Revision f8dedf60
Added by koszko about 1 year ago
| test/haketilo_test/unit/test_policy_deciding.py | ||
|---|---|---|
| 23 | 23 |
|
| 24 | 24 |
from ..script_loader import load_script |
| 25 | 25 |
|
| 26 |
csp_re = re.compile(r'^\S+\s+\S+;(?:\s+\S+\s+\S+;)*$') |
|
| 27 |
rule_re = re.compile(r'^\s*(?P<src_kind>\S+)\s+(?P<allowed_origins>\S+)$') |
|
| 26 |
csp_re = re.compile(r''' |
|
| 27 |
^ |
|
| 28 |
\S+(?:\s+\S+)+; # first directive |
|
| 29 |
(?: |
|
| 30 |
\s+\S+(?:\s+\S+)+; # subsequent directive |
|
| 31 |
)* |
|
| 32 |
$ |
|
| 33 |
''', |
|
| 34 |
re.VERBOSE) |
|
| 35 |
|
|
| 36 |
rule_re = re.compile(r''' |
|
| 37 |
^ |
|
| 38 |
\s* |
|
| 39 |
(?P<src_kind>\S+) |
|
| 40 |
\s+ |
|
| 41 |
(?P<allowed_origins> |
|
| 42 |
\S+(?:\s+\S+)* |
|
| 43 |
) |
|
| 44 |
$ |
|
| 45 |
''', re.VERBOSE) |
|
| 46 |
|
|
| 28 | 47 |
def parse_csp(csp): |
| 29 |
''' |
|
| 30 |
Parsing of CSP string into a dict. A simplified format of CSP is assumed. |
|
| 31 |
''' |
|
| 48 |
'''Parsing of CSP string into a dict.''' |
|
| 32 | 49 |
assert csp_re.match(csp) |
| 33 | 50 |
|
| 34 | 51 |
result = {}
|
| 35 | 52 |
|
| 36 | 53 |
for rule in csp.split(';')[:-1]:
|
| 37 | 54 |
match = rule_re.match(rule) |
| 38 |
result[match.group('src_kind')] = match.group('allowed_origins')
|
|
| 55 |
result[match.group('src_kind')] = match.group('allowed_origins').split()
|
|
| 39 | 56 |
|
| 40 | 57 |
return result |
| 41 | 58 |
|
| ... | ... | |
| 78 | 95 |
for prop in ('mapping', 'payload', 'nonce', 'error'):
|
| 79 | 96 |
assert prop not in policy |
| 80 | 97 |
assert parse_csp(policy['csp']) == {
|
| 81 |
'prefetch-src': "'none'",
|
|
| 82 |
'script-src-attr': "'none'",
|
|
| 83 |
'script-src': "'none'",
|
|
| 84 |
'script-src-elem': "'none'"
|
|
| 98 |
'prefetch-src': ["'none'"],
|
|
| 99 |
'script-src-attr': ["'none'"],
|
|
| 100 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
| 101 |
'script-src-elem': ["'none'"]
|
|
| 85 | 102 |
} |
| 86 | 103 |
|
| 87 | 104 |
policy = execute_in_page( |
| ... | ... | |
| 95 | 112 |
for prop in ('payload', 'nonce', 'error'):
|
| 96 | 113 |
assert prop not in policy |
| 97 | 114 |
assert parse_csp(policy['csp']) == {
|
| 98 |
'prefetch-src': "'none'",
|
|
| 99 |
'script-src-attr': "'none'",
|
|
| 100 |
'script-src': "'none'",
|
|
| 101 |
'script-src-elem': "'none'"
|
|
| 115 |
'prefetch-src': ["'none'"],
|
|
| 116 |
'script-src-attr': ["'none'"],
|
|
| 117 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
| 118 |
'script-src-elem': ["'none'"]
|
|
| 102 | 119 |
} |
| 103 | 120 |
|
| 104 | 121 |
policy = execute_in_page( |
| ... | ... | |
| 114 | 131 |
assert policy['nonce'] == \ |
| 115 | 132 |
sha256('m1:res1:http://kno.wn/:abcd'.encode()).digest().hex()
|
| 116 | 133 |
assert parse_csp(policy['csp']) == {
|
| 117 |
'prefetch-src': f"'none'",
|
|
| 118 |
'script-src-attr': f"'none'",
|
|
| 119 |
'script-src': f"'nonce-{policy['nonce']}'",
|
|
| 120 |
'script-src-elem': f"'nonce-{policy['nonce']}'"
|
|
| 134 |
'prefetch-src': ["'none'"],
|
|
| 135 |
'script-src-attr': ["'none'"],
|
|
| 136 |
'script-src': [f"'nonce-{policy['nonce']}'", "'unsafe-eval'"],
|
|
| 137 |
'script-src-elem': [f"'nonce-{policy['nonce']}'"]
|
|
| 121 | 138 |
} |
| 122 | 139 |
|
| 123 | 140 |
policy = execute_in_page( |
| ... | ... | |
| 128 | 145 |
for prop in ('mapping', 'payload', 'nonce'):
|
| 129 | 146 |
assert prop not in policy |
| 130 | 147 |
assert parse_csp(policy['csp']) == {
|
| 131 |
'prefetch-src': "'none'",
|
|
| 132 |
'script-src-attr': "'none'",
|
|
| 133 |
'script-src': "'none'",
|
|
| 134 |
'script-src-elem': "'none'"
|
|
| 148 |
'prefetch-src': ["'none'"],
|
|
| 149 |
'script-src-attr': ["'none'"],
|
|
| 150 |
'script-src': ["'none'", "'unsafe-eval'"],
|
|
| 151 |
'script-src-elem': ["'none'"]
|
|
| 135 | 152 |
} |
Also available in: Unified diff
allow eval() in injected scripts