fix(flask): preserve html content-type for error routes

When we introduces the direct usage of the Response type we purged the
content-type and returned text/plain instead.
Fix this behavior by explicitly setting the content-type and add asserts
for all expected content-types.

Author: anthraxx

test/test_admin.py

@@ -183,11 +183,13 @@ def test_edit_requires_admin(db, client):
     resp = client.post(url_for('tracker.edit_user', username=USERNAME), follow_redirects=True,
                        data=dict(username=USERNAME, email=EMAIL, password=PASSWORD))
     assert resp.status_code == Forbidden.code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
 
 @create_user(username=USERNAME, password=PASSWORD)
 @logged_in(role=UserRole.security_team)
 def test_list_user(db, client):
     resp = client.get(url_for('tracker.list_user'), follow_redirects=True)
     assert resp.status_code == 200
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert USERNAME in resp.data.decode()

test/test_advisory.py

@@ -208,6 +208,7 @@ def test_edit_advisory(db, client):
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True,
                        data={'workaround': workaround, 'impact': impact})
     assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert_advisory_data(DEFAULT_ADVISORY_ID, workaround=workaround, impact=impact)
     assert 1 == advisory_count()
 
@@ -217,6 +218,7 @@ def test_edit_advisory_not_found(db, client):
     resp = client.post(url_for('tracker.edit_advisory', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True,
                        data={'workaround': 'nothing', 'impact': 'nothing'})
     assert resp.status_code == NotFound.code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
 
 @create_package(name='foo', version='1.2.3-4')
@@ -360,6 +362,7 @@ def test_advisory_atom(db, client):
 def test_advisory_json_no_data(db, client):
     resp = client.get(url_for('tracker.advisory_json', postfix='/json'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
     data = resp.get_json()
     assert data == []
 
@@ -370,6 +373,7 @@ def test_advisory_json_no_data(db, client):
 def test_advisory_json(db, client):
     resp = client.get(url_for('tracker.advisory_json', postfix='/json'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
     data = resp.get_json()
     assert len(data) == 1
     assert data[0]['name'] == DEFAULT_ADVISORY_ID
@@ -400,6 +404,7 @@ def test_advisory_format_issue_listing_raw(db, client):
                               advisory_id=DEFAULT_ADVISORY_ID),
                       follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'text/plain; charset=utf-8' == resp.content_type
     data = resp.data.decode()
     assert 'CVE-ID  : CVE-1111-1234  CVE-1111-12345  CVE-1234-11111 CVE-1234-11112\n' + \
            '          CVE-1234-12345 CVE-1234-123456\n' in data
@@ -466,6 +471,7 @@ def test_advisory_publish_advisory(db, client, patch_get):
 def test_advisory_raw(db, client):
     resp = client.get(url_for('tracker.show_advisory_raw', advisory_id=DEFAULT_ADVISORY_ID), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'text/plain; charset=utf-8' == resp.content_type
     data = resp.data.decode()
     assert 'Arch Linux Security Advisory {}'.format(DEFAULT_ADVISORY_ID) in data
 

test/test_cve.py

@@ -236,13 +236,15 @@ def test_copy_needs_login(db, client):
 def test_show_issue(db, client):
     resp = client.get(url_for('tracker.show_cve', cve=DEFAULT_ISSUE_ID, path=''))
     assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert DEFAULT_ISSUE_ID in resp.data.decode()
 
 
 @logged_in
 def test_show_issue_not_found(db, client):
     resp = client.get(url_for('tracker.show_cve', cve='CVE-2011-0000', path=''), follow_redirects=True)
     assert resp.status_code == NotFound.code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
 
 @create_issue
@@ -278,6 +280,7 @@ def test_delete_issue_not_found(db, client):
 def test_issue_json(db, client):
     resp = client.get(url_for('tracker.show_cve_json', cve=DEFAULT_ISSUE_ID, path='', suffix='.json'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
 
     data = resp.get_json()
     assert DEFAULT_ISSUE_ID == data['name']
@@ -286,6 +289,7 @@ def test_issue_json(db, client):
 def test_issue_json_not_found(db, client):
     resp = client.get(url_for('tracker.show_cve_json', cve=DEFAULT_ISSUE_ID, path='', suffix='.json'), follow_redirects=True)
     assert resp.status_code == NotFound.code
+    assert 'application/json; charset=utf-8' == resp.content_type
 
 
 @create_issue
@@ -426,6 +430,7 @@ def test_edit_issue_as_reporter_with_referenced_advisory_fails(db, client):
     resp = client.post(url_for('tracker.edit_cve', cve=DEFAULT_ISSUE_ID), follow_redirects=True,
                        data=default_issue_dict(dict(description='changed')))
     assert Forbidden.code == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
     data = resp.data.decode()
     assert f'Edited {DEFAULT_ISSUE_ID}' not in data

test/test_group.py

@@ -143,6 +143,7 @@ def test_copy_needs_login(db, client):
 def test_show_group_not_found(db, client):
     resp = client.get(url_for('tracker.show_group', avg='AVG-42'), follow_redirects=True)
     assert resp.status_code == NotFound.code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
 
 @logged_in
@@ -329,11 +330,20 @@ def test_show_group_sort_cve_entries(db, client):
             'CVE-1111-12345',
             'CVE-1111-1234'] == cves
 
+@create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3', fixed='1.2.3-4')
+@create_advisory(id=DEFAULT_ADVISORY_ID, group_package_id=DEFAULT_GROUP_ID, advisory_type=issue_types[1])
+def test_show_group(db, client):
+    resp = client.get(url_for('tracker.show_group', avg=DEFAULT_GROUP_NAME), follow_redirects=True)
+    assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
+    assert DEFAULT_GROUP_NAME in resp.data.decode()
+
 @create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3', fixed='1.2.3-4')
 @create_advisory(id=DEFAULT_ADVISORY_ID, group_package_id=DEFAULT_GROUP_ID, advisory_type=issue_types[1])
 def test_show_group_json(db, client):
     resp = client.get(url_for('tracker.show_group_json', avg=DEFAULT_GROUP_NAME, postfix='/json'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
     data = resp.get_json()
     assert data['name'] == DEFAULT_GROUP_NAME
     assert data['issues'] == [DEFAULT_ISSUE_ID]
@@ -344,6 +354,7 @@ def test_show_group_json(db, client):
 def test_show_group_json_not_found(db, client):
     resp = client.get(url_for('tracker.show_group_json', avg=DEFAULT_GROUP_NAME, postfix='/json'), follow_redirects=True)
     assert NotFound.code == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
 
 @create_package(name='foo', version='1.2.3-4')
 @create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3', fixed='1.2.3-4')

test/test_index.py

@@ -1,5 +1,4 @@
 from flask import url_for
-from werkzeug.exceptions import NotFound
 
 from .conftest import DEFAULT_GROUP_ID
 from .conftest import DEFAULT_GROUP_NAME
@@ -12,6 +11,7 @@
 def test_index(db, client):
     resp = client.get(url_for('tracker.index'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert DEFAULT_GROUP_NAME not in resp.data.decode()
 
 
@@ -37,6 +37,7 @@ def test_index_json(db, client):
     resp = client.get(url_for('tracker.index_json', only_vulernable=False, path='all.json'), follow_redirects=True)
     assert 200 == resp.status_code
     data = resp.get_json()
+    assert 'application/json; charset=utf-8' == resp.content_type
     assert len(data) == 1
     assert data[0]['name'] == DEFAULT_GROUP_NAME
 

test/test_login.py

@@ -16,6 +16,7 @@
 def test_login_view(db, client):
     resp = client.get(url_for('tracker.login'))
     assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
 
 
 @create_user
@@ -31,6 +32,7 @@ def test_login_invalid_credentials(db, client):
     resp = client.post(url_for('tracker.login'), data={'username': DEFAULT_USERNAME,
                                                'password': 'N' * TRACKER_PASSWORD_LENGTH_MIN})
     assert_not_logged_in(resp, status_code=Unauthorized.code)
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert ERROR_INVALID_USERNAME_PASSWORD in resp.data.decode()
 
 

test/test_package.py

@@ -18,6 +18,7 @@
 def test_show_package_json(db, client):
     resp = client.get(url_for('tracker.show_package_json', pkgname='foo', suffix='/json'), follow_redirects=True)
     assert 200 == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
     data = resp.get_json()
     assert len(data['groups']) == 1
     assert len(data['versions']) == 1
@@ -29,10 +30,14 @@ def test_show_package_json(db, client):
 def test_show_package_json_not_found(db, client):
     resp = client.get(url_for('tracker.show_package_json', pkgname='foo', suffix='/json'), follow_redirects=True)
     assert NotFound.code == resp.status_code
+    assert 'application/json; charset=utf-8' == resp.content_type
+
 
 def test_show_package_not_found(db, client):
     resp = client.get(url_for('tracker.show_package', pkgname='foo'), follow_redirects=True)
     assert NotFound.code == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
+
 
 @create_package(name='foo', version='1.2.3-4')
 @create_group(id=DEFAULT_GROUP_ID, packages=['foo'], affected='1.2.3-3', fixed='1.2.3-4')
@@ -42,4 +47,5 @@ def test_show_package(db, client):
     html = AssertionHTMLParser()
     html.feed(resp.data.decode())
     assert 200 == resp.status_code
+    assert 'text/html; charset=utf-8' == resp.content_type
     assert 'foo' in resp.data.decode()

tracker/view/error.py

@@ -4,8 +4,8 @@
 from os import urandom
 from random import randint
 
+from flask import make_response
 from flask import render_template
-from werkzeug import Response
 from werkzeug.exceptions import BadRequest
 from werkzeug.exceptions import Forbidden
 from werkzeug.exceptions import Gone
@@ -34,10 +34,10 @@ def wrapped(*args, **kwargs):
 def handle_error(e, code, json=False):
     if json:
         return {'message': e}, code
-    return Response(render_template('error.html',
-                                    smiley=smileys_sad[randint(0, len(smileys_sad) - 1)],
-                                    text=e,
-                                    title='{}'.format(code)), code)
+    return make_response(render_template('error.html',
+                         smiley=smileys_sad[randint(0, len(smileys_sad) - 1)],
+                         text=e,
+                         title='{}'.format(code)), code)
 
 
 @errorhandler(NotFound.code)