kimi/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Pull Requests Activity

feat: code quality audit + autoresearch integration + infra hardening (#150)

Browse Source
This commit is contained in:
Alexander Whitestone
2026-03-08 12:50:44 -04:00
committed by GitHub
parent fd0ede0d51
commit ae3bb1cc21
186 changed files with 5129 additions and 3289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
tests/dashboard/middleware/test_csrf_bypass_vulnerability.py
View File

@@ -3,8 +3,10 @@
import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient
from dashboard.middleware.csrf import CSRFMiddleware
class TestCSRFBypassVulnerability:
"""Test CSRF bypass via path normalization and suffix matching."""
@@ -12,6 +14,7 @@ class TestCSRFBypassVulnerability:
def enable_csrf(self):
"""Re-enable CSRF for these tests."""
from config import settings
original = settings.timmy_disable_csrf
settings.timmy_disable_csrf = False
yield
@@ -19,25 +22,25 @@ class TestCSRFBypassVulnerability:
def test_csrf_bypass_via_traversal_to_exempt_pattern(self):
"""Test if a non-exempt route can be accessed by traversing to an exempt pattern.
The middleware uses os.path.normpath() on the request path and then checks
The middleware uses os.path.normpath() on the request path and then checks
if it starts with an exempt pattern. If the request is to '/webhook/../api/chat',
normpath makes it '/api/chat', which DOES NOT start with '/webhook'.
Wait, the vulnerability is actually the OTHER way around:
If I want to access '/api/chat' (protected) but I use '/webhook/../api/chat',
normpath makes it '/api/chat', which is NOT exempt.
HOWEVER, if the middleware DOES NOT use normpath, then '/webhook/../api/chat'
WOULD start with '/webhook' and be exempt.
The current code DOES use normpath:
```python
normalized_path = os.path.normpath(path)
if not normalized_path.startswith("/"):
normalized_path = "/" + normalized_path
```
Let's look at the exempt patterns again:
exempt_patterns = [
"/webhook",
@@ -45,23 +48,23 @@ class TestCSRFBypassVulnerability:
"/lightning/webhook",
"/_internal/",
]
If I have a route '/webhook_attacker' that is NOT exempt,
If I have a route '/webhook_attacker' that is NOT exempt,
but it starts with '/webhook', it WILL be exempt.
"""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/webhook_attacker")
def sensitive_endpoint():
return {"message": "sensitive data accessed"}
client = TestClient(app)
# This route should NOT be exempt, but it starts with '/webhook'
# CSRF validation should fail (403) because we provide no token.
response = client.post("/webhook_attacker")
# If it's 200, it's a bypass!
assert response.status_code == 403, "Route /webhook_attacker should be protected by CSRF"
@@ -76,13 +79,13 @@ class TestCSRFBypassVulnerability:
"""Test if /webhook_secret is exempt because it starts with /webhook."""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/webhook_secret")
def sensitive_endpoint():
return {"message": "sensitive data accessed"}
client = TestClient(app)
# Should be 403
response = client.post("/webhook_secret")
assert response.status_code == 403, "Route /webhook_secret should be protected by CSRF"
@@ -91,21 +94,21 @@ class TestCSRFBypassVulnerability:
"""Test that legitimate exempt paths still work."""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/webhook")
def webhook():
return {"message": "webhook received"}
@app.post("/api/v1/chat")
def api_chat():
return {"message": "api chat"}
client = TestClient(app)
# Legitimate /webhook (exact match)
response = client.post("/webhook")
assert response.status_code == 200
# Legitimate /api/v1/chat (prefix match)
response = client.post("/api/v1/chat")
assert response.status_code == 200