From be1fd6645d4219b5c74152776e74d9e636b08554 Mon Sep 17 00:00:00 2001 From: Chris Jerdonek Date: Mon, 2 Aug 2021 17:08:16 -0400 Subject: [PATCH] Refs #32800 -- Added test_masked_secret_accepted_and_not_replaced(). This improves test_bare_secret_accepted_and_replaced() by adding a stronger assertion. It also adds a parallel test for the non-bare (masked) case. --- tests/csrf_tests/tests.py | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/tests/csrf_tests/tests.py b/tests/csrf_tests/tests.py index 10171adb2a..0ae1eca516 100644 --- a/tests/csrf_tests/tests.py +++ b/tests/csrf_tests/tests.py @@ -1177,9 +1177,23 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): self.assertTrue(csrf_cookie, msg='No CSRF cookie was sent.') self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH) + def test_masked_secret_accepted_and_not_replaced(self): + """ + The csrf cookie is left unchanged if originally masked. + """ + req = self._get_POST_request_with_token(cookie=MASKED_TEST_SECRET1) + mw = CsrfViewMiddleware(token_view) + mw.process_request(req) + resp = mw.process_view(req, token_view, (), {}) + self.assertIsNone(resp) + resp = mw(req) + csrf_cookie = self._read_csrf_cookie(req, resp) + self.assertEqual(csrf_cookie, MASKED_TEST_SECRET1) + self._check_token_present(resp, csrf_cookie) + def test_bare_secret_accepted_and_replaced(self): """ - The csrf token is reset from a bare secret. + The csrf cookie is reset (masked) if originally not masked. """ req = self._get_POST_request_with_token(cookie=TEST_SECRET) mw = CsrfViewMiddleware(token_view) @@ -1188,7 +1202,8 @@ class CsrfViewMiddlewareTests(CsrfViewMiddlewareTestMixin, SimpleTestCase): self.assertIsNone(resp) resp = mw(req) csrf_cookie = self._read_csrf_cookie(req, resp) - self.assertEqual(len(csrf_cookie), CSRF_TOKEN_LENGTH) + # This also checks that csrf_cookie now has length CSRF_TOKEN_LENGTH. + self.assertMaskedSecretCorrect(csrf_cookie, TEST_SECRET) self._check_token_present(resp, csrf_cookie) @override_settings(ALLOWED_HOSTS=['www.example.com'], CSRF_COOKIE_DOMAIN='.example.com', USE_X_FORWARDED_PORT=True)