Skip to content

Commit

Permalink
Merge pull request #59 from geoadmin/master
Browse files Browse the repository at this point in the history 
Update develop with hotfixes from master.
  • Loading branch information
@ltshb
ltshb authored Jun 9, 2022
2 parents 89caa9d + 74b4c47 commit 94d0c58
Show file tree
Hide file tree
Showing 2 changed files with 62 additions and 8 deletions.
24 changes: 16 additions & 8 deletions app/__init__.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,19 +82,27 @@ def validate_origin():
origin = request.headers.get('Origin', None)
referrer = request.headers.get('Referer', None)

if origin is None and referrer is None and sec_fetch_site is None:
logger.error('Referer and/or Origin and/or Sec-Fetch-Site headers not set')
abort(403, 'Permission denied')
if origin is not None and not is_domain_allowed(origin):
if origin is not None:
if is_domain_allowed(origin):
return
logger.error('Origin=%s is not allowed', origin)
abort(403, 'Permission denied')
if referrer is not None and not is_domain_allowed(referrer):
logger.error('Referer=%s is not allowed', referrer)
abort(403, 'Permission denied')
if sec_fetch_site is not None and sec_fetch_site != 'same-origin':

if sec_fetch_site is not None:
if sec_fetch_site in ['same-origin', 'same-site']:
return
logger.error('Sec-Fetch-Site=%s is not allowed', sec_fetch_site)
abort(403, 'Permission denied')

if referrer is not None:
if is_domain_allowed(referrer):
return
logger.error('Referer=%s is not allowed', referrer)
abort(403, 'Permission denied')

logger.error('Referer and/or Origin and/or Sec-Fetch-Site headers not set')
abort(403, 'Permission denied')


@app.after_request
def log_response(response):
Expand Down
46 changes: 46 additions & 0 deletions tests/unit_tests/test_routes.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@
from datetime import timedelta
from unittest.mock import patch

from nose2.tools import params

from flask import url_for

from app.settings import AWS_DB_TABLE_NAME
Expand Down Expand Up @@ -230,6 +232,50 @@ def test_get_metadata_non_allowed_origin(self):
self.assertEqual(response.content_type, "application/json")
self.assertEqual(response.json["error"]["message"], "Permission denied")

@params(
None,
{'Origin': 'www.example'},
{
'Origin': 'www.example', 'Sec-Fetch-Site': 'cross-site'
},
{
'Origin': 'www.example', 'Sec-Fetch-Site': 'same-site'
},
{
'Origin': 'www.example', 'Sec-Fetch-Site': 'same-origin'
},
{
'Referer': 'http://www.example',
},
)
def test_get_metadata_origin_not_allowed(self, headers):
id_to_fetch = self.sample_kml['id']
response = self.app.get(url_for('get_kml_metadata', kml_id=id_to_fetch), headers=headers)
self.assertEqual(response.status_code, 403)
self.assertCors(response, ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PUT'])

@params(
{'Origin': 'map.geo.admin.ch'},
{
'Origin': 'map.geo.admin.ch', 'Sec-Fetch-Site': 'same-site'
},
{
'Origin': 'public.geo.admin.ch', 'Sec-Fetch-Site': 'same-origin'
},
{
'Origin': 'http://localhost', 'Sec-Fetch-Site': 'cross-site'
},
{'Sec-Fetch-Site': 'same-origin'},
{
'Referer': 'https://map.geo.admin.ch',
},
)
def test_get_metadata_origin_allowed(self, headers):
id_to_fetch = self.sample_kml['id']
response = self.app.get(url_for('get_kml_metadata', kml_id=id_to_fetch), headers=headers)
self.assertEqual(response.status_code, 200)
self.assertCors(response, ['DELETE', 'GET', 'HEAD', 'OPTIONS', 'PUT'])


class TestPutEndpoint(BaseRouteTestCase):

Expand Down

0 comments on commit 94d0c58

Please sign in to comment.