cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
left4me/l4d2web/tests/test_security.py
mwiegand e28d4fad8c
l4d2web/csp: allow Steam avatar CDN in img-src 
The live-state grid renders player avatars as <img src="https://avatars.steamstatic.com/...">,
but the CSP img-src directive was `'self' data:` — so the browser
silently blocked every avatar load, leaving placeholder circles in
place. The DB cache and Steam API path were both healthy; only the
browser-side load was blocked.

Use the wildcard *.steamstatic.com host-source rather than pinning a
single hostname: Steam rotates avatars across steamcdn-a.akamaihd.net,
avatars.akamai/cloudflare/fastly.steamstatic.com over time, and a
single-hostname allowlist would re-break on the next shuffle.

Test now pins img-src explicitly — the previous assertions only
checked default-src/frame-ancestors/form-action, so a regression of
this exact line would have silently passed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 20:23:29 +02:00

147 lines
5.3 KiB
Python
Raw Blame History

import pytest
from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import User
@pytest.fixture
def client(tmp_path, monkeypatch):
db_url = f"sqlite:///{tmp_path/'security.db'}"
monkeypatch.setenv("DATABASE_URL", db_url)
app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
init_db()
with session_scope() as session:
session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))
return app.test_client()
def test_csrf_required(client) -> None:
response = client.post("/servers", data={"name": "x"})
assert response.status_code == 400
def test_login_rate_limit(client) -> None:
for _ in range(20):
client.post("/login", data={"username": "x", "password": "y"})
response = client.post("/login", data={"username": "x", "password": "y"})
assert response.status_code == 429
def test_login_rate_limit_per_username_across_ips(client) -> None:
"""A distributed brute-force that rotates the source IP must still be
slowed once the per-username budget for a single account is exhausted."""
for i in range(20):
client.post(
"/login",
data={"username": "alice", "password": "wrong"},
environ_overrides={"REMOTE_ADDR": f"10.0.0.{i}"},
)
response = client.post(
"/login",
data={"username": "alice", "password": "wrong"},
environ_overrides={"REMOTE_ADDR": "10.99.99.99"},
)
assert response.status_code == 429
def test_login_rate_limit_empty_username_does_not_bucket(client) -> None:
"""Anonymous probes with no username must not all share one bucket — that
would let an attacker DoS legitimate empty-username 401s. We just don't
track them per-username."""
for i in range(25):
client.post(
"/login",
data={"username": "", "password": "wrong"},
environ_overrides={"REMOTE_ADDR": f"10.1.0.{i}"},
)
# A real username from a fresh IP must still get through to the
# 401 path (i.e. not be 429ed by empty-username spillover).
response = client.post(
"/login",
data={"username": "alice", "password": "wrong"},
environ_overrides={"REMOTE_ADDR": "10.2.0.1"},
)
assert response.status_code == 401
def test_security_headers_present(client) -> None:
response = client.get("/login")
assert response.headers.get("X-Content-Type-Options") == "nosniff"
assert response.headers.get("X-Frame-Options") == "DENY"
assert response.headers.get("Referrer-Policy") == "strict-origin-when-cross-origin"
csp = response.headers.get("Content-Security-Policy")
assert csp is not None
assert "default-src 'self'" in csp
assert "frame-ancestors 'none'" in csp
assert "form-action 'self'" in csp
# Steam avatar CDN must be explicitly allowed; otherwise the browser
# silently blocks the avatar <img> loads and the live-state grid shows
# placeholder circles with names but no faces.
assert "img-src 'self' data: https://*.steamstatic.com" in csp
def test_csp_nonce_matches_inline_script(client) -> None:
"""Pages that emit inline <script> blocks must tag them with the
per-request CSP nonce, otherwise the browser blocks them."""
import re
with client.session_transaction() as sess:
sess["csrf_token"] = "tok"
# Log in so we can hit /servers.
with session_scope() as db:
from sqlalchemy import select
alice = db.scalar(select(User).where(User.username == "alice"))
alice_id = alice.id
marker = alice.password_changed_at.isoformat()
with client.session_transaction() as sess:
sess["user_id"] = alice_id
sess["pw_changed_at"] = marker
sess["admin"] = False
response = client.get("/servers?prefill_blueprint_id=1")
csp = response.headers.get("Content-Security-Policy", "")
nonce_match = re.search(r"'nonce-([^']+)'", csp)
assert nonce_match, f"expected nonce in CSP, got: {csp}"
nonce = nonce_match.group(1)
body = response.get_data(as_text=True)
if "<script>" in body:
# An un-nonced inline script slipped through.
pytest.fail("inline <script> without nonce attribute")
if "prefill_blueprint_id" in body and "showModal" in body:
assert f'nonce="{nonce}"' in body
def test_404_response_is_generic(client) -> None:
response = client.get("/this-route-does-not-exist")
assert response.status_code == 404
body = response.get_data(as_text=True)
assert "Traceback" not in body
assert "werkzeug" not in body.lower()
def test_500_response_does_not_leak_traceback(tmp_path, monkeypatch) -> None:
from l4d2web.app import create_app
db_url = f"sqlite:///{tmp_path/'boom.db'}"
monkeypatch.setenv("DATABASE_URL", db_url)
boom_app = create_app({
"TESTING": True,
"DATABASE_URL": db_url,
"SECRET_KEY": "test",
"PROPAGATE_EXCEPTIONS": False,
})
@boom_app.route("/__boom__")
def boom():
raise RuntimeError("internal detail that must not leak")
response = boom_app.test_client().get("/__boom__")
assert response.status_code == 500
body = response.get_data(as_text=True)
assert "internal detail" not in body
assert "Traceback" not in body
Reference in a new issue View git blame Copy permalink