diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-02-24 16:33:20 +0100 |
---|---|---|
committer | NavaL <mnandri@thoughtworks.com> | 2016-02-25 09:17:53 +0100 |
commit | 9573bdca55ddc5488066d3af525e41ed1d872ea6 (patch) | |
tree | 228ca246c306bd44faa37c01e52c6d7aefec1531 /service/test/support/test_helper.py | |
parent | b79035b83e81e4fd654b587426083c6033e695ad (diff) |
Backend and frontend protection against csrf attacks:
- root resources changes the csrf token cookie everytime it is loaded, in particular during the intestitial load during login
- it will also add that cookie on single user mode
- initialize will still load all resources
- but they you cant access them if the csrf token do not match
- all ajax calls needs to add the token to the header
- non ajax get requests do not need xsrf token validation
- non ajax post will have to send the token in as a form input or in the content
Issue #612
Diffstat (limited to 'service/test/support/test_helper.py')
-rw-r--r-- | service/test/support/test_helper.py | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/service/test/support/test_helper.py b/service/test/support/test_helper.py index 77c74407..640baf6f 100644 --- a/service/test/support/test_helper.py +++ b/service/test/support/test_helper.py @@ -88,6 +88,7 @@ class PixRequestMock(DummyRequest): DummyRequest.__init__(self, path) self.content = None self.code = None + self.cookies = {} def getWrittenData(self): if len(self.written): @@ -97,8 +98,14 @@ class PixRequestMock(DummyRequest): self.setResponseCode(302) self.setHeader(b"location", url) + def addCookie(self, key, value): + self.cookies[key] = value -def request_mock(path='', method='GET', body='', headers={}): + def getCookie(self, key): + return self.cookies.get(key) + + +def request_mock(path='', method='GET', body='', headers={}, ajax=True, csrf='token'): dummy = PixRequestMock(path.split('/')) for name, val in headers.iteritems(): dummy.headers[name.lower()] = val @@ -108,5 +115,9 @@ def request_mock(path='', method='GET', body='', headers={}): else: for key, val in body.items(): dummy.addArg(key, val) + if ajax: + dummy.headers['x-requested-with'] = 'XMLHttpRequest' + dummy.headers['x-xsrf-token'] = csrf + dummy.addCookie('XSRF-TOKEN', csrf) return dummy |