request-params-check.py (4280B)
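"""Request-shape checks for the federated identity (FedCM) test endpoints.

Every public ``*Check`` function inspects one incoming request and returns
``None`` when the request matches what the browser is expected to send, or a
``(status, headers, body)`` tuple describing the FIRST expectation that
failed. Each failure uses its own status code (531-545), so the response alone
tells the caller which check tripped.

The ``request`` object is expected to expose ``headers``, ``cookies``, ``GET``
and ``POST`` mappings keyed by ``bytes`` plus a ``method`` string (a
wptserve-style request; this is assumed, not enforced here).

Most checks key on ``Sec-Fetch-*`` headers. Those are forbidden request
header names that page script cannot set, so they reflect how the browser
itself issued the request rather than what a page asked for.
"""


def _firstError(request, *checks):
    """Run ``checks`` in order and return the first error tuple, or ``None``.

    Each check is a callable taking the request and returning ``None`` on
    success or an error tuple. Checks after the first failure are not run.
    """
    for check in checks:
        error = check(request)
        if error:
            return error
    return None


def commonCheck(request, mode=b"no-cors", accept=b"application/json"):
    """Checks applied by every endpoint.

    Args:
        request: the incoming request.
        mode: expected ``Sec-Fetch-Mode`` value.
        accept: expected ``Accept`` value; a falsy value (e.g. ``None``)
            skips the Accept check entirely.

    Returns:
        ``None`` on success, else an error tuple with status 531-534.
    """
    if accept and request.headers.get(b"Accept") != accept:
        return (531, [], "Wrong Accept")
    if request.headers.get(b"Sec-Fetch-Dest") != b"webidentity":
        return (532, [], "Wrong Sec-Fetch-Dest header")
    # These endpoints must be fetched without a Referer header at all.
    if request.headers.get(b"Referer"):
        return (533, [], "Should not have Referer")
    if request.headers.get(b"Sec-Fetch-Mode") != mode:
        return (534, [], "Wrong Sec-Fetch-Mode header")
    return None


def _corsCommonCheck(request):
    """``commonCheck`` variant for endpoints fetched in CORS mode."""
    return commonCheck(request, b"cors")


def commonUncredentialedRequestCheck(request):
    """Require a cookie-less, cross-site request (status 535/536 on failure)."""
    if len(request.cookies) > 0:
        return (535, [], "Cookie should not be sent to this endpoint")
    if request.headers.get(b"Sec-Fetch-Site") != b"cross-site":
        return (536, [], "Wrong Sec-Fetch-Site header")
    return None


def commonCredentialedRequestCheck(request):
    """Require the test cookie ``cookie=1`` to be present (status 537 on failure)."""
    if request.cookies.get(b"cookie") != b"1":
        return (537, [], "Missing cookie")
    return None


def _secFetchSiteNotNoneCheck(request):
    """Reject ``Sec-Fetch-Site: none`` (status 538).

    The value of the Sec-Fetch-Site header can vary depending on the IdP
    origin, but it should never be 'none'.
    """
    if request.headers.get(b"Sec-Fetch-Site") == b"none":
        return (538, [], "Wrong Sec-Fetch-Site header")
    return None


def commonPostCheck(request):
    """Checks for the form-encoded POST endpoints (status 540-543 on failure).

    Requires an ``Origin`` header, the POST method, a urlencoded
    ``Content-Type`` and a non-empty ``client_id`` form parameter.
    """
    if not request.headers.get(b"Origin"):
        return (540, [], "Missing Origin")
    if request.method != "POST":
        return (541, [], "Method is not POST")
    if request.headers.get(b"Content-Type") != b"application/x-www-form-urlencoded":
        return (542, [], "Wrong Content-Type")
    if not request.POST.get(b"client_id"):
        return (543, [], "Missing 'client_id' POST parameter")
    return None


def manifestCheck(request):
    """Manifest endpoint: common + uncredentialed checks, and no ``Origin``."""
    error = _firstError(request, commonCheck, commonUncredentialedRequestCheck)
    if error:
        return error
    if request.headers.get(b"Origin"):
        return (539, [], "Should not have Origin")
    return None


def clientMetadataCheck(request):
    """Client metadata endpoint: like the manifest, but ``Origin`` is required.

    The query parameter ``skip_checks=1`` bypasses the common and
    uncredentialed checks; the ``Origin`` requirement always applies.
    """
    if request.GET.get(b"skip_checks", b"0") != b"1":
        error = _firstError(request, commonCheck, commonUncredentialedRequestCheck)
        if error:
            return error
    if not request.headers.get(b"Origin"):
        return (540, [], "Missing Origin")
    return None


def accountsCheck(request):
    """Accounts endpoint: common + credentialed checks, and no ``Origin``."""
    error = _firstError(request, commonCheck, commonCredentialedRequestCheck)
    if error:
        return error
    if request.headers.get(b"Origin"):
        return (539, [], "Should not have Origin")
    return None


def tokenCheck(request):
    """Token endpoint: CORS-mode, credentialed, form-encoded POST.

    Requires ``account_id`` (544) and ``disclosure_text_shown`` (545) in the
    form body. ``Origin`` presence is already enforced by ``commonPostCheck``
    (540), so it is not re-checked here.
    """
    error = _firstError(
        request,
        _corsCommonCheck,
        commonCredentialedRequestCheck,
        _secFetchSiteNotNoneCheck,
        commonPostCheck,
    )
    if error:
        return error
    if not request.POST.get(b"account_id"):
        return (544, [], "Missing 'account_id' POST parameter")
    if not request.POST.get(b"disclosure_text_shown"):
        return (545, [], "Missing 'disclosure_text_shown' POST parameter")
    return None


def revokeCheck(request):
    """Revoke endpoint: same preconditions as the token endpoint.

    Requires ``account_hint`` in the form body (reported as 544, the same
    status the token endpoint uses for a missing ``account_id``).
    """
    error = _firstError(
        request,
        _corsCommonCheck,
        commonCredentialedRequestCheck,
        _secFetchSiteNotNoneCheck,
        commonPostCheck,
    )
    if error:
        return error
    if not request.POST.get(b"account_hint"):
        return (544, [], "Missing 'account_hint' POST parameter")
    return None


def pictureCheck(request):
    """Picture endpoint: like the manifest, but any ``Accept`` value is allowed."""
    error = _firstError(
        request,
        lambda r: commonCheck(r, accept=None),
        commonUncredentialedRequestCheck,
    )
    if error:
        return error
    if request.headers.get(b"Origin"):
        return (539, [], "Should not have Origin")
    return None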