Merge pull request #722 from gratipay/disable-verbs

Allow only GET/HEAD/POST
gratipay · Jul 19, 2016 · e82054b · e82054b
2 parents 3e1f3f6 + d80b494
commit e82054b
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 10 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 local.env
 *.egg-info
 www/appendices/disclosures.json
+tests/.cache
diff --git a/.travis.yml b/.travis.yml
@@ -1,18 +1,21 @@
 language: python
 
+sudo: false
+
 python:
   - "2.7"
 
 install:
+  - if [ "${TRAVIS_BRANCH}" = "master" -a "${TRAVIS_PULL_REQUEST}" = "false" ]; then rm -rf env; fi
+  - touch requirements.txt requirements_tests.txt
   - make env
 
-before_script:
-  - make run&
-  - sleep 3  # Give webserver some time to start
+cache:
+  directories:
+    - env/bin
+    - env/lib/python2.7/site-packages
 
-# Dummy command until we have real tests
-script:
-  - curl http://localhost:8536/
+script: make test
 
 branches:
   only:
@@ -41,5 +44,3 @@ notifications:
     template:
       - "%{repository} (%{branch}:%{commit} by %{author}): %{message} (%{build_url})"
     skip_join: true
-
-sudo: false
diff --git a/Makefile b/Makefile
@@ -6,14 +6,15 @@ bin_dir := $(shell $(python) -c 'import sys; bin = "Scripts" if sys.platform ==
 env_bin := env/$(bin_dir)
 venv := "./vendor/virtualenv-12.0.7.py"
 
-env:
+env: requirements.txt requirements_tests.txt
 	$(python)  $(venv)\
 				--prompt="[inside.gratipay.com] " \
 				--never-download \
 				--extra-search-dir=./vendor/ \
 				./env/
 	./$(env_bin)/pip --version
 	./$(env_bin)/pip install -f file:///$(PWD)/vendor -r requirements.txt
+	./$(env_bin)/pip install -f file:///$(PWD)/vendor -r requirements_tests.txt
 
 clean:
 	rm -rf env
@@ -22,3 +23,6 @@ clean:
 run: env
 	./$(env_bin)/honcho -e defaults.env,local.env run ./env/bin/python \
 		./startapp.py --port=8536
+
+test:
+	./$(env_bin)/py.test ./tests/
diff --git a/configure-aspen.py b/configure-aspen.py
@@ -3,6 +3,7 @@
 import random
 from os.path import basename, dirname, join, realpath, isdir
 
+from aspen import Response
 import canonizer
 import gfm
 from nav import NavItem
@@ -35,8 +36,12 @@ def add_nav_current_to_context(dispatch_result, website):
 def add_nav_next_to_context(nav_current, website):
     return {'nav_next': nav_current.next_child}
 
-add_nav_to_website(website)
+def only_allow_certain_methods(request):
+    whitelisted = ['GET', 'HEAD', 'POST']
+    if request.method.upper() not in whitelisted:
+        raise Response(405)
 
+website.algorithm.insert_before('dispatch_request_to_filesystem', only_allow_certain_methods)
 website.algorithm.insert_after('dispatch_request_to_filesystem', add_nav_to_website)
 website.algorithm.insert_after('add_nav_to_website', add_nav_current_to_context)
 website.algorithm.insert_after('add_nav_current_to_context', add_nav_next_to_context)

diff --git a/requirements_tests.txt b/requirements_tests.txt
@@ -0,0 +1 @@
+pytest==2.9.2
diff --git a/tests/py/test_security.py b/tests/py/test_security.py
@@ -0,0 +1,18 @@
+from __future__ import unicode_literals
+from pytest import yield_fixture
+
+from aspen.testing.client import Client
+
+@yield_fixture
+def client():
+    yield Client(www_root='www', project_root='')
+
+def test_disallowed_methods(client):
+    for disallowed in ['TRACE', 'trAce', 'DELETE', 'PUT', 'OPTIONS', 'JUNK']:
+        response = client.hxt(disallowed, '/')
+        assert response.code == 405
+
+def test_allowed_methods(client):
+    for allowed in ['GET', 'gEt', 'POST', 'HEAD']:
+        response = client.hit('GET', trace='/')
+        assert response.code == 200