
Merge pull request #4185 from gratipay/fix-csrf-annoyance
Fix CSRF annoyance
Paul Kuruvilla authored Nov 14, 2016
2 parents e637762 + 5584aae commit f610ea2
Showing 2 changed files with 49 additions and 37 deletions.
37 changes: 0 additions & 37 deletions tests/py/test_hooks.py
Expand Up @@ -5,7 +5,6 @@
from aspen.http.request import Request
from aspen.http.response import Response

from gratipay.security import csrf
from gratipay.security.user import SESSION
from gratipay.testing import Harness

Expand Down Expand Up @@ -115,39 +114,3 @@ def test_caching_of_simplates(self):
r = self.client.GET('/about/')
assert r.headers['Cache-Control'] == 'no-cache'
assert 'Vary' not in r.headers

def test_no_csrf_cookie(self):
r = self.client.POST('/', csrf_token=False, raise_immediately=False)
assert r.code == 403
assert "Bad CSRF cookie" in r.body
assert b'csrf_token' in r.headers.cookie

def test_bad_csrf_cookie(self):
r = self.client.POST('/', csrf_token=b'bad_token', raise_immediately=False)
assert r.code == 403
assert "Bad CSRF cookie" in r.body
assert r.headers.cookie[b'csrf_token'].value != 'bad_token'

def test_csrf_cookie_set_for_most_requests(self):
r = self.client.GET('/about/')
assert b'csrf_token' in r.headers.cookie

def test_no_csrf_cookie_set_for_assets(self):
r = self.client.GET('/assets/gratipay.css')
assert b'csrf_token' not in r.headers.cookie

def test_sanitize_token_passes_through_good_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeeffff'
assert csrf._sanitize_token(token) == token

def test_sanitize_token_rejects_overlong_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeefffff'
assert csrf._sanitize_token(token) is None

def test_sanitize_token_rejects_underlong_token(self):
token = 'ddddeeeeaaaaddddbbbbeeeeeeeefff'
assert csrf._sanitize_token(token) is None

def test_sanitize_token_rejects_goofy_token(self):
token = 'ddddeeeeaaaadddd bbbbeeeeeeeefff'
assert csrf._sanitize_token(token) is None
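--- /dev/null
+++ b/tests/py/test_security_csrf.py
@@ -0,0 +1,49 @@
+# -*- coding: utf-8 -*-
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+from gratipay.security import csrf
+from gratipay.testing import Harness
+
+
+class Tests(Harness):
+
+# st - _sanitize_token
+
+def test_st_passes_through_good_token(self):
+token = 'ddddeeeeaaaaddddbbbbeeeeeeeeffff'
+assert csrf._sanitize_token(token) == token
+
+def test_st_rejects_overlong_token(self):
+token = 'ddddeeeeaaaaddddbbbbeeeeeeeefffff'
+assert csrf._sanitize_token(token) is None
+
+def test_st_rejects_underlong_token(self):
+token = 'ddddeeeeaaaaddddbbbbeeeeeeeefff'
+assert csrf._sanitize_token(token) is None
+
+def test_st_rejects_goofy_token(self):
+token = 'ddddeeeeaaaadddd bbbbeeeeeeeefff'
+assert csrf._sanitize_token(token) is None
+
+
+# integration tests
+
+def test_no_csrf_cookie_gives_403(self):
+r = self.client.POST('/', csrf_token=False, raise_immediately=False)
+assert r.code == 403
+assert "Bad CSRF cookie" in r.body
+assert b'csrf_token' in r.headers.cookie
+
+def test_bad_csrf_cookie_gives_403(self):
+r = self.client.POST('/', csrf_token=b'bad_token', raise_immediately=False)
+assert r.code == 403
+assert "Bad CSRF cookie" in r.body
+assert r.headers.cookie[b'csrf_token'].value != 'bad_token'
+
+def test_csrf_cookie_set_for_most_requests(self):
+r = self.client.GET('/about/')
+assert b'csrf_token' in r.headers.cookie
+
+def test_no_csrf_cookie_set_for_assets(self):
+r = self.client.GET('/assets/gratipay.css')
+assert b'csrf_token' not in r.headers.cookie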
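Review bot: The integration tests in the new file cover a missing cookie and a malformed cookie, but not the case the protection ultimately rests on: a well-formed `csrf_token` cookie sent with a request whose submitted token is absent or does not match it, so a regression that stops comparing the two would still pass this file. If the Harness client lets a test supply a cookie value and form fields together, a `test_mismatched_csrf_token_gives_403` that POSTs a good cookie with a different `csrf_token` field and asserts `r.code == 403` would close that gap; neither csrf.py nor the client is visible here, so the exact call shape needs confirming. Separately, the `# st - _sanitize_token` header is terse for a reader scanning the test names; `# "st" in the names below abbreviates csrf._sanitize_token` reads more clearly.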
