|
1
|
# SPDX-License-Identifier: CC0-1.0
|
|
2
|
|
|
3
|
"""
|
|
4
|
Haketilo unit tests - exposing some special functionalities to injected scripts
|
|
5
|
"""
|
|
6
|
|
|
7
|
# This file is part of Haketilo
|
|
8
|
#
|
|
9
|
# Copyright (C) 2022 Wojtek Kosior <koszko@koszko.org>
|
|
10
|
#
|
|
11
|
# This program is free software: you can redistribute it and/or modify
|
|
12
|
# it under the terms of the CC0 1.0 Universal License as published by
|
|
13
|
# the Creative Commons Corporation.
|
|
14
|
#
|
|
15
|
# This program is distributed in the hope that it will be useful,
|
|
16
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
17
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
18
|
# CC0 1.0 Universal License for more details.
|
|
19
|
|
|
20
|
import pytest
|
|
21
|
import json
|
|
22
|
from selenium.webdriver.support.ui import WebDriverWait
|
|
23
|
|
|
24
|
from ..script_loader import load_script
|
|
25
|
from ..world_wide_library import some_data
|
|
26
|
|
|
27
|
def content_script():
|
|
28
|
return load_script('content/haketilo_apis.js') + ';\nstart();'
|
|
29
|
|
|
30
|
def background_script():
|
|
31
|
return load_script('background/CORS_bypass_server.js') + ';\nstart();'
|
|
32
|
|
|
33
|
resource_url = 'https://anotherdoma.in/resource/blocked/by/CORS.json'
|
|
34
|
|
|
35
|
@pytest.mark.ext_data({
|
|
36
|
'content_script': content_script,
|
|
37
|
'background_script': background_script
|
|
38
|
})
|
|
39
|
@pytest.mark.usefixtures('webextension')
|
|
40
|
def test_haketilo_apis_CORS_bypass(driver):
|
|
41
|
"""
|
|
42
|
Verify injected scripts will be able to bypass CORS with the help of
|
|
43
|
Haketilo API.
|
|
44
|
"""
|
|
45
|
driver.get('https://gotmyowndoma.in/')
|
|
46
|
|
|
47
|
# First, verify that it is impossible to normally fetch the resource.
|
|
48
|
with pytest.raises(Exception, match='NetworkError'):
|
|
49
|
driver.execute_script('return fetch(arguments[0]);', resource_url)
|
|
50
|
|
|
51
|
# First, verify that it is possible to fetch the resource using API.
|
|
52
|
response = driver.execute_script(
|
|
53
|
'''
|
|
54
|
const fetch_arg = {
|
|
55
|
url: arguments[0],
|
|
56
|
init: {},
|
|
57
|
verify_that_nonstandard_properties_are_ignored: ":)"
|
|
58
|
};
|
|
59
|
|
|
60
|
const detail = {
|
|
61
|
data: JSON.stringify(fetch_arg),
|
|
62
|
id: "abcdef",
|
|
63
|
nonstandard_properties_verify_that_ignored_are: ":o"
|
|
64
|
};
|
|
65
|
|
|
66
|
let cb, done = new Promise(_cb => cb = _cb);
|
|
67
|
window.addEventListener("haketilo_CORS_bypass-abcdef",
|
|
68
|
e => cb(JSON.parse(e.detail)));
|
|
69
|
window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass", {detail}));
|
|
70
|
|
|
71
|
return done;
|
|
72
|
''',
|
|
73
|
resource_url)
|
|
74
|
|
|
75
|
assert response['body'] == some_data.encode().hex()
|
|
76
|
assert response['status'] == 200
|
|
77
|
assert type(response['headers']) is list
|
|
78
|
|
|
79
|
@pytest.mark.ext_data({
|
|
80
|
'content_script': content_script,
|
|
81
|
'background_script': background_script
|
|
82
|
})
|
|
83
|
@pytest.mark.usefixtures('webextension')
|
|
84
|
@pytest.mark.parametrize('error', [
|
|
85
|
'bad url',
|
|
86
|
'no_url',
|
|
87
|
'non_string_url',
|
|
88
|
'non_object_init',
|
|
89
|
'non_object_detail',
|
|
90
|
'non_string_id',
|
|
91
|
'non_string_data'
|
|
92
|
])
|
|
93
|
def test_haketilo_apis_CORS_bypass_errors(driver, error):
|
|
94
|
"""
|
|
95
|
Verify errors are returned properly by CORS_bypass API.
|
|
96
|
"""
|
|
97
|
data = {
|
|
98
|
'bad_url': {'url': 'muahahahaha', 'init': {}},
|
|
99
|
'no_url': {'init': {}},
|
|
100
|
'non_string_url': {'url': {}, 'init': {}},
|
|
101
|
'non_object_init': {'url': {}, 'init': ":d"},
|
|
102
|
}.get(error, {'url': resource_url, 'init': {}})
|
|
103
|
|
|
104
|
detail = {
|
|
105
|
'non_object_detail': '!!!',
|
|
106
|
'non_string_id': {'data': json.dumps(data), 'id': None},
|
|
107
|
'non_string_data': {'data': data, 'id': 'abcdef'}
|
|
108
|
}.get(error, {'data': json.dumps(data), 'id': 'abcdef'})
|
|
109
|
|
|
110
|
driver.get('https://gotmyowndoma.in/')
|
|
111
|
|
|
112
|
result = driver.execute_script(
|
|
113
|
'''
|
|
114
|
let cb, done = new Promise(_cb => cb = _cb);
|
|
115
|
window.addEventListener("haketilo_CORS_bypass-abcdef",
|
|
116
|
e => cb(JSON.parse(e.detail)));
|
|
117
|
window.dispatchEvent(new CustomEvent("haketilo_CORS_bypass",
|
|
118
|
{detail: arguments[0]}));
|
|
119
|
setTimeout(() => cb("timeout"), 5000);
|
|
120
|
|
|
121
|
return done;
|
|
122
|
''',
|
|
123
|
detail)
|
|
124
|
|
|
125
|
if error in {'bad_url', 'no_url', 'non_string_url', 'non_object_init'}:
|
|
126
|
assert result['error']['name'] == 'TypeError'
|
|
127
|
|
|
128
|
if error in {'non_object_detail', 'non_string_id', 'non_string_data'}:
|
|
129
|
assert result == 'timeout'
|