2017-08-21 08:00:33 -05:00
|
|
|
##########################################################################
|
|
|
|
|
#
|
|
|
|
|
# pgAdmin 4 - PostgreSQL Tools
|
|
|
|
|
#
|
2024-01-01 02:43:48 -06:00
|
|
|
# Copyright (C) 2013 - 2024, The pgAdmin Development Team
|
2017-08-21 08:00:33 -05:00
|
|
|
# This software is released under the PostgreSQL Licence
|
|
|
|
|
#
|
|
|
|
|
##########################################################################
|
2019-08-28 07:34:08 -05:00
|
|
|
|
2022-08-12 06:40:26 -05:00
|
|
|
import secrets
|
2017-08-21 08:00:33 -05:00
|
|
|
|
|
|
|
|
from regression.python_test_utils import test_utils
|
|
|
|
|
from regression.feature_utils.base_feature_test import BaseFeatureTest
|
2019-08-22 04:20:51 -05:00
|
|
|
from regression.feature_utils.locators import NavMenuLocators
|
2019-11-20 01:20:04 -06:00
|
|
|
from regression.feature_utils.tree_area_locators import TreeAreaLocators
|
2019-08-22 04:20:51 -05:00
|
|
|
from selenium.webdriver.common.by import By
|
|
|
|
|
from selenium.webdriver.support import expected_conditions as EC
|
|
|
|
|
from selenium.webdriver.support.ui import WebDriverWait
|
2017-08-21 08:00:33 -05:00
|
|
|
|
2017-08-29 08:57:56 -05:00
|
|
|
|
2017-08-21 08:00:33 -05:00
|
|
|
class CheckRoleMembershipControlFeatureTest(BaseFeatureTest):
|
|
|
|
|
"""Tests to check role membership control for xss."""
|
|
|
|
|
|
|
|
|
|
scenarios = [
|
|
|
|
|
("Tests to check if Role membership control is vulnerable to XSS",
|
|
|
|
|
dict())
|
|
|
|
|
]
|
|
|
|
|
|
2019-04-05 01:55:03 -05:00
|
|
|
role = ""
|
2022-08-30 03:51:33 -05:00
|
|
|
xss_test_role = "<h1>test</h1>"
|
2019-04-05 02:23:50 -05:00
|
|
|
|
2017-08-21 08:00:33 -05:00
|
|
|
def before(self):
|
2019-04-05 01:55:03 -05:00
|
|
|
# create role
|
2022-08-12 06:40:26 -05:00
|
|
|
self.role = "test_role" + str(secrets.choice(range(10000, 65535)))
|
2019-04-05 01:55:03 -05:00
|
|
|
|
2017-08-21 08:00:33 -05:00
|
|
|
# Some test function is needed for debugger
|
|
|
|
|
test_utils.create_role(self.server, "postgres",
|
2019-04-05 01:55:03 -05:00
|
|
|
self.role)
|
2022-08-30 03:51:33 -05:00
|
|
|
test_utils.create_role(self.server, "postgres", self.xss_test_role)
|
2021-11-10 00:20:20 -06:00
|
|
|
test_utils.grant_role(self.server, "postgres",
|
2022-08-30 03:51:33 -05:00
|
|
|
self.role, self.xss_test_role)
|
2019-08-22 04:20:51 -05:00
|
|
|
self.wait = WebDriverWait(self.page.driver, 20)
|
2017-08-21 08:00:33 -05:00
|
|
|
|
|
|
|
|
def runTest(self):
|
|
|
|
|
self.page.wait_for_spinner_to_disappear()
|
2018-03-19 08:23:29 -05:00
|
|
|
self.page.add_server(self.server)
|
2019-04-05 01:55:03 -05:00
|
|
|
self._role_node_expandable(self.role)
|
2017-08-21 08:00:33 -05:00
|
|
|
self._check_role_membership_control()
|
|
|
|
|
|
|
|
|
|
def after(self):
|
2018-03-19 08:23:29 -05:00
|
|
|
self.page.remove_server(self.server)
|
2017-08-21 08:00:33 -05:00
|
|
|
test_utils.drop_role(self.server, "postgres",
|
2019-04-05 01:55:03 -05:00
|
|
|
self.role)
|
2022-08-30 06:38:12 -05:00
|
|
|
test_utils.drop_role(self.server, "postgres", self.xss_test_role)
|
2017-08-21 08:00:33 -05:00
|
|
|
|
2019-04-05 01:55:03 -05:00
|
|
|
def _role_node_expandable(self, role):
|
2023-03-27 01:21:28 -05:00
|
|
|
retry = 2
|
2022-07-28 00:46:05 -05:00
|
|
|
while retry > 0:
|
|
|
|
|
if self.page.expand_server_child_node(
|
|
|
|
|
"Server", self.server['name'], self.server['db_password'],
|
|
|
|
|
'Login/Group Roles'):
|
|
|
|
|
retry = 0
|
2023-01-03 23:14:22 -06:00
|
|
|
else:
|
|
|
|
|
retry -= 1
|
2021-11-10 00:20:20 -06:00
|
|
|
|
|
|
|
|
role_node = self.page.check_if_element_exists_with_scroll(
|
|
|
|
|
TreeAreaLocators.role_node(role))
|
|
|
|
|
role_node.click()
|
2017-08-21 08:00:33 -05:00
|
|
|
|
|
|
|
|
def _check_role_membership_control(self):
|
2022-06-23 07:49:32 -05:00
|
|
|
self.page.driver.find_element(
|
2022-12-22 02:55:18 -06:00
|
|
|
By.CSS_SELECTOR, NavMenuLocators.object_menu_css).click()
|
2023-03-28 11:50:14 -05:00
|
|
|
edit_object = self.wait.until(EC.visibility_of_element_located(
|
|
|
|
|
(By.CSS_SELECTOR, NavMenuLocators.edit_obj_css)))
|
|
|
|
|
edit_object.click()
|
Improved the extendability of the SchemaView and DataGridView. (#7876)
Restructured these modules for ease of maintenance and apply the single
responsibility principle (wherever applicable).
* SchemaView
- Split the code based on the functionality and responsibility.
- Introduced a new View 'InlineView' instead of using the
'nextInline' configuration of the fields to have a better, and
manageable view.
- Using the separate class 'SchemaState' for managing the data and
states of the SchemaView (separated from the 'useSchemaState'
custom hook).
- Introduced three new custom hooks 'useFieldValue',
'useFieldOptions', 'useFieldError' for the individual control to
use for each Schema Field.
- Don't pass value as the parameter props, and let the
'useFieldValue' and other custom hooks to decide, whether to
rerender the control itself or the whole dialog/view. (single
responsibility principle)
- Introduced a new data store with a subscription facility.
- Moving the field metadata (option) evaluation to a separate place
for better management, and each option can be defined for a
particular kind of field (for example - collection, row, cell,
general, etc).
- Allow to provide custom control for all kind of Schema field.
* DataGridView
- Same as SchemaView, split the DataGridView call into smaller,
manageable chunks. (For example - grid, row, mappedCell, etc).
- Use context based approach for providing the row and table data
instead of passing them as parameters to every component
separately.
- Have a facility to extend this feature separately in future.
(for example - selectable cell, column grouping, etc.)
- Separated the features like deletable, editable, reorder,
expandable etc. cells using the above feature support.
- Added ability to provide the CustomHeader, and CustomRow through the
Schema field, which will extend the ability to customize better.
- Removed the 'DataGridViewWithHeaderForm' as it has been achieved
through providing 'CustomHeader', and also introduced
'DataGridFormHeader' (a custom header) to achieve the same feature
as 'DataGridViewWithHeaderForm'.
2024-09-09 03:57:31 -05:00
|
|
|
membership_tab = WebDriverWait(self.page.driver, 2).until(
|
2020-06-23 08:13:54 -05:00
|
|
|
EC.presence_of_element_located((
|
2024-04-08 21:51:14 -05:00
|
|
|
By.XPATH, "//button[normalize-space(text())='Membership']")))
|
2021-11-10 00:20:20 -06:00
|
|
|
membership_tab.click()
|
|
|
|
|
|
2017-08-21 08:00:33 -05:00
|
|
|
# Fetch the source code for our custom control
|
|
|
|
|
source_code = self.page.find_by_xpath(
|
2024-06-18 03:32:23 -05:00
|
|
|
"//div[contains(@class, 'pgrd-row-cell')]"
|
|
|
|
|
"//span[contains(@class,'icon-')]/following-sibling::span"
|
2021-11-18 05:43:32 -06:00
|
|
|
).get_attribute('innerHTML')
|
2017-08-21 08:00:33 -05:00
|
|
|
|
|
|
|
|
self._check_escaped_characters(
|
|
|
|
|
source_code,
|
|
|
|
|
'<h1>test</h1>',
|
|
|
|
|
'Role Membership Control'
|
|
|
|
|
)
|
2024-04-08 21:51:14 -05:00
|
|
|
self.page.find_by_xpath("//button[text()='Close']").click()
|
2017-08-21 08:00:33 -05:00
|
|
|
|
|
|
|
|
def _check_escaped_characters(self, source_code, string_to_find, source):
|
|
|
|
|
# For XSS we need to search against element's html code
|
2018-02-09 06:57:37 -06:00
|
|
|
assert source_code.find(string_to_find) != - \
|
|
|
|
|
1, "{0} might be vulnerable to XSS ".format(source)
|
2019-05-23 03:31:52 -05:00
|
|
|
|
|
|
|
|
def click_membership_tab(self):
|
|
|
|
|
"""This will click and open membership tab of role"""
|
2019-08-28 07:34:08 -05:00
|
|
|
|
|
|
|
|
self.page.retry_click(
|
2019-11-10 23:19:00 -06:00
|
|
|
(By.LINK_TEXT,
|
|
|
|
|
"Membership"),
|
2019-08-28 07:34:08 -05:00
|
|
|
(By.XPATH, "//input[@placeholder='Select members']"))
|
