authorAndreas Pelme <andreas@pelme.se>2022-11-20 21:46:55 +0100
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2022-12-17 08:46:37 +0100
commitab7a85ac297464df82d8363455609979ca3603db (patch)
treed22374e4fee09779ce1fffedaac6678325462c33 /tests/middleware/tests.py
parenta1bcdc94da6d597c51b4eca0411a97a6460b482e (diff)
Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.
Diffstat (limited to 'tests/middleware/tests.py')
-rw-r--r--tests/middleware/tests.py40
1 files changed, 38 insertions, 2 deletions
diff --git a/tests/middleware/tests.py b/tests/middleware/tests.py
index 50ba268832..1b8efe1a3e 100644
--- a/tests/middleware/tests.py
+++ b/tests/middleware/tests.py
@@ -3,6 +3,7 @@ import random
import re
import struct
from io import BytesIO
+from unittest import mock
from urllib.parse import quote
from django.conf import settings
@@ -978,12 +979,47 @@ class GZipMiddlewareTest(SimpleTestCase):
ConditionalGetMiddleware from recognizing conditional matches
on gzipped content).
"""
- r1 = GZipMiddleware(self.get_response)(self.req)
- r2 = GZipMiddleware(self.get_response)(self.req)
+
+ class DeterministicGZipMiddleware(GZipMiddleware):
+ max_random_bytes = 0
+
+ r1 = DeterministicGZipMiddleware(self.get_response)(self.req)
+ r2 = DeterministicGZipMiddleware(self.get_response)(self.req)
self.assertEqual(r1.content, r2.content)
self.assertEqual(self.get_mtime(r1.content), 0)
self.assertEqual(self.get_mtime(r2.content), 0)
+ def test_random_bytes(self):
+ """A random number of bytes is added to mitigate the BREACH attack."""
+ with mock.patch(
+ "django.utils.text.secrets.randbelow", autospec=True, return_value=3
+ ):
+ r = GZipMiddleware(self.get_response)(self.req)
+ # The fourth byte of a gzip stream contains flags.
+ self.assertEqual(r.content[3], gzip.FNAME)
+ # A 3 byte filename "aaa" and a null byte are added.
+ self.assertEqual(r.content[10:14], b"aaa\x00")
+ self.assertEqual(self.decompress(r.content), self.compressible_string)
+
+ def test_random_bytes_streaming_response(self):
+ """A random number of bytes is added to mitigate the BREACH attack."""
+
+ def get_stream_response(request):
+ resp = StreamingHttpResponse(self.sequence)
+ resp["Content-Type"] = "text/html; charset=UTF-8"
+ return resp
+
+ with mock.patch(
+ "django.utils.text.secrets.randbelow", autospec=True, return_value=3
+ ):
+ r = GZipMiddleware(get_stream_response)(self.req)
+ content = b"".join(r)
+ # The fourth byte of a gzip stream contains flags.
+ self.assertEqual(content[3], gzip.FNAME)
+ # A 3 byte filename "aaa" and a null byte are added.
+ self.assertEqual(content[10:14], b"aaa\x00")
+ self.assertEqual(self.decompress(content), b"".join(self.sequence))
+
class ETagGZipMiddlewareTest(SimpleTestCase):
"""