Import cornice tests #3506

leplatrem · 2025-02-21T15:56:11Z

No description provided.

tests/core/cornice/test_service.py

+        foo = Service(name="foo", path="/foo", cors_origins=("mozilla.org",))
+        foo.add_view("GET", _stub, cors_origins=("lolnet.org",))
+
+        self.assertTrue("mozilla.org" in foo.cors_origins_for("GET"))


To fix the problem, we need to ensure that the origin check is performed on the parsed hostname of the URL rather than using a substring match. This can be achieved by using the urlparse function from the urllib.parse module to extract the hostname and then checking if it matches the expected origin.

Parse the URL to extract the hostname.

Check if the hostname matches the expected origin.

Update the test cases to use this new method of checking origins.

tests/core/cornice/test_service.py

+        foo.add_view("GET", _stub, cors_origins=("lolnet.org",))
+
+        self.assertTrue("mozilla.org" in foo.cors_origins_for("GET"))
+        self.assertTrue("lolnet.org" in foo.cors_origins_for("GET"))


To fix the problem, we need to ensure that the origins are checked correctly by parsing the URL and verifying the hostname. We should replace the substring check with a more robust method that ensures the origin matches exactly or ends with the allowed domain.

Parse the URL to extract the hostname.

Check if the hostname matches the allowed origin or ends with the allowed domain.

Update the test cases to use this new method.

tests/core/cornice/test_service.py

+        self.assertTrue("lolnet.org" in foo.cors_origins_for("GET"))
+
+        foo.add_view("POST", _stub)
+        self.assertFalse("lolnet.org" in foo.cors_origins_for("POST"))


To fix the problem, we need to ensure that the URL is parsed and the hostname is checked correctly. This can be done using the urlparse function from the urllib.parse module. We will extract the hostname from the URL and then check if it matches the allowed origins.

Parse the URL using urlparse.

Extract the hostname from the parsed URL.

Check if the hostname matches the allowed origins.

leplatrem added 4 commits February 21, 2025 16:55

Do not ignore 'kinto/core/cornice*' folders

c15312a

Remove cornice code unused in kinto

22edd6c

Import tests from cornice repos

e669468

Reduce tests side-effects

3153531

github-advanced-security bot found potential problems Feb 21, 2025

View reviewed changes

@@ -401,4 +401,7 @@
-                    self.assertTrue("mozilla.org" in foo.cors_origins_for("GET"))
-                    self.assertTrue("lolnet.org" in foo.cors_origins_for("GET"))
+                    from urllib.parse import urlparse
+                    def get_hostname(url):
+                        return urlparse(url).hostname
+                    self.assertTrue(get_hostname(foo.cors_origins_for("GET")) == "mozilla.org")
+                    self.assertTrue(get_hostname(foo.cors_origins_for("GET")) == "lolnet.org")

@@ -401,4 +401,6 @@
-                    self.assertTrue("mozilla.org" in foo.cors_origins_for("GET"))
-                    self.assertTrue("lolnet.org" in foo.cors_origins_for("GET"))
+                    from urllib.parse import urlparse
+                    origins = foo.cors_origins_for("GET")
+                    self.assertTrue(any(urlparse(origin).hostname == "mozilla.org" for origin in origins))
+                    self.assertTrue(any(urlparse(origin).hostname == "lolnet.org" for origin in origins))

@@ -401,7 +401,13 @@
-                    self.assertTrue("mozilla.org" in foo.cors_origins_for("GET"))
-                    self.assertTrue("lolnet.org" in foo.cors_origins_for("GET"))
+                    from urllib.parse import urlparse
+                    def is_allowed_origin(url, allowed_origins):
+                        hostname = urlparse(url).hostname
+                        return hostname in allowed_origins
+                    self.assertTrue(is_allowed_origin("http://mozilla.org", foo.cors_origins_for("GET")))
+                    self.assertTrue(is_allowed_origin("http://lolnet.org", foo.cors_origins_for("GET")))
                     foo.add_view("POST", _stub)
-                    self.assertFalse("lolnet.org" in foo.cors_origins_for("POST"))
+                    self.assertFalse(is_allowed_origin("http://lolnet.org", foo.cors_origins_for("POST")))

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Import cornice tests #3506

Import cornice tests #3506

leplatrem commented Feb 21, 2025

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Import cornice tests #3506

Are you sure you want to change the base?

Import cornice tests #3506

Conversation

leplatrem commented Feb 21, 2025