author | Bert JW Regeer <xistence@0x58.com> | 2022-03-16 15:26:15 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-16 15:26:15 -0600 |
commit | 9e0b8c801e4d505c2ffc91b891af4ba48af715e0 (patch) | |
tree | 9d072734176f480abc59c06b8b2e03ec1850587d /tests/test_receiver.py | |
parent | 22c03947e3bcd7631120aae40d3d844d4f35e49f (diff) | |
parent | b28c9e8bda326ff2f87bf8eb7ea6b110ee0ae6fe (diff) | |
download | waitress-9e0b8c801e4d505c2ffc91b891af4ba48af715e0.tar.gz |
Merge pull request from GHSA-4f7p-27jc-3c36v2.1.1
Fix for HTTP request smuggling due to incorrect validation
Diffstat (limited to 'tests/test_receiver.py')
-rw-r--r-- | tests/test_receiver.py | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/tests/test_receiver.py b/tests/test_receiver.py
index f55aa68..d160cac 100644
--- a/tests/test_receiver.py
+++ b/tests/test_receiver.py
@@ -1,5 +1,7 @@
 import unittest
+import pytest
+
 class TestFixedStreamReceiver(unittest.TestCase):
 def _makeOne(self, cl, buf):
@@ -226,6 +228,55 @@ class TestChunkedReceiver(unittest.TestCase):
 self.assertEqual(inst.error, None)
+class TestChunkedReceiverParametrized:
+ def _makeOne(self, buf):
+ from waitress.receiver import ChunkedReceiver
+
+ return ChunkedReceiver(buf)
+
+ @pytest.mark.parametrize(
+ "invalid_extension", [b"\n", b"invalid=", b"\r", b"invalid = true"]
+ )
+ def test_received_invalid_extensions(self, invalid_extension):
+ from waitress.utilities import BadRequest
+
+ buf = DummyBuffer()
+ inst = self._makeOne(buf)
+ data = b"4;" + invalid_extension + b"\r\ntest\r\n"
+ result = inst.received(data)
+ assert result == len(data)
+ assert inst.error.__class__ == BadRequest
+ assert inst.error.body == "Invalid chunk extension"
+
+ @pytest.mark.parametrize(
+ "valid_extension", [b"test", b"valid=true", b"valid=true;other=true"]
+ )
+ def test_received_valid_extensions(self, valid_extension):
+ # While waitress may ignore extensions in Chunked Encoding, we do want
+ # to make sure that we don't fail when we do encounter one that is
+ # valid
+ buf = DummyBuffer()
+ inst = self._makeOne(buf)
+ data = b"4;" + valid_extension + b"\r\ntest\r\n"
+ result = inst.received(data)
+ assert result == len(data)
+ assert inst.error == None
+
+ @pytest.mark.parametrize(
+ "invalid_size", [b"0x04", b"+0x04", b"x04", b"+04", b" 04", b" 0x04"]
+ )
+ def test_received_invalid_size(self, invalid_size):
+ from waitress.utilities import BadRequest
+
+ buf = DummyBuffer()
+ inst = self._makeOne(buf)
+ data = invalid_size + b"\r\ntest\r\n"
+ result = inst.received(data)
+ assert result == len(data)
+ assert inst.error.__class__ == BadRequest
+ assert inst.error.body == "Invalid chunk size"
+
+
 class DummyBuffer:
 def __init__(self, data=None):
 if data is None: |
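Review bot: The `invalid_size` list in `test_received_invalid_size` pins the `0x`, `+` and leading-space spellings but leaves out other forms that Python's `int(..., 16)` also accepts: a `-` sign, `_` digit separators, and trailing or tab whitespace. The receiver code is not part of this diff, so I cannot tell how it validates the size, but if it ever falls back to a lenient parse those forms would be accepted while this test still passes, which is the front-end/back-end disagreement the advisory is about. I would extend the parameters with constructed cases such as `b"-04", b"0_4", b"04 ", b"\t04"` and confirm each yields "Invalid chunk size". Separately, in `test_received_valid_extensions`, `assert inst.error == None` should be `assert inst.error is None`, and the two `inst.error.__class__ == BadRequest` checks read better as `isinstance(inst.error, BadRequest)`.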