Adding header checks and unit tests
Adding header check and unit test, this would enable using using multilevel logic in complex tests that needs header checks. Change-Id: I0323dece724499432696d95b8129b210833c6b2b
This commit is contained in:
parent
e4b46ec2b9
commit
3341a8640c
|
@ -0,0 +1,45 @@
|
||||||
|
# Copyright 2016 Intel
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
import syntribos.signal
|
||||||
|
|
||||||
|
|
||||||
|
def cors(test):
|
||||||
|
"""Checks if the response header has any CORS headers.
|
||||||
|
|
||||||
|
If any cross origin resource sharing headers (CORS) are found,
|
||||||
|
checks if any is set to wild characters, if so returns a Signal.
|
||||||
|
|
||||||
|
:param test object
|
||||||
|
:returns: Signal if cors vulnerability is found, other wise None
|
||||||
|
:rtype: :class:`syntribos.signal.SynSignal, None`
|
||||||
|
"""
|
||||||
|
|
||||||
|
strength = 1.0
|
||||||
|
slug = "HEADER_CORS{0}_WILDCARD"
|
||||||
|
cors_type = ""
|
||||||
|
places = ['Origin', 'Methods', 'Headers']
|
||||||
|
cors_headers = ["Access-Control-Allow-{0}".format(p) for p in places]
|
||||||
|
headers = test.init_resp.headers
|
||||||
|
|
||||||
|
for cors_header in cors_headers:
|
||||||
|
if headers.get(cors_header) == '*':
|
||||||
|
cors_type += "_" + cors_header.upper().split('-')[-1]
|
||||||
|
text = ("A wildcard CORS header policy with these details "
|
||||||
|
"was detected: {head}: {value}.\n".format(
|
||||||
|
head=cors_header, value=headers[cors_header]))
|
||||||
|
if cors_type == "":
|
||||||
|
return None
|
||||||
|
|
||||||
|
slug = slug.format(cors_type)
|
||||||
|
return syntribos.signal.SynSignal(text=text, slug=slug, strength=strength)
|
|
@ -0,0 +1,113 @@
|
||||||
|
# Copyright 2016 Intel
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
import requests
|
||||||
|
import requests_mock
|
||||||
|
import testtools
|
||||||
|
|
||||||
|
from syntribos.checks.header import cors
|
||||||
|
|
||||||
|
|
||||||
|
class FakeTestObject(object):
|
||||||
|
"""A class to generate fake test objects."""
|
||||||
|
def __init__(self, resp):
|
||||||
|
self.init_resp = resp
|
||||||
|
self.init_req = resp.request
|
||||||
|
self.test_resp = resp
|
||||||
|
self.test_req = resp.request
|
||||||
|
|
||||||
|
|
||||||
|
class TestHeaders(testtools.TestCase):
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_origin(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Origin": "*"}
|
||||||
|
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_ORIGIN_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_origin_headers(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Origin": "*",
|
||||||
|
"Access-Control-Allow-Headers": "*"}
|
||||||
|
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_ORIGIN_HEADERS_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_origin_methods(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Origin": "*",
|
||||||
|
"Access-Control-Allow-Methods": "*"}
|
||||||
|
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_ORIGIN_METHODS_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_headers_methods(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Headers": "*",
|
||||||
|
"Access-Control-Allow-Methods": "*"}
|
||||||
|
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_METHODS_HEADERS_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_origin_headers_methods(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Origin": "*",
|
||||||
|
"Access-Control-Allow-Headers": "*",
|
||||||
|
"Access-Control-Allow-Methods": "*"}
|
||||||
|
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_ORIGIN_METHODS_HEADERS_WILDCARD",
|
||||||
|
signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_methods(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Methods": "*"}
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_METHODS_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_cors_headers(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Headers": "*"}
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertEqual("HEADER_CORS_HEADERS_WILDCARD", signal.slug)
|
||||||
|
|
||||||
|
@requests_mock.Mocker()
|
||||||
|
def test_not_cors_headers(self, m):
|
||||||
|
cors_headers = {"Access-Control-Allow-Origin": "www.gg.com"}
|
||||||
|
m.register_uri("GET", "http://example.com", headers=cors_headers)
|
||||||
|
resp = requests.get("http://example.com")
|
||||||
|
test = FakeTestObject(resp)
|
||||||
|
signal = cors(test)
|
||||||
|
self.assertIsNone(signal)
|
Loading…
Reference in New Issue