mozillaGH-36 Disallow mixing deprecated settings with CSP_POLICY_DEFI…

…NITIONS
DylanYoung · May 25, 2022 · 76e1894 · 76e1894
1 parent fcc2d6f
commit 76e1894
Show file tree

Hide file tree

Showing 6 changed files with 67 additions and 52 deletions.
diff --git a/csp/tests/test_contrib.py b/csp/tests/test_contrib.py
@@ -1,17 +1,16 @@
 from django.http import HttpResponse
 from django.test import RequestFactory
-from django.test.utils import override_settings
 
 from csp.contrib.rate_limiting import RateLimitedCSPMiddleware
-from csp.tests.utils import response
+from csp.tests.utils import override_legacy_settings, response
 
 
 HEADER = 'Content-Security-Policy'
 mw = RateLimitedCSPMiddleware(response())
 rf = RequestFactory()
 
 
-@override_settings(CSP_REPORT_PERCENTAGE=0.1, CSP_REPORT_URI='x')
+@override_legacy_settings(CSP_REPORT_PERCENTAGE=0.1, CSP_REPORT_URI='x')
 def test_report_percentage():
     times_seen = 0
     for _ in range(5000):

diff --git a/csp/tests/test_decorators.py b/csp/tests/test_decorators.py
@@ -6,7 +6,7 @@
     csp, csp_append, csp_replace, csp_select, csp_update, csp_exempt,
 )
 from csp.middleware import CSPMiddleware
-from csp.tests.utils import response
+from csp.tests.utils import override_legacy_settings, response
 from csp.utils import policy_names, HTTP_HEADERS
 
 
@@ -47,7 +47,7 @@ def view_with_decorator(request):
     assert response[REPORT_ONLY_HEADER] == "default-src 'self'"
 
 
-@override_settings(CSP_IMG_SRC=['foo.com'])
+@override_legacy_settings(CSP_IMG_SRC=['foo.com'])
 def test_csp_update():
     def view_without_decorator(request):
         return HttpResponse()
@@ -91,7 +91,7 @@ def view_with_decorator(request):
     assert policy_list == ["default-src 'self'", "font-src foo.com"]
 
 
-@override_settings(CSP_IMG_SRC=['foo.com'])
+@override_legacy_settings(CSP_IMG_SRC=['foo.com'])
 def test_csp_replace():
     def view_without_decorator(request):
         return HttpResponse()

diff --git a/csp/tests/test_middleware.py b/csp/tests/test_middleware.py
@@ -10,7 +10,7 @@
 import pytest
 
 from csp.middleware import CSPMiddleware
-from csp.tests.utils import response
+from csp.tests.utils import override_legacy_settings, response
 from csp.utils import HTTP_HEADERS
 
 HEADER_SET = set(HTTP_HEADERS)
@@ -54,7 +54,7 @@ def test_exclude():
     settings.CSP_POLICY_DEFINITIONS['default']['exclude_url_prefixes'] = ()
 
 
-@override_settings(CSP_REPORT_ONLY=True)
+@override_legacy_settings(CSP_REPORT_ONLY=True)
 def test_report_only():
     request = rf.get('/')
     response = HttpResponse()
@@ -160,7 +160,7 @@ def test_use_update():
     assert REPORT_ONLY_HEADER not in response
 
 
-@override_settings(CSP_IMG_SRC=['foo.com'])
+@override_legacy_settings(CSP_IMG_SRC=['foo.com'])
 def test_use_replace():
     request = rf.get('/')
     response = HttpResponse()
@@ -170,7 +170,7 @@ def test_use_replace():
     assert policy_list == ["default-src 'self'", "img-src bar.com"]
 
 
-@override_settings(CSP_IMG_SRC=['foo.com'])
+@override_legacy_settings(CSP_IMG_SRC=['foo.com'])
 def test_use_complex_replace():
     request = rf.get('/')
     response = HttpResponse()
@@ -262,7 +262,7 @@ def test_nonce_regenerated_on_new_request():
         assert nonce2 not in response1[header]
 
 
-@override_settings(
+@override_legacy_settings(
     CSP_INCLUDE_NONCE_IN=[],
 )
 def test_no_nonce_when_disabled_by_settings():

diff --git a/csp/tests/test_utils.py b/csp/tests/test_utils.py
@@ -1,11 +1,12 @@
 from __future__ import absolute_import
 
 from django.conf import settings
-from django.test.utils import override_settings
+from django.test import override_settings
 from django.utils.functional import lazy
 
 import pytest
 
+from csp.tests.utils import override_legacy_settings
 from csp.utils import (
     build_policy,
     _policies_from_names_and_kwargs,
@@ -43,122 +44,122 @@ def literal(s):
 lazy_literal = lazy(literal, str)
 
 
-@override_settings(CSP_DEFAULT_SRC=['example.com', 'example2.com'])
+@override_legacy_settings(CSP_DEFAULT_SRC=['example.com', 'example2.com'])
 def test_default_src():
     policy = build_policy()
     policy_eq('default-src example.com example2.com', policy)
 
 
-@override_settings(CSP_SCRIPT_SRC=['example.com'])
+@override_legacy_settings(CSP_SCRIPT_SRC=['example.com'])
 def test_script_src():
     policy = build_policy()
     policy_eq("default-src 'self'; script-src example.com", policy)
 
 
-@override_settings(CSP_SCRIPT_SRC_ATTR=['example.com'])
+@override_legacy_settings(CSP_SCRIPT_SRC_ATTR=['example.com'])
 def test_script_src_attr():
     policy = build_policy()
     policy_eq("default-src 'self'; script-src-attr example.com", policy)
 
 
-@override_settings(CSP_SCRIPT_SRC_ELEM=['example.com'])
+@override_legacy_settings(CSP_SCRIPT_SRC_ELEM=['example.com'])
 def test_script_src_elem():
     policy = build_policy()
     policy_eq("default-src 'self'; script-src-elem example.com", policy)
 
 
-@override_settings(CSP_OBJECT_SRC=['example.com'])
+@override_legacy_settings(CSP_OBJECT_SRC=['example.com'])
 def test_object_src():
     policy = build_policy()
     policy_eq("default-src 'self'; object-src example.com", policy)
 
 
-@override_settings(CSP_PREFETCH_SRC=['example.com'])
+@override_legacy_settings(CSP_PREFETCH_SRC=['example.com'])
 def test_prefetch_src():
     policy = build_policy()
     policy_eq("default-src 'self'; prefetch-src example.com", policy)
 
 
-@override_settings(CSP_STYLE_SRC=['example.com'])
+@override_legacy_settings(CSP_STYLE_SRC=['example.com'])
 def test_style_src():
     policy = build_policy()
     policy_eq("default-src 'self'; style-src example.com", policy)
 
 
-@override_settings(CSP_STYLE_SRC_ATTR=['example.com'])
+@override_legacy_settings(CSP_STYLE_SRC_ATTR=['example.com'])
 def test_style_src_attr():
     policy = build_policy()
     policy_eq("default-src 'self'; style-src-attr example.com", policy)
 
 
-@override_settings(CSP_STYLE_SRC_ELEM=['example.com'])
+@override_legacy_settings(CSP_STYLE_SRC_ELEM=['example.com'])
 def test_style_src_elem():
     policy = build_policy()
     policy_eq("default-src 'self'; style-src-elem example.com", policy)
 
 
-@override_settings(CSP_IMG_SRC=['example.com'])
+@override_legacy_settings(CSP_IMG_SRC=['example.com'])
 def test_img_src():
     policy = build_policy()
     policy_eq("default-src 'self'; img-src example.com", policy)
 
 
-@override_settings(CSP_MEDIA_SRC=['example.com'])
+@override_legacy_settings(CSP_MEDIA_SRC=['example.com'])
 def test_media_src():
     policy = build_policy()
     policy_eq("default-src 'self'; media-src example.com", policy)
 
 
-@override_settings(CSP_FRAME_SRC=['example.com'])
+@override_legacy_settings(CSP_FRAME_SRC=['example.com'])
 def test_frame_src():
     policy = build_policy()
     policy_eq("default-src 'self'; frame-src example.com", policy)
 
 
-@override_settings(CSP_FONT_SRC=['example.com'])
+@override_legacy_settings(CSP_FONT_SRC=['example.com'])
 def test_font_src():
     policy = build_policy()
     policy_eq("default-src 'self'; font-src example.com", policy)
 
 
-@override_settings(CSP_CONNECT_SRC=['example.com'])
+@override_legacy_settings(CSP_CONNECT_SRC=['example.com'])
 def test_connect_src():
     policy = build_policy()
     policy_eq("default-src 'self'; connect-src example.com", policy)
 
 
-@override_settings(CSP_SANDBOX=['allow-scripts'])
+@override_legacy_settings(CSP_SANDBOX=['allow-scripts'])
 def test_sandbox():
     policy = build_policy()
     policy_eq("default-src 'self'; sandbox allow-scripts", policy)
 
 
-@override_settings(CSP_SANDBOX=[])
+@override_legacy_settings(CSP_SANDBOX=[])
 def test_sandbox_empty():
     policy = build_policy()
     policy_eq("default-src 'self'; sandbox", policy)
 
 
-@override_settings(CSP_REPORT_URI='/foo')
+@override_legacy_settings(CSP_REPORT_URI='/foo')
 def test_report_uri():
     policy = build_policy()
     policy_eq("default-src 'self'; report-uri /foo", policy)
 
 
-@override_settings(CSP_REPORT_URI=lazy_literal('/foo'))
+@override_legacy_settings(CSP_REPORT_URI=lazy_literal('/foo'))
 def test_report_uri_lazy():
     policy = build_policy()
     policy_eq("default-src 'self'; report-uri /foo", policy)
 
 
-@override_settings(CSP_REPORT_TO='some_endpoint')
+@override_legacy_settings(CSP_REPORT_TO='some_endpoint')
 def test_report_to():
     policy = build_policy()
     policy_eq("default-src 'self'; report-to some_endpoint",
               policy)
 
 
-@override_settings(CSP_IMG_SRC=['example.com'])
+@override_legacy_settings(CSP_IMG_SRC=['example.com'])
 def test_update_img():
     policy = build_policy(update={'img-src': 'example2.com'})
     policy_eq("default-src 'self'; img-src example.com example2.com",
@@ -171,7 +172,7 @@ def test_update_missing_setting():
     policy_eq("default-src 'self'; img-src example.com", policy)
 
 
-@override_settings(CSP_IMG_SRC=['example.com'])
+@override_legacy_settings(CSP_IMG_SRC=['example.com'])
 def test_replace_img():
     policy = build_policy(replace={'img-src': 'example2.com'})
     policy_eq("default-src 'self'; img-src example2.com", policy)
@@ -189,7 +190,7 @@ def test_config():
     policy_eq("default-src 'none'; img-src 'self'", policy)
 
 
-@override_settings(CSP_IMG_SRC=('example.com',))
+@override_legacy_settings(CSP_IMG_SRC=('example.com',))
 def test_update_string():
     """
     GitHub issue #40 - given project settings as a tuple, and
@@ -200,7 +201,7 @@ def test_update_string():
               policy)
 
 
-@override_settings(CSP_IMG_SRC=('example.com',))
+@override_legacy_settings(CSP_IMG_SRC=('example.com',))
 def test_replace_string():
     """
     Demonstrate that GitHub issue #40 doesn't affect replacements
@@ -210,81 +211,84 @@ def test_replace_string():
               policy)
 
 
-@override_settings(CSP_FORM_ACTION=['example.com'])
+@override_legacy_settings(CSP_FORM_ACTION=['example.com'])
 def test_form_action():
     policy = build_policy()
     policy_eq("default-src 'self'; form-action example.com", policy)
 
 
-@override_settings(CSP_BASE_URI=['example.com'])
+@override_legacy_settings(CSP_BASE_URI=['example.com'])
 def test_base_uri():
     policy = build_policy()
     policy_eq("default-src 'self'; base-uri example.com", policy)
 
 
-@override_settings(CSP_CHILD_SRC=['example.com'])
+@override_legacy_settings(CSP_CHILD_SRC=['example.com'])
 def test_child_src():
     policy = build_policy()
     policy_eq("default-src 'self'; child-src example.com", policy)
 
 
-@override_settings(CSP_FRAME_ANCESTORS=['example.com'])
+@override_legacy_settings(CSP_FRAME_ANCESTORS=['example.com'])
 def test_frame_ancestors():
     policy = build_policy()
     policy_eq("default-src 'self'; frame-ancestors example.com", policy)
 
 
-@override_settings(CSP_NAVIGATE_TO=['example.com'])
+@override_legacy_settings(CSP_NAVIGATE_TO=['example.com'])
 def test_navigate_to():
     policy = build_policy()
     policy_eq("default-src 'self'; navigate-to example.com", policy)
 
 
-@override_settings(CSP_MANIFEST_SRC=['example.com'])
+@override_legacy_settings(CSP_MANIFEST_SRC=['example.com'])
 def test_manifest_src():
     policy = build_policy()
     policy_eq("default-src 'self'; manifest-src example.com", policy)
 
 
-@override_settings(CSP_WORKER_SRC=['example.com'])
+@override_legacy_settings(CSP_WORKER_SRC=['example.com'])
 def test_worker_src():
     policy = build_policy()
     policy_eq("default-src 'self'; worker-src example.com", policy)
 
 
-@override_settings(CSP_PLUGIN_TYPES=['application/pdf'])
+@override_legacy_settings(CSP_PLUGIN_TYPES=['application/pdf'])
 def test_plugin_types():
     policy = build_policy()
     policy_eq("default-src 'self'; plugin-types application/pdf", policy)
 
 
-@override_settings(CSP_REQUIRE_SRI_FOR=['script'])
+@override_legacy_settings(CSP_REQUIRE_SRI_FOR=['script'])
 def test_require_sri_for():
     policy = build_policy()
     policy_eq("default-src 'self'; require-sri-for script", policy)
 
 
-@override_settings(CSP_REQUIRE_TRUSTED_TYPES_FOR=["'script'"])
+@override_legacy_settings(CSP_REQUIRE_TRUSTED_TYPES_FOR=["'script'"])
 def test_require_trusted_types_for():
     policy = build_policy()
     policy_eq("default-src 'self'; require-trusted-types-for 'script'", policy)
 
 
-@override_settings(CSP_TRUSTED_TYPES=["strictPolicy", "laxPolicy",
-                                      "default", "'allow-duplicates'"])
+@override_legacy_settings(
+    CSP_TRUSTED_TYPES=[
+        "strictPolicy", "laxPolicy", "default", "'allow-duplicates'",
+    ],
+)
 def test_trusted_types():
     policy = build_policy()
     policy_eq("default-src 'self'; trusted-types strictPolicy laxPolicy "
               + "default 'allow-duplicates'", policy)
 
 
-@override_settings(CSP_UPGRADE_INSECURE_REQUESTS=True)
+@override_legacy_settings(CSP_UPGRADE_INSECURE_REQUESTS=True)
 def test_upgrade_insecure_requests():
     policy = build_policy()
     policy_eq("default-src 'self'; upgrade-insecure-requests", policy)
 
 
-@override_settings(CSP_BLOCK_ALL_MIXED_CONTENT=True)
+@override_legacy_settings(CSP_BLOCK_ALL_MIXED_CONTENT=True)
 def test_block_all_mixed_content():
     with pytest.warns(DeprecationWarning):
         policy = build_policy()
@@ -296,7 +300,7 @@ def test_nonce():
     policy_eq("default-src 'self' 'nonce-abc123'", policy)
 
 
-@override_settings(CSP_INCLUDE_NONCE_IN=['script-src', 'style-src'])
+@override_legacy_settings(CSP_INCLUDE_NONCE_IN=['script-src', 'style-src'])
 def test_nonce_include_in():
     policy = build_policy(nonce='abc123')
     policy_eq(("default-src 'self'; "