""" Helpers for URI and method injection tests. @see: U{CVE-2019-12387} """ import string UNPRINTABLE_ASCII = ( frozenset(range(0, 128)) - frozenset(bytearray(string.printable, 'ascii')) ) NONASCII = frozenset(range(128, 256)) class MethodInjectionTestsMixin(object): """ A mixin that runs HTTP method injection tests. Define L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} in a L{twisted.trial.unittest.SynchronousTestCase} subclass to test how HTTP client code behaves when presented with malicious HTTP methods. @see: U{CVE-2019-12387} """ def attemptRequestWithMaliciousMethod(self, method): """ Attempt to send a request with the given method. This should synchronously raise a L{ValueError} if either is invalid. @param method: the method (e.g. C{GET\x00}) @param uri: the URI @type method: """ raise NotImplementedError() def test_methodWithCLRFRejected(self): """ Issuing a request with a method that contains a carriage return and line feed fails with a L{ValueError}. """ with self.assertRaises(ValueError) as cm: method = b"GET\r\nX-Injected-Header: value" self.attemptRequestWithMaliciousMethod(method) self.assertRegex(str(cm.exception), "^Invalid method") def test_methodWithUnprintableASCIIRejected(self): """ Issuing a request with a method that contains unprintable ASCII characters fails with a L{ValueError}. """ for c in UNPRINTABLE_ASCII: method = b"GET%s" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousMethod(method) self.assertRegex(str(cm.exception), "^Invalid method") def test_methodWithNonASCIIRejected(self): """ Issuing a request with a method that contains non-ASCII characters fails with a L{ValueError}. """ for c in NONASCII: method = b"GET%s" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousMethod(method) self.assertRegex(str(cm.exception), "^Invalid method") class URIInjectionTestsMixin(object): """ A mixin that runs HTTP URI injection tests. Define L{MethodInjectionTestsMixin.attemptRequestWithMaliciousURI} in a L{twisted.trial.unittest.SynchronousTestCase} subclass to test how HTTP client code behaves when presented with malicious HTTP URIs. """ def attemptRequestWithMaliciousURI(self, method): """ Attempt to send a request with the given URI. This should synchronously raise a L{ValueError} if either is invalid. @param uri: the URI. @type method: """ raise NotImplementedError() def test_hostWithCRLFRejected(self): """ Issuing a request with a URI whose host contains a carriage return and line feed fails with a L{ValueError}. """ with self.assertRaises(ValueError) as cm: uri = b"http://twisted\r\n.invalid/path" self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI") def test_hostWithWithUnprintableASCIIRejected(self): """ Issuing a request with a URI whose host contains unprintable ASCII characters fails with a L{ValueError}. """ for c in UNPRINTABLE_ASCII: uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI") def test_hostWithNonASCIIRejected(self): """ Issuing a request with a URI whose host contains non-ASCII characters fails with a L{ValueError}. """ for c in NONASCII: uri = b"http://twisted%s.invalid/OK" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI") def test_pathWithCRLFRejected(self): """ Issuing a request with a URI whose path contains a carriage return and line feed fails with a L{ValueError}. """ with self.assertRaises(ValueError) as cm: uri = b"http://twisted.invalid/\r\npath" self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI") def test_pathWithWithUnprintableASCIIRejected(self): """ Issuing a request with a URI whose path contains unprintable ASCII characters fails with a L{ValueError}. """ for c in UNPRINTABLE_ASCII: uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI") def test_pathWithNonASCIIRejected(self): """ Issuing a request with a URI whose path contains non-ASCII characters fails with a L{ValueError}. """ for c in NONASCII: uri = b"http://twisted.invalid/OK%s" % (bytearray([c]),) with self.assertRaises(ValueError) as cm: self.attemptRequestWithMaliciousURI(uri) self.assertRegex(str(cm.exception), "^Invalid URI")
Name | Type | Size | Permission | Actions |
---|---|---|---|---|
__pycache__ | Folder | 0755 |
|
|
__init__.py | File | 108 B | 0644 |
|
_util.py | File | 2.51 KB | 0644 |
|
injectionhelpers.py | File | 5.5 KB | 0644 |
|
requesthelper.py | File | 10.6 KB | 0644 |
|
test_agent.py | File | 113.19 KB | 0644 |
|
test_cgi.py | File | 13.29 KB | 0644 |
|
test_client.py | File | 1.34 KB | 0644 |
|
test_distrib.py | File | 16.02 KB | 0644 |
|
test_domhelpers.py | File | 10.84 KB | 0644 |
|
test_error.py | File | 15.83 KB | 0644 |
|
test_flatten.py | File | 17.83 KB | 0644 |
|
test_html.py | File | 1.23 KB | 0644 |
|
test_http.py | File | 122.6 KB | 0644 |
|
test_http2.py | File | 105.98 KB | 0644 |
|
test_http_headers.py | File | 19.91 KB | 0644 |
|
test_httpauth.py | File | 22.75 KB | 0644 |
|
test_newclient.py | File | 102.47 KB | 0644 |
|
test_proxy.py | File | 19.62 KB | 0644 |
|
test_resource.py | File | 8.02 KB | 0644 |
|
test_script.py | File | 3.7 KB | 0644 |
|
test_stan.py | File | 5.53 KB | 0644 |
|
test_static.py | File | 62.22 KB | 0644 |
|
test_tap.py | File | 10.34 KB | 0644 |
|
test_template.py | File | 24.99 KB | 0644 |
|
test_util.py | File | 12.29 KB | 0644 |
|
test_vhost.py | File | 7.22 KB | 0644 |
|
test_web.py | File | 55.24 KB | 0644 |
|
test_web__responses.py | File | 877 B | 0644 |
|
test_webclient.py | File | 57.45 KB | 0644 |
|
test_wsgi.py | File | 73.06 KB | 0644 |
|
test_xml.py | File | 41.36 KB | 0644 |
|
test_xmlrpc.py | File | 28.24 KB | 0644 |
|