never-indexed fields to ensure they don't get added to header compression
contexts.
This function currently implements two rules:
- 'authorization' and 'proxy-authorization' fields are automatically made
never-indexed.
- Any 'cookie' header field shorter than 20 bytes long is made
never-indexed.
These fields are the most at-risk. These rules are inspired by Firefox
and nghttp2.
"""
for header in headers:
if header[0] in _SECURE_HEADERS:
yield NeverIndexedHeaderTuple(*header)
elif header[0] in (b'cookie', u'cookie') and len(header[1]) < 20:
yield NeverIndexedHeaderTuple(*header)
else:
yield header
(u'Authorization', u'test'),
(u'authorization', u'really long test'),
HeaderTuple(u'authorization', u'test'),
HeaderTuple(u'Authorization', u'test'),
HeaderTuple(u'authorization', u'really long test'),
NeverIndexedHeaderTuple(u'authorization', u'test'),
NeverIndexedHeaderTuple(u'Authorization', u'test'),
NeverIndexedHeaderTuple(u'authorization', u'really long test'),
(b'authorization', b'test'),
(b'Authorization', b'test'),
(b'authorization', b'really long test'),
HeaderTuple(b'authorization', b'test'),
HeaderTuple(b'Authorization', b'test'),
HeaderTuple(b'authorization', b'really long test'),
NeverIndexedHeaderTuple(b'authorization', b'test'),
NeverIndexedHeaderTuple(b'Authorization', b'test'),
NeverIndexedHeaderTuple(b'authorization', b'really long test'),
(u'proxy-authorization', u'test'),
(u'Proxy-Authorization', u'test'),
(u'proxy-authorization', u'really long test'),
HeaderTuple(u'proxy-authorization', u'test'),
HeaderTuple(u'Proxy-Authorization', u'test'),
HeaderTuple(u'proxy-authorization', u'really long test'),
NeverIndexedHeaderTuple(u'proxy-authorization', u'test'),
NeverIndexedHeaderTuple(u'Proxy-Authorization', u'test'),
NeverIndexedHeaderTuple(u'proxy-authorization', u'really long test'),
(b'proxy-authorization', b'test'),
(b'Proxy-Authorization', b'test'),
(b'proxy-authorization', b'really long test'),
HeaderTuple(b'proxy-authorization', b'test'),
HeaderTuple(b'Proxy-Authorization', b'test'),
HeaderTuple(b'proxy-authorization', b'really long test'),
(u'cookie', u'nineteen byte cooki'),
HeaderTuple(u'cookie', u'short'),
HeaderTuple(u'Cookie', u'short'),
HeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'short'),
NeverIndexedHeaderTuple(u'Cookie', u'short'),
NeverIndexedHeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'longer manually secured cookie'),
(b'cookie', b'short'),
(b'Cookie', b'short'),
(b'cookie', b'nineteen byte cooki'),
HeaderTuple(b'cookie', b'short'),
HeaderTuple(b'Cookie', b'short'),
HeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'short'),
NeverIndexedHeaderTuple(b'Cookie', b'short'),
NeverIndexedHeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'longer manually secured cookie'),
]
# Cookie fields that must be left untouched by the automatic secure-header
# rule: every cookie value here is 20 bytes or longer, so the "shorter than
# 20 bytes" check (`len(header[1]) < 20`) does not fire and the field is
# allowed into the header compression context. The 20-byte values sit exactly
# on the boundary, which is the edge the rule has to get right.
# Values are ASCII, so the unicode lengths equal the byte lengths.
# Some entries are repeated in the original fixture; they are kept as-is.
unsecured_cookie_headers = [
(u'cookie', u'twenty byte cookie!!'),
(u'Cookie', u'twenty byte cookie!!'),
(u'cookie', u'substantially longer than 20 byte cookie'),
HeaderTuple(u'cookie', u'twenty byte cookie!!'),
HeaderTuple(u'cookie', u'twenty byte cookie!!'),
HeaderTuple(u'Cookie', u'twenty byte cookie!!'),
(b'cookie', b'twenty byte cookie!!'),
(b'Cookie', b'twenty byte cookie!!'),
(b'cookie', b'substantially longer than 20 byte cookie'),
HeaderTuple(b'cookie', b'twenty byte cookie!!'),
HeaderTuple(b'cookie', b'twenty byte cookie!!'),
HeaderTuple(b'Cookie', b'twenty byte cookie!!'),
# NOTE(review): the proxy-authorization entries below are not cookie fixtures
# and, by the secure-header rule, are always forced never-indexed, so they do
# not belong in an "unsecured" list. They look like a stray fragment of the
# authorization fixture — confirm against the upstream test module.
(b'proxy-authorization', b'really long test'),
HeaderTuple(b'proxy-authorization', b'test'),
HeaderTuple(b'Proxy-Authorization', b'test'),
HeaderTuple(b'proxy-authorization', b'really long test'),
NeverIndexedHeaderTuple(b'proxy-authorization', b'test'),
NeverIndexedHeaderTuple(b'Proxy-Authorization', b'test'),
NeverIndexedHeaderTuple(b'proxy-authorization', b'really long test'),
]
# Cookie fields that must end up never-indexed, i.e. kept out of the header
# compression context, whatever form they are supplied in:
# - plain tuples and HeaderTuples with values shorter than 20 bytes are
#   expected to be promoted to NeverIndexedHeaderTuple by the length rule
#   ('short' is 5 bytes, 'nineteen byte cooki' is 19);
# - NeverIndexedHeaderTuple inputs must stay never-indexed regardless of
#   length — the 'longer manually secured cookie' entry (30 bytes) checks
#   that an explicit marking is preserved for a value the length rule alone
#   would not protect.
# NOTE(review): the 'Cookie' (capitalised) entries rely on the name being
# lower-cased before the rule runs, since the rule compares against
# b'cookie'/u'cookie' exactly — verify where that normalisation happens.
secured_cookie_headers = [
(u'cookie', u'short'),
(u'Cookie', u'short'),
(u'cookie', u'nineteen byte cooki'),
HeaderTuple(u'cookie', u'short'),
HeaderTuple(u'Cookie', u'short'),
HeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'short'),
NeverIndexedHeaderTuple(u'Cookie', u'short'),
NeverIndexedHeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'longer manually secured cookie'),
(b'cookie', b'short'),
(b'Cookie', b'short'),
(b'cookie', b'nineteen byte cooki'),
HeaderTuple(b'cookie', b'short'),
HeaderTuple(b'Cookie', b'short'),
HeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'short'),
NeverIndexedHeaderTuple(b'Cookie', b'short'),
NeverIndexedHeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'longer manually secured cookie'),
]
# Cookie fields the automatic rule must leave indexable: the value is exactly
# 20 bytes, so `len(header[1]) < 20` is false and the field is not promoted
# to never-indexed.
unsecured_cookie_headers = [
(u'cookie', u'twenty byte cookie!!'),
# NOTE(review): the proxy-authorization entries below are always forced
# never-indexed by the secure-header rule and so cannot be "unsecured"; they
# look like a stray fragment of the authorization fixture — confirm against
# the upstream test module.
HeaderTuple(b'proxy-authorization', b'really long test'),
NeverIndexedHeaderTuple(b'proxy-authorization', b'test'),
NeverIndexedHeaderTuple(b'Proxy-Authorization', b'test'),
NeverIndexedHeaderTuple(b'proxy-authorization', b'really long test'),
]
# Cookie fields that must be emitted never-indexed, so they never enter the
# header compression context:
# - values shorter than 20 bytes ('short' = 5, 'nineteen byte cooki' = 19)
#   are expected to be promoted by the length rule whether they arrive as a
#   plain tuple or a HeaderTuple;
# - values already given as NeverIndexedHeaderTuple must keep that status,
#   including the 30-byte 'longer manually secured cookie' that the length
#   rule alone would not catch.
# NOTE(review): the capitalised 'Cookie' entries assume the name is
# lower-cased before the rule's exact b'cookie'/u'cookie' comparison — verify
# where that happens.
secured_cookie_headers = [
(u'cookie', u'short'),
(u'Cookie', u'short'),
(u'cookie', u'nineteen byte cooki'),
HeaderTuple(u'cookie', u'short'),
HeaderTuple(u'Cookie', u'short'),
HeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'short'),
NeverIndexedHeaderTuple(u'Cookie', u'short'),
NeverIndexedHeaderTuple(u'cookie', u'nineteen byte cooki'),
NeverIndexedHeaderTuple(u'cookie', u'longer manually secured cookie'),
(b'cookie', b'short'),
(b'Cookie', b'short'),
(b'cookie', b'nineteen byte cooki'),
HeaderTuple(b'cookie', b'short'),
HeaderTuple(b'Cookie', b'short'),
HeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'short'),
NeverIndexedHeaderTuple(b'Cookie', b'short'),
NeverIndexedHeaderTuple(b'cookie', b'nineteen byte cooki'),
NeverIndexedHeaderTuple(b'cookie', b'longer manually secured cookie'),
]
unsecured_cookie_headers = [
(u'cookie', u'twenty byte cookie!!'),
(u'Cookie', u'twenty byte cookie!!'),
(u'cookie', u'substantially longer than 20 byte cookie'),
HeaderTuple(u'cookie', u'twenty byte cookie!!'),
def test_short_cookie_headers_never_indexed_push(self,
headers,
cookie_header,
frame_factory):
"""
Short cookie headers, and cookies provided as NeverIndexedHeaderTuple,
are never indexed when pushed by servers.
"""
# Regardless of what we send, we expect it to be never indexed.
send_headers = headers + [cookie_header]
expected_headers = headers + [
NeverIndexedHeaderTuple(cookie_header[0].lower(), cookie_header[1])
]
c = h2.connection.H2Connection(config=self.server_config)
c.receive_data(frame_factory.preamble())
# We can use normal headers for the request.
f = frame_factory.build_headers_frame(
self.example_request_headers
)
c.receive_data(f.serialize())
frame_factory.refresh_encoder()
expected_frame = frame_factory.build_push_promise_frame(
stream_id=1,
promised_stream_id=2,
headers=expected_headers,
]
# Minimal HTTP/2 request pseudo-header block in bytes form, presumably the
# bytes counterpart of example_request_headers (TODO confirm). Only
# non-sensitive fields: none of these names is subject to the never-indexed
# rules, so a test can append a cookie or authorization field and observe the
# effect on that field alone.
bytes_example_request_headers = [
    (b':authority', b'example.com'), (b':path', b'/'),
    (b':scheme', b'https'), (b':method', b'GET'),
]
possible_auth_headers = [
(u'authorization', u'test'),
(u'Authorization', u'test'),
(u'authorization', u'really long test'),
HeaderTuple(u'authorization', u'test'),
HeaderTuple(u'Authorization', u'test'),
HeaderTuple(u'authorization', u'really long test'),
NeverIndexedHeaderTuple(u'authorization', u'test'),
NeverIndexedHeaderTuple(u'Authorization', u'test'),
NeverIndexedHeaderTuple(u'authorization', u'really long test'),
(b'authorization', b'test'),
(b'Authorization', b'test'),
(b'authorization', b'really long test'),
HeaderTuple(b'authorization', b'test'),
HeaderTuple(b'Authorization', b'test'),
HeaderTuple(b'authorization', b'really long test'),
NeverIndexedHeaderTuple(b'authorization', b'test'),
NeverIndexedHeaderTuple(b'Authorization', b'test'),
NeverIndexedHeaderTuple(b'authorization', b'really long test'),
(u'proxy-authorization', u'test'),
(u'Proxy-Authorization', u'test'),
(u'proxy-authorization', u'really long test'),
HeaderTuple(u'proxy-authorization', u'test'),
HeaderTuple(u'Proxy-Authorization', u'test'),
HeaderTuple(u'proxy-authorization', u'really long test'),
def test_authorization_headers_never_indexed_push(self,
headers,
auth_header,
frame_factory):
"""
Authorization and Proxy-Authorization headers are always forced to be
never-indexed, regardless of their form, when pushed by a server.
"""
# Regardless of what we send, we expect it to be never indexed.
send_headers = headers + [auth_header]
expected_headers = headers + [
NeverIndexedHeaderTuple(auth_header[0].lower(), auth_header[1])
]
c = h2.connection.H2Connection(config=self.server_config)
c.receive_data(frame_factory.preamble())
# We can use normal headers for the request.
f = frame_factory.build_headers_frame(
self.example_request_headers
)
c.receive_data(f.serialize())
frame_factory.refresh_encoder()
expected_frame = frame_factory.build_push_promise_frame(
stream_id=1,
promised_stream_id=2,
headers=expected_headers,
never-indexed fields to ensure they don't get added to header compression
contexts.
This function currently implements two rules:
- 'authorization' and 'proxy-authorization' fields are automatically made
never-indexed.
- Any 'cookie' header field shorter than 20 bytes long is made
never-indexed.
These fields are the most at-risk. These rules are inspired by Firefox
and nghttp2.
"""
for header in headers:
if header[0] in _SECURE_HEADERS:
yield NeverIndexedHeaderTuple(*header)
elif header[0] in (b'cookie', u'cookie') and len(header[1]) < 20:
yield NeverIndexedHeaderTuple(*header)
else:
yield header
never-indexed fields to ensure they don't get added to header compression
contexts.
This function currently implements two rules:
- 'authorization' and 'proxy-authorization' fields are automatically made
never-indexed.
- Any 'cookie' header field shorter than 20 bytes long is made
never-indexed.
These fields are the most at-risk. These rules are inspired by Firefox
and nghttp2.
"""
for header in headers:
if header[0] in _SECURE_HEADERS:
yield NeverIndexedHeaderTuple(*header)
elif header[0] in (b'cookie', u'cookie') and len(header[1]) < 20:
yield NeverIndexedHeaderTuple(*header)
else:
yield header