429
431
return self.api.handle(request).addCallback(check)
433
def test_handle_error_is_api_content_type(self):
435
If an error occurs while parsing the parameters, L{QueryAPI.handle}
436
responds with HTTP status 400, and the resulting response has a
437
Content-Type header matching the content type defined in the QueryAPI.
439
creds = AWSCredentials("access", "secret")
440
endpoint = AWSServiceEndpoint("http://uri")
441
query = Query(action="SomeAction", creds=creds, endpoint=endpoint)
443
query.params.pop("Action")
444
request = FakeRequest(query.params, endpoint)
447
errors = self.flushLoggedErrors()
448
self.assertEquals(0, len(errors))
449
self.assertEqual(400, request.code)
451
request_type = request.headers['Content-Type']
452
self.assertEqual(self.api.content_type, request_type)
454
return self.api.handle(request).addCallback(check)
431
456
def test_handle_unicode_api_error(self):
433
458
If an L{APIError} contains a unicode message, L{QueryAPI} is able to
454
479
self.api.principal = TestPrincipal(creds)
455
480
return self.api.handle(request).addCallback(check)
482
def test_api_error_is_HTML_safe(self):
484
In some cases, an attacker can trigger an API error in which the passed
485
value is returned in the error message. Should a victim be tricked to
486
a properly crafted URL, the error message would be passed unchecked to
487
her web browser, resulting in arbitrary code execution.
489
creds = AWSCredentials("access", "secret")
490
endpoint = AWSServiceEndpoint("http://uri")
491
query = Query(action="SomeAction", creds=creds, endpoint=endpoint)
493
request = FakeRequest(query.params, endpoint)
495
toxic = u"<script>alert(\"Owned!\");</script>"
497
escaped = escape(toxic, True)
499
def fail_execute(call):
500
raise APIError(400, code="LangError", message=toxic)
501
self.api.execute = fail_execute
504
errors = self.flushLoggedErrors()
505
self.assertEqual(0, len(errors))
506
self.assertTrue(request.finished)
508
self.assertNotIn(toxic, request.response)
509
self.assertIn(escaped, request.response)
510
self.assertEqual(400, request.code)
512
self.api.principal = TestPrincipal(creds)
513
return self.api.handle(request).addCallback(check)
457
515
def test_handle_unicode_error(self):
459
517
If an arbitrary error raised by an API method contains a unicode