Mercurial Mercurial > mercurial / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
tests/test-hgweb-csp.t
author Pulkit Goyal <7895pulkit@gmail.com>
Wed, 02 Dec 2020 13:55:17 +0530
changeset 46083 81c1f5d1801f
parent 37828 3e3acf5d6a07
child 50725 7e5be4a7cda7
permissions -rw-r--r--
procutils: don't try to get `.buffer` if sys.stdin is None While hunting down following test failure of test-chg.t on Python 3, I stumbled the case when `.buffer` is not available as sys.stdin is None. --- /home/pulkit/repo/hg-committed/tests/test-chg.t +++ /home/pulkit/repo/hg-committed/tests/test-chg.t.err @@ -203,7 +203,31 @@ $ CHGDEBUG=1 chg version -q 0<&- chg: debug: * stdio fds are missing (glob) chg: debug: * execute original hg (glob) - Mercurial Distributed SCM * (glob) + Traceback (most recent call last): + File "/tmp/hgtests.avspvsq4/install/bin/hg", line 43, in <module> + dispatch.run() + File "/usr/lib/python3.6/importlib/util.py", line 233, in __getattribute__ + self.__spec__.loader.exec_module(self) + File "<frozen importlib._bootstrap_external>", line 678, in exec_module + File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed + File "/tmp/hgtests.avspvsq4/install/lib/python/mercurial/dispatch.py", line 726, in <module> + class lazyaliasentry(object): + File "/tmp/hgtests.avspvsq4/install/lib/python/mercurial/dispatch.py", line 737, in lazyaliasentry + @util.propertycache + File "/usr/lib/python3.6/importlib/util.py", line 233, in __getattribute__ + self.__spec__.loader.exec_module(self) + File "<frozen importlib._bootstrap_external>", line 678, in exec_module + File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed + File "/tmp/hgtests.avspvsq4/install/lib/python/mercurial/util.py", line 3473, in <module> + f=procutil.stderr, + File "/usr/lib/python3.6/importlib/util.py", line 233, in __getattribute__ + self.__spec__.loader.exec_module(self) + File "<frozen importlib._bootstrap_external>", line 678, in exec_module + File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed + File "/tmp/hgtests.avspvsq4/install/lib/python/mercurial/utils/procutil.py", line 127, in <module> + stdin = sys.stdin.buffer + AttributeError: 'NoneType' object has no attribute 'buffer' + [1] server lifecycle ---------------- Differential Revision: https://phab.mercurial-scm.org/D9500

#require serve

  $ cat > web.conf << EOF
  > [paths]
  > / = $TESTTMP/*
  > EOF

  $ hg init repo1
  $ cd repo1
  $ touch foo
  $ hg -q commit -A -m initial
  $ cd ..

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid >> $DAEMON_PIDS

repo index should not send Content-Security-Policy header by default

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows

static page should not send CSP by default

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows

repo page should not send CSP by default, should send ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  etag: W/"*" (glob)

  $ killdaemons.py

Configure CSP without nonce

  $ cat >> web.conf << EOF
  > [web]
  > csp = script-src https://example.com/ 'unsafe-inline'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

repo index should send Content-Security-Policy header when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

static page should send CSP when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

  $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  304 Not Modified
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

repo page should send CSP by default, include etag w/o nonce

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  etag: W/"*" (glob)

nonce should not be added to html if CSP doesn't use it

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript">
  <script type="text/javascript">

Configure CSP with nonce

  $ killdaemons.py
  $ cat >> web.conf << EOF
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

nonce should be substituted in CSP header

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be included in CSP for static pages

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

repo page should have nonce, no ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be added to html when used

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)

hgweb_mod w/o hgwebdir works as expected

  $ killdaemons.py

  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
  $ cat hg.pid > $DAEMON_PIDS

static page sends CSP

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce included in <script> and headers

  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)
mercurial