Browse Source

Use webtest to ensure no external login redirects

Now that the login page will redirect to a specified path after logging
in, I want to make sure that it can't be used to redirect to a different
site.
merge-requests/74/head
Deimos 5 years ago
parent
commit
c494f585c3
  1. 28
      tildes/tests/conftest.py
  2. 15
      tildes/tests/webtests/test_login.py

28
tildes/tests/conftest.py

@ -24,6 +24,18 @@ from tildes.models.user import User
pytest_plugins = ["tests.fixtures"] pytest_plugins = ["tests.fixtures"]
# Extra environment setup for webtest TestApps:
# - wsgi.url_scheme: needed for secure cookies from the session library
# - tm.active: setting to True effectively disables pyramid_tm, which fixes an issue
# with webtest fixtures failing to rollback data after the tests are complete
# - REMOTE_ADDR: must be defined for logging to work
WEBTEST_EXTRA_ENVIRON = {
"wsgi.url_scheme": "https",
"tm.active": True,
"REMOTE_ADDR": "0.0.0.0",
}
class NestedSessionWrapper(Session): class NestedSessionWrapper(Session):
"""Wrapper that starts a new nested transaction on commit/rollback.""" """Wrapper that starts a new nested transaction on commit/rollback."""
@ -198,19 +210,7 @@ def base_app(overall_redis_session, sdb):
@fixture(scope="session") @fixture(scope="session")
def webtest(base_app): def webtest(base_app):
"""Create a webtest TestApp and log in as the SessionUser account in it.""" """Create a webtest TestApp and log in as the SessionUser account in it."""
# create the TestApp - note that specifying wsgi.url_scheme is necessary so that the
# secure cookies from the session library will work
app = TestApp(
base_app,
# This "tm.active" is a temporary fix around this fixture failing to rollback
# data after the tests are complete (it effectively deactivates pyramid_tm).
extra_environ={
"wsgi.url_scheme": "https",
"tm.active": True,
"REMOTE_ADDR": "0.0.0.0",
},
cookiejar=CookieJar(),
)
app = TestApp(base_app, extra_environ=WEBTEST_EXTRA_ENVIRON, cookiejar=CookieJar())
# fetch the login page, fill in the form, and submit it (sets the cookie) # fetch the login page, fill in the form, and submit it (sets the cookie)
login_page = app.get("/login") login_page = app.get("/login")
@ -224,4 +224,4 @@ def webtest(base_app):
@fixture(scope="session") @fixture(scope="session")
def webtest_loggedout(base_app): def webtest_loggedout(base_app):
"""Create a logged-out webtest TestApp (no cookies retained).""" """Create a logged-out webtest TestApp (no cookies retained)."""
yield TestApp(base_app)
yield TestApp(base_app, extra_environ=WEBTEST_EXTRA_ENVIRON)

15
tildes/tests/webtests/test_login.py

@ -0,0 +1,15 @@
# Copyright (c) 2019 Tildes contributors <code@tildes.net>
# SPDX-License-Identifier: AGPL-3.0-or-later
def test_login_no_external_redirect(webtest_loggedout):
"""Ensure that the login page won't redirect to an external site."""
login_page = webtest_loggedout.get(
"/login", params={"from_url": "http://example.com"}
)
login_page.form["username"] = "SessionUser"
login_page.form["password"] = "session user password"
response = login_page.form.submit()
assert response.status_int == 302
assert "example.com" not in response.headers["Location"]
Loading…
Cancel
Save