Mercurial > hg

view tests/test-hgweb-csp.t @ 48014:0dc4cc654d96

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
typing: drop annotations on `mercurial/logcmdutil.walkopts` attributes Pytype 2021-09-09 must have learned some things about `@attr`, because while these were presumably required to help it before (c1d0f83d62c4::9a26fea2b518 and c11099cc1de4::224c786f4fce), these instances now get flagged as an assignment mismatch: File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 717, in walkopts: Type annotation for pats does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 718, in walkopts: Type annotation for opts does not match type of assignment [annotation-type-mismatch] Annotation: Dict[bytes, Any] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 722, in walkopts: Type annotation for revspec does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 725, in walkopts: Type annotation for bookmarks does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 726, in walkopts: Type annotation for branches does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 727, in walkopts: Type annotation for date does not match type of assignment [annotation-type-mismatch] Annotation: Optional[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 728, in walkopts: Type annotation for keywords does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 729, in walkopts: Type annotation for no_merges does not match type of assignment [annotation-type-mismatch] Annotation: bool Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 730, in walkopts: Type annotation for only_merges does not match type of assignment [annotation-type-mismatch] Annotation: bool Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 731, in walkopts: Type annotation for prune_ancestors does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 732, in walkopts: Type annotation for users does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 735, in walkopts: Type annotation for include_pats does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 736, in walkopts: Type annotation for exclude_pats does not match type of assignment [annotation-type-mismatch] Annotation: List[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 739, in walkopts: Type annotation for follow does not match type of assignment [annotation-type-mismatch] Annotation: int Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 743, in walkopts: Type annotation for force_changelog_traversal does not match type of assignment [annotation-type-mismatch] Annotation: bool Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 747, in walkopts: Type annotation for filter_revisions_by_pats does not match type of assignment [annotation-type-mismatch] Annotation: bool Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 750, in walkopts: Type annotation for sort_revisions does not match type of assignment [annotation-type-mismatch] Annotation: Optional[bytes] Assignment: mercurial.thirdparty.attr._make._CountingAttr File "/mnt/c/Users/Matt/hg/mercurial/logcmdutil.py", line 753, in walkopts: Type annotation for limit does not match type of assignment [annotation-type-mismatch] Annotation: Optional[int] Assignment: mercurial.thirdparty.attr._make._CountingAttr Differential Revision: https://phab.mercurial-scm.org/D11474
author Matt Harbison <matt_harbison@yahoo.com>
date Mon, 20 Sep 2021 11:22:27 -0400
parents 3e3acf5d6a07
children 7e5be4a7cda7
line wrap: on
line source

#require serve

  $ cat > web.conf << EOF
  > [paths]
  > / = $TESTTMP/*
  > EOF

  $ hg init repo1
  $ cd repo1
  $ touch foo
  $ hg -q commit -A -m initial
  $ cd ..

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid >> $DAEMON_PIDS

repo index should not send Content-Security-Policy header by default

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows

static page should not send CSP by default

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows

repo page should not send CSP by default, should send ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  etag: W/"*" (glob)

  $ killdaemons.py

Configure CSP without nonce

  $ cat >> web.conf << EOF
  > [web]
  > csp = script-src https://example.com/ 'unsafe-inline'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

repo index should send Content-Security-Policy header when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

static page should send CSP when enabled

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

  $ get-with-headers.py --twice --headeronly localhost:$HGPORT repo1/static/style.css content-security-policy
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  304 Not Modified
  content-security-policy: script-src https://example.com/ 'unsafe-inline'

repo page should send CSP by default, include etag w/o nonce

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: script-src https://example.com/ 'unsafe-inline'
  etag: W/"*" (glob)

nonce should not be added to html if CSP doesn't use it

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip | egrep 'content-security-policy|<script'
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript">
  <script type="text/javascript">

Configure CSP with nonce

  $ killdaemons.py
  $ cat >> web.conf << EOF
  > csp = image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'
  > EOF

  $ hg serve -p $HGPORT -d --pid-file=hg.pid --web-conf web.conf
  $ cat hg.pid > $DAEMON_PIDS

nonce should be substituted in CSP header

  $ get-with-headers.py --headeronly localhost:$HGPORT '' content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be included in CSP for static pages

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

repo page should have nonce, no ETag

  $ get-with-headers.py --headeronly localhost:$HGPORT repo1 content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce should be added to html when used

  $ get-with-headers.py localhost:$HGPORT repo1/graph/tip content-security-policy | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/repo1/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)

hgweb_mod w/o hgwebdir works as expected

  $ killdaemons.py

  $ hg serve -R repo1 -p $HGPORT -d --pid-file=hg.pid --config "web.csp=image-src 'self'; script-src https://example.com/ 'nonce-%nonce%'"
  $ cat hg.pid > $DAEMON_PIDS

static page sends CSP

  $ get-with-headers.py --headeronly localhost:$HGPORT static/mercurial.js content-security-policy etag
  200 Script output follows
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)

nonce included in <script> and headers

  $ get-with-headers.py localhost:$HGPORT graph/tip content-security-policy  | egrep 'content-security-policy|<script'
  content-security-policy: image-src 'self'; script-src https://example.com/ 'nonce-*' (glob)
  <script type="text/javascript" src="/static/mercurial.js"></script>
  <script type="text/javascript" nonce="*"> (glob)
  <script type="text/javascript" nonce="*"> (glob)