from urllib.parse import urlencode
import pytest
from fastapi import status
from pydantic import BaseModel
class Profiles(BaseModel):
    """Text content of the two fixture profiles the access-control tests compare against."""

    # Raw content of the file named by the ``profile_alpha_filename`` fixture.
    alpha: str
    # Raw content of the file named by the ``profile_beta_filename`` fixture.
    beta: str
@pytest.fixture
def v1_base_endpoint():
    """Router prefix of the v1 routes, which the tests below expect to still exhibit each weakness."""
    prefix = "/v1/broken-access-control"
    return prefix
@pytest.fixture
def v2_base_endpoint():
    """Router prefix of the v2 routes, which the tests below expect to reject the same requests."""
    prefix = "/v2/broken-access-control"
    return prefix
@pytest.fixture
def profile_alpha_filename():
    """Relative path of the first fixture profile, as passed in the ``profile`` query parameter."""
    relative_path = "profiles/alpha.json"
    return relative_path
@pytest.fixture
def profile_beta_filename():
    """Relative path of the second fixture profile, as passed in the ``profile`` query parameter."""
    relative_path = "profiles/beta.json"
    return relative_path
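@pytest.fixture
def profiles(profile_alpha_filename, profile_beta_filename):
    """Load both fixture profiles from disk so responses can be compared against their exact content.

    The paths are relative, so this relies on pytest's working directory
    being the one that contains the ``profiles/`` directory.
    """
    # Context managers close the handles immediately instead of leaving
    # them to the garbage collector (the original leaked both).
    with open(profile_alpha_filename) as alpha_file:
        alpha = alpha_file.read()
    with open(profile_beta_filename) as beta_file:
        beta = beta_file.read()
    return Profiles(alpha=alpha, beta=beta)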
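class TestBrokenAccessControl:
    """Black-box checks of the broken-access-control demo routes.

    For each CWE there is a ``v1`` route whose assertions pin the weak
    behaviour (a request that should be refused succeeds) and a ``v2``
    route whose assertions pin the mitigated behaviour (404 / 403).
    ``client`` is a project fixture not visible in this file; it is only
    assumed to expose ``get(url, headers=...)`` returning an object with
    ``status_code`` and ``json()``.
    """

    # Absolute path outside the profile directory used by the CWE-22 checks.
    _OUTSIDE_FILE = "/etc/passwd"
    # Relative form of the same target used by the CWE-23 checks.
    _OUTSIDE_FILE_RELATIVE = "../../../../../../../../../../../etc/passwd"

    @staticmethod
    def _get_profile(client, base_endpoint, cwe_path, profile):
        """GET ``{base_endpoint}/{cwe_path}?profile=...`` and return the response."""
        query = urlencode({"profile": profile})
        return client.get(f"{base_endpoint}/{cwe_path}?{query}")

    @staticmethod
    def _get_item(client, base_endpoint, item_id, user=None):
        """GET ``{base_endpoint}/cwe-285/items/{item_id}``, as *user* when given, else anonymously."""
        url = f"{base_endpoint}/cwe-285/items/{item_id}"
        if user is None:
            return client.get(url)
        return client.get(url, headers={"Authorization": f"Bearer {user}"})

    @staticmethod
    def _read_local(path):
        """Return the text content of *path*, closing the handle afterwards."""
        with open(path) as handle:
            return handle.read()

    # CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    def test_cwe_22_v1(
        self,
        client,
        v1_base_endpoint,
        profiles,
        profile_alpha_filename,
    ):
        """v1 serves a legitimate profile and also an absolute path outside the profile directory."""
        response = self._get_profile(client, v1_base_endpoint, "cwe-22", profile_alpha_filename)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == profiles.alpha

        response = self._get_profile(client, v1_base_endpoint, "cwe-22", self._OUTSIDE_FILE)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == self._read_local(self._OUTSIDE_FILE)

    def test_cwe_22_v2(self, client, v2_base_endpoint, profiles, profile_beta_filename):
        """v2 serves a legitimate profile but answers 404 for an absolute path outside the directory."""
        response = self._get_profile(client, v2_base_endpoint, "cwe-22", profile_beta_filename)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == profiles.beta

        # The original sent this request to ``v1_base_endpoint``, which is not
        # a parameter of this test and so raised NameError; the v2 route is
        # the one whose rejection this test is meant to pin.
        response = self._get_profile(client, v2_base_endpoint, "cwe-22", self._OUTSIDE_FILE)
        assert response.status_code == status.HTTP_404_NOT_FOUND

    # CWE-23 Relative Path Traversal
    def test_cwe_23_v1(
        self, client, v1_base_endpoint, profiles, profile_alpha_filename
    ):
        """v1 serves a legitimate profile and also a ``../``-relative path outside the directory."""
        response = self._get_profile(client, v1_base_endpoint, "cwe-23", profile_alpha_filename)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == profiles.alpha

        response = self._get_profile(client, v1_base_endpoint, "cwe-23", self._OUTSIDE_FILE_RELATIVE)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == self._read_local(self._OUTSIDE_FILE)

    def test_cwe_23_v2(self, client, v2_base_endpoint, profiles, profile_beta_filename):
        """v2 serves a legitimate profile but answers 404 for a ``../``-relative path outside the directory."""
        response = self._get_profile(client, v2_base_endpoint, "cwe-23", profile_beta_filename)
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["profile"] == profiles.beta

        response = self._get_profile(client, v2_base_endpoint, "cwe-23", self._OUTSIDE_FILE_RELATIVE)
        assert response.status_code == status.HTTP_404_NOT_FOUND

    # CWE-285 Improper Authorization
    def test_cwe_285_invalid(self, client, v1_base_endpoint, v2_base_endpoint):
        """Both versions answer 404 for an unknown item and 401 for an unknown or missing bearer."""
        for base_endpoint in (v1_base_endpoint, v2_base_endpoint):
            response = self._get_item(client, base_endpoint, 2, "Jeremy")
            assert response.status_code == status.HTTP_404_NOT_FOUND, base_endpoint

            response = self._get_item(client, base_endpoint, 0, "John")
            assert response.status_code == status.HTTP_401_UNAUTHORIZED, base_endpoint

            response = self._get_item(client, base_endpoint, 0)
            assert response.status_code == status.HTTP_401_UNAUTHORIZED, base_endpoint

    def test_cwe_285_v1(self, client, v1_base_endpoint):
        """v1 lets either known user read either item: authentication without an ownership check."""
        for user, item_id in (("Jeremy", 0), ("Fatima", 0), ("Jeremy", 1), ("Fatima", 1)):
            response = self._get_item(client, v1_base_endpoint, item_id, user)
            assert response.status_code == status.HTTP_200_OK, (user, item_id)

    def test_cwe_285_v2(self, client, v2_base_endpoint):
        """v2 serves each item only to its owner and answers 403 to the other known user."""
        expected = {
            ("Jeremy", 0): status.HTTP_200_OK,
            ("Fatima", 0): status.HTTP_403_FORBIDDEN,
            ("Jeremy", 1): status.HTTP_403_FORBIDDEN,
            ("Fatima", 1): status.HTTP_200_OK,
        }
        for (user, item_id), code in expected.items():
            response = self._get_item(client, v2_base_endpoint, item_id, user)
            assert response.status_code == code, (user, item_id)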