Revision f8dedf60
Added by koszko about 1 year ago
test/haketilo_test/unit/test_policy_deciding.py | ||
23 | 23 |
|
24 | 24 |
from ..script_loader import load_script |
25 | 25 |
|
26 |
csp_re = re.compile(r'^\S+\s+\S+;(?:\s+\S+\s+\S+;)*$') |
|
27 |
rule_re = re.compile(r'^\s*(?P<src_kind>\S+)\s+(?P<allowed_origins>\S+)$') |
|
26 |
csp_re = re.compile(r''' |
|
27 |
^ |
|
28 |
\S+(?:\s+\S+)+; # first directive |
|
29 |
(?: |
|
30 |
\s+\S+(?:\s+\S+)+; # subsequent directive |
|
31 |
)* |
|
32 |
$ |
|
33 |
''', |
|
34 |
re.VERBOSE) |
|
35 |
|
|
36 |
rule_re = re.compile(r''' |
|
37 |
^ |
|
38 |
\s* |
|
39 |
(?P<src_kind>\S+) |
|
40 |
\s+ |
|
41 |
(?P<allowed_origins> |
|
42 |
\S+(?:\s+\S+)* |
|
43 |
) |
|
44 |
$ |
|
45 |
''', re.VERBOSE) |
|
46 |
|
|
28 | 47 |
def parse_csp(csp): |
29 |
''' |
|
30 |
Parsing of CSP string into a dict. A simplified format of CSP is assumed. |
|
31 |
''' |
|
48 |
'''Parsing of CSP string into a dict.''' |
|
32 | 49 |
assert csp_re.match(csp) |
33 | 50 |
|
34 | 51 |
result = {} |
35 | 52 |
|
36 | 53 |
for rule in csp.split(';')[:-1]: |
37 | 54 |
match = rule_re.match(rule) |
38 |
result[match.group('src_kind')] = match.group('allowed_origins') |
|
55 |
result[match.group('src_kind')] = match.group('allowed_origins').split()
|
|
39 | 56 |
|
40 | 57 |
return result |
41 | 58 |
|
... | ... | |
78 | 95 |
for prop in ('mapping', 'payload', 'nonce', 'error'): |
79 | 96 |
assert prop not in policy |
80 | 97 |
assert parse_csp(policy['csp']) == { |
81 |
'prefetch-src': "'none'",
|
|
82 |
'script-src-attr': "'none'",
|
|
83 |
'script-src': "'none'",
|
|
84 |
'script-src-elem': "'none'"
|
|
98 |
'prefetch-src': ["'none'"],
|
|
99 |
'script-src-attr': ["'none'"],
|
|
100 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
101 |
'script-src-elem': ["'none'"]
|
|
85 | 102 |
} |
86 | 103 |
|
87 | 104 |
policy = execute_in_page( |
... | ... | |
95 | 112 |
for prop in ('payload', 'nonce', 'error'): |
96 | 113 |
assert prop not in policy |
97 | 114 |
assert parse_csp(policy['csp']) == { |
98 |
'prefetch-src': "'none'",
|
|
99 |
'script-src-attr': "'none'",
|
|
100 |
'script-src': "'none'",
|
|
101 |
'script-src-elem': "'none'"
|
|
115 |
'prefetch-src': ["'none'"],
|
|
116 |
'script-src-attr': ["'none'"],
|
|
117 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
118 |
'script-src-elem': ["'none'"]
|
|
102 | 119 |
} |
103 | 120 |
|
104 | 121 |
policy = execute_in_page( |
... | ... | |
114 | 131 |
assert policy['nonce'] == \ |
115 | 132 |
sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex() |
116 | 133 |
assert parse_csp(policy['csp']) == { |
117 |
'prefetch-src': f"'none'",
|
|
118 |
'script-src-attr': f"'none'",
|
|
119 |
'script-src': f"'nonce-{policy['nonce']}'",
|
|
120 |
'script-src-elem': f"'nonce-{policy['nonce']}'"
|
|
134 |
'prefetch-src': ["'none'"],
|
|
135 |
'script-src-attr': ["'none'"],
|
|
136 |
'script-src': [f"'nonce-{policy['nonce']}'", "'unsafe-eval'"],
|
|
137 |
'script-src-elem': [f"'nonce-{policy['nonce']}'"]
|
|
121 | 138 |
} |
122 | 139 |
|
123 | 140 |
policy = execute_in_page( |
... | ... | |
128 | 145 |
for prop in ('mapping', 'payload', 'nonce'): |
129 | 146 |
assert prop not in policy |
130 | 147 |
assert parse_csp(policy['csp']) == { |
131 |
'prefetch-src': "'none'",
|
|
132 |
'script-src-attr': "'none'",
|
|
133 |
'script-src': "'none'",
|
|
134 |
'script-src-elem': "'none'"
|
|
148 |
'prefetch-src': ["'none'"],
|
|
149 |
'script-src-attr': ["'none'"],
|
|
150 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
151 |
'script-src-elem': ["'none'"]
|
|
135 | 152 |
} |
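Review bot: The expected policies at new lines 98–101, 115–118 and 148–151 pair `'none'` with `'unsafe-eval'` in `script-src`; under CSP, `'none'` is only meaningful as the sole source expression and browsers ignore it (with a console warning) when other expressions are present, so the effective directive there is `script-src 'unsafe-eval'`. Since these are the cases with no injected payload, the policy under test presumably does not need `'unsafe-eval'` at all and the expectation could stay `["'none'"]`, enabling eval only alongside the nonce as lines 136–137 do; the policy builder lives outside this file, so confirm there. Separately, the new one-line docstring of `parse_csp` (line 48) drops the caveat that a simplified CSP format is assumed, although the parser still relies on one (a trailing `;` after every directive, at least one value per directive, and a later duplicate directive overwriting the earlier one where CSP would ignore it); I would keep it: `'''Parse a CSP string into a dict. A simplified format is assumed: every directive has at least one value and ends with ';'; duplicate directives are not handled.'''`. Because source-expression order carries no meaning in CSP, comparing sorted lists or sets in these assertions would make them less brittle, unless the builder's output order is something the test intends to pin.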
allow eval() in injected scripts