From 4f5b40205daca90a9698943176c29fe8e7669acd Mon Sep 17 00:00:00 2001
From: missytake
Date: Tue, 17 Oct 2023 17:17:05 +0200
Subject: [PATCH] test: try to forge FROM addresses
---
 online-tests/test_0_login.py | 117 +++++++++++++++++++++++++++++++++++
 1 file changed, 117 insertions(+)
diff --git a/online-tests/test_0_login.py b/online-tests/test_0_login.py
index 63388b01..ee003c2c 100644
--- a/online-tests/test_0_login.py
+++ b/online-tests/test_0_login.py
@@ -1,3 +1,5 @@
+import smtplib
+
 import pytest
@@ -34,3 +36,118 @@ def test_login_same_password(imap_or_smtp, gencreds):
 imap_or_smtp.login(user1, password1)
 imap_or_smtp.connect()
 imap_or_smtp.login(user2, password1)
+
+
+@pytest.mark.parametrize(
+ ("authenticated", "existing_from", "outside_to", "log_msg"),
+ [
+ (False, False, False, "Sending message with forged FROM of chatmail user to chatmail user"),
+ (False, True, False, "Sending message with forged FROM of outside user to chatmail user"),
+ (False, False, True, "Sending message with forged FROM of chatmail user to outside user"),
+ (False, True, True, "Sending message with forged FROM of outside user to outside user"),
+ (True, False, False, "Sending authenticated message with forged FROM of chatmail user to chatmail user"),
+ (True, True, False, "Sending authenticated message with forged FROM of outside user to chatmail user"),
+ (True, False, True, "Sending authenticated message with forged FROM of chatmail user to outside user"),
+ (True, True, True, "Sending authenticated message with forged FROM of outside user to outside user"),
+ ]
+)
+def test_send_with_forged_from(smtp, gencreds, lp, authenticated, existing_from, outside_to, log_msg):
+ """Test that users can't impersonate each other."""
+ if outside_to:
+ to_addr = "recipient@example.org"
+ else:
+ to_addr, password = gencreds()
+ smtp.connect()
+ smtp.login(to_addr, password)
+ smtp.conn.close()
+
+ if existing_from:
+ from_addr, password = gencreds()
+ smtp.connect()
+ smtp.login(from_addr, password)
+ smtp.conn.close()
+ else:
+ from_addr = f"9d8znohcoimafiilvsjfovaniufsmdj@{smtp.host}"
+
+ smtp.connect()
+ if authenticated:
+ attacker_addr, password = gencreds()
+ smtp.login(attacker_addr, password)
+
+ mail = "\r\n".join([
+ "Subject: ...",
+ f"From: <{from_addr}>",
+ f"To: <{to_addr}>",
+ "Date: Sun, 15 Oct 2023 16:43:21 +0000",
+ "Message-ID: ",
+ "In-Reply-To: ",
+ "References: ",
+ "\t",
+ "Chat-Version: 1.0",
+ f"Autocrypt: addr={from_addr}; prefer-encrypt=mutual;",
+ "\tkeydata=xjMEZSwWjhYJKwYBBAHaRw8BAQdAQBEhqeJh0GueHB6kF/DUQqYCxARNBVokg/AzT+7LqH",
+ "\trNFzxiYXJiYXpAYzIudGVzdHJ1bi5vcmc+wosEEBYIADMCGQEFAmUsFo4CGwMECwkIBwYVCAkKCwID",
+ "\tFgIBFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX9A4AEAnHWHp49eBCMHK5t66gYPiW",
+ "\tXQuB1mwUjzGfYWB+0RXUoA/0xcQ3FbUNlGKW7Blp6eMFfViv6Mv2d3kNSXACB6nmcMzjgEZSwWjhIK",
+ "\tKwYBBAGXVQEFAQEHQBpY5L2M1XHo0uxf8SX1wNLBp/OVvidoWHQF2Jz+kJsUAwEIB8J4BBgWCAAgBQ",
+ "\tJlLBaOAhsMFiEEFTfUNvVnY3b9F7yHnmme1PfUhX8ACgkQnmme1PfUhX/INgEA37AJaNvruYsJVanP",
+ "\tIXnYw4CKd55UAwl8Zcy+M2diAbkA/0fHHcGV4r78hpbbL1Os52DPOdqYQRauIeJUeG+G6bQO",
+ "MIME-Version: 1.0",
+ 'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";',
+ '\tboundary="YFrteb74qSXmggbOxZL9dRnhymywAi"',
+ "",
+ "",
+ "--YFrteb74qSXmggbOxZL9dRnhymywAi",
+ "Content-Description: PGP/MIME version identification",
+ "Content-Type: application/pgp-encrypted",
+ "",
+ "Version: 1",
+ "",
+ "",
+ "--YFrteb74qSXmggbOxZL9dRnhymywAi",
+ "Content-Description: OpenPGP encrypted message",
+ 'Content-Disposition: inline; filename="encrypted.asc";',
+ 'Content-Type: application/octet-stream; name="encrypted.asc"',
+ "",
+ "-----BEGIN PGP MESSAGE-----",
+ "",
+ "wU4DhW3gBZ/VvCYSAQdA8bMs2spwbKdGjVsL1ByPkNrqD7frpB73maeL6I6SzDYg",
+ "O5G53tv339RdKq3WRcCtEEvxjHlUx2XNwXzC04BpmfvBTgNfPUyLDzjXnxIBB0Ae",
+ "8ymwGvXMCCimHXN0Dg8Ui62KOi03h0UgheoHWovJSCDF4CKre/xtFr3nL7lq/PKI",
+ "JsjVNz7/RK9FSXF6WwfONtLCyQGEuVAsB/KXfCBEyfKhaMwGHvhujRidGW5uV1no",
+ "lMGl3ODmo29Lgeu2uSE7EpJRZoe6hU6ddmBkqxax61ZtkaFlGFFpdo2K8balNNdz",
+ "ZsJ/9mmI9x3oOJ4/l1nhQbUO9ADbs7gJhFdV5Qkp30b5fCI7bU+aoe1ccBbLe/WM",
+ "YUty1PqcuQT7XjA+XmYuL261tvW8pBetT+i33/E2d8PzzYt2IuK9qeevyS+yxdwA",
+ "kfwejFWzzsUlJaDxs1x4XOxkMgSj+jo+g12dFOb7fyClsAnq23iDb8AuaT/BScAI",
+ "+lO+gher69+6LmM7VGHLG5k762J1jTaQCaKt1s8TAWV99Eo4491vL6fyvk3l/Cfg",
+ "RXSwiWFgj19Pn0Rq7CD9v22UE2vdUMBTcV4aw79mClk1YQ23jbF0y5DCjPdJ62Zo",
+ "tskBgFt3NoWV80jZ76zIBLrrjLwCCll8JjJtFwSkt2GX5RFBsVa4A8IDht9RtEk7",
+ "rrHgbSZQfkauEi/mH3/6CDZoLqSHudUZ7d4MaJwun1TkFYGe2ORwGJd4OBj3oGJp",
+ "H8YBwCpk///L/fKjX0Gg3M8nrpM4wrRFhPKidAgO/kcm25X4+ZHlVkWBTCt5RWKI",
+ "fHh6oLDZCqCfcgMkE1KKmwfIHaUkhq5BPRigwy6i5dh1DM4+1UCLh3dxzVbqE9b9",
+ "61NB19nXdRtDA2sOUnj9ve6m/wEPyCb6/zBQZqvCBYb1/AjdXpUrFT+DbpfyxaXN",
+ "XfhDVb5mNqNM/IVj0V5fvTc6vOfYbzQtPm10H+FdWWfb+rJRfyC3MA2w2IqstFe3",
+ "w3bu2iE6CQvSqRvge+ZqLKt/NqYwOURiUmpuklbl3kPJ97+mfKWoiqk8Iz1VY+bb",
+ "NMUC7aoGv+jcoj+WS6PYO8N6BeRVUUB3ZJSf8nzjgxm1/BcM+UD3BPrlhT11ODRs",
+ "baifGbprMWwt3dhb8cQgRT8GPdpO1OsDkzL6iikMjLHWWiA99GV6ruiHsIPw6boW",
+ "A6/uSOskbDHOROotKmddGTBd0iiHXAoQsJFt1ZjUkt6EHrgWs+GAvrvKpXs1mrz8",
+ "uj3GwEFrHS+Xuf2UDgpszYT3hI2cL/kUtGakVR7m7vVMZqXBUbZdGAEb1PZNPwsI",
+ "E4aMK02+EVB+tSN4Fzj99N2YD0inVYt+oPjr2tHhUS6aSGBNS/48Ki47DOg4Sxkn",
+ "lkOWnEbCD+XTnbDd",
+ "=agR5",
+ "-----END PGP MESSAGE-----",
+ "",
+ "",
+ "--YFrteb74qSXmggbOxZL9dRnhymywAi--",
+ "",
+ "",
+ ]).encode()
+
+ if not authenticated:
+ smtperror = smtplib.SMTPRecipientsRefused
+ else:
+ smtperror = smtplib.SMTPException
+
+ lp.sec(log_msg)
+ with pytest.raises(smtperror):
+ smtp.conn.sendmail(from_addr, to_addr, mail)