p15693087
/
django
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Refs #32817 -- Added post_token/meta_token/token_header arguments to _get_POST_csrf_cookie_request().

This commit is contained in:
Chris Jerdonek 2021-06-10 10:20:08 -07:00 committed by Mariusz Felisiak
parent 999402f142
commit 6837bd68a4
1 changed files with 27 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
tests/csrf_tests/tests.py
View File

@ -46,10 +46,24 @@ class CsrfViewMiddlewareTestMixin:
def _get_GET_csrf_cookie_request(self, cookie=None): def _get_GET_csrf_cookie_request(self, cookie=None):
raise NotImplementedError('This method must be implemented by a subclass.') raise NotImplementedError('This method must be implemented by a subclass.')
def _get_POST_csrf_cookie_request(self, cookie=None): def _get_POST_csrf_cookie_request(
"""The cookie argument defaults to the valid test cookie.""" self, cookie=None, post_token=None, meta_token=None, token_header=None,
):
"""
The cookie argument defaults to this class's default test cookie. The
post_token and meta_token arguments are included in the request's
req.POST and req.META headers, respectively, when that argument is
provided and non-None. The token_header argument is the header key to
use for req.META, defaults to "HTTP_X_CSRFTOKEN".
"""
if token_header is None:
token_header = 'HTTP_X_CSRFTOKEN'
req = self._get_GET_csrf_cookie_request(cookie=cookie) req = self._get_GET_csrf_cookie_request(cookie=cookie)
req.method = "POST" req.method = "POST"
if post_token is not None:
req.POST['csrfmiddlewaretoken'] = post_token
if meta_token is not None:
req.META[token_header] = meta_token
return req return req
def _get_POST_no_csrf_cookie_request(self): def _get_POST_no_csrf_cookie_request(self):
@ -57,12 +71,8 @@ class CsrfViewMiddlewareTestMixin:
req.method = "POST" req.method = "POST"
return req return req
def _get_POST_request_with_token(self, token=None): def _get_POST_request_with_token(self):
"""The token argument defaults to the valid test token.""" req = self._get_POST_csrf_cookie_request(post_token=self._csrf_id)
if token is None:
token = self._csrf_id
req = self._get_POST_csrf_cookie_request()
req.POST['csrfmiddlewaretoken'] = token
return req return req
def _check_token_present(self, response, csrf_id=None): def _check_token_present(self, response, csrf_id=None):
@ -115,12 +125,8 @@ class CsrfViewMiddlewareTestMixin:
""" """
self._check_bad_or_missing_cookie(None, REASON_NO_CSRF_COOKIE) self._check_bad_or_missing_cookie(None, REASON_NO_CSRF_COOKIE)
def _check_bad_or_missing_token(self, token, expected): def _check_bad_or_missing_token(self, expected, token=None):
"""Passing None for token includes no token.""" req = self._get_POST_csrf_cookie_request(post_token=token)
if token is None:
req = self._get_POST_csrf_cookie_request()
else:
req = self._get_POST_request_with_token(token=token)
mw = CsrfViewMiddleware(post_form_view) mw = CsrfViewMiddleware(post_form_view)
mw.process_request(req) mw.process_request(req)
with self.assertLogs('django.security.csrf', 'WARNING') as cm: with self.assertLogs('django.security.csrf', 'WARNING') as cm:
@ -168,8 +174,7 @@ class CsrfViewMiddlewareTestMixin:
""" """
The token may be passed in a header instead of in the form. The token may be passed in a header instead of in the form.
""" """
req = self._get_POST_csrf_cookie_request() req = self._get_POST_csrf_cookie_request(meta_token=self._csrf_id)
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
mw = CsrfViewMiddleware(post_form_view) mw = CsrfViewMiddleware(post_form_view)
mw.process_request(req) mw.process_request(req)
resp = mw.process_view(req, post_form_view, (), {}) resp = mw.process_view(req, post_form_view, (), {})
@ -180,8 +185,10 @@ class CsrfViewMiddlewareTestMixin:
""" """
settings.CSRF_HEADER_NAME can be used to customize the CSRF header name settings.CSRF_HEADER_NAME can be used to customize the CSRF header name
""" """
req = self._get_POST_csrf_cookie_request() req = self._get_POST_csrf_cookie_request(
req.META['HTTP_X_CSRFTOKEN_CUSTOMIZED'] = self._csrf_id meta_token=self._csrf_id,
token_header='HTTP_X_CSRFTOKEN_CUSTOMIZED',
)
mw = CsrfViewMiddleware(post_form_view) mw = CsrfViewMiddleware(post_form_view)
mw.process_request(req) mw.process_request(req)
resp = mw.process_view(req, post_form_view, (), {}) resp = mw.process_view(req, post_form_view, (), {})
@ -210,17 +217,15 @@ class CsrfViewMiddlewareTestMixin:
""" """
HTTP PUT and DELETE can get through with X-CSRFToken and a cookie. HTTP PUT and DELETE can get through with X-CSRFToken and a cookie.
""" """
req = self._get_GET_csrf_cookie_request() req = self._get_POST_csrf_cookie_request(meta_token=self._csrf_id)
req.method = 'PUT' req.method = 'PUT'
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
mw = CsrfViewMiddleware(post_form_view) mw = CsrfViewMiddleware(post_form_view)
mw.process_request(req) mw.process_request(req)
resp = mw.process_view(req, post_form_view, (), {}) resp = mw.process_view(req, post_form_view, (), {})
self.assertIsNone(resp) self.assertIsNone(resp)
req = self._get_GET_csrf_cookie_request() req = self._get_POST_csrf_cookie_request(meta_token=self._csrf_id)
req.method = 'DELETE' req.method = 'DELETE'
req.META['HTTP_X_CSRFTOKEN'] = self._csrf_id
mw.process_request(req) mw.process_request(req)
resp = mw.process_view(req, post_form_view, (), {}) resp = mw.process_view(req, post_form_view, (), {})
self.assertIsNone(resp) self.assertIsNone(resp)