comparison test/test_liveserver.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
Prior to the 2.4.0 release this weekend, which fixes the last two CVEs.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 60c98a8a23bd |
| children | 603aa730b067 |
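--- a/test/test_liveserver.py
+++ b/test/test_liveserver.py
@@ -260,10 +260,28 @@
 self.assertEqual(f.status_code, 200)
 print(f.content)
 self.assertTrue(b'Roundup' in f.content)
 self.assertTrue(b'Aufgabenliste' in f.content)
 self.assertTrue(b'dauerhaft anmelden?' in f.content)
+
+def test_classhelper_reflection(self):
+""" simple test that verifies that the generic classhelper
+is escaping the url params correctly.
+"""
+f = requests.get(self.url_base() + "/keyword?@startwith=0&@template=help&properties=name&property=keyword&form=itemSynopsis</script><script>%3balert(1)%2f%2f&type=checkbox&@sort=name&@pagesize=50")
+self.assertEqual(f.status_code, 200)
+self.assertNotIn(b"<script>;alert(1)//;\n", f.content)
+self.assertIn(
+b"itemSynopsis</script><script>;alert(1)//;\n",
+f.content)
+
+f = requests.get(self.url_base() + "/keyword?@startwith=0&@template=help&properties=name&property=keyword</script><script>%3balert(1)%2f%2f&form=itemSynopsis&type=checkbox&@sort=name&@pagesize=50")
+self.assertEqual(f.status_code, 200)
+self.assertNotIn(b"<script>;alert(1)//;\n", f.content)
+self.assertIn(
+b"keyword</script><script>;alert(1)//';</script>\n",
+f.content)
 
 def test_byte_Ranges(self):
 """ Roundup only handles one simple two number range, or
 a single number to start from:
 Range: 10-20
@@ -1306,10 +1324,11 @@
 
 # download file and verify content
 f = session.get(self.url_base()+'/file%(file)s/text1.txt'%m.groupdict())
 self.assertEqual(f.text, file_content)
 self.assertEqual(f.headers["X-Content-Type-Options"], "nosniff")
+self.assertEqual(f.headers["Content-Security-Policy"], "script-src 'none'")
 print(f.text)
 
 def test_new_file_via_rest(self):
 
 session = requests.Session()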
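Review bot: In test_classhelper_reflection (first hunk) the bytes given to assertIn, `b"itemSynopsis</script><script>;alert(1)//;\n"`, end with exactly the bytes the preceding assertNotIn rejects, `b"<script>;alert(1)//;\n"`, so as printed the two assertions cannot both hold and the test can never pass; the second pair with `keyword</script><script>...` has the same problem. This may be a rendering artefact if the file really holds the entity-escaped form and the page decoded it, which is worth checking against the source, but the test would be clearer if the assertIn spelled out the escaped output the fixed template is expected to produce (for example `b"itemSynopsis&lt;/script&gt;&lt;script&gt;;alert(1)//;\n"`, adjusted to whatever escaping the template now applies) instead of relying mainly on the negative check. In the second hunk the new Content-Security-Policy assertion only covers a text/plain download, while the description ties CVE-2024-39126 to PDF, XML and SVG files; a download of one of those content types would exercise the header where script can actually run. The method containing the CSP assertion starts before the hunk, and test_byte_Ranges continues past the end of the first hunk.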
