Sutty/trabajo-afectivo
5
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Maintenance: Improve handling of XSS timeouts in tests.

Browse source
This commit is contained in:
Martin Gruner 2022-01-31 16:34:33 +01:00
parent f79e8c72cd
commit b40ca87b2a
3 changed files with 17 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
spec/models/concerns/has_xss_sanitized_note_examples.rb
View file

@ -5,6 +5,11 @@ RSpec.shared_examples 'HasXssSanitizedNote' do |model_factory:|
context 'with injected JS' do context 'with injected JS' do
subject { create(model_factory, note: 'test 123 <script type="text/javascript">alert("XSS!");</script> <b>some text</b>') } subject { create(model_factory, note: 'test 123 <script type="text/javascript">alert("XSS!");</script> <b>some text</b>') }
before do
# XSS processing may run into a timeout on slow CI systems, so turn the timeout off for the test.
stub_const("#{HtmlSanitizer}::PROCESSING_TIMEOUT", nil)
end
it 'strips out <script> tag with content' do it 'strips out <script> tag with content' do
expect(subject.note).to eq('test 123 <b>some text</b>') expect(subject.note).to eq('test 123 <b>some text</b>')
end end

5
spec/models/ticket/article_spec.rb
View file

@ -85,6 +85,11 @@ RSpec.describe Ticket::Article, type: :model do
describe 'XSS protection:' do describe 'XSS protection:' do
subject(:article) { create(:ticket_article, body: body, content_type: 'text/html') } subject(:article) { create(:ticket_article, body: body, content_type: 'text/html') }
before do
# XSS processing may run into a timeout on slow CI systems, so turn the timeout off for the test.
stub_const("#{HtmlSanitizer}::PROCESSING_TIMEOUT", nil)
end
context 'when body contains only injected JS' do context 'when body contains only injected JS' do
let(:body) { <<~RAW.chomp } let(:body) { <<~RAW.chomp }
<script type="text/javascript">alert("XSS!");</script> some other text <script type="text/javascript">alert("XSS!");</script> some other text

7
test/unit/html_sanitizer_test.rb
View file

@ -4,6 +4,11 @@ require 'test_helper'
class HtmlSanitizerTest < ActiveSupport::TestCase class HtmlSanitizerTest < ActiveSupport::TestCase
processing_timeout = HtmlSanitizer.const_get(:PROCESSING_TIMEOUT)
# XSS processing may run into a timeout on slow CI systems, so turn the timeout off for the test.
HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, nil)
test 'xss' do test 'xss' do
assert_equal(HtmlSanitizer.strict('<b>123</b>'), '<b>123</b>') assert_equal(HtmlSanitizer.strict('<b>123</b>'), '<b>123</b>')
assert_equal(HtmlSanitizer.strict('<script><b>123</b></script>'), '') assert_equal(HtmlSanitizer.strict('<script><b>123</b></script>'), '')
@ -153,4 +158,6 @@ test 123
assert_equal(HtmlSanitizer.strict('<a href="mailto:testäöü@example.com" id="123">test</a>'), '<a href="mailto:test%C3%A4%C3%B6%C3%BC@example.com">test</a>') assert_equal(HtmlSanitizer.strict('<a href="mailto:testäöü@example.com" id="123">test</a>'), '<a href="mailto:test%C3%A4%C3%B6%C3%BC@example.com">test</a>')
end end
HtmlSanitizer.const_set(:PROCESSING_TIMEOUT, processing_timeout)
end end