uce/tests/plugins/uce_security_smoke.py

45 lines
2.0 KiB
Python

import http.client
from run_network_tests import TestFailure
def _direct_http_request(path, headers=None):
connection = http.client.HTTPConnection("127.0.0.1", 8080, timeout=5.0)
try:
connection.request("GET", path, headers=headers or {})
response = connection.getresponse()
body = response.read().decode("utf-8", errors="replace")
return response.status, dict(response.getheaders()), body
finally:
connection.close()
def register(registry):
def direct_http_rejects_dotdot(context):
status, headers, body = _direct_http_request("/../site/demo/hello.uce")
if status == 200 or "hello world" in body:
raise TestFailure("direct HTTP accepted dot-dot script traversal")
return "direct HTTP dot-dot traversal rejected with HTTP %s" % status
def direct_http_ignores_script_filename_header(context):
status, headers, body = _direct_http_request(
"/no-such-script.uce",
headers={"Script-Filename": "/Code/uce.openfu.com/uce/site/demo/hello.uce"},
)
if status == 200 or "hello world" in body:
raise TestFailure("direct HTTP trusted client Script-Filename header")
return "direct HTTP Script-Filename override rejected with HTTP %s" % status
def response_headers_are_sanitized(context):
response = context.request("/tests/security_headers.uce")
if "X-UCE-Injected" in response.headers or "X-UCE-Redirect-Injected" in response.headers:
raise TestFailure("CRLF header injection produced an extra response header")
location = response.headers.get("Location", "")
if "\r" in location or "\n" in location:
raise TestFailure("Location header contains raw CR/LF")
return "CRLF response header injection was sanitized"
registry.case("direct HTTP rejects dot-dot script traversal", direct_http_rejects_dotdot, tags=["security", "http", "internal"])
registry.case("direct HTTP ignores Script-Filename header", direct_http_ignores_script_filename_header, tags=["security", "http", "internal"])
registry.case("response headers sanitize CRLF", response_headers_are_sanitized, tags=["security", "http", "internal"])