txAWS

Merge lp:~ack/txaws/xss-hardening into lp:txaws

xss-hardening
Merge into trunk

Proposed by Alberto Donato on 2013-08-22

Status:	Merged
Merged at revision:	156
Proposed branch:	lp:~ack/txaws/xss-hardening
Merge into:	lp:txaws
Diff against target:	88 lines (+34/-8) 2 files modified txaws/server/resource.py (+7/-6) txaws/server/tests/test_resource.py (+27/-2)
To merge this branch:	bzr merge lp:~ack/txaws/xss-hardening
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Fernando Correa Neto (community)	2013-08-22	Approve on 2013-08-22
txAWS Committers	2013-08-22	Pending
Review via email: mp+181562@code.launchpad.net

Description of the change

Based on Chris' branch lp:~tribaal/txaws/xss-hardening, drops the cgi.escape as json content shoudn't be escaped.

It also adds the "X-Content-Type-Options: nosniff" header, to prevent browsers from guessing the content type, and use the one declared in the response (application/json).

Revision history for this message

Fernando Correa Neto (fcorrea) wrote on 2013-08-22:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Alberto Donato

Duncan McGreggor

 === modified file 'txaws/server/resource.py'
 --- txaws/server/resource.py	2012-05-09 14:21:39 +0000
 +++ txaws/server/resource.py	2013-08-22 14:02:04 +0000
@@ -94,6 +94,8 @@
          def write_response(response):
              request.setHeader("Content-Length", str(len(response)))
              request.setHeader("Content-Type", self.content_type)
++            # Prevent browsers from trying to guess a different content type.
++            request.setHeader("X-Content-Type-Options", "nosniff")
              request.write(response)
              request.finish()
              return response
@@ -109,16 +111,15 @@
                      log.msg("status: %s message: %s" % (
                          status, safe_str(failure.value)))
--                bytes = failure.value.response
--                if bytes is None:
--                    bytes = self.dump_error(failure.value, request)
++                body = failure.value.response
++                if body is None:
++                    body = self.dump_error(failure.value, request)
              else:
                  log.err(failure)
--                bytes = safe_str(failure.value)
++                body = safe_str(failure.value)
                  status = 500
              request.setResponseCode(status)
--            request.write(bytes)
--            request.finish()
++            write_response(body)
          deferred.addCallback(write_response)
          deferred.addErrback(write_error)
 === modified file 'txaws/server/tests/test_resource.py'
 --- txaws/server/tests/test_resource.py	2012-05-09 14:21:39 +0000
 +++ txaws/server/tests/test_resource.py	2013-08-22 14:02:04 +0000
@@ -120,8 +120,7 @@
              "access_key_id": request.args["access_key"][0],
              "signature_method": "Hmacsha256",
              "signature_version": 2,
--            "signature": request.args["signature"][0],
--            }
++            "signature": request.args["signature"][0]}
          params = dict((k, v[-1]) for k, v in request.args.iteritems())
          raw = params.copy()
          raw.pop("signature")
@@ -153,6 +152,8 @@
              self.assertEqual("data", request.response)
              self.assertEqual("4", request.headers["Content-Length"])
              self.assertEqual("text/plain", request.headers["Content-Type"])
++            self.assertEqual(
++                "nosniff", request.headers["X-Content-Type-Options"])
              self.assertEqual(200, request.code)
          self.api.principal = TestPrincipal(creds)
@@ -428,6 +429,30 @@
          return self.api.handle(request).addCallback(check)
++    def test_handle_error_is_api_content_type(self):
++        """
++        If an error occurs while parsing the parameters, L{QueryAPI.handle}
++        responds with HTTP status 400, and the resulting response has a
++        Content-Type header matching the content type defined in the QueryAPI.
++        """
++        creds = AWSCredentials("access", "secret")
++        endpoint = AWSServiceEndpoint("http://uri")
++        query = Query(action="SomeAction", creds=creds, endpoint=endpoint)
++        query.sign()
++        query.params.pop("Action")
++        request = FakeRequest(query.params, endpoint)
++
++        def check(ignored):
++            errors = self.flushLoggedErrors()
++            self.assertEquals(0, len(errors))
++            self.assertEqual(400, request.code)
++            self.assertEqual(
++                self.api.content_type, request.headers['Content-Type'])
++            self.assertEqual(
++                "nosniff", request.headers["X-Content-Type-Options"])
++
++        return self.api.handle(request).addCallback(check)
++
      def test_handle_unicode_api_error(self):
          """
          If an L{APIError} contains a unicode message, L{QueryAPI} is able to

txAWS

Merge lp:~ack/txaws/xss-hardening into lp:txaws

Commit message

Description of the change

Preview Diff

Subscribers