netv/util_test.py at main · bbenich/netv · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
"""Tests for util.py."""

from __future__ import annotations

from typing import Any

import urllib.error

import pytest

import util


def _fake_request(url: str) -> Any:
    """Create a minimal request object for testing."""

    class _Req:
        full_url = url
        headers: dict[str, str] = {}
        data = None
        origin_req_host = "original.com"

        def get_method(self) -> str:
            return "GET"

    return _Req()


class TestSafeRedirectHandler:
    def test_handler_allows_http(self):
        handler = util._SafeRedirectHandler()
        req = _fake_request("http://original.com")
        result = handler.redirect_request(
            req,
            fp=None,
            code=302,
            msg="Found",
            headers={},
            newurl="http://redirect.com/path",
        )
        assert result is not None

    def test_handler_allows_https(self):
        handler = util._SafeRedirectHandler()
        req = _fake_request("https://original.com")
        result = handler.redirect_request(
            req,
            fp=None,
            code=302,
            msg="Found",
            headers={},
            newurl="https://secure.com/path",
        )
        assert result is not None

    def test_handler_rejects_file_scheme(self):
        handler = util._SafeRedirectHandler()
        req = _fake_request("http://original.com")
        with pytest.raises(urllib.error.URLError, match="Unsafe redirect scheme"):
            handler.redirect_request(
                req,
                fp=None,
                code=302,
                msg="Found",
                headers={},
                newurl="file:///etc/passwd",
            )

    def test_handler_rejects_data_scheme(self):
        handler = util._SafeRedirectHandler()
        req = _fake_request("http://original.com")
        with pytest.raises(urllib.error.URLError, match="Unsafe redirect scheme"):
            handler.redirect_request(
                req,
                fp=None,
                code=302,
                msg="Found",
                headers={},
                newurl="data:text/html,<script>alert(1)</script>",
            )

    def test_handler_rejects_javascript_scheme(self):
        handler = util._SafeRedirectHandler()
        req = _fake_request("http://original.com")
        with pytest.raises(urllib.error.URLError, match="Unsafe redirect scheme"):
            handler.redirect_request(
                req,
                fp=None,
                code=302,
                msg="Found",
                headers={},
                newurl="javascript:alert(1)",
            )


if __name__ == "__main__":
    from testing import run_tests

    run_tests(__file__)