From 5e60c3943b04a674ef8687323930a0c7d5087c62 Mon Sep 17 00:00:00 2001
From: Chris Jerdonek
Date: Wed, 2 Jun 2021 04:31:27 -0700
Subject: [PATCH] Refs #32800 -- Added CsrfViewMiddleware tests for all combinations of masked/unmasked cookies and tokens.

---
 tests/csrf_tests/tests.py | 50 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py
index af801f8283..b6e94a7717 100644
--- a/tests/csrf_tests/tests.py
+++ b/tests/csrf_tests/tests.py
@@ -975,6 +975,33 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase):
         self.assertEqual(len(csrf_cookie.value), CSRF_TOKEN_LENGTH)
         self.assertNotEqual(csrf_cookie.value, token)
 
+    def test_masked_unmasked_combinations(self):
+        """
+        All combinations are allowed of (1) masked and unmasked cookies,
+        (2) masked and unmasked tokens, and (3) tokens provided via POST and
+        the X-CSRFToken header.
+        """
+        cases = [
+            (TEST_SECRET, TEST_SECRET, None),
+            (TEST_SECRET, MASKED_TEST_SECRET2, None),
+            (TEST_SECRET, None, TEST_SECRET),
+            (TEST_SECRET, None, MASKED_TEST_SECRET2),
+            (MASKED_TEST_SECRET1, TEST_SECRET, None),
+            (MASKED_TEST_SECRET1, MASKED_TEST_SECRET2, None),
+            (MASKED_TEST_SECRET1, None, TEST_SECRET),
+            (MASKED_TEST_SECRET1, None, MASKED_TEST_SECRET2),
+        ]
+        for args in cases:
+            with self.subTest(args=args):
+                cookie, post_token, meta_token = args
+                req = self._get_POST_csrf_cookie_request(
+                    cookie=cookie, post_token=post_token, meta_token=meta_token,
+                )
+                mw = CsrfViewMiddleware(token_view)
+                mw.process_request(req)
+                resp = mw.process_view(req, token_view, (), {})
+                self.assertIsNone(resp)
+
     def test_bare_secret_accepted_and_replaced(self):
         """
         The csrf token is reset from a bare secret.
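Review bot: The loop body under `for args in cases:` (request construction, middleware setup, `assertIsNone`) is repeated line for line in the second hunk's test of the same name in CsrfViewMiddlewareUseSessionsTests; since both classes share CsrfViewMiddlewareTestMixin, a helper there such as `self._check_token_accepted(cookie, post_token, meta_token)` would reduce each test to its `cases` list and keep the two in step if `_get_POST_csrf_cookie_request` ever changes signature. The eight tuples do cover the three factors the docstring promises, but a header comment on the list, e.g. `# (cookie, post_token, meta_token)`, would make the table readable without hunting for the unpacking line. The enclosing class continues outside the hunk.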
@@ -1055,6 +1082,29 @@ class CsrfViewMiddlewareUseSessionsTests(CsrfViewMiddlewareTestMixin, SimpleTest
         mw = CsrfViewMiddleware(lambda req: HttpResponse())
         mw.process_request(HttpRequest())
 
+    def test_masked_unmasked_combinations(self):
+        """
+        Masked and unmasked tokens are allowed both as POST and as the
+        X-CSRFToken header.
+        """
+        cases = [
+            # Bare secrets are not allowed when CSRF_USE_SESSIONS=True.
+            (MASKED_TEST_SECRET1, TEST_SECRET, None),
+            (MASKED_TEST_SECRET1, MASKED_TEST_SECRET2, None),
+            (MASKED_TEST_SECRET1, None, TEST_SECRET),
+            (MASKED_TEST_SECRET1, None, MASKED_TEST_SECRET2),
+        ]
+        for args in cases:
+            with self.subTest(args=args):
+                cookie, post_token, meta_token = args
+                req = self._get_POST_csrf_cookie_request(
+                    cookie=cookie, post_token=post_token, meta_token=meta_token,
+                )
+                mw = CsrfViewMiddleware(token_view)
+                mw.process_request(req)
+                resp = mw.process_view(req, token_view, (), {})
+                self.assertIsNone(resp)
+
     def test_process_response_get_token_used(self):
         """The ensure_csrf_cookie() decorator works without middleware."""
         req = self._get_GET_no_csrf_cookie_request()
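Review bot: The restriction stated by the comment `# Bare secrets are not allowed when CSRF_USE_SESSIONS=True.` is only documented, not asserted: the test exercises the four accepted cases and nothing checks that a bare-secret cookie such as `(TEST_SECRET, TEST_SECRET, None)` is actually rejected in session mode. Unless another test in this class already covers it, a sibling case that asserts the rejection (a 403 from `process_view`, i.e. `self.assertEqual(resp.status_code, 403)`) would turn the comment into an enforced property, which matters because this is the boundary between the cookie-mode and session-mode token formats. The docstring could also state that only masked cookies appear in `cases`, since it currently speaks only of tokens. The enclosing class starts outside the hunk.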