Editing: injectionhelpers.py
"""
Shared test mixins that check HTTP client code rejects request methods and
URIs carrying control or non-ASCII bytes.

@see: U{CVE-2019-12387}
"""

import string

# Byte values 0-127 that do not appear in string.printable.
#
# NOTE(review): string.printable contains the whitespace bytes space, \t, \n,
# \r, \x0b and \x0c, so none of those are members of this set.  The loop-based
# tests below therefore never try a lone CR, a lone LF, a tab or a space; the
# CR LF pair is only exercised by the dedicated CRLF tests, each with a single
# fixed payload.
UNPRINTABLE_ASCII = frozenset(range(0, 128)).difference(
    bytearray(string.printable, 'ascii')
)

# Byte values with the high bit set (128-255).
NONASCII = frozenset(range(0x80, 0x100))


def _assertRejected(testCase, attempt, payload, messagePattern):
    """
    Require that C{attempt(payload)} raises L{ValueError} and that the
    exception text matches C{messagePattern}.

    Only the exception type and message are checked; nothing here inspects
    what, if anything, the code under test wrote before raising.

    @param testCase: the running test case; supplies C{assertRaises} and
        C{assertRegex}.
    @param attempt: a one-argument callable that tries to issue the request.
    @param payload: the method or URI bytes handed to C{attempt}.
    @param messagePattern: a regular expression searched for in
        C{str(exception)}.
    """
    with testCase.assertRaises(ValueError) as caught:
        attempt(payload)
    testCase.assertRegex(str(caught.exception), messagePattern)


class MethodInjectionTestsMixin(object):
    """
    A mixin providing HTTP method injection tests.

    Mix this into a L{twisted.trial.unittest.SynchronousTestCase} subclass
    and override
    L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} so that it
    passes the given method to the HTTP client code under test.

    @see: U{CVE-2019-12387}
    """

    def attemptRequestWithMaliciousMethod(self, method):
        """
        Attempt to send a request using C{method}.

        Implementations are expected to raise L{ValueError} synchronously
        when the method is invalid; the tests in this mixin also require the
        message to begin with C{Invalid method}.

        @param method: the request method as bytes, e.g. C{GET} followed by
            a NUL byte.
        """
        raise NotImplementedError()

    def test_methodWithCLRFRejected(self):
        """
        A method containing a carriage return and line feed followed by a
        header line is rejected with a L{ValueError}.
        """
        _assertRejected(
            self,
            self.attemptRequestWithMaliciousMethod,
            b"GET\r\nX-Injected-Header: value",
            "^Invalid method",
        )

    def test_methodWithUnprintableASCIIRejected(self):
        """
        A method ending in any byte from L{UNPRINTABLE_ASCII} is rejected
        with a L{ValueError}.
        """
        for octet in UNPRINTABLE_ASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousMethod,
                b"GET" + bytes(bytearray([octet])),
                "^Invalid method",
            )

    def test_methodWithNonASCIIRejected(self):
        """
        A method ending in any byte from L{NONASCII} is rejected with a
        L{ValueError}.
        """
        for octet in NONASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousMethod,
                b"GET" + bytes(bytearray([octet])),
                "^Invalid method",
            )


class URIInjectionTestsMixin(object):
    """
    A mixin providing HTTP URI injection tests.

    Mix this into a L{twisted.trial.unittest.SynchronousTestCase} subclass
    and override L{URIInjectionTestsMixin.attemptRequestWithMaliciousURI} so
    that it passes the given URI to the HTTP client code under test.
    """

    def attemptRequestWithMaliciousURI(self, method):
        """
        Attempt to send a request to the given URI.

        Implementations are expected to raise L{ValueError} synchronously
        when the URI is invalid; the tests in this mixin also require the
        message to begin with C{Invalid URI}.

        @param method: the URI as bytes.  Despite its name, this parameter
            receives the URI in every test of this mixin.
        """
        raise NotImplementedError()

    def test_hostWithCRLFRejected(self):
        """
        A URI whose host contains a carriage return and line feed is
        rejected with a L{ValueError}.
        """
        _assertRejected(
            self,
            self.attemptRequestWithMaliciousURI,
            b"http://twisted\r\n.invalid/path",
            "^Invalid URI",
        )

    def test_hostWithWithUnprintableASCIIRejected(self):
        """
        A URI whose host contains any byte from L{UNPRINTABLE_ASCII} is
        rejected with a L{ValueError}.
        """
        for octet in UNPRINTABLE_ASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousURI,
                b"http://twisted" + bytes(bytearray([octet])) + b".invalid/OK",
                "^Invalid URI",
            )

    def test_hostWithNonASCIIRejected(self):
        """
        A URI whose host contains any byte from L{NONASCII} is rejected with
        a L{ValueError}.
        """
        for octet in NONASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousURI,
                b"http://twisted" + bytes(bytearray([octet])) + b".invalid/OK",
                "^Invalid URI",
            )

    def test_pathWithCRLFRejected(self):
        """
        A URI whose path contains a carriage return and line feed is
        rejected with a L{ValueError}.
        """
        _assertRejected(
            self,
            self.attemptRequestWithMaliciousURI,
            b"http://twisted.invalid/\r\npath",
            "^Invalid URI",
        )

    def test_pathWithWithUnprintableASCIIRejected(self):
        """
        A URI whose path ends in any byte from L{UNPRINTABLE_ASCII} is
        rejected with a L{ValueError}.
        """
        for octet in UNPRINTABLE_ASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousURI,
                b"http://twisted.invalid/OK" + bytes(bytearray([octet])),
                "^Invalid URI",
            )

    def test_pathWithNonASCIIRejected(self):
        """
        A URI whose path ends in any byte from L{NONASCII} is rejected with
        a L{ValueError}.
        """
        for octet in NONASCII:
            _assertRejected(
                self,
                self.attemptRequestWithMaliciousURI,
                b"http://twisted.invalid/OK" + bytes(bytearray([octet])),
                "^Invalid URI",
            )