Show More
@@ -0,0 +1,45 b'' | |||
|
1 | # -*- coding: utf-8 -*- | |
|
2 | ||
|
3 | # Copyright (C) 2016-2018 RhodeCode GmbH | |
|
4 | # | |
|
5 | # This program is free software: you can redistribute it and/or modify | |
|
6 | # it under the terms of the GNU Affero General Public License, version 3 | |
|
7 | # (only), as published by the Free Software Foundation. | |
|
8 | # | |
|
9 | # This program is distributed in the hope that it will be useful, | |
|
10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
|
11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
|
12 | # GNU General Public License for more details. | |
|
13 | # | |
|
14 | # You should have received a copy of the GNU Affero General Public License | |
|
15 | # along with this program. If not, see <http://www.gnu.org/licenses/>. | |
|
16 | # | |
|
17 | # This program is dual-licensed. If you wish to learn more about the | |
|
18 | # RhodeCode Enterprise Edition, including its added features, Support services, | |
|
19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ | |
|
20 | ||
|
21 | import pytest | |
|
22 | ||
|
23 | from rhodecode.tests import TestController | |
|
24 | from rhodecode.tests.fixture import Fixture | |
|
25 | ||
|
26 | ||
|
27 | class TestBadRequestData(TestController): | |
|
28 | ||
|
29 | def test_bad_get_data(self): | |
|
30 | self.app.get( | |
|
31 | '/', params={'f\xfc': '\xfc%f6%22%20onmouseover%3dveA2(9352)%20'}, | |
|
32 | status=400) | |
|
33 | ||
|
34 | def test_bad_url_data(self): | |
|
35 | self.app.post( | |
|
36 | '/f\xfc', | |
|
37 | status=400) | |
|
38 | ||
|
39 | def test_bad_post_data(self, csrf_token, xhr_header): | |
|
40 | self.app.post( | |
|
41 | '/_markup_preview', | |
|
42 | params={'f\xfc': '\xfc%f6%22%20onmouseover%3dveA2(9352)%20', | |
|
43 | 'csrf_token': csrf_token}, | |
|
44 | extra_environ=xhr_header, | |
|
45 | status=400) |
@@ -27,7 +27,6 b' import subprocess32' | |||
|
27 | 27 | |
|
28 | 28 | |
|
29 | 29 | from dateutil.parser import parse |
|
30 | from pyramid.httpexceptions import HTTPBadRequest | |
|
31 | 30 | from pyramid.threadlocal import get_current_request |
|
32 | 31 | from pyramid.interfaces import IRoutesMapper |
|
33 | 32 | from pyramid.settings import asbool |
@@ -39,7 +38,6 b' from rhodecode.config.jsroutes import ge' | |||
|
39 | 38 | from rhodecode.lib import auth |
|
40 | 39 | from rhodecode.lib.base import get_auth_user |
|
41 | 40 | |
|
42 | ||
|
43 | 41 | import rhodecode |
|
44 | 42 | |
|
45 | 43 | |
@@ -61,19 +59,7 b' def add_renderer_globals(event):' | |||
|
61 | 59 | |
|
62 | 60 | def add_localizer(event): |
|
63 | 61 | request = event.request |
|
64 | try: | |
|
65 | 62 |
|
|
66 | except Exception: | |
|
67 | log.exception('Failed to get localizer') | |
|
68 | # NOTE(marcink): Handle bug in pyramid by malformed GET params could crash | |
|
69 | # this resulting on various odd errors on missing translators | |
|
70 | # see: https://github.com/Pylons/pyramid/issues/3399 | |
|
71 | ||
|
72 | def dummy_translate(*args, **kwargs): | |
|
73 | return ''.join(args) | |
|
74 | request.translate = tsf | |
|
75 | request.plularize = dummy_translate | |
|
76 | raise HTTPBadRequest() | |
|
77 | 63 | |
|
78 | 64 | def auto_translate(*args, **kwargs): |
|
79 | 65 | return localizer.translate(tsf(*args, **kwargs)) |
@@ -20,6 +20,7 b'' | |||
|
20 | 20 | |
|
21 | 21 | |
|
22 | 22 | import logging |
|
23 | from pyramid.httpexceptions import HTTPException, HTTPBadRequest | |
|
23 | 24 | |
|
24 | 25 | from rhodecode.lib.middleware.vcs import ( |
|
25 | 26 | detect_vcs_request, VCS_TYPE_KEY, VCS_TYPE_SKIP) |
@@ -56,6 +57,53 b' def vcs_detection_tween_factory(handler,' | |||
|
56 | 57 | return vcs_detection_tween |
|
57 | 58 | |
|
58 | 59 | |
|
60 | def junk_encoding_detector(request): | |
|
61 | """ | |
|
62 | Detect bad encoded GET params, and fail immediately with BadRequest | |
|
63 | """ | |
|
64 | ||
|
65 | try: | |
|
66 | request.GET.get("", None) | |
|
67 | except UnicodeDecodeError: | |
|
68 | raise HTTPBadRequest("Invalid bytes in query string.") | |
|
69 | ||
|
70 | ||
|
71 | def bad_url_data_detector(request): | |
|
72 | """ | |
|
73 | Detect invalid bytes in a path. | |
|
74 | """ | |
|
75 | try: | |
|
76 | request.path_info | |
|
77 | except UnicodeDecodeError: | |
|
78 | raise HTTPBadRequest("Invalid bytes in URL.") | |
|
79 | ||
|
80 | ||
|
81 | def junk_form_data_detector(request): | |
|
82 | """ | |
|
83 | Detect bad encoded POST params, and fail immediately with BadRequest | |
|
84 | """ | |
|
85 | ||
|
86 | if request.method == "POST": | |
|
87 | try: | |
|
88 | request.POST.get("", None) | |
|
89 | except ValueError: | |
|
90 | raise HTTPBadRequest("Invalid bytes in form data.") | |
|
91 | ||
|
92 | ||
|
93 | def sanity_check_factory(handler, registry): | |
|
94 | def sanity_check(request): | |
|
95 | try: | |
|
96 | junk_encoding_detector(request) | |
|
97 | bad_url_data_detector(request) | |
|
98 | junk_form_data_detector(request) | |
|
99 | except HTTPException as exc: | |
|
100 | return exc | |
|
101 | ||
|
102 | return handler(request) | |
|
103 | ||
|
104 | return sanity_check | |
|
105 | ||
|
106 | ||
|
59 | 107 | def includeme(config): |
|
60 | 108 | config.add_subscriber('rhodecode.subscribers.add_renderer_globals', |
|
61 | 109 | 'pyramid.events.BeforeRender') |
@@ -65,5 +113,5 b' def includeme(config):' | |||
|
65 | 113 | 'pyramid.events.NewRequest') |
|
66 | 114 | config.add_subscriber('rhodecode.subscribers.add_request_user_context', |
|
67 | 115 | 'pyramid.events.ContextFound') |
|
68 | ||
|
116 | config.add_tween('rhodecode.tweens.sanity_check_factory') | |
|
69 | 117 | config.add_tween('rhodecode.tweens.vcs_detection_tween_factory') |
General Comments 0
You need to be logged in to leave comments.
Login now