2026-03-06 09:00:56 -05:00
|
|
|
"""Tests for CSRF protection middleware traversal bypasses."""
|
|
|
|
|
|
|
|
|
|
import pytest
|
|
|
|
|
from fastapi import FastAPI
|
|
|
|
|
from fastapi.testclient import TestClient
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
from dashboard.middleware.csrf import CSRFMiddleware
|
|
|
|
|
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
class TestCSRFTraversal:
|
|
|
|
|
"""Test path traversal CSRF bypass."""
|
|
|
|
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
|
|
|
def enable_csrf(self):
|
|
|
|
|
"""Re-enable CSRF for these tests."""
|
2026-03-07 18:49:37 -05:00
|
|
|
from config import settings
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-07 18:49:37 -05:00
|
|
|
original = settings.timmy_disable_csrf
|
|
|
|
|
settings.timmy_disable_csrf = False
|
2026-03-06 09:00:56 -05:00
|
|
|
yield
|
2026-03-07 18:49:37 -05:00
|
|
|
settings.timmy_disable_csrf = original
|
2026-03-06 09:00:56 -05:00
|
|
|
|
|
|
|
|
def test_csrf_middleware_path_traversal_bypass(self):
|
|
|
|
|
"""Test if path traversal can bypass CSRF exempt patterns."""
|
|
|
|
|
app = FastAPI()
|
|
|
|
|
app.add_middleware(CSRFMiddleware)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
@app.post("/test")
|
|
|
|
|
def test_endpoint():
|
|
|
|
|
return {"message": "success"}
|
2026-03-08 12:50:44 -04:00
|
|
|
|
ruff (#169)
* polish: streamline nav, extract inline styles, improve tablet UX
- Restructure desktop nav from 8+ flat links + overflow dropdown into
5 grouped dropdowns (Core, Agents, Intel, System, More) matching
the mobile menu structure to reduce decision fatigue
- Extract all inline styles from mission_control.html and base.html
notification elements into mission-control.css with semantic classes
- Replace JS-built innerHTML with secure DOM construction in
notification loader and chat history
- Add CONNECTING state to connection indicator (amber) instead of
showing OFFLINE before WebSocket connects
- Add tablet breakpoint (1024px) with larger touch targets for
Apple Pencil / stylus use and safe-area padding for iPad toolbar
- Add active-link highlighting in desktop dropdown menus
- Rename "Mission Control" page title to "System Overview" to
disambiguate from the chat home page
- Add "Home — Timmy Time" page title to index.html
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* fix(security): move auth-gate credentials to environment variables
Hardcoded username, password, and HMAC secret in auth-gate.py replaced
with os.environ lookups. Startup now refuses to run if any variable is
unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
* refactor(tooling): migrate from black+isort+bandit to ruff
Replace three separate linting/formatting tools with a single ruff
invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs),
.pre-commit-config.yaml, and CI workflow. Fixes all ruff errors
including unused imports, missing raise-from, and undefined names.
Ruff config maps existing bandit skips to equivalent S-rules.
https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h
---------
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-11 12:23:35 -04:00
|
|
|
TestClient(app)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
# We want to check if the middleware logic is flawed.
|
|
|
|
|
# Since TestClient might normalize, we can test the _is_likely_exempt method directly.
|
|
|
|
|
middleware = CSRFMiddleware(app)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
# This path starts with /webhook, but resolves to /test
|
|
|
|
|
traversal_path = "/webhook/../test"
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
# If this returns True, it's a vulnerability because /test is not supposed to be exempt.
|
|
|
|
|
is_exempt = middleware._is_likely_exempt(traversal_path)
|
2026-03-08 12:50:44 -04:00
|
|
|
|
2026-03-06 09:00:56 -05:00
|
|
|
assert is_exempt is False, f"Path {traversal_path} should not be exempt"
|