本文整理汇总了Python中sentry.utils.http.is_valid_origin函数的典型用法代码示例。如果您正苦于以下问题:Python is_valid_origin函数的具体用法?Python is_valid_origin怎么用?Python is_valid_origin使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了is_valid_origin函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: is_valid_csp_report
def is_valid_csp_report(report, project=None):
    """Return True when a CSP violation report is worth ingesting.

    A report is rejected when its ``effective_directive`` is not one of
    ``ALLOWED_DIRECTIVES``, when ``blocked_uri`` is the bare ``'about'``
    value some Chrome builds send, when it carries neither a
    ``blocked_uri`` nor a ``source_file``, or when either of those URIs
    matches an ignored source.

    Args:
        report: the decoded ``csp-report`` mapping.
        project: optional project whose ``sentry:csp_ignored_sources`` and
            ``sentry:csp_ignored_sources_defaults`` options shape the ignore
            list. With no project only ``DISALLOWED_SOURCES`` applies.
    """
    # Only a closed set of directives is actionable.
    if report.get('effective_directive') not in ALLOWED_DIRECTIVES:
        return False

    blocked_uri = report.get('blocked_uri')
    source_file = report.get('source_file')

    # Chrome 45 and 46 were observed sending blocked-uri as just 'about';
    # that carries no information, so drop it.
    if blocked_uri == 'about':
        return False

    # Without at least one URI there is nothing sensible to do.
    if not (blocked_uri or source_file):
        return False

    # Ignore list: the built-in defaults unless the project opted out,
    # plus whatever the project configured itself.
    use_defaults = project is None or bool(
        project.get_option('sentry:csp_ignored_sources_defaults', True)
    )
    ignored = DISALLOWED_SOURCES if use_defaults else ()
    if project is not None:
        ignored += tuple(project.get_option('sentry:csp_ignored_sources', []))

    if not ignored:
        return True

    # is_valid_origin() is reused here as a "matches one of these sources"
    # test, so a match means the report is noise and must be dropped.
    for uri in (source_file, blocked_uri):
        if uri and is_valid_origin(uri, allowed=ignored):
            return False
    return True
示例2: _dispatch
def _dispatch(self, request, helper, project_id=None, origin=None, *args, **kwargs):
    """Resolve the target project, enforce the CORS origin policy and
    delegate to the real view.

    Args:
        request: the incoming Django request; ``request.user`` is forced to
            ``AnonymousUser`` because store requests are authenticated by
            the auth header, not by a session.
        helper: request helper that owns the context and parses auth.
        project_id: project id from the URL, or None for the legacy
            ``/api/store/`` route where it is only available from auth.
        origin: the Origin/Referer value already extracted by the caller,
            or None when absent.

    Raises:
        APIError: a CORS request without a project in the URL, an
            unidentifiable project, or two different projects named.
        APIForbidden: the origin is not allowed for the project, or a
            non-GET request arrives with neither a secret key nor an origin.
    """
    request.user = AnonymousUser()

    project = self._get_project_from_id(project_id)
    if project:
        helper.context.bind_project(project)
        Raven.tags_context(helper.context.get_tags_context())

    if origin is not None:
        # This check is specific for clients who need CORS support
        if not project:
            raise APIError("Client must be upgraded for CORS support")
        # The origin is validated against the project before any body is
        # parsed, so a disallowed origin never reaches the handler.
        if not is_valid_origin(origin, project):
            raise APIForbidden("Invalid origin: %s" % (origin,))

    # XXX: It seems that the OPTIONS call does not always include custom headers
    if request.method == "OPTIONS":
        response = self.options(request, project)
    else:
        auth = self._parse_header(request, helper, project)

        project_ = helper.project_from_auth(auth)

        # Legacy API was /api/store/ and the project ID was only available elsewhere
        if not project:
            if not project_:
                raise APIError("Unable to identify project")
            project = project_
            helper.context.bind_project(project)
        elif project_ != project:
            raise APIError("Two different project were specified")

        helper.context.bind_auth(auth)
        Raven.tags_context(helper.context.get_tags_context())

        if auth.version != "2.0":
            if not auth.secret_key:
                # If we're missing a secret_key, check if we are allowed
                # to do a CORS request.

                # If we're missing an Origin/Referrer header entirely,
                # we only want to support this on GET requests. By allowing
                # un-authenticated CORS checks for POST, we basially
                # are obsoleting our need for a secret key entirely.
                if origin is None and request.method != "GET":
                    raise APIForbidden("Missing required attribute in authentication header: sentry_secret")

                # On the legacy route the project may only have been
                # resolved from auth, so the origin is re-checked against it.
                if not is_valid_origin(origin, project):
                    raise APIForbidden("Missing required Origin or Referer header")

        response = super(APIView, self).dispatch(
            request=request, project=project, auth=auth, helper=helper, **kwargs
        )

    if origin:
        # Only reached after is_valid_origin() accepted this origin above,
        # so echoing it back in the CORS header is safe.
        response["Access-Control-Allow-Origin"] = origin

    return response
示例3: test_project_and_setting
def test_project_and_setting(self):
    """A project-level ``sentry:origins`` option does not shadow the global
    ``SENTRY_ALLOW_ORIGIN`` setting: an origin allowed globally is still
    valid even though the project lists a different one."""
    from sentry.models import Project
    from sentry.models import ProjectOption

    project = Project.objects.get()
    ProjectOption.objects.create(
        project=project,
        key='sentry:origins',
        value=['http://foo.example'],
    )

    with self.Settings(SENTRY_ALLOW_ORIGIN='http://example.com'):
        allowed = is_valid_origin('http://example.com', project)
        self.assertTrue(allowed)
示例4: post
def post(self, request, project, helper, **kwargs):
    """Accept a browser CSP violation report and hand it to the event pipeline.

    CSP reports are posted by the browser without auth headers, so the
    report's own ``document-uri`` serves as the origin for the CORS check
    (see ``_dispatch``).

    Raises:
        APIError: the body has no ``csp-report`` key.
        APIForbidden: ``document-uri`` is ``about:blank`` or not an allowed
            origin for the project.
    """
    data = helper.safely_load_json_string(request.body)

    try:
        report = data['csp-report']
    except KeyError:
        raise APIError('Missing csp-report')

    # Do origin check based on the `document-uri` key as explained
    # in `_dispatch`.
    document_uri = report.get('document-uri')
    # No idea, but this is garbage
    if document_uri == 'about:blank':
        raise APIForbidden('Invalid document-uri')

    if not is_valid_origin(document_uri, project):
        # Count the rejection against the project so CORS failures are
        # visible in its stats before refusing the report.
        if project:
            tsdb.incr(tsdb.models.project_total_received_cors, project.id)
        raise APIForbidden('Invalid document-uri')

    # Attach on collected meta data. This data obviously isn't a part
    # of the spec, but we need to append to the report sentry specific things.
    report['_meta'] = {'release': request.GET.get('sentry_release')}

    outcome = self.process(
        request, project=project, helper=helper, data=report, **kwargs
    )
    if isinstance(outcome, HttpResponse):
        return outcome
    return HttpResponse(status=201)
示例5: dispatch
def dispatch(self, request, *args, **kwargs):
    """
    Identical to rest framework's dispatch except we add the ability
    to convert arguments (for common URL params).

    Beyond the stock flow this also loads the JSON body up front, honours
    the optional ``SENTRY_API_RESPONSE_DELAY``, refuses a browser Origin the
    authenticated token does not allow, fills in ``request.access`` and
    attaches CORS headers on the way out.
    """
    self.args = args
    self.kwargs = kwargs
    request = self.initialize_request(request, *args, **kwargs)
    self.load_json_body(request)
    self.request = request
    self.headers = self.default_response_headers  # deprecate?

    if settings.SENTRY_API_RESPONSE_DELAY:
        time.sleep(settings.SENTRY_API_RESPONSE_DELAY / 1000.0)

    # A "null" value should be treated as no Origin for us.
    # See RFC6454 for more information on this behavior.
    raw_origin = request.META.get('HTTP_ORIGIN', 'null')
    origin = None if raw_origin == 'null' else raw_origin

    try:
        if origin and request.auth:
            # A bad origin is answered before self.initial() or any
            # handler runs.
            allowed_origins = request.auth.get_allowed_origins()
            if not is_valid_origin(origin, allowed=allowed_origins):
                rejected = Response('Invalid origin: %s' %
                                    (origin, ), status=400)
                self.response = self.finalize_response(
                    request, rejected, *args, **kwargs)
                return self.response

        self.initial(request, *args, **kwargs)

        # Get the appropriate handler method
        method = request.method.lower()
        if method in self.http_method_names:
            handler = getattr(self, method, self.http_method_not_allowed)
            args, kwargs = self.convert_args(request, *args, **kwargs)
            self.args = args
            self.kwargs = kwargs
        else:
            handler = self.http_method_not_allowed

        if getattr(request, 'access', None) is None:
            # setup default access
            request.access = access.from_request(request)

        response = handler(request, *args, **kwargs)
    except Exception as exc:
        response = self.handle_exception(request, exc)

    if origin:
        self.add_cors_headers(request, response)

    self.response = self.finalize_response(
        request, response, *args, **kwargs)
    return self.response
示例6: post
def post(self, request, project, helper, **kwargs):
    """Ingest a browser security report of any recognised type.

    The report type is sniffed from the JSON body, parsed through the
    matching interface, origin-checked using the report's own document
    URI (see ``_dispatch``) and then handed to ``self.process``.

    Raises:
        APIError: unknown report type, or a body that fails the
            interface's JSON schema.
        APIForbidden: the report's origin is not allowed for the project.
    """
    json_body = helper.safely_load_json_string(request.body)

    report_type = self.security_report_type(json_body)
    if report_type is None:
        raise APIError('Unrecognized security report type')
    interface = get_interface(report_type)

    try:
        instance = interface.from_raw(json_body)
    except jsonschema.ValidationError as e:
        # Only the first line of the validator message is surfaced.
        first_line = str(e).splitlines()[0]
        raise APIError('Invalid security report: %s' % first_line)

    # Do origin check based on the `document-uri` key as explained in `_dispatch`.
    origin = instance.get_origin()
    if not is_valid_origin(origin, project):
        # Record the rejection in the project's CORS counter first.
        if project:
            tsdb.incr(tsdb.models.project_total_received_cors, project.id)
        raise APIForbidden('Invalid origin')

    payload = {
        'interface': interface.path,
        'report': instance,
        'release': request.GET.get('sentry_release'),
        'environment': request.GET.get('sentry_environment'),
    }
    processed = self.process(
        request, project=project, helper=helper, data=payload, **kwargs
    )
    if isinstance(processed, HttpResponse):
        return processed
    return HttpResponse(content_type='application/javascript', status=201)
示例7: post
def post(self, request, project, auth, helper, **kwargs):
    """Accept a browser CSP violation report and hand it to the event pipeline.

    CSP reports are posted by the browser without auth headers, so the
    report's own ``document-uri`` serves as the origin for the CORS check
    (see ``_dispatch``).

    Raises:
        APIError: the body has no ``csp-report`` key.
        APIForbidden: ``document-uri`` is ``about:blank`` or not an allowed
            origin for the project.
    """
    data = helper.safely_load_json_string(request.body)

    try:
        report = data['csp-report']
    except KeyError:
        raise APIError('Missing csp-report')

    # Do origin check based on the `document-uri` key as explained
    # in `_dispatch`. A literal about:blank is garbage and is rejected
    # before the origin check runs.
    document_uri = report.get('document-uri')
    if document_uri == 'about:blank' or not is_valid_origin(document_uri, project):
        raise APIForbidden('Invalid document-uri')

    outcome = self.process(
        request,
        project=project,
        auth=auth,
        helper=helper,
        data=report,
        **kwargs
    )
    return outcome if isinstance(outcome, HttpResponse) else HttpResponse(status=201)
示例8: dispatch
def dispatch(self, request):
    """Serve the embeddable user-feedback widget and accept its submissions.

    GET renders the JavaScript that injects the feedback form, POST
    validates and stores a ``UserReport`` for the given ``eventId`` and
    OPTIONS answers the CORS preflight. Every path first requires a
    project key and an origin accepted by that key's project.
    """
    try:
        event_id = request.GET['eventId']
    except KeyError:
        return self._json_response(request, status=400)

    key = self._get_project_key(request)
    if not key:
        return self._json_response(request, status=404)

    origin = self._get_origin(request)
    if not origin:
        return self._json_response(request, status=403)

    # The widget is loaded cross-site, so the origin must be one the key's
    # project allows before any form handling happens.
    if not is_valid_origin(origin, key.project):
        return HttpResponse(status=403)

    if request.method == 'OPTIONS':
        return self._json_response(request)

    # TODO(dcramer): since we cant use a csrf cookie we should at the very
    # least sign the request / add some kind of nonce
    is_post = request.method == 'POST'
    form = UserReportForm(
        request.POST if is_post else None,
        initial={
            'name': request.GET.get('name'),
            'email': request.GET.get('email'),
        },
    )

    if form.is_valid():
        report = form.save(commit=False)
        report.project = key.project
        report.event_id = event_id
        try:
            report.group = Group.objects.get(
                eventmapping__event_id=report.event_id,
                eventmapping__project=key.project,
            )
        except Group.DoesNotExist:
            # XXX(dcramer): the system should fill this in later
            pass
        report.save()
        return HttpResponse(status=200)

    if is_post:
        return self._json_response(request, {
            "errors": dict(form.errors),
        }, status=400)

    # GET: render the form HTML and embed it, JSON-encoded, in the loader script.
    form_html = render_to_string('sentry/error-page-embed.html', {'form': form})
    context = {
        'endpoint': mark_safe(json.dumps(request.get_full_path())),
        'template': mark_safe(json.dumps(form_html)),
    }
    return render_to_response(
        'sentry/error-page-embed.js', context, request, content_type='text/javascript'
    )
示例9: _dispatch
def _dispatch(self, request, helper, project_id=None, origin=None, *args, **kwargs):
    """Resolve the project, enforce the CORS origin policy, bind auth and
    organization, then delegate to the real view.

    Args:
        request: incoming Django request; ``request.user`` is forced to
            ``AnonymousUser`` because store requests authenticate via the
            key in the auth header, not a session.
        helper: request helper that owns the context and resolves the
            project key from the parsed auth header.
        project_id: project id from the URL, or None for the legacy
            ``/api/store/`` route where only the key identifies it.
        origin: Origin/Referer value extracted by the caller, or None.

    Raises:
        APIError: a CORS request without a project in the URL, or a URL
            project that differs from the key's project.
        APIForbidden: origin not allowed for the project; the rejection is
            also counted in the project's CORS stat.
    """
    request.user = AnonymousUser()

    project = self._get_project_from_id(project_id)
    if project:
        helper.context.bind_project(project)
        Raven.tags_context(helper.context.get_tags_context())

    if origin is not None:
        # This check is specific for clients who need CORS support
        if not project:
            raise APIError('Client must be upgraded for CORS support')
        if not is_valid_origin(origin, project):
            # Counted before raising so disallowed origins show up in the
            # project's received-CORS counter.
            tsdb.incr(tsdb.models.project_total_received_cors,
                      project.id)
            raise APIForbidden('Invalid origin: %s' % (origin, ))

    # XXX: It seems that the OPTIONS call does not always include custom headers
    if request.method == 'OPTIONS':
        response = self.options(request, project)
    else:
        auth = self._parse_header(request, helper, project)

        key = helper.project_key_from_auth(auth)

        # Legacy API was /api/store/ and the project ID was only available elsewhere
        if not project:
            project = Project.objects.get_from_cache(id=key.project_id)
            helper.context.bind_project(project)
        elif key.project_id != project.id:
            raise APIError('Two different projects were specified')

        helper.context.bind_auth(auth)
        Raven.tags_context(helper.context.get_tags_context())

        # Explicitly bind Organization so we don't implicitly query it later
        # this just allows us to comfortably assure that `project.organization` is safe.
        # This also allows us to pull the object from cache, instead of being
        # implicitly fetched from database.
        project.organization = Organization.objects.get_from_cache(
            id=project.organization_id)

        response = super(APIView, self).dispatch(
            request=request, project=project, auth=auth, helper=helper, key=key, **kwargs
        )

    if origin:
        if origin == 'null':
            # If an Origin is `null`, but we got this far, that means
            # we've gotten past our CORS check for some reason. But the
            # problem is that we can't return "null" as a valid response
            # to `Access-Control-Allow-Origin` and we don't have another
            # value to work with, so just allow '*' since they've gotten
            # this far.
            # NOTE(review): '*' is only emitted after is_valid_origin()
            # above accepted the literal 'null' origin; whether that can
            # happen depends on the project's allowed-origin list.
            response['Access-Control-Allow-Origin'] = '*'
        else:
            # Echoing the origin is safe here: it passed is_valid_origin().
            response['Access-Control-Allow-Origin'] = origin

    return response
示例10: fetch_url
def fetch_url(url, project=None):
    """
    Pull down a URL, returning a UrlResult object.
    Attempts to fetch from the cache.

    Outcomes, good or bad, are cached for 60 seconds under a hash of the
    URL. A host whose fetch failed for a non-HTTP reason (timeout, DNS, ...)
    is pinned as bad for 5 minutes so one slow origin cannot stall
    processing. Returns ``BAD_SOURCE`` when the URL could not be fetched.
    """
    def _unpack(value):
        # BAD_SOURCE passes through untouched; anything else is (headers, body).
        if value == BAD_SOURCE:
            return value
        return UrlResult(url, *value)

    url_digest = hashlib.md5(url.encode('utf-8')).hexdigest()
    cache_key = 'source:%s' % (url_digest,)
    cached = cache.get(cache_key)
    if cached is not None:
        return _unpack(cached)

    # lock down domains that are problematic
    domain = urlparse(url).netloc
    domain_digest = hashlib.md5(domain.encode('utf-8')).hexdigest()
    domain_key = 'source:%s' % (domain_digest,)
    if cache.get(domain_key):
        return BAD_SOURCE

    # The project token is only attached when the URL is one of the
    # project's allowed origins, so it is never sent to arbitrary hosts.
    headers = []
    if project and is_valid_origin(url, project=project):
        token = project.get_option('sentry:token')
        if token:
            headers.append(('X-Sentry-Token', token))

    try:
        request = safe_urlopen(
            url,
            allow_redirects=True,
            headers=headers,
            timeout=settings.SENTRY_SOURCE_FETCH_TIMEOUT,
        )
    except HTTPError:
        result = BAD_SOURCE
    except Exception:
        # it's likely we've failed due to a timeout, dns, etc so let's
        # ensure we can't cascade the failure by pinning this for 5 minutes
        cache.set(domain_key, 1, 300)
        logger.warning('Disabling sources to %s for %ss', domain, 300,
                       exc_info=True)
        return BAD_SOURCE
    else:
        try:
            body = safe_urlread(request)
        except Exception:
            result = BAD_SOURCE
        else:
            result = (dict(request.headers), body)

    cache.set(cache_key, result, 60)
    return _unpack(result)
示例11: add_cors_headers
def add_cors_headers(self, request, response):
    """Attach CORS response headers when the request's Origin is allowed
    by the authenticated token.

    Nothing is added for unauthenticated requests, requests without an
    Origin header, or origins the token does not permit; in those cases
    the browser blocks the cross-site read on its own.
    """
    auth = request.auth
    origin = request.META.get('HTTP_ORIGIN')
    if not (auth and origin):
        return
    if not is_valid_origin(origin, allowed=auth.get_allowed_origins()):
        return
    response['Access-Control-Allow-Origin'] = origin
    response['Access-Control-Allow-Methods'] = ', '.join(self.http_method_names)
示例12: dispatch
def dispatch(self, request, *args, **kwargs):
    """
    Identical to rest framework's dispatch except we add the ability
    to convert arguments (for common URL params).

    Beyond the stock flow this honours the optional
    ``SENTRY_API_RESPONSE_DELAY``, refuses a browser Origin the
    authenticated token does not allow, wraps the handler in a SQL query
    count monitor and attaches CORS headers on the way out.
    """
    self.args = args
    self.kwargs = kwargs
    request = self.initialize_request(request, *args, **kwargs)
    self.request = request
    self.headers = self.default_response_headers  # deprecate?

    method = request.method.lower()
    metric_name = '{}.{}'.format(type(self).__name__, method)

    if settings.SENTRY_API_RESPONSE_DELAY:
        time.sleep(settings.SENTRY_API_RESPONSE_DELAY / 1000.0)

    origin = request.META.get('HTTP_ORIGIN')
    if origin and request.auth:
        # This check sits outside the try/except below, so a rejection is
        # returned directly instead of going through handle_exception().
        allowed_origins = request.auth.get_allowed_origins()
        if not is_valid_origin(origin, allowed=allowed_origins):
            rejected = Response('Invalid origin: %s' % (origin,), status=400)
            self.response = self.finalize_response(request, rejected, *args, **kwargs)
            return self.response

    try:
        self.initial(request, *args, **kwargs)

        # Get the appropriate handler method
        if method in self.http_method_names:
            handler = getattr(self, method, self.http_method_not_allowed)
            args, kwargs = self.convert_args(request, *args, **kwargs)
            self.args = args
            self.kwargs = kwargs
        else:
            handler = self.http_method_not_allowed

        with SqlQueryCountMonitor(metric_name):
            response = handler(request, *args, **kwargs)
    except Exception as exc:
        response = self.handle_exception(request, exc)

    if origin:
        self.add_cors_headers(request, response)

    self.response = self.finalize_response(request, response, *args, **kwargs)
    return self.response
示例13: should_filter
def should_filter(self, project=None):
    """Return True when one of this report's URIs matches an ignored source.

    Whichever of ``blocked_uri`` and ``source_file`` are set on the
    instance are tested against the ignore list: the built-in
    ``DEFAULT_DISALLOWED_SOURCES`` unless the project disabled them via
    ``sentry:csp_ignored_sources_defaults``, plus the project's own
    ``sentry:csp_ignored_sources``. An empty ignore list filters nothing.
    """
    uris = [
        getattr(self, attr)
        for attr in ('blocked_uri', 'source_file')
        if hasattr(self, attr)
    ]

    ignored = ()
    if project is None or bool(project.get_option('sentry:csp_ignored_sources_defaults', True)):
        ignored += DEFAULT_DISALLOWED_SOURCES
    if project is not None:
        ignored += tuple(project.get_option('sentry:csp_ignored_sources', []))

    if not ignored:
        return False
    # is_valid_origin() is reused as "does this URI match an ignored
    # source" -- a match means the report is filtered.
    return any(is_valid_origin(uri, allowed=ignored) for uri in uris)
示例14: post
def post(self, request, project, helper, key, **kwargs):
    """Ingest a browser security report, recording an INVALID outcome for
    every rejection so quota accounting sees dropped reports.

    Raises:
        APIError: unknown report type, or a body that fails the
            interface's JSON schema.
        APIForbidden: the report's document origin is not allowed for the
            project.
    """
    def _record_invalid(reason):
        # Every early rejection is charged to this project/key as INVALID.
        track_outcome(
            project.organization_id,
            project.id,
            key.id,
            Outcome.INVALID,
            reason)

    json_body = safely_load_json_string(request.body)

    report_type = self.security_report_type(json_body)
    if report_type is None:
        _record_invalid("security_report_type")
        raise APIError('Unrecognized security report type')
    interface = get_interface(report_type)

    try:
        instance = interface.from_raw(json_body)
    except jsonschema.ValidationError as e:
        _record_invalid("security_report")
        raise APIError('Invalid security report: %s' % str(e).splitlines()[0])

    # Do origin check based on the `document-uri` key as explained in `_dispatch`.
    origin = instance.get_origin()
    if not is_valid_origin(origin, project):
        if project:
            _record_invalid(FilterStatKeys.CORS)
        raise APIForbidden('Invalid origin')

    payload = {
        'interface': interface.path,
        'report': instance,
        'release': request.GET.get('sentry_release'),
        'environment': request.GET.get('sentry_environment'),
    }
    self.process(request, project=project, helper=helper, data=payload, key=key, **kwargs)
    return HttpResponse(content_type='application/javascript', status=201)
示例15: post
def post(self, request, project, auth, helper, **kwargs):
    """Accept a browser CSP violation report, drop known-noise reports
    against quota, and hand the rest to the event pipeline.

    CSP reports are posted by the browser without auth headers, so the
    report's own ``document-uri`` serves as the origin for the CORS check
    (see ``_dispatch``).

    Raises:
        APIError: the body has no ``csp-report`` key.
        APIForbidden: ``document-uri`` is ``about:blank`` or not an allowed
            origin, or the report fails ``is_valid_csp_report``.
    """
    data = helper.safely_load_json_string(request.body)

    try:
        report = data['csp-report']
    except KeyError:
        raise APIError('Missing csp-report')

    # Do origin check based on the `document-uri` key as explained
    # in `_dispatch`. A literal about:blank is garbage and is rejected
    # before the origin check runs.
    document_uri = report.get('document-uri')
    if document_uri == 'about:blank' or not is_valid_origin(document_uri, project):
        raise APIForbidden('Invalid document-uri')

    if not is_valid_csp_report(report, project):
        # An invalid CSP report must go against quota
        counters = [
            (app.tsdb.models.project_total_received, project.id),
            (app.tsdb.models.project_total_blacklisted, project.id),
            (app.tsdb.models.organization_total_received, project.organization_id),
            (app.tsdb.models.organization_total_blacklisted, project.organization_id),
        ]
        app.tsdb.incr_multi(counters)
        metrics.incr('events.blacklisted')
        raise APIForbidden('Rejected CSP report')

    outcome = self.process(
        request,
        project=project,
        auth=auth,
        helper=helper,
        data=report,
        **kwargs
    )
    return outcome if isinstance(outcome, HttpResponse) else HttpResponse(status=201)