Making sure the cache key accepts any data #110

Merged
merged 1 commit into from
Aug 1, 2024
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[tool.poetry]
name = "django-security"
version = "1.0.2"
version = "1.0.3"
homepage = "https://github.com/sdelements/django-security"
description = "Models, views, middlewares and forms to facilitate security hardening of Django applications."
authors = ["Security Compass <[email protected]>"]
5 changes: 3 additions & 2 deletions security/auth_throttling/__init__.py
@@ -1,6 +1,7 @@
import hashlib
import logging
import time
import typing
import urllib.parse
from math import ceil

Expand Down Expand Up @@ -44,8 +45,8 @@ def delay_message(remainder):
return _("%d seconds") % ceil(remainder)


def _to_ascii_compatible(value: str):
if not value.isascii():
def _to_ascii_compatible(value: typing.Any):
if isinstance(value, str) and not value.isascii():
value = urllib.parse.quote(value)

return value
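Review bot: The new `isinstance(value, str)` guard in `_to_ascii_compatible` returns any non-string value untouched even when its text form is non-ASCII, so a container such as `["é"]` or a dict holding a non-ASCII value is presumably stringified downstream and reintroduces exactly the non-ASCII key the original check existed to escape. Converting first and checking the result closes that gap: `text = value if isinstance(value, str) else str(value)` followed by `return urllib.parse.quote(text) if not text.isascii() else text`; whether every caller can cope with always receiving a `str` depends on code outside this hunk and should be confirmed before making that change. Note also that ASCII input is never quoted, so an ASCII string that already contains percent-escapes (`a%C3%A9`) maps to the same key as the quoted form of `aé`; if that collision is acceptable it deserves a short comment saying so. A docstring stating the contract would help, e.g. `"""Return value as an ASCII-safe cache-key fragment; non-ASCII strings are percent-encoded, other types pass through."""`.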
29 changes: 22 additions & 7 deletions tests/tests.py
Expand Up @@ -1078,13 +1078,28 @@ class UnicodeDataTests(TestCase):
IP_ADDRESS = "127.0.0.1"

def test_unicode_data_in_cache_key(self):
self._execute_with_unicode_data(self.USERNAME, self.IP_ADDRESS)
self._execute_with_data(self.USERNAME, self.IP_ADDRESS)

def _execute_with_unicode_data(self, username, ip):
def test_types_in_cache_key(self):
"""
We can send any kind of data for the downstream functions,
usually strings (maybe the username or email) and ints (maybe the userId)
"""

self._execute_with_data(1, self.IP_ADDRESS)
self._execute_with_data(2.67, self.IP_ADDRESS)
self._execute_with_data(bool, self.IP_ADDRESS)
self._execute_with_data({"key": "value"}, self.IP_ADDRESS)
self._execute_with_data([1], self.IP_ADDRESS)
self._execute_with_data({1, 2}, self.IP_ADDRESS)
self._execute_with_data((1, 2), self.IP_ADDRESS)
self._execute_with_data("some_string", self.IP_ADDRESS)

def _execute_with_data(self, data, ip):
try:
increment_counters(username=username, ip=ip)
reset_counters(username=username, ip=ip)
throttling_delay(username=username, ip=ip)
attempt_count(attempt_type="auth", id=username)
increment_counters(key=data, ip=ip)
reset_counters(key=data, ip=ip)
throttling_delay(username=data, ip=ip)
attempt_count(attempt_type="auth", id=data)
except Exception:
self.fail("Unicode data not allowed")
self.fail("Unicode or incompatible data not allowed")
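Review bot: `self._execute_with_data(bool, self.IP_ADDRESS)` in `test_types_in_cache_key` passes the `bool` type object rather than a boolean value, so the boolean case the docstring implies is not actually exercised; use `True` and ideally `False` as well, since a falsy key is a common edge case. The `except Exception: self.fail(...)` wrapper in `_execute_with_data` discards the original traceback, which makes a real failure hard to diagnose — either drop the try/except and let the exception propagate, or bind it: `except Exception as exc:` / `self.fail(f"Unicode or incompatible data not allowed: {exc!r}")`. These tests only prove the calls do not raise; a case such as `self._execute_with_data(["é"], self.IP_ADDRESS)` combined with an assertion on the resulting key would show whether non-ASCII text inside a container still yields an ASCII-safe key, which the helper's type guard appears not to guarantee.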