cronekorkn/left4me
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
left4me/l4d2web/tests/test_security.py
mwiegand 74b7f61437
harden(l4d2web): default security response headers and generic error handlers 
- after_request hook sets X-Content-Type-Options=nosniff, X-Frame-Options=DENY, Referrer-Policy=strict-origin-when-cross-origin, and a strict CSP (default-src 'self', script-src self+nonce, frame-ancestors 'none', form-action 'self'); HSTS added on secure non-test responses
- per-request CSP nonce minted in g.csp_nonce; servers.html's inline showModal script picks it up
- 404 and 500 handlers return short plain-text responses so a misbehaving deployment can't leak tracebacks via Werkzeug's debug page
2026-05-14 22:21:36 +02:00

104 lines
3.6 KiB
Python
Raw Blame History

import pytest
from l4d2web.app import create_app
from l4d2web.auth import hash_password
from l4d2web.db import init_db, session_scope
from l4d2web.models import User
@pytest.fixture
def client(tmp_path, monkeypatch):
db_url = f"sqlite:///{tmp_path/'security.db'}"
monkeypatch.setenv("DATABASE_URL", db_url)
app = create_app({"TESTING": True, "DATABASE_URL": db_url, "SECRET_KEY": "test"})
init_db()
with session_scope() as session:
session.add(User(username="alice", password_digest=hash_password("secret"), admin=False))
return app.test_client()
def test_csrf_required(client) -> None:
response = client.post("/servers", data={"name": "x"})
assert response.status_code == 400
def test_login_rate_limit(client) -> None:
for _ in range(20):
client.post("/login", data={"username": "x", "password": "y"})
response = client.post("/login", data={"username": "x", "password": "y"})
assert response.status_code == 429
def test_security_headers_present(client) -> None:
response = client.get("/login")
assert response.headers.get("X-Content-Type-Options") == "nosniff"
assert response.headers.get("X-Frame-Options") == "DENY"
assert response.headers.get("Referrer-Policy") == "strict-origin-when-cross-origin"
csp = response.headers.get("Content-Security-Policy")
assert csp is not None
assert "default-src 'self'" in csp
assert "frame-ancestors 'none'" in csp
assert "form-action 'self'" in csp
def test_csp_nonce_matches_inline_script(client) -> None:
"""Pages that emit inline <script> blocks must tag them with the
per-request CSP nonce, otherwise the browser blocks them."""
import re
with client.session_transaction() as sess:
sess["csrf_token"] = "tok"
# Log in so we can hit /servers.
with session_scope() as db:
from sqlalchemy import select
alice = db.scalar(select(User).where(User.username == "alice"))
alice_id = alice.id
marker = alice.password_changed_at.isoformat()
with client.session_transaction() as sess:
sess["user_id"] = alice_id
sess["pw_changed_at"] = marker
sess["admin"] = False
response = client.get("/servers?prefill_blueprint_id=1")
csp = response.headers.get("Content-Security-Policy", "")
nonce_match = re.search(r"'nonce-([^']+)'", csp)
assert nonce_match, f"expected nonce in CSP, got: {csp}"
nonce = nonce_match.group(1)
body = response.get_data(as_text=True)
if "<script>" in body:
# An un-nonced inline script slipped through.
pytest.fail("inline <script> without nonce attribute")
if "prefill_blueprint_id" in body and "showModal" in body:
assert f'nonce="{nonce}"' in body
def test_404_response_is_generic(client) -> None:
response = client.get("/this-route-does-not-exist")
assert response.status_code == 404
body = response.get_data(as_text=True)
assert "Traceback" not in body
assert "werkzeug" not in body.lower()
def test_500_response_does_not_leak_traceback(tmp_path, monkeypatch) -> None:
from l4d2web.app import create_app
db_url = f"sqlite:///{tmp_path/'boom.db'}"
monkeypatch.setenv("DATABASE_URL", db_url)
boom_app = create_app({
"TESTING": True,
"DATABASE_URL": db_url,
"SECRET_KEY": "test",
"PROPAGATE_EXCEPTIONS": False,
})
@boom_app.route("/__boom__")
def boom():
raise RuntimeError("internal detail that must not leak")
response = boom_app.test_client().get("/__boom__")
assert response.status_code == 500
body = response.get_data(as_text=True)
assert "internal detail" not in body
assert "Traceback" not in body
Reference in a new issue View git blame Copy permalink