Gecko [ theprintave.ca ]

Name	Size	Permission	Date
__pycache__	[ DIR ]	drwxr-xr-x	2024-11-28 06:59
__init__.py	107 B	-rw-r--r--	2022-02-07 13:12
_util.py	3.1 KB	-rw-r--r--	2022-02-07 13:12
injectionhelpers.py	5.46 KB	-rw-r--r--	2022-02-07 13:12
requesthelper.py	14.77 KB	-rw-r--r--	2022-02-07 13:12
test_agent.py	118.21 KB	-rw-r--r--	2022-02-07 13:12
test_cgi.py	14.76 KB	-rw-r--r--	2022-02-07 13:12
test_client.py	1.33 KB	-rw-r--r--	2022-02-07 13:12
test_distrib.py	17.61 KB	-rw-r--r--	2022-02-07 13:12
test_domhelpers.py	10.78 KB	-rw-r--r--	2022-02-07 13:12
test_error.py	15.57 KB	-rw-r--r--	2022-02-07 13:12
test_flatten.py	21.61 KB	-rw-r--r--	2022-02-07 13:12
test_html.py	1.19 KB	-rw-r--r--	2022-02-07 13:12
test_http.py	151.87 KB	-rw-r--r--	2024-11-22 17:49
test_http2.py	105.32 KB	-rw-r--r--	2022-02-07 13:12
test_http_headers.py	22.75 KB	-rw-r--r--	2022-02-07 13:12
test_httpauth.py	23.23 KB	-rw-r--r--	2022-02-07 13:12
test_newclient.py	106.8 KB	-rw-r--r--	2022-02-07 13:12
test_proxy.py	19.58 KB	-rw-r--r--	2022-02-07 13:12
test_resource.py	8.92 KB	-rw-r--r--	2022-02-07 13:12
test_script.py	3.72 KB	-rw-r--r--	2022-02-07 13:12
test_soap.py	3.06 KB	-rw-r--r--	2022-02-07 13:12
test_stan.py	7.08 KB	-rw-r--r--	2022-02-07 13:12
test_static.py	66.6 KB	-rw-r--r--	2022-02-07 13:12
test_tap.py	11.56 KB	-rw-r--r--	2022-02-07 13:12
test_template.py	28.17 KB	-rw-r--r--	2022-02-07 13:12
test_util.py	14.7 KB	-rw-r--r--	2024-11-22 17:49
test_vhost.py	7.55 KB	-rw-r--r--	2024-11-22 17:49
test_web.py	67.52 KB	-rw-r--r--	2024-11-22 17:49
test_web__responses.py	829 B	-rw-r--r--	2022-02-07 13:12
test_webclient.py	11.52 KB	-rw-r--r--	2022-02-07 13:12
test_wsgi.py	74.72 KB	-rw-r--r--	2022-02-07 13:12
test_xml.py	41.04 KB	-rw-r--r--	2022-02-07 13:12
test_xmlrpc.py	29.86 KB	-rw-r--r--	2022-02-07 13:12

Rename

"""
Helpers for URI and method injection tests.

@see: U{CVE-2019-12387}
"""

import string

UNPRINTABLE_ASCII = frozenset(range(0, 128)) - frozenset(
    bytearray(string.printable, "ascii")
)

NONASCII = frozenset(range(128, 256))

class MethodInjectionTestsMixin:
    """
    A mixin that runs HTTP method injection tests.  Define
    L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} in
    a L{twisted.trial.unittest.SynchronousTestCase} subclass to test
    how HTTP client code behaves when presented with malicious HTTP
    methods.

@see: U{CVE-2019-12387}
    """

def attemptRequestWithMaliciousMethod(self, method):
        """
        Attempt to send a request with the given method.  This should
        synchronously raise a L{ValueError} if either is invalid.

@param method: the method (e.g. C{GET\x00})

@param uri: the URI

@type method:
        """
        raise NotImplementedError()

def test_methodWithCLRFRejected(self):
        """
        Issuing a request with a method that contains a carriage
        return and line feed fails with a L{ValueError}.
        """
        with self.assertRaises(ValueError) as cm:
            method = b"GET\r\nX-Injected-Header: value"
            self.attemptRequestWithMaliciousMethod(method)
        self.assertRegex(str(cm.exception), "^Invalid method")

def test_methodWithUnprintableASCIIRejected(self):
        """
        Issuing a request with a method that contains unprintable
        ASCII characters fails with a L{ValueError}.
        """
        for c in UNPRINTABLE_ASCII:
            method = b"GET%s" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousMethod(method)
            self.assertRegex(str(cm.exception), "^Invalid method")

def test_methodWithNonASCIIRejected(self):
        """
        Issuing a request with a method that contains non-ASCII
        characters fails with a L{ValueError}.
        """
        for c in NONASCII:
            method = b"GET%s" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousMethod(method)
            self.assertRegex(str(cm.exception), "^Invalid method")

class URIInjectionTestsMixin:
    """
    A mixin that runs HTTP URI injection tests.  Define
    L{MethodInjectionTestsMixin.attemptRequestWithMaliciousURI} in a
    L{twisted.trial.unittest.SynchronousTestCase} subclass to test how
    HTTP client code behaves when presented with malicious HTTP
    URIs.
    """

def attemptRequestWithMaliciousURI(self, method):
        """
        Attempt to send a request with the given URI.  This should
        synchronously raise a L{ValueError} if either is invalid.

@param uri: the URI.

@type method:
        """
        raise NotImplementedError()

def test_hostWithCRLFRejected(self):
        """
        Issuing a request with a URI whose host contains a carriage
        return and line feed fails with a L{ValueError}.
        """
        with self.assertRaises(ValueError) as cm:
            uri = b"http://twisted\r\n.invalid/path"
            self.attemptRequestWithMaliciousURI(uri)
        self.assertRegex(str(cm.exception), "^Invalid URI")

def test_hostWithWithUnprintableASCIIRejected(self):
        """
        Issuing a request with a URI whose host contains unprintable
        ASCII characters fails with a L{ValueError}.
        """
        for c in UNPRINTABLE_ASCII:
            uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousURI(uri)
            self.assertRegex(str(cm.exception), "^Invalid URI")

def test_hostWithNonASCIIRejected(self):
        """
        Issuing a request with a URI whose host contains non-ASCII
        characters fails with a L{ValueError}.
        """
        for c in NONASCII:
            uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousURI(uri)
            self.assertRegex(str(cm.exception), "^Invalid URI")

def test_pathWithCRLFRejected(self):
        """
        Issuing a request with a URI whose path contains a carriage
        return and line feed fails with a L{ValueError}.
        """
        with self.assertRaises(ValueError) as cm:
            uri = b"http://twisted.invalid/\r\npath"
            self.attemptRequestWithMaliciousURI(uri)
        self.assertRegex(str(cm.exception), "^Invalid URI")

def test_pathWithWithUnprintableASCIIRejected(self):
        """
        Issuing a request with a URI whose path contains unprintable
        ASCII characters fails with a L{ValueError}.
        """
        for c in UNPRINTABLE_ASCII:
            uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousURI(uri)
            self.assertRegex(str(cm.exception), "^Invalid URI")

def test_pathWithNonASCIIRejected(self):
        """
        Issuing a request with a URI whose path contains non-ASCII
        characters fails with a L{ValueError}.
        """
        for c in NONASCII:
            uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),)
            with self.assertRaises(ValueError) as cm:
                self.attemptRequestWithMaliciousURI(uri)
            self.assertRegex(str(cm.exception), "^Invalid URI")