From 57a239df90910a677abded0dedc626f5fcda2eaa Mon Sep 17 00:00:00 2001
From: Daniel Grams
Date: Tue, 31 Oct 2023 22:47:08 +0100
Subject: [PATCH] Security updates #555
---
 requirements.txt | 14 +++++++-------
 tests/utils.py | 18 +++++++++++++++---
 .../views/test_admin_unit_member_invitation.py | 2 +-
 tests/views/test_manage.py | 4 ++--
 tests/views/test_user.py | 3 ++-
 5 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index d04a93d..fab2266 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -19,7 +19,7 @@ blinker==1.4
 cached-property==1.5.2
 cachetools==5.3.0
 celery==5.2.7
-certifi==2022.12.7
+certifi==2023.7.22
 cffi==1.14.4
 cfgv==3.2.0
 chardet==3.0.4
@@ -30,7 +30,7 @@ click-repl==0.2.0
 colour==0.1.5
 coverage==5.5
 coveralls==3.3.1
-cryptography==41.0.3
+cryptography==41.0.4
 decorator==5.1.0
 distlib==0.3.6
 dnspython==2.0.0
@@ -47,7 +47,7 @@ Flask-Bootstrap==3.3.7.1
 Flask-Cors==3.0.10
 Flask-Dance==6.2.0
 Flask-gzip==0.2
-Flask-Login==0.6.2
+Flask-Login==0.6.3
 Flask-Mail==0.9.1
 flask-marshmallow==0.15.0
 Flask-Migrate==4.0.4
@@ -56,7 +56,7 @@ Flask-QRcode==3.1.0
 Flask-RESTful==0.3.9
 Flask-Security-Too==5.1.2
 Flask-SQLAlchemy==3.0.3
-Flask-WTF==1.1.1
+Flask-WTF==1.2.1
 GeoAlchemy2==0.13.1
 googlemaps==4.10.0
 greenlet==2.0.2
@@ -87,7 +87,7 @@ packaging==23.0
 passlib==1.7.4
 pathspec==0.11.0
 pilkit==2.0
-Pillow==9.5.0
+Pillow==10.0.1
 pipdeptree==2.7.0
 pkginfo==1.9.6
 platformdirs==3.1.0
@@ -133,7 +133,7 @@ toml==0.10.2
 tomli==2.0.1
 typed-ast==1.5.4
 typing_extensions==4.5.0
-urllib3==1.26.5
+urllib3==1.26.18
 URLObject==2.4.3
 validators==0.20.0
 vine==5.0.0
@@ -141,7 +141,7 @@ virtualenv==20.21.0
 visitor==0.1.3
 wcwidth==0.2.6
 webargs==7.0.1
-Werkzeug==2.2.3
+Werkzeug==3.0.1
 wimpy==0.6
 WTForms==3.0.1
 WTForms-SQLAlchemy==0.3
diff --git a/tests/utils.py b/tests/utils.py
index 5266695..b014c77 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -5,6 +5,7 @@ from urllib.parse import parse_qs, urlsplit import googlemaps from bs4 import BeautifulSoup from flask import g, url_for +from flask_login import login_url from sqlalchemy.exc import IntegrityError @@ -312,13 +313,24 @@ class UtilActions(object): return self.get_ok(self.get_url(endpoint, **values)) def assert_response_redirect(self, response, endpoint, **values): - assert response.status_code == 302 + redirect_url = self.get_url(endpoint, **values) + self.assert_response_redirect_to_url(response, redirect_url) + + def assert_response_redirect_to_url(self, response, redirect_url): + absolute_url = "http://localhost" + redirect_url response_location = response.headers["Location"] - redirect_url = self.get_url(endpoint, **values) - absolute_url = "http://localhost" + redirect_url assert response_location == redirect_url or response_location == absolute_url + def assert_response_redirect_to_login(self, response, next_url): + assert response.status_code == 302 + + with self._client: + with self._app.test_request_context(): + redirect_url = login_url("security.login", next_url) + + self.assert_response_redirect_to_url(response, redirect_url) + def assert_response_contains_alert(self, response, category, message=None): assert response.status_code == 200 diff --git a/tests/views/test_admin_unit_member_invitation.py b/tests/views/test_admin_unit_member_invitation.py index 0f51448..0419a53 100644 --- a/tests/views/test_admin_unit_member_invitation.py +++ b/tests/views/test_admin_unit_member_invitation.py @@ -224,7 +224,7 @@ def test_read_new_member_not_authenticated(client, app, utils, seeder): url = "/invitations/%d" % invitation_id response = client.get(url) - utils.assert_response_redirect(response, "security.login", next=url) + utils.assert_response_redirect_to_login(response, url) @pytest.mark.parametrize("user_exists", [True, False]) diff --git a/tests/views/test_manage.py b/tests/views/test_manage.py index 11b337b..a6b0ace 100644 
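Review bot: The refactored `assert_response_redirect` in the `@@ -312,13 +313,24 @@` hunk no longer asserts the status code — the `assert response.status_code == 302` that used to open it now lives only in `assert_response_redirect_to_login`, so callers such as the `manage` redirect tests pass on any response that happens to carry a matching `Location` header and, when no redirect happened at all, fail with a `KeyError` on `response.headers["Location"]` instead of a readable assertion. Put the check in the shared `assert_response_redirect_to_url` as its first line, `assert response.status_code == 302`, and drop the duplicate from `assert_response_redirect_to_login`. The `with self._client:` wrapped around `test_request_context()` in `assert_response_redirect_to_login` looks unnecessary for building a URL with `login_url` — presumably the request context alone is what `url_for` needs; confirm and simplify. A one-line docstring on each of the three helpers saying what is compared (an exact `Location` match against either the relative URL or its `http://localhost`-prefixed form) would spare the next test author from reading the bodies. The enclosing class `UtilActions` starts before this hunk and continues past it.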
--- a/tests/views/test_manage.py +++ b/tests/views/test_manage.py @@ -18,7 +18,7 @@ def test_index_withValidCookie(client, seeder, app, utils): with app.app_context(): encoded = encode_cookie(str(admin_unit_id)) - client.set_cookie("localhost", "manage_admin_unit_id", encoded) + client.set_cookie("manage_admin_unit_id", encoded) response = utils.get_endpoint("manage") utils.assert_response_redirect(response, "manage_admin_unit", id=admin_unit_id) @@ -26,7 +26,7 @@ def test_index_withValidCookie(client, seeder, app, utils): def test_index_withInvalidCookie(client, seeder: Seeder, utils: UtilActions): user_id, admin_unit_id = seeder.setup_base() - client.set_cookie("localhost", "manage_admin_unit_id", "invalid") + client.set_cookie("manage_admin_unit_id", "invalid") response = utils.get_endpoint("manage") utils.assert_response_redirect(response, "manage_admin_units") diff --git a/tests/views/test_user.py b/tests/views/test_user.py index 93092ca..f95d7a5 100644 --- a/tests/views/test_user.py +++ b/tests/views/test_user.py @@ -27,8 +27,9 @@ def test_organization_invitation_not_authenticated(client, app, utils, seeder): seeder.create_user("invited@test.de") url = utils.get_url("user_organization_invitation", id=invitation_id) + response = client.get(url) - utils.assert_response_redirect(response, "security.login", next=url) + utils.assert_response_redirect_to_login(response, url) @pytest.mark.parametrize("user_exists", [True, False])