Mercurial Repository: p/roundup/code: test/rest

comparison test/rest_common.py @ 5726:e199d0ae4a25

issue2551033: prevent reverse engineering hidden data by using etags as an oracle to identify when the right data has been guessed. Identified by Joseph Myers who also suggested remediation methods. Implemented John Rouillard.

author	John Rouillard <rouilj@ieee.org>
date	Thu, 23 May 2019 18:56:57 -0400
parents	aea2cc142c1b
children	8b5171f353eb

comparison

equal deleted inserted replaced

-:6923225fd781
+:e199d0ae4a25
 realname='JohnRandom',
 roles='User,Admin'
 )
 node = self.db.user.getnode(self.joeid)
-etag = calculate_etag(node)
+etag = calculate_etag(node, "zysjskakss")
 items = node.items(protected=True) # include every item
 print(repr(items))
 print(etag)
 self.assertEqual(etag, "6adf97f83acf6453d4a6a4b1070f3754")
-etag = calculate_etag(self.db.issue.getnode("1"))
+etag = calculate_etag(self.db.issue.getnode("1"), "zysjskakss")
 print(etag)
 self.assertEqual(etag, "6adf97f83acf6453d4a6a4b1070f3754")
 def testEtagProcessing(self):
 '''
 del(self.headers)
 except AttributeError:
 pass
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid),
+"zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('data', 'Joe Doe Doe'),
 ]
 if mode == 'header':
 """
 # TEST #1
 # PUT: joe's 'realname' using json data.
 # simulate: /rest/data/user/<id>/realname
 # use etag in header
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 body=b'{ "data": "Joe Doe 1" }'
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "PUT"
 }
 # TEST #2
 # Set joe's 'realname' using json data.
 # simulate: /rest/data/user/<id>/realname
 # use etag in payload
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 etagb = etag.strip ('"')
 body=s2b('{ "@etag": "\\"%s\\"", "data": "Joe Doe 2" }'%etagb)
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "PUT",
 #  FieldStorage(None, None, [])
 # use etag from header
 #
 # Also use GET on the uri via the dispatch to retrieve
 # the results from the db.
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 headers={"if-match": etag,
 "accept": "application/vnd.json.test-v1+json",
 }
 form = cgi.FieldStorage()
 form.list = [
 # save address so we can use it later
 stored_results = self.server.get_element('user', self.joeid,
 self.empty_form)
 self.assertEqual(self.dummy_client.response_code, 200)
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 etagb = etag.strip ('"')
 body=s2b('{ "address": "demo2@example.com", "@etag": "\\"%s\\""}'%etagb)
 env = { "CONTENT_TYPE": "application/json",
 "CONTENT_LENGTH": len(body),
 "REQUEST_METHOD": "PATCH"
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['attributes']['address'],
 'demo2@example.com')
 # and set it back reusing env and headers from last test
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 etagb = etag.strip ('"')
 body=s2b('{ "address": "%s", "@etag": "\\"%s\\""}'%(
 stored_results['data']['attributes']['address'],
 etagb))
 # reuse env and headers from prior test.
 self.assertEqual(msg, "Must provide the 'name' property.")
 # TEST #8
 # DELETE: delete issue 1
-etag = calculate_etag(self.db.issue.getnode("1"))
+etag = calculate_etag(self.db.issue.getnode("1"), "zysjskakss")
 etagb = etag.strip ('"')
 env = {"CONTENT_TYPE": "application/json",
 "CONTENT_LEN": 0,
 "REQUEST_METHOD": "DELETE" }
 # use text/plain header and request json output by appending
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['data']['data'], 'Joe Random')
 # change Joe's realname via attribute uri - etag in header
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('data', 'Joe Doe Doe'),
 ]
 self.headers = {'if-match': etag } # use etag in header
 # Also try to set protected items. The protected items should
 # be ignored on put_element to make it easy to get the item
 # with all fields, change one field and put the result without
 # having to filter out protected items.
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('creator', '3'),
 cgi.MiniFieldStorage('realname', 'Joe Doe'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 # Try to reset joe's 'realname' and add a broken prop.
 # This should result in no change to the name and
 # a 400 UsageError stating prop does not exist.
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('JustKidding', '3'),
 cgi.MiniFieldStorage('realname', 'Joe Doe'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 def testPutAttribute(self):
 # put protected property
 # make sure we don't have permission issues
 self.db.setCurrentUser('admin')
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('data', '3'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 results = self.server.put_attribute(
 # put invalid property
 # make sure we don't have permission issues
 self.db.setCurrentUser('admin')
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.user.getnode(self.joeid))
+etag = calculate_etag(self.db.user.getnode(self.joeid), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('data', '3'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 results = self.server.put_attribute(
 self.assertEqual(len(results['attributes']['nosy']), 1)
 self.assertListEqual(results['attributes']['nosy'],
 [{'id': '1', 'link': self.url_pfx + 'user/1'}])
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list.append(cgi.MiniFieldStorage('@etag', etag))
 # remove the title and nosy
 results = self.server.delete_attribute(
 'issue', issue_id, 'title', form
 )
 self.assertEqual(self.dummy_client.response_code, 200)
 del(form.list[-1])
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list.append(cgi.MiniFieldStorage('@etag', etag))
 results = self.server.delete_attribute(
 'issue', issue_id, 'nosy', form
 )
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(len(results['attributes']['nosy']), 0)
 self.assertListEqual(results['attributes']['nosy'], [])
 self.assertEqual(results['attributes']['title'], None)
 # delete protected property
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list.append(cgi.MiniFieldStorage('@etag', etag))
 results = self.server.delete_attribute(
 'issue', issue_id, 'creator', form
 )
 expected= {'error': {
 self.assertEqual(type(results['error']['msg']),
 type(expected['error']['msg']))
 self.assertEqual(self.dummy_client.response_code, 405)
 # delete required property
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list.append(cgi.MiniFieldStorage('@etag', etag))
 results = self.server.delete_attribute(
 'issue', issue_id, 'requireme', form
 )
 expected= {'error': {'status': 400,
 self.assertEqual(str(results['error']['msg']),
 str(expected['error']['msg']))
 self.assertEqual(self.dummy_client.response_code, 400)
 # delete bogus property
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list.append(cgi.MiniFieldStorage('@etag', etag))
 results = self.server.delete_attribute(
 'issue', issue_id, 'nosuchprop', form
 )
 expected= {'error': {'status': 400,
 cgi.MiniFieldStorage('nosy', '2')
 ]
 results = self.server.patch_element('issue', issue_id, form)
 self.assertEqual(self.dummy_client.response_code, 412)
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'add'),
 cgi.MiniFieldStorage('nosy', '2'),
 cgi.MiniFieldStorage('@etag', etag)
 results = results['data']
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(len(results['attributes']['nosy']), 2)
 self.assertListEqual(results['attributes']['nosy'], ['1', '2'])
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'add'),
 cgi.MiniFieldStorage('data', '3'),
 cgi.MiniFieldStorage('@etag', etag)
 self.assertEqual(len(results['attributes']['nosy']), 3)
 self.assertListEqual(results['attributes']['nosy'], ['1', '2', '3'])
 # patch invalid property
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'add'),
 cgi.MiniFieldStorage('data', '3'),
 cgi.MiniFieldStorage('@etag', etag)
 self.assertEqual(results['attributes']['status'], '1')
 self.assertEqual(len(results['attributes']['nosy']), 1)
 self.assertListEqual(results['attributes']['nosy'], ['1'])
 # replace userid 2 to the nosy list and status = 3
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'replace'),
 cgi.MiniFieldStorage('nosy', '2'),
 cgi.MiniFieldStorage('status', '3'),
 self.assertEqual(results['attributes']['status'], '3')
 self.assertEqual(len(results['attributes']['nosy']), 1)
 self.assertListEqual(results['attributes']['nosy'], ['2'])
 # replace status = 2 using status attribute
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'replace'),
 cgi.MiniFieldStorage('data', '2'),
 cgi.MiniFieldStorage('@etag', etag)
 results = results['data']
 self.assertEqual(self.dummy_client.response_code, 200)
 self.assertEqual(results['attributes']['status'], '2')
 # try to set a protected prop. It should fail.
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'replace'),
 cgi.MiniFieldStorage('creator', '2'),
 cgi.MiniFieldStorage('@etag', etag)
 str(expected['error']['msg']))
 self.assertEqual(self.dummy_client.response_code, 400)
 # try to set a protected prop using patch_attribute. It should
 # fail with a 405 bad/unsupported method.
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'replace'),
 cgi.MiniFieldStorage('data', '2'),
 cgi.MiniFieldStorage('@etag', etag)
 self.assertEqual(len(results['attributes']['nosy']), 2)
 self.assertEqual(results['attributes']['nosy'], ['1', '2'])
 # remove the nosy list and the title
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('@op', 'remove'),
 cgi.MiniFieldStorage('nosy', ''),
 cgi.MiniFieldStorage('title', ''),
 cgi.MiniFieldStorage('@etag', etag)
 self.assertEqual(results['attributes']['title'], None)
 self.assertEqual(len(results['attributes']['nosy']), 0)
 self.assertEqual(results['attributes']['nosy'], [])
 # try to remove a protected prop. It should fail.
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form = cgi.FieldStorage()
 form.list = [
 cgi.MiniFieldStorage('@op', 'remove'),
 cgi.MiniFieldStorage('creator', '2'),
 cgi.MiniFieldStorage('@etag', etag)
 self.assertEqual(str(results['error']['msg']),
 str(expected['error']['msg']))
 self.assertEqual(self.dummy_client.response_code, 400)
 # try to remove a required prop. it should fail
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('@op', 'remove'),
 cgi.MiniFieldStorage('requireme', ''),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 self.assertEqual(self.dummy_client.response_code, 412)
 self.assertFalse(self.db.issue.is_retired(issue_id))
 # execute action retire
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('@op', 'action'),
 cgi.MiniFieldStorage('@action_name', 'retire'),
 cgi.MiniFieldStorage('@etag', etag)
 ]
 self.assertEqual(len(results['attributes']['nosy']), 3)
 self.assertEqual(results['attributes']['nosy'], ['1', '2', '3'])
 # remove the nosy list and the title
 form = cgi.FieldStorage()
-etag = calculate_etag(self.db.issue.getnode(issue_id))
+etag = calculate_etag(self.db.issue.getnode(issue_id), "zysjskakss")
 form.list = [
 cgi.MiniFieldStorage('@op', 'remove'),
 cgi.MiniFieldStorage('nosy', '1, 2'),
 cgi.MiniFieldStorage('@etag', etag)
 ]

Mercurial > p > roundup > code

comparison test/rest_common.py @ 5726:e199d0ae4a25