| author | Bruno Alla <bruno.alla@founders4schools.org.uk> | 2017-03-07 21:00:43 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2017-05-24 08:36:34 -0400 |
| commit | 6092ea8fa62191bf9ed8ebaae3125dcde9c4bbec (patch) | |
| tree | 4da8346887b1c33e3b0a993eaf780687cdb239b0 /tests/auth_tests/test_views.py | |
| parent | 91b2bc3e70be2632baad86488fb03cf02848b5b6 (diff) | |
Refs #27804 -- Used subTest() in several tests.
Diffstat (limited to 'tests/auth_tests/test_views.py')
| -rw-r--r-- | tests/auth_tests/test_views.py | 180 |
1 files changed, 97 insertions, 83 deletions
diff --git a/tests/auth_tests/test_views.py b/tests/auth_tests/test_views.py index 40c48b7e9e..7dbf74928d 100644 --- a/tests/auth_tests/test_views.py +++ b/tests/auth_tests/test_views.py @@ -108,10 +108,11 @@ class AuthViewNamedURLTests(AuthViewsTestCase): ('password_reset_complete', [], {}), ] for name, args, kwargs in expected_named_urls: - try: - reverse(name, args=args, kwargs=kwargs) - except NoReverseMatch: - self.fail("Reversal of url named '%s' failed with NoReverseMatch" % name) + with self.subTest(name=name): + try: + reverse(name, args=args, kwargs=kwargs) + except NoReverseMatch: + self.fail("Reversal of url named '%s' failed with NoReverseMatch" % name) class PasswordResetTest(AuthViewsTestCase): 
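Review bot: The `try`/`except NoReverseMatch`/`self.fail(...)` kept inside the new `with self.subTest(name=name):` block now adds little, because the subTest already labels the failing URL name in the report; letting `reverse(name, args=args, kwargs=kwargs)` raise directly would drop three lines and preserve the NoReverseMatch message and traceback instead of replacing them with a generic failure string. If the wrapper is kept for readability, consider at least chaining the original error into the failure text. The `expected_named_urls` list and the enclosing test method begin outside this hunk.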
@@ -559,48 +560,54 @@ class LoginTest(AuthViewsTestCase): def test_security_check(self): login_url = reverse('login') - # Those URLs should not pass the security check - for bad_url in ('http://example.com', - 'http:///example.com', - 'https://example.com', - 'ftp://example.com', - '///example.com', - '//example.com', - 'javascript:alert("XSS")'): - - nasty_url = '%(url)s?%(next)s=%(bad_url)s' % { - 'url': login_url, - 'next': REDIRECT_FIELD_NAME, - 'bad_url': quote(bad_url), - } - response = self.client.post(nasty_url, { - 'username': 'testclient', - 'password': 'password', - }) - self.assertEqual(response.status_code, 302) - self.assertNotIn(bad_url, response.url, - "%s should be blocked" % bad_url) + # These URLs should not pass the security check. + bad_urls = ( + 'http://example.com', + 'http:///example.com', + 'https://example.com', + 'ftp://example.com', + '///example.com', + '//example.com', + 'javascript:alert("XSS")', + ) + for bad_url in bad_urls: + with self.subTest(bad_url=bad_url): + nasty_url = '%(url)s?%(next)s=%(bad_url)s' % { + 'url': login_url, + 'next': REDIRECT_FIELD_NAME, + 'bad_url': quote(bad_url), + } + response = self.client.post(nasty_url, { + 'username': 'testclient', + 'password': 'password', + }) + self.assertEqual(response.status_code, 302) + self.assertNotIn(bad_url, response.url, '%s should be blocked' % bad_url) - # These URLs *should* still pass the security check - for good_url in ('/view/?param=http://example.com', - '/view/?param=https://example.com', - '/view?param=ftp://example.com', - 'view/?param=//example.com', - 'https://testserver/', - 'HTTPS://testserver/', - '//testserver/', - '/url%20with%20spaces/'): # see ticket #12534 - safe_url = '%(url)s?%(next)s=%(good_url)s' % { - 'url': login_url, - 'next': REDIRECT_FIELD_NAME, - 'good_url': quote(good_url), - } - response = self.client.post(safe_url, { - 'username': 'testclient', - 'password': 'password', - }) - self.assertEqual(response.status_code, 302) - 
self.assertIn(good_url, response.url, "%s should be allowed" % good_url) + # These URLs should pass the security check. + good_urls = ( + '/view/?param=http://example.com', + '/view/?param=https://example.com', + '/view?param=ftp://example.com', + 'view/?param=//example.com', + 'https://testserver/', + 'HTTPS://testserver/', + '//testserver/', + '/url%20with%20spaces/', + ) + for good_url in good_urls: + with self.subTest(good_url=good_url): + safe_url = '%(url)s?%(next)s=%(good_url)s' % { + 'url': login_url, + 'next': REDIRECT_FIELD_NAME, + 'good_url': quote(good_url), + } + response = self.client.post(safe_url, { + 'username': 'testclient', + 'password': 'password', + }) + self.assertEqual(response.status_code, 302) + self.assertIn(good_url, response.url, '%s should be allowed' % good_url) def test_security_check_https(self): login_url = reverse('login') 
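Review bot: The rewritten `good_urls` tuple drops the `# see ticket #12534` rationale that the old loop carried on the `'/url%20with%20spaces/'` entry, so the reason an already-percent-encoded path must be accepted by the redirect check is no longer recorded; keep it as a trailing comment, `'/url%20with%20spaces/',  # see ticket #12534`. The same comment is lost in LogoutTest.test_security_check in the next hunk. Both hunks also define byte-identical `bad_urls` and `good_urls` tuples; hoisting them to module-level constants (constructed names, e.g. `UNSAFE_NEXT_URLS` / `SAFE_NEXT_URLS`) would keep the login and logout open-redirect checks in lockstep when a case is added to one of them. Independently of this commit, `self.assertNotIn(bad_url, response.url, ...)` only proves the literal value is absent from the Location header; asserting the exact fallback redirect target would pin the intended behaviour more tightly than substring absence.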
@@ -988,45 +995,52 @@ class LogoutTest(AuthViewsTestCase): def test_security_check(self): logout_url = reverse('logout') - # Those URLs should not pass the security check - for bad_url in ('http://example.com', - 'http:///example.com', - 'https://example.com', - 'ftp://example.com', - '///example.com', - '//example.com', - 'javascript:alert("XSS")'): - nasty_url = '%(url)s?%(next)s=%(bad_url)s' % { - 'url': logout_url, - 'next': REDIRECT_FIELD_NAME, - 'bad_url': quote(bad_url), - } - self.login() - response = self.client.get(nasty_url) - self.assertEqual(response.status_code, 302) - self.assertNotIn(bad_url, response.url, - "%s should be blocked" % bad_url) - self.confirm_logged_out() + # These URLs should not pass the security check. + bad_urls = ( + 'http://example.com', + 'http:///example.com', + 'https://example.com', + 'ftp://example.com', + '///example.com', + '//example.com', + 'javascript:alert("XSS")', + ) + for bad_url in bad_urls: + with self.subTest(bad_url=bad_url): + nasty_url = '%(url)s?%(next)s=%(bad_url)s' % { + 'url': logout_url, + 'next': REDIRECT_FIELD_NAME, + 'bad_url': quote(bad_url), + } + self.login() + response = self.client.get(nasty_url) + self.assertEqual(response.status_code, 302) + self.assertNotIn(bad_url, response.url, '%s should be blocked' % bad_url) + self.confirm_logged_out() - # These URLs *should* still pass the security check - for good_url in ('/view/?param=http://example.com', - '/view/?param=https://example.com', - '/view?param=ftp://example.com', - 'view/?param=//example.com', - 'https://testserver/', - 'HTTPS://testserver/', - '//testserver/', - '/url%20with%20spaces/'): # see ticket #12534 - safe_url = '%(url)s?%(next)s=%(good_url)s' % { - 'url': logout_url, - 'next': REDIRECT_FIELD_NAME, - 'good_url': quote(good_url), - } - self.login() - response = self.client.get(safe_url) - self.assertEqual(response.status_code, 302) - self.assertIn(good_url, response.url, "%s should be allowed" % good_url) - 
self.confirm_logged_out() + # These URLs should pass the security check. + good_urls = ( + '/view/?param=http://example.com', + '/view/?param=https://example.com', + '/view?param=ftp://example.com', + 'view/?param=//example.com', + 'https://testserver/', + 'HTTPS://testserver/', + '//testserver/', + '/url%20with%20spaces/', + ) + for good_url in good_urls: + with self.subTest(good_url=good_url): + safe_url = '%(url)s?%(next)s=%(good_url)s' % { + 'url': logout_url, + 'next': REDIRECT_FIELD_NAME, + 'good_url': quote(good_url), + } + self.login() + response = self.client.get(safe_url) + self.assertEqual(response.status_code, 302) + self.assertIn(good_url, response.url, '%s should be allowed' % good_url) + self.confirm_logged_out() def test_security_check_https(self): logout_url = reverse('logout') |
