From dcd8ba34ab652d7f8678637377c30e26f7efdd25 Mon Sep 17 00:00:00 2001
From: David Kremer <courrier@david-kremer.fr>
Date: Wed, 15 Aug 2018 18:49:22 +0200
Subject: [test/xss_scanner] add fixtures in tests

The previous version of that script made a repetitive use
of the  pytest builtin fixture, with always
the same arguments.

This is a small refactoring and cleanup, mainly adding the 'function'
scope to ensure proper cleaning and using the @pytest.fixture
decorator where I could.
---
 test/examples/test_xss_scanner.py | 75 +++++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 35 deletions(-)

diff --git a/test/examples/test_xss_scanner.py b/test/examples/test_xss_scanner.py
index 1d723d53..25237c4f 100644
--- a/test/examples/test_xss_scanner.py
+++ b/test/examples/test_xss_scanner.py
@@ -252,8 +252,7 @@ class TestXSSScanner():
                 self.text = html
         return MockResponse("<html></html>")
 
-    def test_test_end_of_url_injection(self, monkeypatch):
-        monkeypatch.setattr(requests, 'get', self.mocked_requests_vuln)
+    def test_test_end_of_url_injection(self, get_request_vuln):
         xss_info = xss.test_end_of_URL_injection("<html></html>", "https://example.com/index.html", {})[0]
         expected_xss_info = xss.XSSData('https://example.com/index.html/1029zxcs\'d"ao<ac>so[sb]po(pc)se;sl/bsl\\eq=3847asd',
                                         'End of URL',
@@ -263,8 +262,7 @@ class TestXSSScanner():
         assert xss_info == expected_xss_info
         assert sqli_info is None
 
-    def test_test_referer_injection(self, monkeypatch):
-        monkeypatch.setattr(requests, 'get', self.mocked_requests_vuln)
+    def test_test_referer_injection(self, get_request_vuln):
         xss_info = xss.test_referer_injection("<html></html>", "https://example.com/", {})[0]
         expected_xss_info = xss.XSSData('https://example.com/',
                                         'Referer',
@@ -274,8 +272,7 @@ class TestXSSScanner():
         assert xss_info == expected_xss_info
         assert sqli_info is None
 
-    def test_test_user_agent_injection(self, monkeypatch):
-        monkeypatch.setattr(requests, 'get', self.mocked_requests_vuln)
+    def test_test_user_agent_injection(self, get_request_vuln):
         xss_info = xss.test_user_agent_injection("<html></html>", "https://example.com/", {})[0]
         expected_xss_info = xss.XSSData('https://example.com/',
                                         'User Agent',
@@ -285,8 +282,8 @@ class TestXSSScanner():
         assert xss_info == expected_xss_info
         assert sqli_info is None
 
-    def test_test_query_injection(self, monkeypatch):
-        monkeypatch.setattr(requests, 'get', self.mocked_requests_vuln)
+    def test_test_query_injection(self, get_request_vuln):
+
         xss_info = xss.test_query_injection("<html></html>", "https://example.com/vuln.php?cmd=ls", {})[0]
         expected_xss_info = xss.XSSData('https://example.com/vuln.php?cmd=1029zxcs\'d"ao<ac>so[sb]po(pc)se;sl/bsl\\eq=3847asd',
                                         'Query',
@@ -296,16 +293,8 @@ class TestXSSScanner():
         assert xss_info == expected_xss_info
         assert sqli_info is None
 
-    def mocked_socket_gethostbyname(domain):
-        claimed_domains = ["google.com"]
-        if domain not in claimed_domains:
-            from socket import gaierror
-            raise gaierror("[Errno -2] Name or service not known")
-        else:
-            return '216.58.221.46'
-
-    @pytest.fixture
-    def logger(self):
+    @pytest.fixture(scope='function')
+    def logger(self, monkeypatch):
         class Logger():
             def __init__(self):
                 self.args = []
@@ -315,12 +304,32 @@ class TestXSSScanner():
 
             def error(self, str):
                 self.args.append(str)
-        return Logger()
 
-    def test_find_unclaimed_URLs(self, monkeypatch, logger):
-        logger.args = []
+        logger = Logger()
         monkeypatch.setattr("mitmproxy.ctx.log", logger)
-        monkeypatch.setattr("socket.gethostbyname", self.mocked_socket_gethostbyname)
+        yield logger
+
+    @pytest.fixture(scope='function')
+    def get_request_vuln(self, monkeypatch):
+        monkeypatch.setattr(requests, 'get', self.mocked_requests_vuln)
+
+    @pytest.fixture(scope='function')
+    def get_request_invuln(self, monkeypatch):
+        monkeypatch.setattr(requests, 'get', self.mocked_requests_invuln)
+
+    @pytest.fixture(scope='function')
+    def mock_gethostbyname(self, monkeypatch):
+        def gethostbyname(domain):
+            claimed_domains = ["google.com"]
+            if domain not in claimed_domains:
+                from socket import gaierror
+                raise gaierror("[Errno -2] Name or service not known")
+            else:
+                return '216.58.221.46'
+
+        monkeypatch.setattr("socket.gethostbyname", gethostbyname)
+
+    def test_find_unclaimed_URLs(self, logger, mock_gethostbyname):
         xss.find_unclaimed_URLs("<html><script src=\"http://google.com\"></script></html>",
                                 "https://example.com")
         assert logger.args == []
@@ -329,14 +338,12 @@ class TestXSSScanner():
         assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
         xss.find_unclaimed_URLs("<html><iframe src=\"http://unclaimedDomainName.com\"></iframe></html>",
                                 "https://example.com")
-        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        assert logger.args[1] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
         xss.find_unclaimed_URLs("<html><link rel=\"stylesheet\" href=\"http://unclaimedDomainName.com\"></html>",
                                 "https://example.com")
-        assert logger.args[0] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
+        assert logger.args[2] == 'XSS found in https://example.com due to unclaimed URL "http://unclaimedDomainName.com".'
 
-    def test_log_XSS_data(self, monkeypatch, logger):
-        logger.args = []
-        monkeypatch.setattr("mitmproxy.ctx.log", logger)
+    def test_log_XSS_data(self, logger):
         xss.log_XSS_data(None)
         assert logger.args == []
         # self, url: str, injection_point: str, exploit: str, line: str
@@ -350,9 +357,7 @@ class TestXSSScanner():
         assert logger.args[3] == 'Suggested Exploit: String'
         assert logger.args[4] == 'Line: Line of HTML'
 
-    def test_log_SQLi_data(self, monkeypatch, logger):
-        logger.args = []
-        monkeypatch.setattr("mitmproxy.ctx.log", logger)
+    def test_log_SQLi_data(self, logger):
         xss.log_SQLi_data(None)
         assert logger.args == []
         xss.log_SQLi_data(xss.SQLiData('https://example.com',
@@ -371,11 +376,11 @@ class TestXSSScanner():
         # It only uses the request cookies
         assert xss.get_cookies(mocked_flow) == {"cookieName2": "cookieValue2"}
 
-    def test_response(self, monkeypatch, logger):
-        logger.args = []
-        monkeypatch.setattr("mitmproxy.ctx.log", logger)
-        monkeypatch.setattr(requests, 'get', self.mocked_requests_invuln)
-        mocked_flow = tflow.tflow(req=tutils.treq(path=b"index.html?q=1"), resp=tutils.tresp(content=b'<html></html>'))
+    def test_response(self, get_request_invuln, logger):
+        mocked_flow = tflow.tflow(
+            req=tutils.treq(path=b"index.html?q=1"),
+            resp=tutils.tresp(content=b'<html></html>')
+        )
         xss.response(mocked_flow)
         assert logger.args == []
 
-- 
cgit v1.2.3