 71 ++++++++++++++++++++++++-------------------------
|
|
|
|
1 file changed, 35 insertions(+), 36 deletions(-)
|
2024-01-02 11:29:13 +00:00
|
|
|
|
|
|
|
diff --git a/test_seasurf.py b/test_seasurf.py
|
2024-02-29 20:09:43 +00:00
|
|
|
index 517b2d7..f940b91 100644
|
2024-01-02 11:29:13 +00:00
|
|
|
--- a/test_seasurf.py
|
|
|
|
+++ b/test_seasurf.py
|
|
|
|
@@ -71,18 +71,18 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
self.assertEqual(type(token), str)
|
|
|
|
|
|
|
|
def test_exempt_view(self):
|
|
|
|
- rv = self.app.test_client().post('/foo')
|
|
|
|
+ rv = self.app.test_client().post('/foo', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
|
|
|
|
- rv = self.app.test_client().post(u'/foo/\xf8')
|
|
|
|
+ rv = self.app.test_client().post(u'/foo/\xf8', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
|
|
|
|
def test_token_validation(self):
|
|
|
|
# should produce a logger warning
|
|
|
|
- rv = self.app.test_client().post('/bar')
|
|
|
|
+ rv = self.app.test_client().post('/bar', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
- rv = self.app.test_client().post(u'/bar/\xf8')
|
|
|
|
+ rv = self.app.test_client().post(u'/bar/\xf8', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
def test_json_token_validation_bad(self):
|
2024-02-29 20:09:43 +00:00
|
|
|
@@ -93,7 +93,7 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
with self.app.test_client() as client:
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
sess[self.csrf._csrf_name] = tokenA
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, tokenB)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, tokenB, domain='www.example.com')
|
|
|
|
|
|
|
|
rv = client.post('/bar', data=data)
|
|
|
|
self.assertEqual(rv.status_code, 403, rv)
|
2024-01-02 11:29:13 +00:00
|
|
|
@@ -107,7 +107,7 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
data = {'_csrf_token': token}
|
|
|
|
with self.app.test_client() as client:
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, token)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com')
|
|
|
|
sess[self.csrf._csrf_name] = token
|
|
|
|
|
|
|
|
rv = client.post('/bar', data=data)
|
|
|
|
@@ -121,7 +121,7 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
token = self.csrf._generate_token()
|
|
|
|
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, token)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com')
|
|
|
|
sess[self.csrf._csrf_name] = token
|
|
|
|
|
|
|
|
# once this is reached the session was stored
|
2024-02-29 20:09:43 +00:00
|
|
|
@@ -144,18 +144,18 @@ class SeaSurfTestCase(BaseTestCase):
|
2024-01-02 11:29:13 +00:00
|
|
|
with client.session_transaction() as sess:
|
|
|
|
token = self.csrf._generate_token()
|
|
|
|
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, token)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com')
|
|
|
|
sess[self.csrf._csrf_name] = token
|
|
|
|
|
|
|
|
# once this is reached the session was stored
|
2024-02-29 20:09:43 +00:00
|
|
|
- rv = client.post('/bar',
|
|
|
|
+ rv = client.post('/bar', content_type='application/json',
|
|
|
|
data={self.csrf._csrf_name: token},
|
|
|
|
base_url='https://www.example.com',
|
|
|
|
headers={'Referer': 'https://www.example.com/foobar'})
|
|
|
|
|
|
|
|
self.assertEqual(rv.status_code, 200)
|
|
|
|
|
|
|
|
- rv = client.post(u'/bar/\xf8',
|
|
|
|
+ rv = client.post(u'/bar/\xf8', content_type='application/json',
|
|
|
|
data={self.csrf._csrf_name: token},
|
|
|
|
base_url='https://www.example.com',
|
|
|
|
headers={'Referer': 'https://www.example.com/foobar\xf8'})
|
2024-01-02 11:29:13 +00:00
|
|
|
@@ -167,7 +167,7 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
token = self.csrf._generate_token()
|
|
|
|
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, token)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com')
|
|
|
|
sess[self.csrf._csrf_name] = token
|
|
|
|
|
|
|
|
rv = client.post('/bar',
|
|
|
|
@@ -187,10 +187,10 @@ class SeaSurfTestCase(BaseTestCase):
|
|
|
|
self.csrf._csrf_header_name: token,
|
|
|
|
}
|
|
|
|
|
|
|
|
- rv = client.post('/bar', headers=headers)
|
|
|
|
+ rv = client.post('/bar', headers=headers, content_type='application/json')
|
|
|
|
self.assertEqual(rv.status_code, 200, rv)
|
|
|
|
|
|
|
|
- rv = client.post(u'/bar/\xf8', headers=headers)
|
|
|
|
+ rv = client.post(u'/bar/\xf8', headers=headers, content_type='application/json')
|
|
|
|
self.assertEqual(rv.status_code, 200, rv)
|
|
|
|
|
|
|
|
def test_token_in_form_data(self):
|
|
|
|
@@ -280,14 +280,14 @@ class SeaSurfTestCaseExemptViews(BaseTestCase):
|
|
|
|
|
|
|
|
def test_exempt_view(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/foo')
|
|
|
|
+ rv = c.post('/foo', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
self.assertEqual(cookie, None)
|
|
|
|
|
|
|
|
def test_token_validation(self):
|
|
|
|
# should produce a logger warning
|
|
|
|
- rv = self.app.test_client().post('/bar')
|
|
|
|
+ rv = self.app.test_client().post('/bar', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
|
|
|
|
@@ -319,18 +319,18 @@ class SeaSurfTestCaseIncludeViews(BaseTestCase):
|
|
|
|
return 'foo'
|
|
|
|
|
|
|
|
def test_include_view(self):
|
|
|
|
- rv = self.app.test_client().post('/foo')
|
|
|
|
+ rv = self.app.test_client().post('/foo', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
- rv = self.app.test_client().post(u'/foo/\xf8')
|
|
|
|
+ rv = self.app.test_client().post(u'/foo/\xf8', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
def test_token_validation(self):
|
|
|
|
# should produce a logger warning
|
|
|
|
- rv = self.app.test_client().post('/bar')
|
|
|
|
+ rv = self.app.test_client().post('/bar', content_type='application/json')
|
|
|
|
self.assertIn(b('foo'), rv.data)
|
|
|
|
|
|
|
|
- rv = self.app.test_client().post(u'/bar/\xf8')
|
|
|
|
+ rv = self.app.test_client().post(u'/bar/\xf8', content_type='application/json')
|
|
|
|
self.assertIn(b('foo'), rv.data)
|
|
|
|
|
|
|
|
|
|
|
|
@@ -363,10 +363,10 @@ class SeaSurfTestCaseExemptUrls(BaseTestCase):
|
|
|
|
return 'foo'
|
|
|
|
|
|
|
|
def test_exempt_view(self):
|
|
|
|
- rv = self.app.test_client().post('/foo/baz')
|
|
|
|
+ rv = self.app.test_client().post('/foo/baz', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/foo/quz')
|
|
|
|
+ rv = c.post('/foo/quz', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
self.assertEqual(cookie, None)
|
|
|
|
@@ -374,7 +374,7 @@ class SeaSurfTestCaseExemptUrls(BaseTestCase):
|
|
|
|
def test_token_validation(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
# should produce a logger warning
|
|
|
|
- rv = c.post('/bar')
|
|
|
|
+ rv = c.post('/bar', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
token = self.csrf._get_token()
|
|
|
|
@@ -434,7 +434,7 @@ class SeaSurfTestCaseDisableCookie(unittest.TestCase):
|
|
|
|
|
|
|
|
def test_no_csrf_cookie_even_after_manually_validated(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/manual')
|
|
|
|
+ rv = c.post('/manual', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
self.assertEqual(cookie, None)
|
|
|
|
@@ -474,14 +474,14 @@ class SeaSurfTestCaseEnableCookie(unittest.TestCase):
|
|
|
|
|
|
|
|
def test_has_csrf_cookie(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/exempt_with_cookie')
|
|
|
|
+ rv = c.post('/exempt_with_cookie', content_type='application/json')
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
token = self.csrf._get_token()
|
|
|
|
self.assertEqual(cookie, token)
|
|
|
|
|
|
|
|
def test_has_csrf_cookie_but_doesnt_validate(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/exempt_with_cookie')
|
|
|
|
+ rv = c.post('/exempt_with_cookie', content_type='application/json')
|
|
|
|
self.assertIn(b('exempt_with_cookie'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
token = self.csrf._get_token()
|
|
|
|
@@ -530,7 +530,7 @@ class SeaSurfTestCaseSkipValidation(unittest.TestCase):
|
|
|
|
|
|
|
|
def test_skips_validation(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/foo/quz')
|
|
|
|
+ rv = c.post('/foo/quz', content_type='application/json')
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
token = self.csrf._get_token()
|
|
|
|
@@ -538,20 +538,20 @@ class SeaSurfTestCaseSkipValidation(unittest.TestCase):
|
|
|
|
|
|
|
|
def test_enforces_validation_reject(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.delete('/foo/baz')
|
|
|
|
+ rv = c.delete('/foo/baz', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
def test_enforces_validation_accept(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
# GET generates CSRF token
|
|
|
|
c.get('/foo/baz')
|
|
|
|
- rv = c.delete('/foo/baz',
|
|
|
|
+ rv = c.delete('/foo/baz', content_type='application/json',
|
|
|
|
headers={'X-CSRFToken': self.csrf._get_token()})
|
|
|
|
self.assertIn(b('bar'), rv.data)
|
|
|
|
|
|
|
|
def test_manual_validation(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/manual')
|
|
|
|
+ rv = c.post('/manual', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
|
|
|
|
|
|
|
|
@@ -578,7 +578,7 @@ class SeaSurfTestManualValidation(unittest.TestCase):
|
|
|
|
|
|
|
|
def test_can_manually_validate_exempt_views(self):
|
|
|
|
with self.app.test_client() as c:
|
|
|
|
- rv = c.post('/manual')
|
|
|
|
+ rv = c.post('/manual', content_type='application/json')
|
|
|
|
self.assertIn(b('403 Forbidden'), rv.data)
|
|
|
|
cookie = get_cookie(rv, self.csrf._csrf_name)
|
|
|
|
token = self.csrf._get_token()
|
|
|
|
@@ -651,7 +651,7 @@ class SeaSurfTestCaseReferer(BaseTestCase):
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
token = self.csrf._generate_token()
|
|
|
|
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, token)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com')
|
|
|
|
sess[self.csrf._csrf_name] = token
|
|
|
|
|
|
|
|
# once this is reached the session was stored
|
|
|
|
@@ -728,8 +728,7 @@ class SeaSurfTestCaseSetCookie(BaseTestCase):
|
|
|
|
res3.headers.get('Set-Cookie', ''),
|
|
|
|
'CSRF cookie always be re-set if a token is requested by the template')
|
|
|
|
|
|
|
|
- client.cookie_jar.clear()
|
|
|
|
-
|
|
|
|
+ with self.app.test_client() as client:
|
|
|
|
res4 = client.get('/foo')
|
|
|
|
|
|
|
|
self.assertIn(self.csrf._csrf_name,
|
|
|
|
@@ -739,14 +738,14 @@ class SeaSurfTestCaseSetCookie(BaseTestCase):
|
|
|
|
def test_header_set_on_post(self):
|
|
|
|
with self.app.test_client() as client:
|
|
|
|
headers = {}
|
|
|
|
- res1 = client.post('/bar', headers=headers)
|
|
|
|
+ res1 = client.post('/bar', headers=headers, content_type='application/json')
|
|
|
|
self.assertEqual(res1.status_code, 403)
|
|
|
|
|
|
|
|
for cookie in client.cookie_jar:
|
|
|
|
if cookie.name == self.csrf._csrf_name:
|
|
|
|
headers[self.csrf._csrf_header_name] = cookie.value
|
|
|
|
|
|
|
|
- res2 = client.post('/bar', headers=headers)
|
|
|
|
+ res2 = client.post('/bar', headers=headers, content_type='application/json')
|
|
|
|
self.assertEqual(res2.status_code, 200)
|
|
|
|
|
|
|
|
def test_header_set_cookie_samesite(self):
|
2024-02-29 20:09:43 +00:00
|
|
|
@@ -789,7 +788,7 @@ class SeaSurfTestCaseGenerateNewToken(BaseTestCase):
|
|
|
|
client.get('/foo')
|
|
|
|
tokenA = self.csrf._get_token()
|
|
|
|
|
|
|
|
- client.set_cookie('www.example.com', self.csrf._csrf_name, tokenA)
|
|
|
|
+ client.set_cookie(self.csrf._csrf_name, tokenA, domain='www.example.com')
|
|
|
|
with client.session_transaction() as sess:
|
|
|
|
sess[self.csrf._csrf_name] = tokenA
|
|
|
|
|
2024-01-02 11:29:13 +00:00
|
|
|
--
|
2024-02-29 20:09:43 +00:00
|
|
|
2.43.0
|
2024-01-02 11:29:13 +00:00
|
|
|
|