U s@g@s\dZddlZeeddeeejdZeeddZGdddeZ Gdd d eZ dS) zF Helpers for URI and method injection tests. @see: U{CVE-2019-12387} Nasciic@s0eZdZdZddZddZddZdd Zd S) MethodInjectionTestsMixina9 A mixin that runs HTTP method injection tests. Define L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} in a L{twisted.trial.unittest.SynchronousTestCase} subclass to test how HTTP client code behaves when presented with malicious HTTP methods. @see: U{CVE-2019-12387} cCs tdS)z Attempt to send a request with the given method. This should synchronously raise a L{ValueError} if either is invalid. @param method: the method (e.g. C{GET}) @param uri: the URI @type method: NNotImplementedErrorselfmethodr C/usr/lib/python3/dist-packages/twisted/web/test/injectionhelpers.py!attemptRequestWithMaliciousMethods z;MethodInjectionTestsMixin.attemptRequestWithMaliciousMethodc Cs:|t}d}||W5QRX|t|jddS)z Issuing a request with a method that contains a carriage return and line feed fails with a L{ValueError}. sGET X-Injected-Header: value^Invalid methodN) assertRaises ValueErrorr assertRegexstr exception)r cmr r r r test_methodWithCLRFRejected,s z5MethodInjectionTestsMixin.test_methodWithCLRFRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)z Issuing a request with a method that contains unprintable ASCII characters fails with a L{ValueError}. GET%srN)UNPRINTABLE_ASCII bytearrayrrr rrrr cr rr r r 'test_methodWithUnprintableASCIIRejected7s  zAMethodInjectionTestsMixin.test_methodWithUnprintableASCIIRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)zx Issuing a request with a method that contains non-ASCII characters fails with a L{ValueError}. rrN)NONASCIIrrrr rrrrr r r test_methodWithNonASCIIRejectedCs  z9MethodInjectionTestsMixin.test_methodWithNonASCIIRejectedN)__name__ __module__ __qualname____doc__r rrrr r r r rs    rc@sHeZdZdZddZddZddZdd Zd d Zd d Z ddZ dS)URIInjectionTestsMixina A mixin that runs HTTP URI injection tests. Define L{MethodInjectionTestsMixin.attemptRequestWithMaliciousURI} in a L{twisted.trial.unittest.SynchronousTestCase} subclass to test how HTTP client code behaves when presented with malicious HTTP URIs. cCs tdS)z Attempt to send a request with the given URI. This should synchronously raise a L{ValueError} if either is invalid. @param uri: the URI. @type method: Nrrr r r attemptRequestWithMaliciousURIYs z5URIInjectionTestsMixin.attemptRequestWithMaliciousURIc Cs:|t}d}||W5QRX|t|jddS)z Issuing a request with a URI whose host contains a carriage return and line feed fails with a L{ValueError}. shttp://twisted .invalid/path ^Invalid URINrrr#rrrr rurir r r test_hostWithCRLFRejectedes z0URIInjectionTestsMixin.test_hostWithCRLFRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)z Issuing a request with a URI whose host contains unprintable ASCII characters fails with a L{ValueError}. http://twisted%s.invalid/OKr$Nrrrrr#rrrr rr'rr r r )test_hostWithWithUnprintableASCIIRejectedps  z@URIInjectionTestsMixin.test_hostWithWithUnprintableASCIIRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)z{ Issuing a request with a URI whose host contains non-ASCII characters fails with a L{ValueError}. r)r$Nrrrrr#rrrr+r r r test_hostWithNonASCIIRejected|s  z4URIInjectionTestsMixin.test_hostWithNonASCIIRejectedc Cs:|t}d}||W5QRX|t|jddS)z Issuing a request with a URI whose path contains a carriage return and line feed fails with a L{ValueError}. shttp://twisted.invalid/ pathr$Nr%r&r r r test_pathWithCRLFRejecteds z0URIInjectionTestsMixin.test_pathWithCRLFRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)z Issuing a request with a URI whose path contains unprintable ASCII characters fails with a L{ValueError}. http://twisted.invalid/OK%sr$Nr*r+r r r )test_pathWithWithUnprintableASCIIRejecteds  z@URIInjectionTestsMixin.test_pathWithWithUnprintableASCIIRejectedc CsPtD]F}dt|gf}|t}||W5QRX|t|jdqdS)z{ Issuing a request with a URI whose path contains non-ASCII characters fails with a L{ValueError}. r0r$Nr-r+r r r test_pathWithNonASCIIRejecteds  z4URIInjectionTestsMixin.test_pathWithNonASCIIRejectedN) rrr r!r#r(r,r.r/r1r2r r r r r"Ps      r") r!string frozensetrangerZ printablerrobjectrr"r r r r s =