paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-30 03:23:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e4b4f67b44ad149fbe05c72cbb15f9d43fd938d0
zulip/zerver/tests/test_subdomains.py
Greg Price e4b4f67b44 subdomains: Tighten search for EXTERNAL_HOST in get_subdomain. 
If a Zulip install at example.org got a request at an HTTP `Host`
like foo.example.org.evil.com (or even foo.example.orgevil.com),
we would accept it as subdomain foo.  This isn't likely to happen
in practice because it shouldn't pass ALLOWED_HOSTS, and it's not
obvious to me that anything untoward could be done with it even
if ALLOWED_HOSTS were set wide open, but if nothing else it
multiplies the cases in analyzing this logic.

The reason we had a loose match like this, I assume, is to allow
the user to come from arbitrary ports -- especially in development.
So tighten the pattern to allow just that, and add some tests for
that behavior and a comment explaining why this complication is
needed.
2017-10-27 14:42:24 -07:00

49 lines
1.9 KiB
Python
Raw Blame History

import mock
from typing import Any, List
from django.test import TestCase, override_settings
from zerver.lib.subdomains import get_subdomain
from zerver.models import Realm
class SubdomainsTest(TestCase):
def test_get_subdomain(self):
# type: () -> None
def request_mock(host):
# type: (str) -> Any
request = mock.Mock(spec=['get_host'])
request.attach_mock(mock.Mock(return_value=host), 'get_host')
return request
def test(expected, host, *, plusport=True,
external_host='example.org', root_aliases=[]):
# type: (str, str, bool, str, List[str]) -> None
with self.settings(EXTERNAL_HOST=external_host,
ROOT_SUBDOMAIN_ALIASES=root_aliases):
self.assertEqual(get_subdomain(request_mock(host)), expected)
if plusport and ':' not in host:
self.assertEqual(get_subdomain(request_mock(host + ':443')),
expected)
ROOT = Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
# Basics
test(ROOT, 'example.org')
test('foo', 'foo.example.org')
test(ROOT, 'www.example.org', root_aliases=['www'])
# Unrecognized patterns fall back to root
test(ROOT, 'arbitrary.com')
test(ROOT, 'foo.example.org.evil.com')
# Any port is fine in Host if there's none in EXTERNAL_HOST
test('foo', 'foo.example.org:443', external_host='example.org')
test('foo', 'foo.example.org:12345', external_host='example.org')
# Explicit port in EXTERNAL_HOST must be explicitly matched in Host
test(ROOT, 'foo.example.org', external_host='example.org:12345')
test(ROOT, 'foo.example.org', external_host='example.org:443', plusport=False)
test('foo', 'foo.example.org:443', external_host='example.org:443')
Reference in New Issue View Git Blame Copy Permalink