bbb2b983bc
A 20-attempts-per-60s budget keyed by IP doesn't slow a distributed brute force that rotates source IPs. Add a parallel per-username bucket with the same threshold so a single account can't burn through more than 20 failed logins/min regardless of where they come from. Empty usernames aren't bucketed (would DoS the anonymous 401 path). Successful login clears both buckets.
143 lines
5 KiB
Python
143 lines
5 KiB
Python
import pytest
|
|
|
|
from l4d2web.app import create_app
|
|
from l4d2web.auth import hash_password
|
|
from l4d2web.db import init_db, session_scope
|
|
from l4d2web.models import User
|
|
|
|
|
|
@pytest.fixture
|
|
def client(tmp_path, monkeypatch):
|
|
db_url = f"sqlite:///{tmp_path/'security.db'}"
|
|
monkeypatch.setenv("DATABASE_URL", db_url)
|
|
app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
|
|
init_db()
|
|
with session_scope() as session:
|
|
session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))
|
|
return app.test_client()
|
|
|
|
|
|
def test_csrf_required(client) -> None:
|
|
response = client.post("/servers", data={"name": "x"})
|
|
assert response.status_code == 400
|
|
|
|
|
|
def test_login_rate_limit(client) -> None:
|
|
for _ in range(20):
|
|
client.post("/login", data={"username": "x", "password": "y"})
|
|
|
|
response = client.post("/login", data={"username": "x", "password": "y"})
|
|
assert response.status_code == 429
|
|
|
|
|
|
def test_login_rate_limit_per_username_across_ips(client) -> None:
|
|
"""A distributed brute-force that rotates the source IP must still be
|
|
slowed once the per-username budget for a single account is exhausted."""
|
|
for i in range(20):
|
|
client.post(
|
|
"/login",
|
|
data={"username": "alice", "password": "wrong"},
|
|
environ_overrides={"REMOTE_ADDR": f"10.0.0.{i}"},
|
|
)
|
|
|
|
response = client.post(
|
|
"/login",
|
|
data={"username": "alice", "password": "wrong"},
|
|
environ_overrides={"REMOTE_ADDR": "10.99.99.99"},
|
|
)
|
|
assert response.status_code == 429
|
|
|
|
|
|
def test_login_rate_limit_empty_username_does_not_bucket(client) -> None:
|
|
"""Anonymous probes with no username must not all share one bucket — that
|
|
would let an attacker DoS legitimate empty-username 401s. We just don't
|
|
track them per-username."""
|
|
for i in range(25):
|
|
client.post(
|
|
"/login",
|
|
data={"username": "", "password": "wrong"},
|
|
environ_overrides={"REMOTE_ADDR": f"10.1.0.{i}"},
|
|
)
|
|
|
|
# A real username from a fresh IP must still get through to the
|
|
# 401 path (i.e. not be 429ed by empty-username spillover).
|
|
response = client.post(
|
|
"/login",
|
|
data={"username": "alice", "password": "wrong"},
|
|
environ_overrides={"REMOTE_ADDR": "10.2.0.1"},
|
|
)
|
|
assert response.status_code == 401
|
|
|
|
|
|
def test_security_headers_present(client) -> None:
|
|
response = client.get("/login")
|
|
assert response.headers.get("X-Content-Type-Options") == "nosniff"
|
|
assert response.headers.get("X-Frame-Options") == "DENY"
|
|
assert response.headers.get("Referrer-Policy") == "strict-origin-when-cross-origin"
|
|
csp = response.headers.get("Content-Security-Policy")
|
|
assert csp is not None
|
|
assert "default-src 'self'" in csp
|
|
assert "frame-ancestors 'none'" in csp
|
|
assert "form-action 'self'" in csp
|
|
|
|
|
|
def test_csp_nonce_matches_inline_script(client) -> None:
|
|
"""Pages that emit inline <script> blocks must tag them with the
|
|
per-request CSP nonce, otherwise the browser blocks them."""
|
|
import re
|
|
|
|
with client.session_transaction() as sess:
|
|
sess["csrf_token"] = "tok"
|
|
|
|
# Log in so we can hit /servers.
|
|
with session_scope() as db:
|
|
from sqlalchemy import select
|
|
alice = db.scalar(select(User).where(User.username == "alice"))
|
|
alice_id = alice.id
|
|
marker = alice.password_changed_at.isoformat()
|
|
with client.session_transaction() as sess:
|
|
sess["user_id"] = alice_id
|
|
sess["pw_changed_at"] = marker
|
|
sess["admin"] = False
|
|
|
|
response = client.get("/servers?prefill_blueprint_id=1")
|
|
csp = response.headers.get("Content-Security-Policy", "")
|
|
nonce_match = re.search(r"'nonce-([^']+)'", csp)
|
|
assert nonce_match, f"expected nonce in CSP, got: {csp}"
|
|
nonce = nonce_match.group(1)
|
|
body = response.get_data(as_text=True)
|
|
if "<script>" in body:
|
|
# An un-nonced inline script slipped through.
|
|
pytest.fail("inline <script> without nonce attribute")
|
|
if "prefill_blueprint_id" in body and "showModal" in body:
|
|
assert f'nonce="{nonce}"' in body
|
|
|
|
|
|
def test_404_response_is_generic(client) -> None:
|
|
response = client.get("/this-route-does-not-exist")
|
|
assert response.status_code == 404
|
|
body = response.get_data(as_text=True)
|
|
assert "Traceback" not in body
|
|
assert "werkzeug" not in body.lower()
|
|
|
|
|
|
def test_500_response_does_not_leak_traceback(tmp_path, monkeypatch) -> None:
|
|
from l4d2web.app import create_app
|
|
db_url = f"sqlite:///{tmp_path/'boom.db'}"
|
|
monkeypatch.setenv("DATABASE_URL", db_url)
|
|
boom_app = create_app({
|
|
"TESTING": True,
|
|
"DATABASE_URL": db_url,
|
|
"SECRET_KEY": "test",
|
|
"PROPAGATE_EXCEPTIONS": False,
|
|
})
|
|
|
|
@boom_app.route("/__boom__")
|
|
def boom():
|
|
raise RuntimeError("internal detail that must not leak")
|
|
|
|
response = boom_app.test_client().get("/__boom__")
|
|
assert response.status_code == 500
|
|
body = response.get_data(as_text=True)
|
|
assert "internal detail" not in body
|
|
assert "Traceback" not in body
|