From d3aed2c18cc3a1c88a8052af1f34d7f81f1be11a Mon Sep 17 00:00:00 2001 From: Flakebi Date: Wed, 28 Feb 2024 23:24:14 +0100 Subject: [PATCH] Fix with new dependency versions - cookie_jar is private in werkzeug 2.3, so recreate the client instead - set_cookie does not take a hostname argument anymore, use domain instead - Headers need to specify a content type --- test_seasurf.py | 71 ++++++++++++++++++++++++------------------------- 1 file changed, 35 insertions(+), 36 deletions(-) diff --git a/test_seasurf.py b/test_seasurf.py index 517b2d7..f940b91 100644 --- a/test_seasurf.py +++ b/test_seasurf.py @@ -71,18 +71,18 @@ class SeaSurfTestCase(BaseTestCase): self.assertEqual(type(token), str) def test_exempt_view(self): - rv = self.app.test_client().post('/foo') + rv = self.app.test_client().post('/foo', content_type='application/json') self.assertIn(b('bar'), rv.data) - rv = self.app.test_client().post(u'/foo/\xf8') + rv = self.app.test_client().post(u'/foo/\xf8', content_type='application/json') self.assertIn(b('bar'), rv.data) def test_token_validation(self): # should produce a logger warning - rv = self.app.test_client().post('/bar') + rv = self.app.test_client().post('/bar', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) - rv = self.app.test_client().post(u'/bar/\xf8') + rv = self.app.test_client().post(u'/bar/\xf8', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) def test_json_token_validation_bad(self): @@ -93,7 +93,7 @@ class SeaSurfTestCase(BaseTestCase): with self.app.test_client() as client: with client.session_transaction() as sess: sess[self.csrf._csrf_name] = tokenA - client.set_cookie('www.example.com', self.csrf._csrf_name, tokenB) + client.set_cookie(self.csrf._csrf_name, tokenB, domain='www.example.com') rv = client.post('/bar', data=data) self.assertEqual(rv.status_code, 403, rv) @@ -107,7 +107,7 @@ class SeaSurfTestCase(BaseTestCase): data = {'_csrf_token': token} with self.app.test_client() as client: with client.session_transaction() as sess: - client.set_cookie('www.example.com', self.csrf._csrf_name, token) + client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com') sess[self.csrf._csrf_name] = token rv = client.post('/bar', data=data) @@ -121,7 +121,7 @@ class SeaSurfTestCase(BaseTestCase): with client.session_transaction() as sess: token = self.csrf._generate_token() - client.set_cookie('www.example.com', self.csrf._csrf_name, token) + client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com') sess[self.csrf._csrf_name] = token # once this is reached the session was stored @@ -144,18 +144,18 @@ class SeaSurfTestCase(BaseTestCase): with client.session_transaction() as sess: token = self.csrf._generate_token() - client.set_cookie('www.example.com', self.csrf._csrf_name, token) + client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com') sess[self.csrf._csrf_name] = token # once this is reached the session was stored - rv = client.post('/bar', + rv = client.post('/bar', content_type='application/json', data={self.csrf._csrf_name: token}, base_url='https://www.example.com', headers={'Referer': 'https://www.example.com/foobar'}) self.assertEqual(rv.status_code, 200) - rv = client.post(u'/bar/\xf8', + rv = client.post(u'/bar/\xf8', content_type='application/json', data={self.csrf._csrf_name: token}, base_url='https://www.example.com', headers={'Referer': 'https://www.example.com/foobar\xf8'}) @@ -167,7 +167,7 @@ class SeaSurfTestCase(BaseTestCase): with client.session_transaction() as sess: token = self.csrf._generate_token() - client.set_cookie('www.example.com', self.csrf._csrf_name, token) + client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com') sess[self.csrf._csrf_name] = token rv = client.post('/bar', @@ -187,10 +187,10 @@ class SeaSurfTestCase(BaseTestCase): self.csrf._csrf_header_name: token, } - rv = client.post('/bar', headers=headers) + rv = client.post('/bar', headers=headers, content_type='application/json') self.assertEqual(rv.status_code, 200, rv) - rv = client.post(u'/bar/\xf8', headers=headers) + rv = client.post(u'/bar/\xf8', headers=headers, content_type='application/json') self.assertEqual(rv.status_code, 200, rv) def test_token_in_form_data(self): @@ -280,14 +280,14 @@ class SeaSurfTestCaseExemptViews(BaseTestCase): def test_exempt_view(self): with self.app.test_client() as c: - rv = c.post('/foo') + rv = c.post('/foo', content_type='application/json') self.assertIn(b('bar'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) self.assertEqual(cookie, None) def test_token_validation(self): # should produce a logger warning - rv = self.app.test_client().post('/bar') + rv = self.app.test_client().post('/bar', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) @@ -319,18 +319,18 @@ class SeaSurfTestCaseIncludeViews(BaseTestCase): return 'foo' def test_include_view(self): - rv = self.app.test_client().post('/foo') + rv = self.app.test_client().post('/foo', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) - rv = self.app.test_client().post(u'/foo/\xf8') + rv = self.app.test_client().post(u'/foo/\xf8', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) def test_token_validation(self): # should produce a logger warning - rv = self.app.test_client().post('/bar') + rv = self.app.test_client().post('/bar', content_type='application/json') self.assertIn(b('foo'), rv.data) - rv = self.app.test_client().post(u'/bar/\xf8') + rv = self.app.test_client().post(u'/bar/\xf8', content_type='application/json') self.assertIn(b('foo'), rv.data) @@ -363,10 +363,10 @@ class SeaSurfTestCaseExemptUrls(BaseTestCase): return 'foo' def test_exempt_view(self): - rv = self.app.test_client().post('/foo/baz') + rv = self.app.test_client().post('/foo/baz', content_type='application/json') self.assertIn(b('bar'), rv.data) with self.app.test_client() as c: - rv = c.post('/foo/quz') + rv = c.post('/foo/quz', content_type='application/json') self.assertIn(b('bar'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) self.assertEqual(cookie, None) @@ -374,7 +374,7 @@ class SeaSurfTestCaseExemptUrls(BaseTestCase): def test_token_validation(self): with self.app.test_client() as c: # should produce a logger warning - rv = c.post('/bar') + rv = c.post('/bar', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) token = self.csrf._get_token() @@ -434,7 +434,7 @@ class SeaSurfTestCaseDisableCookie(unittest.TestCase): def test_no_csrf_cookie_even_after_manually_validated(self): with self.app.test_client() as c: - rv = c.post('/manual') + rv = c.post('/manual', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) self.assertEqual(cookie, None) @@ -474,14 +474,14 @@ class SeaSurfTestCaseEnableCookie(unittest.TestCase): def test_has_csrf_cookie(self): with self.app.test_client() as c: - rv = c.post('/exempt_with_cookie') + rv = c.post('/exempt_with_cookie', content_type='application/json') cookie = get_cookie(rv, self.csrf._csrf_name) token = self.csrf._get_token() self.assertEqual(cookie, token) def test_has_csrf_cookie_but_doesnt_validate(self): with self.app.test_client() as c: - rv = c.post('/exempt_with_cookie') + rv = c.post('/exempt_with_cookie', content_type='application/json') self.assertIn(b('exempt_with_cookie'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) token = self.csrf._get_token() @@ -530,7 +530,7 @@ class SeaSurfTestCaseSkipValidation(unittest.TestCase): def test_skips_validation(self): with self.app.test_client() as c: - rv = c.post('/foo/quz') + rv = c.post('/foo/quz', content_type='application/json') self.assertIn(b('bar'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) token = self.csrf._get_token() @@ -538,20 +538,20 @@ class SeaSurfTestCaseSkipValidation(unittest.TestCase): def test_enforces_validation_reject(self): with self.app.test_client() as c: - rv = c.delete('/foo/baz') + rv = c.delete('/foo/baz', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) def test_enforces_validation_accept(self): with self.app.test_client() as c: # GET generates CSRF token c.get('/foo/baz') - rv = c.delete('/foo/baz', + rv = c.delete('/foo/baz', content_type='application/json', headers={'X-CSRFToken': self.csrf._get_token()}) self.assertIn(b('bar'), rv.data) def test_manual_validation(self): with self.app.test_client() as c: - rv = c.post('/manual') + rv = c.post('/manual', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) @@ -578,7 +578,7 @@ class SeaSurfTestManualValidation(unittest.TestCase): def test_can_manually_validate_exempt_views(self): with self.app.test_client() as c: - rv = c.post('/manual') + rv = c.post('/manual', content_type='application/json') self.assertIn(b('403 Forbidden'), rv.data) cookie = get_cookie(rv, self.csrf._csrf_name) token = self.csrf._get_token() @@ -651,7 +651,7 @@ class SeaSurfTestCaseReferer(BaseTestCase): with client.session_transaction() as sess: token = self.csrf._generate_token() - client.set_cookie('www.example.com', self.csrf._csrf_name, token) + client.set_cookie(self.csrf._csrf_name, token, domain='www.example.com') sess[self.csrf._csrf_name] = token # once this is reached the session was stored @@ -728,8 +728,7 @@ class SeaSurfTestCaseSetCookie(BaseTestCase): res3.headers.get('Set-Cookie', ''), 'CSRF cookie always be re-set if a token is requested by the template') - client.cookie_jar.clear() - + with self.app.test_client() as client: res4 = client.get('/foo') self.assertIn(self.csrf._csrf_name, @@ -739,14 +738,14 @@ class SeaSurfTestCaseSetCookie(BaseTestCase): def test_header_set_on_post(self): with self.app.test_client() as client: headers = {} - res1 = client.post('/bar', headers=headers) + res1 = client.post('/bar', headers=headers, content_type='application/json') self.assertEqual(res1.status_code, 403) for cookie in client.cookie_jar: if cookie.name == self.csrf._csrf_name: headers[self.csrf._csrf_header_name] = cookie.value - res2 = client.post('/bar', headers=headers) + res2 = client.post('/bar', headers=headers, content_type='application/json') self.assertEqual(res2.status_code, 200) def test_header_set_cookie_samesite(self): @@ -789,7 +788,7 @@ class SeaSurfTestCaseGenerateNewToken(BaseTestCase): client.get('/foo') tokenA = self.csrf._get_token() - client.set_cookie('www.example.com', self.csrf._csrf_name, tokenA) + client.set_cookie(self.csrf._csrf_name, tokenA, domain='www.example.com') with client.session_transaction() as sess: sess[self.csrf._csrf_name] = tokenA -- 2.43.0