diff test/test_liveserver.py @ 8062:28aa76443f58
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125
Directions for fixing:
* `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are
vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing
tracker homes.
* `CVE-2024-39125`_ - :ref:`if Referer header is set to a script
tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0,
directions available for fixing in prior versions.
* `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from
an issue can contain embedded JavaScript which is
executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions
available for fixing in prior versions.
Committed prior to the 2.4.0 release this weekend that fixes the last two CVEs.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Tue, 09 Jul 2024 09:07:09 -0400 |
| parents | 60c98a8a23bd |
| children | 603aa730b067 |
--- a/test/test_liveserver.py Mon Jul 08 13:04:05 2024 -0400
+++ b/test/test_liveserver.py Tue Jul 09 09:07:09 2024 -0400
@@ -263,6 +263,24 @@
         self.assertTrue(b'Aufgabenliste' in f.content)
         self.assertTrue(b'dauerhaft anmelden?' in f.content)
+    def test_classhelper_reflection(self):
+        """ simple test that verifies that the generic classhelper
+            is escaping the url params correctly.
+        """
+        f = requests.get(self.url_base() + "/keyword?@startwith=0&@template=help&properties=name&property=keyword&form=itemSynopsis</script><script>%3balert(1)%2f%2f&type=checkbox&@sort=name&@pagesize=50")
+        self.assertEqual(f.status_code, 200)
+        self.assertNotIn(b"<script>;alert(1)//;\n", f.content)
+        self.assertIn(
+            b"itemSynopsis</script><script>;alert(1)//;\n",
+            f.content)
+
+        f = requests.get(self.url_base() + "/keyword?@startwith=0&@template=help&properties=name&property=keyword</script><script>%3balert(1)%2f%2f&form=itemSynopsis&type=checkbox&@sort=name&@pagesize=50")
+        self.assertEqual(f.status_code, 200)
+        self.assertNotIn(b"<script>;alert(1)//;\n", f.content)
+        self.assertIn(
+            b"keyword</script><script>;alert(1)//';</script>\n",
+            f.content)
+
+    def test_byte_Ranges(self):
         """ Roundup only handles one simple two number range, or
             a single number to start from:
@@ -1308,6 +1326,7 @@
         f = session.get(self.url_base()+'/file%(file)s/text1.txt'%m.groupdict())
         self.assertEqual(f.text, file_content)
         self.assertEqual(f.headers["X-Content-Type-Options"], "nosniff")
+        self.assertEqual(f.headers["Content-Security-Policy"], "script-src 'none'")
         print(f.text)
     def test_new_file_via_rest(self):
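Review bot: In test_classhelper_reflection the first pair of assertions cannot both hold: the bytes required by `self.assertIn(b"itemSynopsis</script><script>;alert(1)//;\n", f.content)` end with exactly the bytes the preceding `assertNotIn` forbids, so the test fails however the classhelper renders the `form` value. If the intent is to prove the parameter is escaped, the positive assertion should name the escaped rendering the template actually emits (an `&lt;/script&gt;` form or a JS-string-escaped form — the template is not visible here, so confirm which); a raw `</script><script>` in the response body is the reflected output the commit describes as the problem, not evidence of a fix. The second pair is internally consistent, but its expected `keyword</script><script>;alert(1)//';</script>\n` likewise contains an unescaped closing tag, so the same question applies there. Since the description says this CVE also needs tracker-home changes, a sentence in the docstring stating which tracker-home template these expectations were generated against would help the next maintainer.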
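Review bot: The new Content-Security-Policy assertion only covers the `text1.txt` download fetched on the preceding line, while the description ties CVE-2024-39126 to PDF, XML and SVG downloads; without a second fetch of a file with one of those content types the test does not show the header is sent where embedded script would actually be interpreted. The equality check also pins the whole header value, so a later, stricter policy (for example adding `default-src`) would break the test; if exact pinning is not the intent, `self.assertIn("script-src 'none'", f.headers["Content-Security-Policy"])` keeps the guarantee while tolerating additions. The enclosing test method starts outside this hunk.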
