/usr/lib/python3/dist-packages/twisted/web/test/injectionhelpers.py

Helpers for URI and method injection tests.

@see: U{CVE-2019-12387}

Module-level names: UNPRINTABLE_ASCII, NONASCII (the module references string.printable, frozenset, range and the "ascii" encoding).


class MethodInjectionTestsMixin

    A mixin that runs HTTP method injection tests. Define
    L{MethodInjectionTestsMixin.attemptRequestWithMaliciousMethod} in a
    L{twisted.trial.unittest.SynchronousTestCase} subclass to test how
    HTTP client code behaves when presented with malicious HTTP methods.

    @see: U{CVE-2019-12387}

    attemptRequestWithMaliciousMethod(self, method)
        Attempt to send a request with the given method. This should
        synchronously raise a L{ValueError} if either is invalid.

        @param method: the method (e.g. C{GET})
        @param uri: the URI
        @type method:

        Raises NotImplementedError in the mixin itself.

    test_methodWithCLRFRejected(self)
        Issuing a request with a method that contains a carriage return
        and line feed fails with a L{ValueError}.

        Method sent: GET\r\nX-Injected-Header: value
        Expected exception message pattern: ^Invalid method

    test_methodWithUnprintableASCIIRejected(self)
        Issuing a request with a method that contains unprintable ASCII
        characters fails with a L{ValueError}.

        Method format: GET%s, filled in for each value in UNPRINTABLE_ASCII
        Expected exception message pattern: ^Invalid method

    test_methodWithNonASCIIRejected(self)
        Issuing a request with a method that contains non-ASCII
        characters fails with a L{ValueError}.

        Method format: GET%s, filled in for each value in NONASCII
        Expected exception message pattern: ^Invalid method


class URIInjectionTestsMixin

    A mixin that runs HTTP URI injection tests. Define
    L{MethodInjectionTestsMixin.attemptRequestWithMaliciousURI} in a
    L{twisted.trial.unittest.SynchronousTestCase} subclass to test how
    HTTP client code behaves when presented with malicious HTTP URIs.

    attemptRequestWithMaliciousURI(self, method)
        Attempt to send a request with the given URI. This should
        synchronously raise a L{ValueError} if either is invalid.

        @param uri: the URI.
        @type method:

        Raises NotImplementedError in the mixin itself.

    test_hostWithCRLFRejected(self)
        Issuing a request with a URI whose host contains a carriage
        return and line feed fails with a L{ValueError}.

        URI sent: http://twisted\r\n.invalid/path
        Expected exception message pattern: ^Invalid URI

    test_hostWithWithUnprintableASCIIRejected(self)
        Issuing a request with a URI whose host contains unprintable
        ASCII characters fails with a L{ValueError}.

        URI format: http://twisted%s.invalid/OK, filled in for each value in UNPRINTABLE_ASCII
        Expected exception message pattern: ^Invalid URI

    test_hostWithNonASCIIRejected(self)
        Issuing a request with a URI whose host contains non-ASCII
        characters fails with a L{ValueError}.

        URI format: http://twisted%s.invalid/OK, filled in for each value in NONASCII
        Expected exception message pattern: ^Invalid URI

    test_pathWithCRLFRejected(self)
        Issuing a request with a URI whose path contains a carriage
        return and line feed fails with a L{ValueError}.

        URI sent: http://twisted.invalid/\r\npath
        Expected exception message pattern: ^Invalid URI

    test_pathWithWithUnprintableASCIIRejected(self)
        Issuing a request with a URI whose path contains unprintable
        ASCII characters fails with a L{ValueError}.

        URI format: http://twisted.invalid/OK%s, filled in for each value in UNPRINTABLE_ASCII
        Expected exception message pattern: ^Invalid URI

    test_pathWithNonASCIIRejected(self)
        Issuing a request with a URI whose path contains non-ASCII
        characters fails with a L{ValueError}.

        URI format: http://twisted.invalid/OK%s, filled in for each value in NONASCII
        Expected exception message pattern: ^Invalid URI