Merge pull request #3 from gratipay/109054-whitelist-methods

only allow certain methods

gratipay/main.py

@@ -4,10 +4,10 @@
 
 import gratipay
 import gratipay.wireup
-from gratipay import utils
+from gratipay import utils, security
 from gratipay.cron import Cron
 from gratipay.models.participant import Participant
-from gratipay.security import authentication, csrf, security_headers
+from gratipay.security import authentication, csrf
 from gratipay.utils import erase_cookie, http_caching, i18n, set_cookie, timer
 from gratipay.version import get_version
 from gratipay.renderers import csv_dump, jinja2_htmlescaped, eval_, scss
@@ -97,7 +97,8 @@
     timer.start,
     algorithm['parse_environ_into_request'],
     algorithm['parse_body_into_request'],
-    algorithm['raise_200_for_OPTIONS'],
+
+    security.only_allow_certain_methods,
 
     utils.use_tildes_for_participants,
     algorithm['redirect_to_base_url'],
@@ -124,7 +125,7 @@
     authentication.add_auth_to_response,
     csrf.add_token_to_response,
     http_caching.add_caching_to_response,
-    security_headers,
+    security.add_headers_to_response,
 
     algorithm['log_traceback_for_5xx'],
     algorithm['delegate_error_to_simplate'],

gratipay/security/__init__.py

@@ -1,4 +1,13 @@
-def security_headers(response):
+from aspen import Response
+
+
+def only_allow_certain_methods(request):
+    whitelisted = ['GET', 'HEAD', 'POST']
+    if request.method.upper() not in whitelisted:
+        raise Response(405)
+
+
+def add_headers_to_response(response):
     """Add security headers.
     """
 

tests/py/test_pages.py

@@ -196,18 +196,6 @@ def test_team_slug__not__redirected_from_tilde(self):
         assert self.client.GET("/TheEnterprise/").code == 200
         assert self.client.GxT("/~TheEnterprise/").code == 404
 
-    def test_security_headers_sets_x_frame_options(self):
-        headers = self.client.GET('/about/').headers
-        assert headers['X-Frame-Options'] == 'SAMEORIGIN'
-
-    def test_security_headers_sets_x_content_type_options(self):
-        headers = self.client.GET('/about/').headers
-        assert headers['X-Content-Type-Options'] == 'nosniff'
-
-    def test_security_headers_sets_x_xss_protection(self):
-        headers = self.client.GET('/about/').headers
-        assert headers['X-XSS-Protection'] == '1; mode=block'
-
     @mock.patch('gratipay.models.participant.Participant.get_braintree_account')
     @mock.patch('gratipay.models.participant.Participant.get_braintree_token')
     def test_braintree_linked_from_credit_card_page(self, foo, bar):

tests/py/test_security.py

@@ -0,0 +1,41 @@
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+from aspen import Response
+from aspen.http.request import Request
+from gratipay import security
+from gratipay.testing import Harness
+from pytest import raises
+
+
+class TestSecurity(Harness):
+
+    # oacm - only_allow_certain_methods
+
+    def test_oacm_is_installed_properly(self):
+        assert self.client.hxt('TRaCE', '/').code == 405
+
+    def test_oacm_allows_certain_methods(self):
+        for allowed in ('GEt', 'HEaD', 'PosT'):
+            request = Request(allowed)
+            assert security.only_allow_certain_methods(request) is None
+
+    def test_oacm_disallows_a_bunch_of_other_stuff(self):
+        for disallowed in ('OPTIONS', 'TRACE', 'TRACK', 'PUT', 'DELETE'):
+            request = Request(disallowed)
+            response = raises(Response, security.only_allow_certain_methods, request).value
+            assert response.code == 405
+
+
+    # ahtr - add_headers_to_response
+
+    def test_ahtr_sets_x_frame_options(self):
+        headers = self.client.GET('/about/').headers
+        assert headers['X-Frame-Options'] == 'SAMEORIGIN'
+
+    def test_ahtr_sets_x_content_type_options(self):
+        headers = self.client.GET('/about/').headers
+        assert headers['X-Content-Type-Options'] == 'nosniff'
+
+    def test_ahtr_sets_x_xss_protection(self):
+        headers = self.client.GET('/about/').headers
+        assert headers['X-XSS-Protection'] == '1; mode=block'