File: request-params-check.py

package info (click to toggle)
firefox 147.0.3-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 4,683,320 kB
  • sloc: cpp: 7,607,359; javascript: 6,533,295; ansic: 3,775,223; python: 1,415,500; xml: 634,561; asm: 438,949; java: 186,241; sh: 62,752; makefile: 18,079; objc: 13,092; perl: 12,808; yacc: 4,583; cs: 3,846; pascal: 3,448; lex: 1,720; ruby: 1,003; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10; exp: 6
file content (119 lines) | stat: -rw-r--r-- 4,280 bytes parent folder | download | duplicates (12) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
 
def commonCheck(request, mode=b"no-cors", accept=b"application/json"):
  if accept:
    if request.headers.get(b"Accept") != accept:
      return (531, [], "Wrong Accept")
  if request.headers.get(b"Sec-Fetch-Dest") != b"webidentity":
    return (532, [], "Wrong Sec-Fetch-Dest header")
  if request.headers.get(b"Referer"):
    return (533, [], "Should not have Referer")
  if request.headers.get(b"Sec-Fetch-Mode") != mode:
    return (534, [], "Wrong Sec-Fetch-Mode header")

def commonUncredentialedRequestCheck(request):
  if len(request.cookies) > 0:
    return (535, [], "Cookie should not be sent to this endpoint")
  if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
    return (536, [], "Wrong Sec-Fetch-Site header")

def commonCredentialedRequestCheck(request):
  if request.cookies.get(b"cookie") != b"1":
    return (537, [], "Missing cookie")

def commonPostCheck(request):
  if not request.headers.get(b"Origin"):
    return (540, [], "Missing Origin")
  if request.method != "POST":
    return (541, [], "Method is not POST")
  if request.headers.get(b"Content-Type") != b"application/x-www-form-urlencoded":
    return (542, [], "Wrong Content-Type")
  if not request.POST.get(b"client_id"):
    return (543, [], "Missing 'client_id' POST parameter")

def manifestCheck(request):
  common_error = commonCheck(request)
  if (common_error):
    return common_error
  common_uncredentialed_error = commonUncredentialedRequestCheck(request)
  if (common_uncredentialed_error):
    return common_uncredentialed_error

  if request.headers.get(b"Origin"):
    return (539, [], "Should not have Origin")

def clientMetadataCheck(request):
  if (request.GET.get(b'skip_checks', b'0') != b'1'):
    common_error = commonCheck(request)
    if (common_error):
      return common_error
    common_uncredentialed_error = commonUncredentialedRequestCheck(request)
    if (common_uncredentialed_error):
      return common_uncredentialed_error

    if not request.headers.get(b"Origin"):
      return (540, [], "Missing Origin")

def accountsCheck(request):
  common_error = commonCheck(request)
  if (common_error):
    return common_error
  common_credentialed_error = commonCredentialedRequestCheck(request)
  if (common_credentialed_error):
    return common_credentialed_error

  if request.headers.get(b"Origin"):
    return (539, [], "Should not have Origin")

def tokenCheck(request):
  common_error = commonCheck(request, b"cors")
  if (common_error):
    return common_error
  common_credentialed_error = commonCredentialedRequestCheck(request)
  if (common_credentialed_error):
    return common_credentialed_error
  # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
  # but it should not be 'none'.
  if request.headers.get(b"Sec-Fetch-Site") == b"none":
    return (538, [], "Wrong Sec-Fetch-Site header")

  post_error = commonPostCheck(request)
  if (post_error):
    return post_error

  if not request.POST.get(b"account_id"):
    return (544, [], "Missing 'account_id' POST parameter")
  if not request.POST.get(b"disclosure_text_shown"):
    return (545, [], "Missing 'disclosure_text_shown' POST parameter")
  if not request.headers.get(b"Origin"):
    return (540, [], "Missing Origin")

def revokeCheck(request):
  common_error = commonCheck(request, b"cors")
  if (common_error):
    return common_error

  common_credentialed_error = commonCredentialedRequestCheck(request)
  if (common_credentialed_error):
    return common_credentialed_error
  # The value of the Sec-Fetch-Site header can vary depending on the IdP origin
  # but it should not be 'none'.
  if request.headers.get(b"Sec-Fetch-Site") == b"none":
    return (538, [], "Wrong Sec-Fetch-Site header")

  post_error = commonPostCheck(request)
  if (post_error):
    return post_error

  if not request.POST.get(b"account_hint"):
    return (544, [], "Missing 'account_hint' POST parameter")

def pictureCheck(request):
  common_error = commonCheck(request, accept=None)
  if (common_error):
    return common_error

  common_uncredentialed_error = commonUncredentialedRequestCheck(request)
  if (common_uncredentialed_error):
    return common_uncredentialed_error

  if request.headers.get(b"Origin"):
    return (539, [], "Should not have Origin")