micahmoore/pserv
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix test for IDOR vulnerability by preventing path segment normalization

Browse Source
This commit is contained in:
Godmar Back 2020-08-04 10:50:51 -04:00
parent 7cbe3af927
commit 2c641d678e
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
tests/server_unit_test_pserv.py
View File

@ -1417,19 +1417,18 @@ class Access_Control(Doc_Print_Test_Case):
# Use the session cookie to get the private file # Use the session cookie to get the private file
try: try:
response = self.session.get(url, timeout=2) # prevent path segment normalization
req = requests.Request('GET', url)
response = self.session.send(req.prepare(), timeout=2)
except requests.exceptions.RequestException: except requests.exceptions.RequestException:
raise AssertionError("The server did not respond within 2s") raise AssertionError("The server did not respond within 2s")
if (response.status_code == requests.codes.forbidden): if (response.status_code == requests.codes.forbidden):
raise AssertionError('Server responded with 403 FORBIDDEN instead of 404 NOT FOUND') raise AssertionError('Server responded with 403 FORBIDDEN instead of 404 NOT FOUND')
if (response.status_code == requests.codes.forbidden):
raise AssertionError('Server responded with 403 FORBIDDEN instead of 404 NOT FOUND')
# Ensure that response code is 404 # Ensure that response code is 404
self.assertEqual(response.status_code, requests.codes.not_found, self.assertEqual(response.status_code, requests.codes.not_found,
"Server responded with a private file despite no authentication.") "Server did not respond with 404 when it should have, possible IDOR?")
class Authentication(Doc_Print_Test_Case): class Authentication(Doc_Print_Test_Case):