CTFd/tests/api/v1/test_csrf.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from flask.testing import FlaskClient
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user


def test_api_csrf_failure():
    """Test that API requests require the CSRF-Token header"""
    app = create_ctfd()
    app.test_client_class = FlaskClient
    with app.app_context():
        with login_as_user(app, "admin") as client:
            r = client.post(
                "/api/v1/challenges",
                json={
                    "name": "chal",
                    "category": "cate",
                    "description": "desc",
                    "value": "100",
                    "state": "hidden",
                    "type": "standard",
                },
            )
            assert r.status_code == 403

            with client.session_transaction() as sess:
                nonce = sess.get("nonce")

            r = client.post(
                "/api/v1/challenges",
                headers={"CSRF-Token": nonce},
                json={
                    "name": "chal",
                    "category": "cate",
                    "description": "desc",
                    "value": "100",
                    "state": "hidden",
                    "type": "standard",
                },
            )
            assert r.status_code == 200
    destroy_ctfd(app)
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`#!/usr/bin/env python`
			`# -- coding: utf-8 --`

			`from flask.testing import FlaskClient`
2.1.0 (#957) https://github.com/CTFd/CTFd/milestone/6 2019-04-17 05:36:30 +00:00			`from tests.helpers import create_ctfd, destroy_ctfd, login_as_user`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00

			`def test_api_csrf_failure():`
2.1.0 (#957) https://github.com/CTFd/CTFd/milestone/6 2019-04-17 05:36:30 +00:00			`"""Test that API requests require the CSRF-Token header"""`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`app = create_ctfd()`
			`app.test_client_class = FlaskClient`
			`with app.app_context():`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`with login_as_user(app, "admin") as client:`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`r = client.post(`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`"/api/v1/challenges",`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`json={`
			`"name": "chal",`
			`"category": "cate",`
			`"description": "desc",`
			`"value": "100",`
			`"state": "hidden",`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`"type": "standard",`
			`},`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`)`
			`assert r.status_code == 403`

			`with client.session_transaction() as sess:`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`nonce = sess.get("nonce")`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00
			`r = client.post(`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`"/api/v1/challenges",`
			`headers={"CSRF-Token": nonce},`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`json={`
			`"name": "chal",`
			`"category": "cate",`
			`"description": "desc",`
			`"value": "100",`
			`"state": "hidden",`
Format all the things (#991) * Format Javascript and CSS files with `prettier`: `prettier --write 'CTFd/themes/*/'` * Format Python with `black`: `black CTFd` & `black tests` * Travis now uses xenial instead of trusty. 2019-05-12 01:09:37 +00:00			`"type": "standard",`
			`},`
Require CSRF-Token header on state changing API requests, require CSRF nonces on more than just POSTs, replace usage of fetch() with custom CTFd.fetch() implementation (#827) * Require CSRF-Token header on state changing API requests * Require CSRF nonces on more than just POSTs, * Replace usage of `fetch()` with custom `CTFd.fetch()` implementation 2019-01-11 03:38:37 +00:00			`)`
			`assert r.status_code == 200`
			`destroy_ctfd(app)`