* feat: Prevent XSS attacks via comments - Escaped comment text - Fixed the SQL linter test's expected comment text because of the escaped characters - Added a unit test for HTML escaping of comment text - Fixed a linter test
Showing
5 changed files
with
46 additions
and
20 deletions.
@@ -0,0 +1,25 @@ | ||
from flask import json | ||
|
||
from lms.lmsdb.models import Solution, User | ||
from lms.tests import conftest | ||
|
||
|
||
USER_COMMENT_BEFORE_ESCAPING = '<html><body><p>Welcome "LMS"</p></body></html>' | ||
USER_COMMENT_AFTER_ESCAPING = ( | ||
'<html><body><p>Welcome "LMS"' | ||
'</p></body></html>' | ||
) | ||
|
||
|
||
class TestHtmlEscaping: | ||
@staticmethod | ||
def test_comment_text_escaping(student_user: User, solution: Solution): | ||
client = conftest.get_logged_user(student_user.username) | ||
|
||
# Creating a comment | ||
comment_response = client.post('/comments', data=json.dumps(dict( | ||
fileId=solution.files[0].id, act='create', kind='text', | ||
comment=USER_COMMENT_BEFORE_ESCAPING, line=1, | ||
)), content_type='application/json') | ||
assert comment_response.status_code == 200 | ||
assert solution.comments[0].comment.text == USER_COMMENT_AFTER_ESCAPING |
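Review bot: The new test pins only the stored representation of the comment (the final `assert solution.comments[0].comment.text == USER_COMMENT_AFTER_ESCAPING`), so it would still pass if the stored entities were later escaped a second time on output; if the comment is rendered through an autoescaping template (presumably Jinja2, given the Flask imports, though the rendering side is not in this commit), the text would then display as literal entities. A docstring on `test_comment_text_escaping` such as `"""Comment text is HTML-escaped when stored; the rendering side must not escape it again."""` would record that contract for the next maintainer. The `solution.comments[0]` index also assumes the `solution` fixture starts with no comments; adding `assert len(solution.comments) == 1` before it makes that assumption explicit and gives a clearer failure. Both `TestHtmlEscaping` and the method begin and end inside this hunk.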
@@ -1,30 +1,30 @@ | ||
from lms.lmsdb import models | ||
from lms.lmsdb.models import Comment, Solution | ||
from lms.lmstests.public.linters import tasks | ||
|
||
|
||
INVALID_CODE = 's1\n' | ||
INVALID_CODE_MESSAGE = "Found unparsable section: 's1'" | ||
INVALID_CODE_MESSAGE = 'Found unparsable section: 's1'' # Escape | ||
|
||
VALID_CODE = 'SELECT 1\n' | ||
|
||
|
||
class TestSQLLinter: | ||
def test_invalid_solution(self, solution: models.Solution): | ||
def test_invalid_solution(self, solution: Solution): | ||
solution_file = solution.solution_files.get() | ||
solution_file.path = 'sql.sql' | ||
solution_file.code = INVALID_CODE | ||
solution_file.save() | ||
tasks.run_linter_on_solution(solution.id) | ||
comments = tuple(models.Comment.by_solution(solution)) | ||
comments = tuple(Comment.by_solution(solution)) | ||
assert comments | ||
assert len(comments) == 1 | ||
assert comments[0].comment.text == INVALID_CODE_MESSAGE | ||
|
||
def test_valid_solution(self, solution: models.Solution): | ||
def test_valid_solution(self, solution: Solution): | ||
solution_file = solution.solution_files.get() | ||
solution_file.path = 'sql.sql' | ||
solution_file.code = VALID_CODE | ||
solution_file.save() | ||
tasks.run_linter_on_solution(solution.id) | ||
comments = tuple(models.Comment.by_solution(solution)) | ||
comments = tuple(Comment.by_solution(solution)) | ||
assert not comments |
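Review bot: The `# Escape` comment on the changed `INVALID_CODE_MESSAGE` line does not say which escaping is applied to the linter's message or why the expected value now contains character entities, so a reader comparing it with the plain `'s1'` in `INVALID_CODE` has to guess. I would replace it with `# Comment text is HTML-escaped before it is stored, so the quotes around s1 are expected as entities`. Hard-coding the entity spelling also ties this linter test to the exact escaping helper used on the write path; if the project escapes through a single helper, deriving the expectation from it would survive a change in entity form (`&#x27;` versus `&#39;`), at the cost of no longer catching the helper being dropped, so the choice should be stated in the comment either way. The rest of the hunk (import and type-hint simplifications) is fine.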