perplexity/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Issues Pull Requests 1 Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
ae3bb1cc217bbc32cda89f1af8601205b3e2f7c3
Timmy-time-dashboard/tests/dashboard/middleware/test_csrf_bypass.py

74 lines
2.7 KiB
Python
Raw Blame History

"""Tests for CSRF protection middleware bypasses."""
import pytest
from fastapi import FastAPI
from fastapi.testclient import TestClient
from dashboard.middleware.csrf import CSRFMiddleware
class TestCSRFBypass:
"""Test potential CSRF bypasses."""
@pytest.fixture(autouse=True)
def enable_csrf(self):
"""Re-enable CSRF for these tests."""
from config import settings
original = settings.timmy_disable_csrf
settings.timmy_disable_csrf = False
yield
settings.timmy_disable_csrf = original
def test_csrf_middleware_blocks_unsafe_methods_without_token(self):
"""POST should require CSRF token even with AJAX headers (if not explicitly allowed)."""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/test")
def test_endpoint():
return {"message": "success"}
client = TestClient(app)
# POST with X-Requested-With should STILL fail if it's not a valid CSRF token
# Some older middlewares used to trust this header blindly.
response = client.post("/test", headers={"X-Requested-With": "XMLHttpRequest"})
# This should fail with 403 because no CSRF token is provided
assert response.status_code == 403
def test_csrf_middleware_path_traversal_bypass(self):
"""Test if path traversal can bypass CSRF exempt patterns."""
app = FastAPI()
app.add_middleware(CSRFMiddleware)
@app.post("/test")
def test_endpoint():
return {"message": "success"}
client = TestClient(app)
# If the middleware checks path starts with /webhook,
# can we use /webhook/../test to bypass?
# Note: TestClient/FastAPI might normalize this, but we should check the logic.
response = client.post("/webhook/../test")
# If it bypassed, it would return 200 (if normalized to /test) or 404 (if not).
# But it should definitely not return 200 success without CSRF.
if response.status_code == 200:
assert response.json() != {"message": "success"}
def test_csrf_middleware_null_byte_bypass(self):
"""Test if null byte in path can bypass CSRF exempt patterns."""
app = FastAPI()
middleware = CSRFMiddleware(app)
# Test directly since TestClient blocks null bytes
path = "/webhook\0/test"
is_exempt = middleware._is_likely_exempt(path)
# It should either be not exempt or the null byte should be handled
# In our current implementation, it might still be exempt if normalized to /webhook\0/test
# But it's better than /webhook/../test
assert is_exempt is False or "\0" in path
Reference in New Issue View Git Blame Copy Permalink