fresco 3.3.2__py3-none-any.whl → 3.3.4__py3-none-any.whl

fresco/tests/util/test_http.py

@@ -0,0 +1,323 @@
+# encoding=UTF-8
+# Copyright 2015 Oliver Cope
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+#     Unless required by applicable law or agreed to in writing, software
+#     distributed under the License is distributed on an "AS IS" BASIS,
+#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#     See the License for the specific language governing permissions and
+#     limitations under the License.
+#
+# See LICENSE.txt for terms of redistribution and use.
+
+from io import BytesIO
+from urllib.parse import quote
+import re
+
+from hypothesis import given, strategies as st
+import pytest
+
+from fresco import FrescoApp
+from fresco import context
+from fresco import Response
+from fresco.exceptions import RequestParseError
+from fresco.routing import POST
+from fresco.util.http import FileUpload
+from fresco.util.http import PostParser
+from fresco.util.http import encode_multipart
+from fresco.util.http import parse_parameters
+from fresco.util.http import parse_post
+from fresco.util.http import parse_querystring
+
+from . import form_data
+
+
+class TestParseQueryString(object):
+    def p(self, value):
+        return list(parse_querystring(value))
+
+    def test_empty(self):
+        self.p("") == []
+
+    def test_simple_key_value(self):
+        assert self.p("a=b") == [("a", "b")]
+
+    def test_key_with_space(self):
+        assert self.p("a+b=c") == [("a b", "c")]
+
+    def test_value_with_space(self):
+        assert self.p("a=b+c") == [("a", "b c")]
+
+    def test_double_equals(self):
+        assert self.p("a==b") == [("a", "=b")]
+
+    def test_escaped_chars(self):
+        assert self.p("%20==c%3D") == [(" ", "=c=")]
+
+    def test_charset(self):
+        assert self.p("a=el%20ni%C3%B1o") == [("a", "el niño")]
+
+
+class TestParseMultipart(object):
+    def _make_env(self, data: bytes):
+        data = b"----XX\r\n" + data + b"----XX--\r\n"
+        return (
+            BytesIO(data),
+            {
+                "CONTENT_LENGTH": len(data),
+                "CONTENT_TYPE": "multipart/form-data; boundary=--XX",
+            },
+        )
+
+    def test_multipart(self):
+        for data in form_data.multipart_samples:
+            io = BytesIO(data["data"])  # type: ignore
+            io.seek(0)
+            environ = {
+                "CONTENT_LENGTH": data["content_length"],
+                "CONTENT_TYPE": data["content_type"],
+            }
+            with PostParser(environ, io, "UTF-8") as parsed:
+                parsed = sorted(list(parsed))
+
+                assert [name for name, value in parsed] == [
+                    "empty-text-input",
+                    "file-upload",
+                    "text-input-ascii",
+                    "text-input-unicode",
+                ]
+
+                assert parsed[0] == ("empty-text-input", "")
+                assert parsed[2] == ("text-input-ascii", "abcdef")
+                assert parsed[3] == (
+                    "text-input-unicode",
+                    b"\xce\xb1\xce\xb2\xce\xb3\xce\xb4".decode("utf8"),
+                )
+
+                fieldname, fileupload = parsed[1]
+                assert isinstance(fileupload, FileUpload)
+                assert fieldname == "file-upload"
+                assert fileupload.filename == "test.data"
+                assert fileupload.headers["content-type"] == "application/octet-stream"
+                assert fileupload.file.read() == form_data.FILE_UPLOAD_DATA
+
+    def test_non_ascii_headers(self):
+        """
+        Ensure that headers containing non-ascii characters are handled.
+        NB the stdlib email.parser module that we use for parsing replaces
+        any 8-bit characters with the unicode replacement character.
+        """
+        filename = "café.txt".encode("utf8")
+        data = (
+            b"----XXXXXX\r\n"
+            b'Content-Disposition: form-data; name="u"; '
+            b'filename="' + filename + b'"\r\n'
+            b"Content-Type: application/octet-stream\r\n\r\n"
+            b"1234567890\r\n"
+            b"----XXXXXX--\r\n"
+        )
+        environ = {
+            "CONTENT_LENGTH": len(data),
+            "CONTENT_TYPE": "multipart/form-data; boundary=--XXXXXX",
+        }
+        f = BytesIO(data)
+        with PostParser(environ, f, "UTF-8") as parsed:
+            fieldname, fileupload = list(parsed)[0]
+            assert isinstance(fileupload, FileUpload)
+            assert fileupload.filename == "caf\uFFFD\uFFFD.txt"
+
+    def test_malformed_headers_raise_exceptions(self):
+        # Missing '=' in parameter
+        data, env = self._make_env(
+            b"Content-Disposition: form-data; name; \r\n\r\n" b"1234567890\r\n"
+        )
+        with pytest.raises(RequestParseError):
+            list(parse_post(env, data))
+
+    def test_fileupload_too_big(self):
+        """\
+        Verify that multipart/form-data encoded POST data raises an exception
+        if the total data size exceeds request.MAX_SIZE bytes
+        """
+
+        def view():
+            request = context.request
+            request.MAX_MULTIPART_SIZE = 500
+            request.get("f1")
+            return Response(["ok"])
+
+        app = FrescoApp()
+        app.route("/", POST, view)
+
+        with app.requestcontext_post(
+            "/", files=[("f1", "filename.txt", "text/plain", "x" * 1000)]
+        ):
+            assert app.view().status == "413 Payload Too Large"
+
+        with app.requestcontext_post(
+            "/",
+            files=[("f1", "filename.txt", "text/plain", "x" * 400)],
+            data={"f2": "x" * 101},
+        ):
+            assert app.view().status == "413 Payload Too Large"
+
+    def test_fileupload_with_invalid_content_length(self):
+        def view():
+            request = context.request
+            request.get("f1")
+            return Response(["ok"])
+
+        app = FrescoApp()
+        app.route("/", POST, view)
+
+        with app.requestcontext_post(
+            "/", files=[("f1", "filename.txt", "text/plain", "x" * 1000)]
+        ) as c:
+            c.request.environ["CONTENT_LENGTH"] = str("500")
+            assert app.view().status == "400 Bad Request"
+
+    def test_multipart_field_too_big(self):
+        """
+        Verify that multipart/form-data encoded POST data raises an exception
+        if it contains a single field exceeding request.MAX_SIZE bytes
+        """
+
+        def view():
+            request = context.request
+            request.MAX_MULTIPART_SIZE = 500
+            request.MAX_SIZE = 100
+            request.get("f1")
+            return Response(["ok"])
+
+        app = FrescoApp()
+        app.route("/", POST, view)
+
+        with app.requestcontext_post("/", multipart=True, data=[("f1", "x" * 200)]):
+            assert app.view().status == "413 Payload Too Large"
+
+
+class TestParseFormEncodedData(object):
+    char_latin1 = b"\xa3"
+    char_utf8 = b"\xc2\xa3"
+    char = char_latin1.decode("latin1")
+
+    assert char_latin1.decode("latin1") == char_utf8.decode("utf8") == char
+
+    def test_formencoded_data_too_big(self):
+        """
+        Verify that application/x-www-form-urlencoded POST data raises an
+        exception if it exceeds request.MAX_SIZE bytes
+        """
+
+        def view():
+            request = context.request
+            request.MAX_SIZE = 100
+            request.get("f1")
+            return Response(["ok"])
+
+        app = FrescoApp()
+        app.route("/", POST, view)
+
+        with app.requestcontext_post("/", data=[("f1", "x" * 200)]):
+            assert app.view().status == "413 Payload Too Large"
+
+    def test_posted_data_contains_non_ascii_chars(self):
+        """
+        Verify that it raises an exception if POST data contains invalid
+        characters.
+        """
+
+        def view():
+            context.request.get("f1")
+
+        app = FrescoApp()
+        app.route("/", POST, view)
+
+        data = "foo=bár".encode("utf8")
+
+        with app.requestcontext(
+            "/",
+            REQUEST_METHOD="POST",
+            CONTENT_LENGTH=str(len(data)),
+            CONTENT_TYPE="application/x-www-form-urlencoded",
+            wsgi_input=data,
+        ):
+            response = app.view()
+            assert response.status == "400 Bad Request"
+
+    def test_non_utf8_data_posted(self):
+        data = b"char=" + quote(self.char_latin1).encode("ascii")
+        env = {
+            "REQUEST_METHOD": "POST",
+            "CONTENT_LENGTH": str(len(data)),
+            "wsgi.input": BytesIO(data),
+        }
+
+        with FrescoApp().requestcontext(environ=env) as c:
+            request = c.request
+            request.charset = "latin1"
+            assert request.form["char"] == self.char
+
+    def test_non_utf8_data_getted(self):
+        data = "char=" + quote(self.char_latin1)
+        env = {"REQUEST_METHOD": "GET", "QUERY_STRING": data}
+
+        with FrescoApp().requestcontext(environ=env) as c:
+            request = c.request
+            request.charset = "latin1"
+            assert request.query["char"] == self.char
+
+
+class TestEncodeMultipart(object):
+    def test_it_encodes_a_data_dict(self):
+        data, headers = encode_multipart([("foo", "bar baf")])
+        data = data.getvalue()
+        assert b'Content-Disposition: form-data; name="foo"\r\n\r\nbar baf' in data
+
+    def test_it_encodes_a_file_tuple(self):
+        data, headers = encode_multipart(files=[("foo", "foo.txt", "ascii", "bar")])
+        data = data.getvalue()
+        expected = (
+            b"Content-Disposition: form-data; "
+            b'name="foo"; filename="foo.txt"\r\n'
+            b"Content-Type: ascii\r\n"
+            b"\r\n"
+            b"bar"
+        )
+        assert expected in data
+
+
+class TestParseParameters(object):
+    token = st.text(
+        alphabet="".join(
+            chr(c) for c in range(33, 127) if chr(c) not in '()<>@,;:\\/[]?="'
+        ),
+        min_size=1,
+    )
+
+    @given(items=st.lists(st.tuples(token, token)))
+    def test_parse_tokens(self, items):
+        s = ";".join("{}={}".format(k, v) for k, v in items)
+        assert parse_parameters(s) == dict(items)
+
+    @given(items=st.lists(st.tuples(token, st.text(min_size=1))))
+    def test_parse_parameters(self, items):
+        def escape(s):
+            return re.sub(r'(["\\\r])', r"\\\1", s)
+
+        s = ";".join('{}="{}"'.format(k, escape(v)) for k, v in items)
+        assert parse_parameters(s) == dict(items)
+
+    def test_semicolons_in_parameters(self):
+        assert parse_parameters('name=";"') == {"name": ";"}
+
+    def test_quoted_strings_in_parameters(self):
+        assert parse_parameters('name="\\""') == {"name": '"'}
+
+    def test_it_preserves_backslashes(self):
+        assert parse_parameters('f="C:\\a.txt"', True) == {"f": "C:\\a.txt"}

fresco/tests/util/test_security.py

@@ -0,0 +1,34 @@
+# Copyright 2015 Oliver Cope
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+#     Unless required by applicable law or agreed to in writing, software
+#     distributed under the License is distributed on an "AS IS" BASIS,
+#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#     See the License for the specific language governing permissions and
+#     limitations under the License.
+#
+import pytest
+
+from fresco.util.security import check_equal_constant_time
+
+
+class TestSecurity(object):
+    def test_check_equal_constant_time_returns_equality(self):
+        assert check_equal_constant_time("", "") is True
+        assert check_equal_constant_time("abcabcabc", "abcabcabc") is True
+
+    def test_check_equal_constant_time_returns_inequality(self):
+        assert check_equal_constant_time(" ", "") is False
+        assert check_equal_constant_time("abcabcabc", "abcabcabx") is False
+        assert check_equal_constant_time("abcabcabc", "abcabcabx") is False
+        assert check_equal_constant_time("abcabcabc", "abcabcabde") is False
+        assert check_equal_constant_time("abcabcabc", "abcabcab") is False
+
+    def test_check_equal_constant_time_raises_an_error_on_non_strings(self):
+        with pytest.raises(TypeError):
+            check_equal_constant_time(None, None)

fresco/tests/util/test_urls.py

@@ -0,0 +1,176 @@
+# Copyright 2015 Oliver Cope
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+#     Unless required by applicable law or agreed to in writing, software
+#     distributed under the License is distributed on an "AS IS" BASIS,
+#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#     See the License for the specific language governing permissions and
+#     limitations under the License.
+#
+from fresco.core import FrescoApp
+from fresco.util.urls import normpath, make_query
+from fresco.util.urls import is_safe_url
+
+# Greek letters as unicode strings (require multi-byte representation in UTF-8)
+alpha = b"\xce\xb1".decode("utf8")
+beta = b"\xce\xb2".decode("utf8")
+gamma = b"\xce\xb3".decode("utf8")
+
+
+class TestNormPath(object):
+    def test_empty_string(selfself):
+        assert normpath("") == ""
+
+    def test_root_url(self):
+        assert normpath("/") == "/"
+
+    def test_condenses_consecutive_slashes(self):
+        assert normpath("//") == "/"
+        assert normpath("///") == "/"
+
+    def test_remove_single_dot(self):
+        assert normpath("/./") == "/"
+
+    def test_double_dot_interpreted(self):
+        assert normpath("/../") == "/"
+        assert normpath("/foo/../") == "/"
+
+    def test_triple_dot_preserved(self):
+        assert normpath("/.../") == "/.../"
+
+    def test_combined_patterns(self):
+        assert normpath("/..//../") == "/"
+        assert normpath("/hello/.//dolly//") == "/hello/dolly/"
+        assert normpath("///hello/.//dolly//./..//.//sailor") == "/hello/sailor"
+
+    def test_trailing_slash_preserved(self):
+        assert normpath("/sliced/bread/") == "/sliced/bread/"
+
+
+class TestMakeQuery(object):
+    def test_make_query(self):
+        assert sorted(make_query(a="1", b=2).split("&")) == ["a=1", "b=2"]
+        assert make_query(a="one two three") == "a=one+two+three"
+        assert make_query(a=["one", "two", "three"]) == "a=one&a=two&a=three"
+
+    def test_make_query_unicode(self):
+        assert (
+            make_query(a=[alpha, beta, gamma], charset="utf8")
+            == "a=%CE%B1&a=%CE%B2&a=%CE%B3"
+        )
+
+    def test_make_query_unicode_default_encoding(self):
+        assert make_query(a=[alpha, beta, gamma], charset="utf8") == make_query(
+            a=[alpha, beta, gamma]
+        )
+
+
+class TestSafeURL(object):
+    def test_it_loads_defaults_from_context(self):
+        with FrescoApp().requestcontext(
+            **{"wsgi.url_scheme": "https", "HTTP_HOST": "foo.example.org"}
+        ):
+            assert is_safe_url("http://foo.example.org/") is True
+            assert is_safe_url("https://foo.example.org/") is True
+            assert is_safe_url("//foo.example.org/") is True
+            assert is_safe_url("http://example.org/") is False
+            assert is_safe_url("https://example.org/") is False
+            assert is_safe_url("//example.org/") is False
+
+    def test_it_passes_safe_urls(self):
+        safe = [
+            "/foo",
+            "http://good.example.org/x",
+            "https://good.example.org/",
+            "HTTPS://good.example.org/",
+            "//good.example.org/",
+            "/path?next_url=http://bad.example.org/",
+        ]
+        for u in safe:
+            assert is_safe_url(u, allowed_hosts={"good.example.org"}) is True
+
+    def test_it_handles_port_numbers_correctly(self):
+        def test(scheme, server_name="localhost", server_port="80", http_host=None):
+            env = {
+                "SERVER_NAME": server_name,
+                "SERVER_PORT": server_port,
+                "wsgi.url_scheme": scheme,
+                "HTTP_HOST": http_host,
+            }
+
+            def test(url, expected):
+                with FrescoApp().requestcontext(**env):
+                    assert is_safe_url(url) is expected
+
+            return test
+
+        # server_name, server_port set, but no http_host
+        test("http", "example", "80")("http://example/", True)
+        test("http", "example", "80")("http://example:80/", True)
+        test("http", "example", "80")("https://example/", True)
+        test("http", "example", "80")("https://example:443/", True)
+        test("http", "example", "80")("http://example:443/", False)
+        test("http", "example", "80")("http://example:8080/", False)
+
+        test("https", "example", "443")("http://example/", True)
+        test("https", "example", "443")("http://example:80/", True)
+        test("https", "example", "443")("https://example/", True)
+        test("https", "example", "443")("https://example:443/", True)
+        test("https", "example", "443")("https://example:80/", False)
+
+        test("http", "example", "8080")("http://example:8080/", True)
+        test("http", "example", "8080")("https://example:8080/", True)
+        test("http", "example", "8080")("http://example/", False)
+        test("http", "example", "8080")("http://example:80/", False)
+
+        # http_host set - strict match on origin
+        test("http", http_host="example")("http://example/", True)
+        test("http", http_host="example")("http://example:80/", True)
+        test("http", http_host="example")("https://example/", True)
+        test("http", http_host="example")("https://example:443/", True)
+        test("http", http_host="example")("http://example:443/", False)
+        test("http", http_host="example")("http://example:8080/", False)
+
+        test("https", http_host="example")("http://example/", True)
+        test("https", http_host="example")("http://example:80/", True)
+        test("https", http_host="example")("https://example/", True)
+        test("https", http_host="example")("https://example:443/", True)
+        test("https", http_host="example")("http://example:443/", False)
+        test("https", http_host="example")("http://example:8080/", False)
+
+        test("http", http_host="example:80")("http://example/", True)
+        test("http", http_host="example:80")("http://example:80/", True)
+        test("http", http_host="example:80")("https://example/", True)
+        test("http", http_host="example:80")("https://example:443/", True)
+        test("http", http_host="example:80")("http://example:443/", False)
+        test("http", http_host="example:80")("http://example:8080/", False)
+
+        test("https", http_host="example:443")("http://example/", True)
+        test("https", http_host="example:443")("http://example:80/", True)
+        test("https", http_host="example:443")("https://example/", True)
+        test("https", http_host="example:443")("https://example:443/", True)
+        test("https", http_host="example:443")("http://example:443/", False)
+        test("https", http_host="example:443")("http://example:8080/", False)
+
+        test("http", http_host="example:8080")("http://example:8080/", True)
+        test("http", http_host="example:8080")("https://example:8080/", True)
+        test("http", http_host="example:8080")("http://example/", False)
+        test("http", http_host="example:8080")("http://example:80/", False)
+
+    def test_it_catches_unsafe_urls(self):
+        unsafe = [
+            "///foo",
+            "http://good.example.org@bad.example.org/",
+            "http://good.example.org:good.example.org@bad.example.org/",
+            "javascript:do_something_bad()",
+            "",
+            "\x00http://good.example.org",
+            "http://good.example.org\nHost: http://bad.example.org",
+        ]
+        for u in unsafe:
+            assert is_safe_url(u, allowed_hosts={"good.example.org"}) is False

fresco/tests/util/test_wsgi.py

@@ -0,0 +1,107 @@
+# encoding=UTF-8
+# Copyright 2015 Oliver Cope
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+#     Unless required by applicable law or agreed to in writing, software
+#     distributed under the License is distributed on an "AS IS" BASIS,
+#     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#     See the License for the specific language governing permissions and
+#     limitations under the License.
+#
+from typing import Dict
+
+from fresco import FrescoApp, Response
+from fresco.util.wsgi import (
+    ClosingIterator,
+    StartResponseWrapper,
+    getenv,
+    setenv,
+)
+
+
+class Counter(object):
+    value = 0
+
+    def inc(self):
+        self.value += 1
+
+
+def start_response(status, headers, exc_info=None):
+    pass
+
+
+class _TestException(Exception):
+    pass
+
+
+class TestClosingIterator(object):
+    def app(self, environ, start_response):
+        start_response("200 OK", [("Content-Type: text/plain")])
+        yield "Foo"
+        yield "Bar"
+
+    def test_close_called_after_iterator_finished(self):
+        count = Counter()
+        environ: Dict[str, str] = {}
+
+        result = self.app(environ, start_response)
+        result = ClosingIterator(result, count.inc)
+        assert count.value == 0
+        try:
+            list(result)
+        finally:
+            result.close()
+        assert count.value == 1
+
+    def test_multiple_close_functions_called(self):
+        count1 = Counter()
+        count2 = Counter()
+        environ: Dict[str, str] = {}
+
+        result = self.app(environ, start_response)
+        result = ClosingIterator(result, count1.inc, count2.inc)
+        assert count1.value == 0
+        assert count2.value == 0
+        try:
+            list(result)
+        finally:
+            result.close()
+        assert count1.value == 1
+        assert count2.value == 1
+
+
+class TestStartResponseWrapper(object):
+    def test_write(self):
+        def wsgiapp(environ, start_response):
+            start_response = StartResponseWrapper(start_response)
+            write = start_response("200 OK", [("Content-Type", "text/plain")])
+
+            write(b"cat")
+            write(b"sat")
+            write2 = start_response.call_start_response()
+            write2(b"mat")
+            return []
+
+        with FrescoApp().requestcontext() as c:
+            r = Response.from_wsgi(
+                wsgiapp, c.request.environ, lambda status, headers: None
+            )
+            assert b"".join(r.content) == b"catsatmat"
+
+
+class TestEnvironGetSet(object):
+    wsgibytes = "ø".encode("UTF-8")
+    wsgistr = wsgibytes.decode("ISO-8859-1")
+
+    def test_getenv_returns_bytes(self):
+        assert getenv({"x": self.wsgistr}, "x") == "ø".encode("UTF-8")
+
+    def test_setenv_sets_str(self):
+        env: Dict[str, str] = {}
+        setenv(env, "x", "ø".encode("UTF-8"))
+        assert env["x"] == self.wsgistr

fresco/util/contentencodings.py

@@ -1,6 +1,7 @@
 from operator import methodcaller
 import itertools
 import functools
+import typing
 
 #: Allowed character encodings.
 #: This list is based on the list of standard encodings here:
@@ -312,7 +313,7 @@ ALLOWED_ENCODINGS = {
 # Spelling alternatives that only differ in case or use a hyphen
 # instead of an underscore are valid aliases; for example, 'utf-8' is an
 # alias for the 'utf_8' codec."
-transforms = [
+transforms: list[list[typing.Callable]] = [
     [
         lambda s: s,
         methodcaller("lower"),

fresco/util/http.py

@@ -454,12 +454,14 @@ def parse_multipart(
             f.close()
         raise
 
-    close: Optional[Callable] = None
+    close: Optional[Callable]
     if open_files:
 
         def close():
             for f in open_files:
                 f.close()
+    else:
+        close = None
 
     return fields, close
 

fresco/util/wsgi.py

@@ -310,7 +310,7 @@ class ClosingIterator(object):
                 func()
             except Exception:
                 logger.exception(
-                    "ContentIterator close function {func!r} raised an exception"
+                    f"ContentIterator close function {func!r} raised an exception"
                 )
         self._closed = True