From 615c80aba654fc1b897424ad69da29855d179e4f Mon Sep 17 00:00:00 2001 From: Natalia <124304+nessita@users.noreply.github.com> Date: Wed, 31 Jul 2024 11:35:45 -0300 Subject: [PATCH] Improved view_tests.tests.test_debug.ExceptionReporterFilterTests. --- tests/view_tests/tests/test_debug.py | 70 ++++++++++++++++------------ 1 file changed, 39 insertions(+), 31 deletions(-) diff --git a/tests/view_tests/tests/test_debug.py b/tests/view_tests/tests/test_debug.py index 9383c0d873..0cc6348920 100644 --- a/tests/view_tests/tests/test_debug.py +++ b/tests/view_tests/tests/test_debug.py @@ -1552,6 +1552,13 @@ class ExceptionReporterFilterTests( """ rf = RequestFactory() + sensitive_settings = [ + "SECRET_KEY", + "SECRET_KEY_FALLBACKS", + "PASSWORD", + "API_KEY", + "AUTH_TOKEN", + ] def test_non_sensitive_request(self): """ @@ -1774,42 +1781,30 @@ class ExceptionReporterFilterTests( The debug page should not show some sensitive settings (password, secret key, ...). """ - sensitive_settings = [ - "SECRET_KEY", - "SECRET_KEY_FALLBACKS", - "PASSWORD", - "API_KEY", - "AUTH_TOKEN", - ] - for setting in sensitive_settings: - with self.settings(DEBUG=True, **{setting: "should not be displayed"}): - response = self.client.get("/raises500/") - self.assertNotContains( - response, "should not be displayed", status_code=500 - ) + for setting in self.sensitive_settings: + with self.subTest(setting=setting): + with self.settings(DEBUG=True, **{setting: "should not be displayed"}): + response = self.client.get("/raises500/") + self.assertNotContains( + response, "should not be displayed", status_code=500 + ) def test_settings_with_sensitive_keys(self): """ The debug page should filter out some sensitive information found in dict settings. """ - sensitive_settings = [ - "SECRET_KEY", - "SECRET_KEY_FALLBACKS", - "PASSWORD", - "API_KEY", - "AUTH_TOKEN", - ] - for setting in sensitive_settings: + for setting in self.sensitive_settings: FOOBAR = { setting: "should not be displayed", "recursive": {setting: "should not be displayed"}, } - with self.settings(DEBUG=True, FOOBAR=FOOBAR): - response = self.client.get("/raises500/") - self.assertNotContains( - response, "should not be displayed", status_code=500 - ) + with self.subTest(setting=setting): + with self.settings(DEBUG=True, FOOBAR=FOOBAR): + response = self.client.get("/raises500/") + self.assertNotContains( + response, "should not be displayed", status_code=500 + ) def test_cleanse_setting_basic(self): reporter_filter = SafeExceptionReporterFilter() @@ -1883,10 +1878,25 @@ class ExceptionReporterFilterTests( ) def test_request_meta_filtering(self): - request = self.rf.get("/", headers={"secret-header": "super_secret"}) + headers = { + "API_URL": "super secret", + "A_SIGNATURE_VALUE": "super secret", + "MY_KEY": "super secret", + "PASSWORD": "super secret", + "SECRET_VALUE": "super secret", + "SOME_TOKEN": "super secret", + } + request = self.rf.get("/", headers=headers) reporter_filter = SafeExceptionReporterFilter() + cleansed_headers = reporter_filter.get_safe_request_meta(request) + for header in headers: + with self.subTest(header=header): + self.assertEqual( + cleansed_headers[f"HTTP_{header}"], + reporter_filter.cleansed_substitute, + ) self.assertEqual( - reporter_filter.get_safe_request_meta(request)["HTTP_SECRET_HEADER"], + cleansed_headers["HTTP_COOKIE"], reporter_filter.cleansed_substitute, ) @@ -1910,9 +1920,7 @@ class ExceptionReporterFilterTests( class CustomExceptionReporterFilter(SafeExceptionReporterFilter): cleansed_substitute = "XXXXXXXXXXXXXXXXXXXX" - hidden_settings = _lazy_re_compile( - "API|TOKEN|KEY|SECRET|PASS|SIGNATURE|DATABASE_URL", flags=re.I - ) + hidden_settings = _lazy_re_compile("PASS|DATABASE", flags=re.I) @override_settings(