From 292c8817897449c7feeef269ed46f6d600cabceb Mon Sep 17 00:00:00 2001
From: Fons van der Plas
Date: Fri, 27 Oct 2023 16:14:18 +0200
Subject: [PATCH] More security tests

---
 test/Configuration.jl | 56 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 7 deletions(-)

diff --git a/test/Configuration.jl b/test/Configuration.jl
index eba1b6ee6d..37630b3847 100644
--- a/test/Configuration.jl
+++ b/test/Configuration.jl
@@ -71,8 +71,8 @@ end
     local_url(suffix) = "http://$host:$port/$suffix"
     withsecret(url) = occursin('?', url) ? "$url&secret=$secret" : "$url?secret=$secret"
 
-    function request(url, method)
-        HTTP.request(method, url, nothing, method == "POST" ? read(basic_nb_path) : UInt8[]; status_exception=false, redirect=false)
+    function request(url, method; kwargs...)
+        HTTP.request(method, url, nothing, method == "POST" ? read(basic_nb_path) : UInt8[]; status_exception=false, redirect=false, cookies=false, kwargs...)
     end
 
     function shares_secret(response)
@@ -140,7 +140,7 @@ end
         ("notebookupload?execution_allowed=asdf", "POST"),
     ]
 
-    @testset "simple w/o auth $suffix $method" for (suffix, method) in simple_routes ∪ effect_routes
+    @testset "simple & effect w/o auth $suffix $method" for (suffix, method) in simple_routes ∪ effect_routes
         url = local_url(suffix)
         r = request(url, method)
         @test r.status == 403
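Review bot: The `cookies=false` default added to `request` is the security-relevant part of this hunk and deserves a comment, because it is what stops a secret cookie set by one response from silently authenticating a later "w/o auth" request — presumably HTTP.jl would otherwise fall back to a shared default cookie jar, which should be confirmed. Suggest adding above the `HTTP.request` call: `# cookies=false: never use a shared cookie jar; tests that want cookie auth pass cookies=true and an explicit jar`. Since `kwargs...` is splatted after `cookies=false`, a caller's `cookies=true` overrides the default, which appears to be the intended use. The enclosing testset starts outside this hunk.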
@@ -150,12 +150,54 @@ end
     # no notebooks were opened
     @test length(🍭.notebooks) == 1
 
-    @test shares_secret(request(local_url(""), "GET"))
+    @testset "require secret only for open links" begin
+        @test !shares_secret(request(local_url(""), "GET"))
+        jar = HTTP.Cookies.CookieJar()
+
+        # Let's test the config
+        # require_secret_for_access = false
+        # require_secret_for_open_links = true
+        🍭.options.security.require_secret_for_access = false
+
+        # Effectful paths should not work without a secret.
+        @testset "simple & effect w/o auth 1 $suffix $method" for (suffix, method) in effect_routes
+            url = local_url(suffix)
+            r = request(url, method; cookies=true, jar)
+            @test r.status == 403
+            @test !shares_secret(r)
+        end
+
+        # With this config, the / path should work and share the secret, even when requested without a secret.
+        r = request(local_url(""), "GET"; cookies=true, jar)
+        @test r.status == 200
+        @test shares_secret(r)
+
+        # Now, the other effectful paths should work bc of the secret.
+        @testset "simple w/o auth 2 $suffix $method" for (suffix, method) in simple_routes
+            url = local_url(suffix)
+            r = request(url, method; cookies=true, jar)
+            @test r.status ∈ 200:299 # 2xx is OK
+            @test shares_secret(r)
+        end
+
+        🍭.options.security.require_secret_for_access = true
+    end
+
+    jar = HTTP.Cookies.CookieJar()
+
+    @test shares_secret(request(local_url("") |> withsecret, "GET"; cookies=true, jar))
+
     @testset "simple w/ auth $suffix $method" for (suffix, method) in simple_routes
-        url = local_url(suffix) |> withsecret
-        r = request(url, method)
-        @test r.status ∈ 200:299
+        # should work because of cookie
+        url = local_url(suffix)
+        r = request(url, method; cookies=true, jar)
+        @test r.status ∈ 200:299 # 2xx is OK
+        @test shares_secret(r) # see reasoning in of https://github.com/fonsp/Pluto.jl/commit/20515dd46678a49ca90e042fcfa3eab1e5c8e162
+
+        # Without cookies, but with secret in URL
+        r = request(url |> withsecret, method)
+        @test r.status ∈ 200:299 # 2xx is OK
         @test shares_secret(r)
     end
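Review bot: The "require secret only for open links" testset flips the live server to `require_secret_for_access = false` and restores it with a plain assignment at the end of the block; if anything in between throws (a failed `HTTP.request`, not just a failing `@test`), the enclosing `@testset` records the error and skips the rest of the body, so the restore never runs and every later "w/ auth" test would pass for the wrong reason, masking a regression in secret enforcement. Wrap the body so the reset is unconditional: `try` after the `= false` line and `finally 🍭.options.security.require_secret_for_access = true end` in place of the bare restore. Separately, the comment "Now, the other effectful paths should work bc of the secret" sits above a loop over `simple_routes`, not `effect_routes`; either reword it or extend the loop to `simple_routes ∪ effect_routes`, which would also verify that the cookie-delivered secret actually authorizes the effectful routes. The enclosing testset starts outside this hunk.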