Resolve "Use a HMAC instead of a hash"

author: jfriedli 2020-04-26 09:50:14 -0700
committer: jfriedli 2020-04-26 09:50:14 -0700
commit: c301e472bd7fd79d675c5df089db0b16fd1e2cfe (patch)
tree: c3332e0f974edc09881b5534c35becc5b9fffa3b /test/test.py
parent: e1bac8b6a7fd857f38b7bcb678398c82baaa8fd5 (diff)
1 files changed, 55 insertions, 34 deletions
diff --git a/test/test.py b/test/test.py
index 02216ac..2d09662 100644
--- a/test/test.py
+++ b/test/test.py
@@ -6,12 +6,13 @@ import io
 import os
 from unittest.mock import patch
+from flask_testing import TestCase
 import main
-class Mat2WebTestCase(unittest.TestCase):
+class Mat2WebTestCase(TestCase):
-    def setUp(self):
+    def create_app(self):
        os.environ.setdefault('MAT2_ALLOW_ORIGIN_WHITELIST', 'origin1.gnu origin2.gnu')
        self.upload_folder = tempfile.mkdtemp()
        app = main.create_app(
@@ -20,45 +21,45 @@ class Mat2WebTestCase(unittest.TestCase):
                'UPLOAD_FOLDER': self.upload_folder
            }
        )
-        self.app = app.test_client()
+        return app
    def tearDown(self):
        shutil.rmtree(self.upload_folder)
    def test_get_root(self):
-        rv = self.app.get('/')
+        rv = self.client.get('/')
        self.assertIn(b'mat2-web', rv.data)
    def test_check_mimetypes(self):
-        rv = self.app.get('/')
+        rv = self.client.get('/')
        self.assertIn(b'.torrent', rv.data)
        self.assertIn(b'.ods', rv.data)
    def test_get_download_dangerous_file(self):
-        rv = self.app.get('/download/1337/\..\filename')
+        rv = self.client.get('/download/1337/aabb/\..\filename')
        self.assertEqual(rv.status_code, 302)
    def test_get_download_without_key_file(self):
-        rv = self.app.get('/download/non_existant')
+        rv = self.client.get('/download/non_existant')
        self.assertEqual(rv.status_code, 404)
    def test_get_download_nonexistant_file(self):
-        rv = self.app.get('/download/1337/non_existant')
+        rv = self.client.get('/download/1337/aabb/non_existant')
        self.assertEqual(rv.status_code, 302)
    def test_get_upload_without_file(self):
-        rv = self.app.post('/')
+        rv = self.client.post('/')
        self.assertEqual(rv.status_code, 302)
    def test_get_upload_empty_file(self):
-        rv = self.app.post('/',
+        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b""), 'test.pdf'),
                    ), follow_redirects=False)
        self.assertEqual(rv.status_code, 302)
    def test_get_upload_empty_file_redir(self):
-        rv = self.app.post('/',
+        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b""), 'test.pdf'),
                    ), follow_redirects=True)
@@ -67,7 +68,7 @@ class Mat2WebTestCase(unittest.TestCase):
        self.assertEqual(rv.status_code, 200)
    def test_get_upload_no_selected_file(self):
-        rv = self.app.post('/',
+        rv = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(b""), ''),
                           ), follow_redirects=True)
@@ -86,7 +87,7 @@ class Mat2WebTestCase(unittest.TestCase):
            'AAAAAAAAAAApIFnAAAAdGVzdC5qc29uVVQNAAfomo9d6JqPXeiaj111eAsAAQTpAwAABOkDAAB'
            'QSwUGAAAAAAIAAgC8AAAAwAAAAAAA'
        )
-        rv = self.app.post('/',
+        rv = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(zip_file_bytes), 'test.zip'),
                           ), follow_redirects=True)
@@ -94,7 +95,7 @@ class Mat2WebTestCase(unittest.TestCase):
        self.assertEqual(rv.status_code, 200)
    def test_get_upload_no_file_name(self):
-        rv = self.app.post('/',
+        rv = self.client.post('/',
                data=dict(
                    file=(io.BytesIO(b"aaa")),
                    ), follow_redirects=True)
@@ -102,30 +103,51 @@ class Mat2WebTestCase(unittest.TestCase):
        self.assertEqual(rv.status_code, 200)
    def test_get_upload_harmless_file(self):
-        rv = self.app.post('/',
+        rv = self.client.post(
-                data=dict(
+            '/',
-                    file=(io.BytesIO(b"Some text"), 'test.txt'),
+            data=dict(
-                    ), follow_redirects=True)
+                file=(io.BytesIO(b"Some text"), 'test.txt'),
-        self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt', rv.data)
+            ),
+            follow_redirects=True
+        )
+        download_uri = self.get_context_variable('download_uri')
+        self.assertIn('/test.cleaned.txt', download_uri)
        self.assertEqual(rv.status_code, 200)
        self.assertNotIn('Access-Control-Allow-Origin', rv.headers)
-        rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
+        rv = self.client.get(download_uri)
        self.assertEqual(rv.status_code, 200)
-        rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
+        rv = self.client.get(download_uri)
        self.assertEqual(rv.status_code, 302)
-    def test_upload_wrong_hash(self):
+    def test_upload_wrong_hash_or_secret(self):
-        rv = self.app.post('/',
+        rv = self.client.post(
-                           data=dict(
+            '/',
-                               file=(io.BytesIO(b"Some text"), 'test.txt'),
+            data=dict(
-                           ), follow_redirects=True)
+                file=(io.BytesIO(b"Some text"), 'test.txt'),
-        self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt',
+            ),
-                      rv.data)
+            follow_redirects=True
+        )
+        download_uri = self.get_context_variable('download_uri')
+        self.assertIn('/test.cleaned.txt', download_uri)
+        self.assertIn('/download', download_uri)
        self.assertEqual(rv.status_code, 200)
-        rv = self.app.get('/download/70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')
+        uri_parts = download_uri.split("/")
+        self.assertEqual(len(uri_parts[2]), len(uri_parts[3]))
+        self.assertEqual(64, len(uri_parts[2]))
+        key_uri_parts = uri_parts
+        key_uri_parts[2] = '70623619c'
+        rv = self.client.get("/".join(key_uri_parts))
+        self.assertEqual(rv.status_code, 302)
+        key_uri_parts = uri_parts
+        key_uri_parts[3] = '70623619c'
+        rv = self.client.get("/".join(key_uri_parts))
        self.assertEqual(rv.status_code, 302)
    @patch('matweb.file_removal_scheduler.random.randint')
@@ -140,19 +162,18 @@ class Mat2WebTestCase(unittest.TestCase):
        )
        app = app.test_client()
-        request = self.app.post('/',
+        request = self.client.post('/',
                           data=dict(
                               file=(io.BytesIO(b"Some text"), 'test.txt'),
                           ), follow_redirects=True)
        self.assertEqual(request.status_code, 200)
-        request = app.get(
-            b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt'
+        request = app.get(self.get_context_variable('download_uri'))
-        )
        self.assertEqual(302, request.status_code)
        os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = '9999'
    def test_info_page(self):
-        rv = self.app.get('/info')
+        rv = self.client.get('/info')
        self.assertIn(b'What are metadata?', rv.data)
        self.assertIn(b'.asc', rv.data)
        self.assertIn(b'.mp2', rv.data)
author	jfriedli	2020-04-26 09:50:14 -0700
committer	jfriedli	2020-04-26 09:50:14 -0700
commit	c301e472bd7fd79d675c5df089db0b16fd1e2cfe (patch)
tree	c3332e0f974edc09881b5534c35becc5b9fffa3b /test/test.py
parent	e1bac8b6a7fd857f38b7bcb678398c82baaa8fd5 (diff)

diff --git a/test/test.py b/test/test.py index 02216ac..2d09662 100644 --- a/test/test.py +++ b/test/test.py
@@ -6,12 +6,13 @@ import io
6	import os	6	import os
7		7
8	from unittest.mock import patch	8	from unittest.mock import patch
		9	from flask_testing import TestCase
9		10
10	import main	11	import main
11		12
12		13
13	class Mat2WebTestCase(unittest.TestCase):	14	class Mat2WebTestCase(TestCase):
14	def setUp(self):	15	def create_app(self):
15	os.environ.setdefault('MAT2_ALLOW_ORIGIN_WHITELIST', 'origin1.gnu origin2.gnu')	16	os.environ.setdefault('MAT2_ALLOW_ORIGIN_WHITELIST', 'origin1.gnu origin2.gnu')
16	self.upload_folder = tempfile.mkdtemp()	17	self.upload_folder = tempfile.mkdtemp()
17	app = main.create_app(	18	app = main.create_app(
@@ -20,45 +21,45 @@ class Mat2WebTestCase(unittest.TestCase):
20	'UPLOAD_FOLDER': self.upload_folder	21	'UPLOAD_FOLDER': self.upload_folder
21	}	22	}
22	)	23	)
23	self.app = app.test_client()	24	return app
24		25
25	def tearDown(self):	26	def tearDown(self):
26	shutil.rmtree(self.upload_folder)	27	shutil.rmtree(self.upload_folder)
27		28
28	def test_get_root(self):	29	def test_get_root(self):
29	rv = self.app.get('/')	30	rv = self.client.get('/')
30	self.assertIn(b'mat2-web', rv.data)	31	self.assertIn(b'mat2-web', rv.data)
31		32
32	def test_check_mimetypes(self):	33	def test_check_mimetypes(self):
33	rv = self.app.get('/')	34	rv = self.client.get('/')
34	self.assertIn(b'.torrent', rv.data)	35	self.assertIn(b'.torrent', rv.data)
35	self.assertIn(b'.ods', rv.data)	36	self.assertIn(b'.ods', rv.data)
36		37
37	def test_get_download_dangerous_file(self):	38	def test_get_download_dangerous_file(self):
38	rv = self.app.get('/download/1337/\..\filename')	39	rv = self.client.get('/download/1337/aabb/\..\filename')
39	self.assertEqual(rv.status_code, 302)	40	self.assertEqual(rv.status_code, 302)
40		41
41	def test_get_download_without_key_file(self):	42	def test_get_download_without_key_file(self):
42	rv = self.app.get('/download/non_existant')	43	rv = self.client.get('/download/non_existant')
43	self.assertEqual(rv.status_code, 404)	44	self.assertEqual(rv.status_code, 404)
44		45
45	def test_get_download_nonexistant_file(self):	46	def test_get_download_nonexistant_file(self):
46	rv = self.app.get('/download/1337/non_existant')	47	rv = self.client.get('/download/1337/aabb/non_existant')
47	self.assertEqual(rv.status_code, 302)	48	self.assertEqual(rv.status_code, 302)
48		49
49	def test_get_upload_without_file(self):	50	def test_get_upload_without_file(self):
50	rv = self.app.post('/')	51	rv = self.client.post('/')
51	self.assertEqual(rv.status_code, 302)	52	self.assertEqual(rv.status_code, 302)
52		53
53	def test_get_upload_empty_file(self):	54	def test_get_upload_empty_file(self):
54	rv = self.app.post('/',	55	rv = self.client.post('/',
55	data=dict(	56	data=dict(
56	file=(io.BytesIO(b""), 'test.pdf'),	57	file=(io.BytesIO(b""), 'test.pdf'),
57	), follow_redirects=False)	58	), follow_redirects=False)
58	self.assertEqual(rv.status_code, 302)	59	self.assertEqual(rv.status_code, 302)
59		60
60	def test_get_upload_empty_file_redir(self):	61	def test_get_upload_empty_file_redir(self):
61	rv = self.app.post('/',	62	rv = self.client.post('/',
62	data=dict(	63	data=dict(
63	file=(io.BytesIO(b""), 'test.pdf'),	64	file=(io.BytesIO(b""), 'test.pdf'),
64	), follow_redirects=True)	65	), follow_redirects=True)
@@ -67,7 +68,7 @@ class Mat2WebTestCase(unittest.TestCase):
67	self.assertEqual(rv.status_code, 200)	68	self.assertEqual(rv.status_code, 200)
68		69
69	def test_get_upload_no_selected_file(self):	70	def test_get_upload_no_selected_file(self):
70	rv = self.app.post('/',	71	rv = self.client.post('/',
71	data=dict(	72	data=dict(
72	file=(io.BytesIO(b""), ''),	73	file=(io.BytesIO(b""), ''),
73	), follow_redirects=True)	74	), follow_redirects=True)
@@ -86,7 +87,7 @@ class Mat2WebTestCase(unittest.TestCase):
86	'AAAAAAAAAAApIFnAAAAdGVzdC5qc29uVVQNAAfomo9d6JqPXeiaj111eAsAAQTpAwAABOkDAAB'	87	'AAAAAAAAAAApIFnAAAAdGVzdC5qc29uVVQNAAfomo9d6JqPXeiaj111eAsAAQTpAwAABOkDAAB'
87	'QSwUGAAAAAAIAAgC8AAAAwAAAAAAA'	88	'QSwUGAAAAAAIAAgC8AAAAwAAAAAAA'
88	)	89	)
89	rv = self.app.post('/',	90	rv = self.client.post('/',
90	data=dict(	91	data=dict(
91	file=(io.BytesIO(zip_file_bytes), 'test.zip'),	92	file=(io.BytesIO(zip_file_bytes), 'test.zip'),
92	), follow_redirects=True)	93	), follow_redirects=True)
@@ -94,7 +95,7 @@ class Mat2WebTestCase(unittest.TestCase):
94	self.assertEqual(rv.status_code, 200)	95	self.assertEqual(rv.status_code, 200)
95		96
96	def test_get_upload_no_file_name(self):	97	def test_get_upload_no_file_name(self):
97	rv = self.app.post('/',	98	rv = self.client.post('/',
98	data=dict(	99	data=dict(
99	file=(io.BytesIO(b"aaa")),	100	file=(io.BytesIO(b"aaa")),
100	), follow_redirects=True)	101	), follow_redirects=True)
@@ -102,30 +103,51 @@ class Mat2WebTestCase(unittest.TestCase):
102	self.assertEqual(rv.status_code, 200)	103	self.assertEqual(rv.status_code, 200)
103		104
104	def test_get_upload_harmless_file(self):	105	def test_get_upload_harmless_file(self):
105	rv = self.app.post('/',	106	rv = self.client.post(
106	data=dict(	107	'/',
107	file=(io.BytesIO(b"Some text"), 'test.txt'),	108	data=dict(
108	), follow_redirects=True)	109	file=(io.BytesIO(b"Some text"), 'test.txt'),
109	self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt', rv.data)	110	),
		111	follow_redirects=True
		112	)
		113	download_uri = self.get_context_variable('download_uri')
		114	self.assertIn('/test.cleaned.txt', download_uri)
110	self.assertEqual(rv.status_code, 200)	115	self.assertEqual(rv.status_code, 200)
111	self.assertNotIn('Access-Control-Allow-Origin', rv.headers)	116	self.assertNotIn('Access-Control-Allow-Origin', rv.headers)
112		117
113	rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')	118	rv = self.client.get(download_uri)
114	self.assertEqual(rv.status_code, 200)	119	self.assertEqual(rv.status_code, 200)
115		120
116	rv = self.app.get('/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')	121	rv = self.client.get(download_uri)
117	self.assertEqual(rv.status_code, 302)	122	self.assertEqual(rv.status_code, 302)
118		123
119	def test_upload_wrong_hash(self):	124	def test_upload_wrong_hash_or_secret(self):
120	rv = self.app.post('/',	125	rv = self.client.post(
121	data=dict(	126	'/',
122	file=(io.BytesIO(b"Some text"), 'test.txt'),	127	data=dict(
123	), follow_redirects=True)	128	file=(io.BytesIO(b"Some text"), 'test.txt'),
124	self.assertIn(b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt',	129	),
125	rv.data)	130	follow_redirects=True
		131	)
		132
		133	download_uri = self.get_context_variable('download_uri')
		134
		135	self.assertIn('/test.cleaned.txt', download_uri)
		136	self.assertIn('/download', download_uri)
126	self.assertEqual(rv.status_code, 200)	137	self.assertEqual(rv.status_code, 200)
127		138
128	rv = self.app.get('/download/70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt')	139	uri_parts = download_uri.split("/")
		140	self.assertEqual(len(uri_parts[2]), len(uri_parts[3]))
		141	self.assertEqual(64, len(uri_parts[2]))
		142
		143	key_uri_parts = uri_parts
		144	key_uri_parts[2] = '70623619c'
		145	rv = self.client.get("/".join(key_uri_parts))
		146	self.assertEqual(rv.status_code, 302)
		147
		148	key_uri_parts = uri_parts
		149	key_uri_parts[3] = '70623619c'
		150	rv = self.client.get("/".join(key_uri_parts))
129	self.assertEqual(rv.status_code, 302)	151	self.assertEqual(rv.status_code, 302)
130		152
131	@patch('matweb.file_removal_scheduler.random.randint')	153	@patch('matweb.file_removal_scheduler.random.randint')
@@ -140,19 +162,18 @@ class Mat2WebTestCase(unittest.TestCase):
140	)	162	)
141	app = app.test_client()	163	app = app.test_client()
142		164
143	request = self.app.post('/',	165	request = self.client.post('/',
144	data=dict(	166	data=dict(
145	file=(io.BytesIO(b"Some text"), 'test.txt'),	167	file=(io.BytesIO(b"Some text"), 'test.txt'),
146	), follow_redirects=True)	168	), follow_redirects=True)
147	self.assertEqual(request.status_code, 200)	169	self.assertEqual(request.status_code, 200)
148	request = app.get(	170
149	b'/download/4c2e9e6da31a64c70623619c449a040968cdbea85945bf384fa30ed2d5d24fa3/test.cleaned.txt'	171	request = app.get(self.get_context_variable('download_uri'))
150	)
151	self.assertEqual(302, request.status_code)	172	self.assertEqual(302, request.status_code)
152	os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = '9999'	173	os.environ['MAT2_MAX_FILE_AGE_FOR_REMOVAL'] = '9999'
153		174
154	def test_info_page(self):	175	def test_info_page(self):
155	rv = self.app.get('/info')	176	rv = self.client.get('/info')
156	self.assertIn(b'What are metadata?', rv.data)	177	self.assertIn(b'What are metadata?', rv.data)
157	self.assertIn(b'.asc', rv.data)	178	self.assertIn(b'.asc', rv.data)
158	self.assertIn(b'.mp2', rv.data)	179	self.assertIn(b'.mp2', rv.data)