API: add CSRF tests

gnosischain · Apr 11, 2024 · db980a1 · db980a1
1 parent 1425b63
commit db980a1
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 14 deletions.
diff --git a/api/api/services/csrf.py b/api/api/services/csrf.py
@@ -27,13 +27,16 @@ def generate_token(self):
         return CSRFTokenItem(request_id, token.hex())
 
     def validate_token(self, request_id, token):
-        cipher_rsa = PKCS1_OAEP.new(self._privkey)
-        decrypted_text = cipher_rsa.decrypt(bytes.fromhex(token)).decode()
-
-        expected_text = '%s%s' % (request_id, self._salt)
-        if decrypted_text == expected_text:
-            return True
-        return False
+        try:
+            cipher_rsa = PKCS1_OAEP.new(self._privkey)
+            decrypted_text = cipher_rsa.decrypt(bytes.fromhex(token)).decode()
+
+            expected_text = '%s%s' % (request_id, self._salt)
+            if decrypted_text == expected_text:
+                return True
+            return False
+        except Exception:
+            return False
 
 
 class CSRF:

diff --git a/api/api/services/validator.py b/api/api/services/validator.py
@@ -86,13 +86,8 @@ def csrf_validation(self):
             self.errors.append('Bad request')
             self.http_return_code = 400
 
-        try:
-            csrf_valid = self.csrf.validate_token(request_id, token)
-            if not csrf_valid:
-                self.errors.append('Bad request')
-                self.http_return_code = 400
-        except Exception as e:
-            logging.error(e)
+        csrf_valid = self.csrf.validate_token(request_id, token)
+        if not csrf_valid:
             self.errors.append('Bad request')
             self.http_return_code = 400
 

diff --git a/api/tests/test_csrf.py b/api/tests/test_csrf.py
@@ -0,0 +1,19 @@
+from .conftest import BaseTest
+
+
+class TestCSRF(BaseTest):
+
+    def test_values(self):
+        token_obj = self.csrf.generate_token()
+        self.assertTrue(
+            self.csrf.validate_token(token_obj.request_id, token_obj.token)
+        )
+        self.assertFalse(
+            self.csrf.validate_token('myfakeid', token_obj.token)
+        )
+        self.assertFalse(
+            self.csrf.validate_token('myfakeid', 'myfaketoken')
+        )
+        self.assertFalse(
+            self.csrf.validate_token(token_obj.request_id, 'myfaketoken')
+        )