From 43d1ea6e2ff1982d52faf6b04d613390220e5d7a Mon Sep 17 00:00:00 2001 From: Chris Jerdonek Date: Tue, 29 Jun 2021 10:18:17 -0400 Subject: [PATCH] Refs #32885 -- Used _read_csrf_cookie()/_set_csrf_cookie() in more CSRF tests. --- tests/csrf_tests/tests.py | 40 +++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index a1057c1168..d1f1f7e167 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -349,7 +349,7 @@ class CsrfViewMiddlewareTestMixin: A new token is sent if the csrf_cookie is the empty string. """ req = self._get_request() - req.COOKIES[settings.CSRF_COOKIE_NAME] = "" + self._set_csrf_cookie(req, '') mw = CsrfViewMiddleware(token_view) mw.process_view(req, token_view, (), {}) resp = token_view(req) @@ -881,7 +881,8 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): """ req = self._get_request() resp = ensure_csrf_cookie_view(req) - self.assertTrue(resp.cookies.get(settings.CSRF_COOKIE_NAME, False)) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertTrue(csrf_cookie) self.assertIn('Cookie', resp.get('Vary', '')) def test_ensures_csrf_cookie_with_middleware(self): @@ -893,7 +894,8 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): mw = CsrfViewMiddleware(ensure_csrf_cookie_view) mw.process_view(req, ensure_csrf_cookie_view, (), {}) resp = mw(req) - self.assertTrue(resp.cookies.get(settings.CSRF_COOKIE_NAME, False)) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertTrue(csrf_cookie) self.assertIn('Cookie', resp.get('Vary', '')) def test_csrf_cookie_age(self): @@ -965,12 +967,12 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): created. """ req = self._get_request() - req.COOKIES[settings.CSRF_COOKIE_NAME] = 'x' * 100000 + self._set_csrf_cookie(req, 'x' * 100000) mw = CsrfViewMiddleware(token_view) mw.process_view(req, token_view, (), {}) resp = mw(req) - csrf_cookie = resp.cookies.get(settings.CSRF_COOKIE_NAME, False) - self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH) def test_process_view_token_invalid_chars(self): """ @@ -979,13 +981,13 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): """ token = ('!@#' + self._csrf_id_token)[:CSRF_TOKEN_LENGTH] req = self._get_request() - req.COOKIES[settings.CSRF_COOKIE_NAME] = token + self._set_csrf_cookie(req, token) mw = CsrfViewMiddleware(token_view) mw.process_view(req, token_view, (), {}) resp = mw(req) - csrf_cookie = resp.cookies.get(settings.CSRF_COOKIE_NAME, False) - self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) - self.assertNotEqual(csrf_cookie.value, token) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH) + self.assertNotEqual(csrf_cookie, token) def test_masked_unmasked_combinations(self): """ @@ -1024,10 +1026,9 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): resp = mw.process_view(req, token_view, (), {}) self.assertIsNone(resp) resp = mw(req) - self.assertIn(settings.CSRF_COOKIE_NAME, resp.cookies, "Cookie was not reset from bare secret") - csrf_cookie = resp.cookies[settings.CSRF_COOKIE_NAME] - self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH) - self._check_token_present(resp, csrf_id=csrf_cookie.value) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH) + self._check_token_present(resp, csrf_id=csrf_cookie) @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True) def test_https_good_referer_behind_proxy(self): @@ -1080,7 +1081,7 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest def _set_csrf_cookie(self, req, cookie): req.session[CSRF_SESSION_KEY] = cookie - def _read_csrf_cookie(self, req, resp): + def _read_csrf_cookie(self, req, resp=None): """ Return the CSRF cookie as a string, or False if no cookie is present. """ @@ -1124,7 +1125,8 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest """The ensure_csrf_cookie() decorator works without middleware.""" req = self._get_request() ensure_csrf_cookie_view(req) - self.assertTrue(req.session.get(CSRF_SESSION_KEY, False)) + csrf_cookie = self._read_csrf_cookie(req) + self.assertTrue(csrf_cookie) def test_session_modify(self): """The session isn't saved if the CSRF cookie is unchanged.""" @@ -1132,7 +1134,8 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest mw = CsrfViewMiddleware(ensure_csrf_cookie_view) mw.process_view(req, ensure_csrf_cookie_view, (), {}) mw(req) - self.assertIsNotNone(req.session.get(CSRF_SESSION_KEY)) + csrf_cookie = self._read_csrf_cookie(req) + self.assertTrue(csrf_cookie) req.session.modified = False mw.process_view(req, ensure_csrf_cookie_view, (), {}) mw(req) @@ -1147,7 +1150,8 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest mw = CsrfViewMiddleware(ensure_csrf_cookie_view) mw.process_view(req, ensure_csrf_cookie_view, (), {}) mw(req) - self.assertTrue(req.session.get(CSRF_SESSION_KEY, False)) + csrf_cookie = self._read_csrf_cookie(req) + self.assertTrue(csrf_cookie) @override_settings( ALLOWED_HOSTS=['www.example.com'],