imacat/mia-accounting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 41 Wiki Activity

Revised the NextUriTestCase view, split the test_next_uri test into the two test_next_uri and test_no_next_uri tests, and replaced the decorator with add_url_rule to work around the security audit from SonarQube.

Browse Source
This commit is contained in:
依瑪貓 2023-02-27 15:57:39 +08:00
parent 6d43b14862
commit 488e72679e
1 changed files with 43 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
tests/test_utils.py
View File

@ -31,52 +31,47 @@ from test_site import create_app
class NextUriTestCase(unittest.TestCase): class NextUriTestCase(unittest.TestCase):
"""The test case for the next URI utilities.""" """The test case for the next URI utilities."""
TARGET: str = "/target"
def test_next_uri(self) -> None: def setUp(self) -> None:
"""Tests the next URI utilities. """Sets up the test.
This is run once per test.
:return: None. :return: None.
""" """
app: Flask = create_app(is_testing=True) self.app: Flask = create_app(is_testing=True)
target: str = "/target"
@app.get("/test-csrf") @self.app.get("/test-csrf")
def test_csrf() -> str: def test_csrf() -> str:
"""The test view to return the CSRF token.""" """The test view to return the CSRF token."""
return render_template_string("{{csrf_token()}}") return render_template_string("{{csrf_token()}}")
@app.route("/test-next", methods=["GET", "POST"]) def test_next_uri(self) -> None:
def test_next_view() -> str: """Tests the next URI utilities with the next URI.
:return: None.
"""
def test_next_uri_view() -> str:
"""The test view with the next URI.""" """The test view with the next URI."""
current_uri: str = request.full_path if request.query_string \ current_uri: str = request.full_path if request.query_string \
else request.path else request.path
self.assertEqual(append_next(target), self.assertEqual(append_next(self.TARGET),
f"{target}?next={quote_plus(current_uri)}") f"{self.TARGET}?next={quote_plus(current_uri)}")
next_uri: str = request.form["next"] if request.method == "POST" \ next_uri: str = request.form["next"] if request.method == "POST" \
else request.args["next"] else request.args["next"]
self.assertEqual(inherit_next(target), self.assertEqual(inherit_next(self.TARGET),
f"{target}?next={quote_plus(next_uri)}") f"{self.TARGET}?next={quote_plus(next_uri)}")
self.assertEqual(or_next(target), next_uri) self.assertEqual(or_next(self.TARGET), next_uri)
return "" return ""
@app.route("/test-no-next", methods=["GET", "POST"]) self.app.add_url_rule("/test-next", view_func=test_next_uri_view,
def test_no_next_view() -> str: methods=["GET", "POST"])
"""The test view without the next URI.""" client: httpx.Client = httpx.Client(app=self.app,
current_uri: str = request.full_path if request.query_string \
else request.path
self.assertEqual(append_next(target),
f"{target}?next={quote_plus(current_uri)}")
self.assertEqual(inherit_next(target), target)
self.assertEqual(or_next(target), target)
return ""
client: httpx.Client = httpx.Client(app=app,
base_url="https://testserver") base_url="https://testserver")
client.headers["Referer"] = "https://testserver" client.headers["Referer"] = "https://testserver"
csrf_token: str = client.get("/test-csrf").text csrf_token: str = client.get("/test-csrf").text
response: httpx.Response response: httpx.Response
# With the next URI
response = client.get("/test-next?next=/next&q=abc&page-no=4") response = client.get("/test-next?next=/next&q=abc&page-no=4")
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
response = client.post("/test-next", data={"csrf_token": csrf_token, response = client.post("/test-next", data={"csrf_token": csrf_token,
@ -84,7 +79,29 @@ class NextUriTestCase(unittest.TestCase):
"name": "viewer"}) "name": "viewer"})
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
# Without the next URI def test_no_next_uri(self) -> None:
"""Tests the next URI utilities without the next URI.
:return: None.
"""
def test_no_next_uri_view() -> str:
"""The test view without the next URI."""
current_uri: str = request.full_path if request.query_string \
else request.path
self.assertEqual(append_next(self.TARGET),
f"{self.TARGET}?next={quote_plus(current_uri)}")
self.assertEqual(inherit_next(self.TARGET), self.TARGET)
self.assertEqual(or_next(self.TARGET), self.TARGET)
return ""
self.app.add_url_rule("/test-no-next", view_func=test_no_next_uri_view,
methods=["GET", "POST"])
client: httpx.Client = httpx.Client(app=self.app,
base_url="https://testserver")
client.headers["Referer"] = "https://testserver"
csrf_token: str = client.get("/test-csrf").text
response: httpx.Response
response = client.get("/test-no-next?q=abc&page-no=4") response = client.get("/test-no-next?q=abc&page-no=4")
self.assertEqual(response.status_code, 200) self.assertEqual(response.status_code, 200)
response = client.post("/test-no-next", data={"csrf_token": csrf_token, response = client.post("/test-no-next", data={"csrf_token": csrf_token,