rnhmjoj/qutebrowser
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Refactor qute://settings CSRF tests

Browse Source
This commit is contained in:
Florian Bruhin 2019-02-17 17:09:25 +01:00
parent 4c54ebf70f
commit 39cc352253
2 changed files with 45 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
tests/end2end/features/qutescheme.feature
View File

@ -142,29 +142,25 @@ Feature: Special qute:// pages
And I press the key "<Tab>" And I press the key "<Tab>"
Then "Invalid value 'foo' *" should be logged Then "Invalid value 'foo' *" should be logged
@qtwebkit_skip Scenario: qute://settings CSRF via img
Scenario: qute://settings CSRF via img (webengine)
When I open data/misc/qutescheme_csrf.html When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-img And I run :click-element id via-img
Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged Then the img request should be blocked
@qtwebkit_skip Scenario: qute://settings CSRF via link
Scenario: qute://settings CSRF via link (webengine)
When I open data/misc/qutescheme_csrf.html When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-link And I run :click-element id via-link
Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged Then the link request should be blocked
@qtwebkit_skip Scenario: qute://settings CSRF via redirect
Scenario: qute://settings CSRF via redirect (webengine)
When I open data/misc/qutescheme_csrf.html When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-redirect And I run :click-element id via-redirect
Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged Then the redirect request should be blocked
@qtwebkit_skip Scenario: qute://settings CSRF via form
Scenario: qute://settings CSRF via form (webengine)
When I open data/misc/qutescheme_csrf.html When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-form And I run :click-element id via-form
Then "Blocking malicious request from qute://settings/set?* to qute://settings/set?*" should be logged Then the form request should be blocked
@qtwebkit_skip @qtwebkit_skip
Scenario: qute://settings CSRF token (webengine) Scenario: qute://settings CSRF token (webengine)
@ -173,32 +169,6 @@ Feature: Special qute:// pages
Then "RequestDeniedError while handling qute://* URL" should be logged Then "RequestDeniedError while handling qute://* URL" should be logged
And the error "Invalid CSRF token for qute://settings!" should be shown And the error "Invalid CSRF token for qute://settings!" should be shown
@qtwebengine_skip
Scenario: qute://settings CSRF via img (webkit)
When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-img
Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
@qtwebengine_skip
Scenario: qute://settings CSRF via link (webkit)
When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-link
Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
@qtwebengine_skip
Scenario: qute://settings CSRF via redirect (webkit)
When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-redirect
Then "Blocking malicious request from http://localhost:*/data/misc/qutescheme_csrf.html to qute://settings/set?*" should be logged
And "Error while loading qute://settings/set?*: Invalid qute://settings request" should be logged
@qtwebengine_skip
Scenario: qute://settings CSRF via form (webkit)
When I open data/misc/qutescheme_csrf.html
And I run :click-element id via-form
Then "Error while loading qute://settings/set?*: Unsupported request type" should be logged
# pdfjs support # pdfjs support
Scenario: pdfjs is used for pdf files Scenario: pdfjs is used for pdf files

37
tests/end2end/features/test_qutescheme_bdd.py
View File

@ -17,5 +17,42 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with qutebrowser. If not, see <http://www.gnu.org/licenses/>. # along with qutebrowser. If not, see <http://www.gnu.org/licenses/>.
import re
import pytest_bdd as bdd import pytest_bdd as bdd
bdd.scenarios('qutescheme.feature') bdd.scenarios('qutescheme.feature')
@bdd.then(bdd.parsers.parse("the {kind} request should be blocked"))
def request_blocked(request, quteproc, kind):
blocking_set_msg = (
"Blocking malicious request from qute://settings/set?* to "
"qute://settings/set?*")
blocking_csrf_msg = (
"Blocking malicious request from "
"http://localhost:*/data/misc/qutescheme_csrf.html to "
"qute://settings/set?*")
webkit_error_invalid = (
"Error while loading qute://settings/set?*: Invalid qute://settings "
"request")
webkit_error_unsupported = (
"Error while loading qute://settings/set?*: Unsupported request type")
if request.config.webengine:
expected_messages = {
'img': [blocking_csrf_msg],
'link': [blocking_set_msg],
'redirect': [blocking_set_msg],
'form': [blocking_set_msg],
}
else: # QtWebKit
expected_messages = {
'img': [blocking_csrf_msg],
'link': [blocking_csrf_msg, webkit_error_invalid],
'redirect': [blocking_csrf_msg, webkit_error_invalid],
'form': [webkit_error_unsupported],
}
for pattern in expected_messages[kind]:
msg = quteproc.wait_for(message=pattern)
msg.expected = True