Address PR review: improve tests, Sphinx roles, remove pyupgrade pin

rodrigobnogueira · rodrigobnogueira · commit 861e9652c16e · 2026-04-20T21:32:23.000-03:00
- Use :cve:`2026-3644` and :external+python:exc: roles in changelog
- Add pytest IDs to CTL chars from octal parametrize
- Parametrize literal CTL char test (was two separate tests)
- Use any() instead of list + in for semantic clarity
- Replace unittest.mock.patch with monkeypatch fixture (no new dep)
- Use @pytest.mark.usefixtures for void fixture injection
- Remove pyupgrade language_version: python3.13 pin
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -103,7 +103,6 @@ repos:
   hooks:
   - id: pyupgrade
     args: ['--py37-plus']
-    language_version: python3.13
 - repo: https://github.com/PyCQA/flake8
   rev: '7.3.0'
   hooks:
diff --git a/CHANGES/12395.bugfix.rst b/CHANGES/12395.bugfix.rst
@@ -1,5 +1,5 @@
-Fixed a crash (``CookieError``) in the cookie parser when receiving cookies
-containing ASCII control characters on CPython builds with the CVE-2026-3644
+Fixed a crash (:external+python:exc:`~http.cookies.CookieError`) in the cookie parser when receiving cookies
+containing ASCII control characters on CPython builds with the :cve:`2026-3644`
 patch. The parser now gracefully falls back to storing the raw, still-escaped
 ``coded_value`` when the decoded value contains control characters, and skips
 cookies whose raw header contains literal control characters that cannot be
diff --git a/tests/test_cookie_helpers.py b/tests/test_cookie_helpers.py
@@ -3,14 +3,12 @@
 import logging
 import sys
 import time
-import typing
 from http.cookies import (
     CookieError,
     Morsel,
     SimpleCookie,
     _unquote as simplecookie_unquote,
 )
-from unittest.mock import patch
 
 import pytest
 
@@ -1139,8 +1137,18 @@ def test_parse_set_cookie_headers_uses_unquote_with_octal(
 @pytest.mark.parametrize(
     ("header", "expected_name", "expected_coded"),
     [
-        (r'name="\012newline\012"', "name", r'"\012newline\012"'),
-        (r'tab="\011separated\011values"', "tab", r'"\011separated\011values"'),
+        pytest.param(
+            r'name="\012newline\012"',
+            "name",
+            r'"\012newline\012"',
+            id="newline-octal-012",
+        ),
+        pytest.param(
+            r'tab="\011separated\011values"',
+            "tab",
+            r'"\011separated\011values"',
+            id="tab-octal-011",
+        ),
     ],
 )
 def test_parse_set_cookie_headers_ctl_chars_from_octal(
@@ -1183,8 +1191,7 @@ def test_parse_set_cookie_headers_literal_ctl_chars_preserves_others() -> None:
     result = parse_set_cookie_headers(['bad="a\x07b"; good=value', "another=cookie"])
     # "good" is an attribute of "bad" (same header), so it's not a separate cookie.
     # "another" is in a separate header and must always be preserved.
-    names = [name for name, _ in result]
-    assert "another" in names
+    assert any(name == "another" for name, _ in result)
 
 
 # Tests for parse_cookie_header (RFC 6265 compliant Cookie header parser)
@@ -1660,8 +1667,7 @@ def test_parse_cookie_header_literal_ctl_chars() -> None:
     result = parse_cookie_header('name="a\x07b"; good=cookie')
     # On CPython with CVE-2026-3644 patch the bad cookie is skipped;
     # on older builds it may be accepted.  Either way, no crash.
-    names = [name for name, _ in result]
-    assert "good" in names
+    assert any(name == "good" for name, _ in result)
 
 
 @pytest.mark.parametrize(
@@ -1855,23 +1861,24 @@ def test_unquote_compatibility_with_simplecookie(test_value: str) -> None:
 
 
 @pytest.fixture
-def mock_strict_morsel() -> typing.Iterator[None]:
+def mock_strict_morsel(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
     original_setstate = Morsel.__setstate__  # type: ignore[attr-defined]
 
     def _mock_setstate(self: Morsel[str], state: dict[str, str]) -> None:
         if any(ord(c) < 32 for c in state.get("value", "")):
             raise CookieError()
         original_setstate(self, state)
 
-    with patch(
+    monkeypatch.setattr(
         "aiohttp._cookie_helpers.Morsel.__setstate__",
-        autospec=True,
-        side_effect=_mock_setstate,
-    ):
-        yield
+        _mock_setstate,
+    )
 
 
-def test_cookie_helpers_cve_fallback(mock_strict_morsel: None) -> None:
+@pytest.mark.usefixtures("mock_strict_morsel")
+def test_cookie_helpers_cve_fallback() -> None:
     m: Morsel[str] = Morsel()
     assert helpers._safe_set_morsel_state(m, "k", "v\n", "v\\012") is True
     assert m.value == "v\\012"
