authorJake Howard <git@theorangeone.net>2025-06-04 16:08:46 +0100
committerNatalia <124304+nessita@users.noreply.github.com>2025-06-06 09:24:47 -0300
commitb597d46bb19c8567615e62029210dab16c70db7d (patch)
treeee6258e5a9872817e1f46d6b2fb725b0058086d6 /tests/generic_views
parent10ba3f78da2e22bd232dc085e2a8a7c293c3fb73 (diff)
[4.2.x] Refs CVE-2025-48432 -- Prevented log injection in remaining response logging.
Migrated remaining response-related logging to use the `log_response()` helper to avoid potential log injection, ensuring that untrusted values like request paths are safely escaped. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 957951755259b412d5113333b32bf85871d29814 from main.
Diffstat (limited to 'tests/generic_views')
-rw-r--r--tests/generic_views/test_base.py40
1 files changed, 38 insertions, 2 deletions
diff --git a/tests/generic_views/test_base.py b/tests/generic_views/test_base.py
index add485245a..3cd1ae6a5c 100644
--- a/tests/generic_views/test_base.py
+++ b/tests/generic_views/test_base.py
@@ -1,5 +1,8 @@
+import logging
import time
+from logging_tests.tests import LoggingAssertionMixin
+
from django.core.exceptions import ImproperlyConfigured
from django.http import HttpResponse
from django.test import RequestFactory, SimpleTestCase, override_settings
@@ -63,7 +66,7 @@ class InstanceView(View):
return self
-class ViewTest(SimpleTestCase):
+class ViewTest(LoggingAssertionMixin, SimpleTestCase):
rf = RequestFactory()
def _assert_simple(self, response):
@@ -297,6 +300,25 @@ class ViewTest(SimpleTestCase):
response = view.dispatch(self.rf.head("/"))
self.assertEqual(response.status_code, 405)
+ def test_method_not_allowed_response_logged(self):
+ for path, escaped in [
+ ("/foo/", "/foo/"),
+ (r"/%1B[1;31mNOW IN RED!!!1B[0m/", r"/\x1b[1;31mNOW IN RED!!!1B[0m/"),
+ ]:
+ with self.subTest(path=path):
+ request = self.rf.get(path, REQUEST_METHOD="BOGUS")
+ with self.assertLogs("django.request", "WARNING") as handler:
+ response = SimpleView.as_view()(request)
+
+ self.assertLogRecord(
+ handler,
+ f"Method Not Allowed (BOGUS): {escaped}",
+ logging.WARNING,
+ 405,
+ request,
+ )
+ self.assertEqual(response.status_code, 405)
+
@override_settings(ROOT_URLCONF="generic_views.urls")
class TemplateViewTest(SimpleTestCase):
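Review bot: The second escape sequence in the crafted path on the `for path, escaped in [` list is written as `!!!1B[0m` with no percent sign, so only the leading `%1B` is decoded into an ESC byte and the trailing reset sequence never reaches the logger; the expectation `...!!!1B[0m/` confirms this, so the assertion is self-consistent but covers just one control character. If both were meant to be exercised, the path should read `r"/%1B[1;31mNOW IN RED!!!%1B[0m/"` with the expectation `r"/\x1b[1;31mNOW IN RED!!!\x1b[0m/"`. The same literal appears in the test_gone_response_logged hunk below. A one-line docstring would also state the contract under test: `"""The 405 warning must log the request path with control characters escaped."""`.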
@@ -425,7 +447,7 @@ class TemplateViewTest(SimpleTestCase):
@override_settings(ROOT_URLCONF="generic_views.urls")
-class RedirectViewTest(SimpleTestCase):
+class RedirectViewTest(LoggingAssertionMixin, SimpleTestCase):
rf = RequestFactory()
def test_no_url(self):
@@ -549,6 +571,20 @@ class RedirectViewTest(SimpleTestCase):
response = view.dispatch(self.rf.head("/foo/"))
self.assertEqual(response.status_code, 410)
+ def test_gone_response_logged(self):
+ for path, escaped in [
+ ("/foo/", "/foo/"),
+ (r"/%1B[1;31mNOW IN RED!!!1B[0m/", r"/\x1b[1;31mNOW IN RED!!!1B[0m/"),
+ ]:
+ with self.subTest(path=path):
+ request = self.rf.get(path)
+ with self.assertLogs("django.request", "WARNING") as handler:
+ RedirectView().dispatch(request)
+
+ self.assertLogRecord(
+ handler, f"Gone: {escaped}", logging.WARNING, 410, request
+ )
+
class GetContextDataTest(SimpleTestCase):
def test_get_context_data_super(self):
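Review bot: `RedirectView().dispatch(request)` discards the response, so unlike test_method_not_allowed_response_logged this test only checks the log record and never confirms that the view still returned 410 for the crafted path. Capture it with `response = RedirectView().dispatch(request)` and add `self.assertEqual(response.status_code, 410)` after the assertLogRecord call, which keeps the two new logging tests parallel. A short docstring such as `"""The 410 warning must log the request path with control characters escaped."""` would document the purpose.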