pgadmin4/web/pgadmin/feature_tests/file_manager_test.py

##########################################################################
#
# pgAdmin 4 - PostgreSQL Tools
#
# Copyright (C) 2013 - 2022, The pgAdmin Development Team
# This software is released under the PostgreSQL Licence
#
##########################################################################

import os
import random
import string
import sys
import time

from selenium.webdriver.common.keys import Keys
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import StaleElementReferenceException, \
    TimeoutException
from regression.feature_utils.base_feature_test import BaseFeatureTest
from regression.feature_utils.locators import QueryToolLocators


class CheckFileManagerFeatureTest(BaseFeatureTest):
    """Tests to check file manager for XSS."""

    scenarios = [
        ("File manager feature test",
         dict())
    ]

    def before(self):
        if os.name == 'nt':
            self.skipTest("This test is skipped for Windows. As Windows "
                          "does not allow the '<' and '>' character while "
                          "specifying the file name.")

        self.page.add_server(self.server)
        self.wait = WebDriverWait(self.page.driver, 10)
        filename = self.server_information['type'] + \
            str(self.server_information['server_version'])
        if self.parallel_ui_tests:
            self.XSS_FILE = '/<img src=x ' + filename + '=alert("1")>.sql'
        else:
            self.XSS_FILE = '/tmp/<img src=x ' + filename + '=alert("1")>.sql'
        # Remove any previous file
        if os.path.isfile(self.XSS_FILE):
            os.remove(self.XSS_FILE)

    def after(self):
        self.page.close_query_tool(False)
        self.page.remove_server(self.server)

    def runTest(self):
        print("Tests to check if File manager is vulnerable to XSS... ",
              file=sys.stderr, end="")
        self._navigate_to_query_tool()
        self.page.fill_codemirror_area_with("SELECT 1;")
        self._create_new_file()
        self._open_file_manager_and_check_xss_file()
        print("OK.", file=sys.stderr)

        print("File manager sorting of data", file=sys.stderr)
        self._check_file_sorting()
        print("OK.", file=sys.stderr)

    def _navigate_to_query_tool(self):
        self.page.expand_database_node("Server", self.server['name'],
                                       self.server['db_password'],
                                       self.test_db)
        self.page.open_query_tool()

    def _create_new_file(self):
        self.page.find_by_css_selector(QueryToolLocators.btn_save_file) \
            .click()
        # Set the XSS value in input
        WebDriverWait(self.driver, 10).until(EC.presence_of_element_located(
            (By.CSS_SELECTOR, ".change_file_types")))
        self.page.find_by_css_selector('.change_file_types')
        self.page.fill_input_by_css_selector(
            QueryToolLocators.input_file_path_css, self.XSS_FILE)
        # Save the file
        self.page.click_modal('Create')
        self.page.wait_for_query_tool_loading_indicator_to_disappear()

    def _open_file_manager_and_check_xss_file(self):
        load_file = self.page.find_by_css_selector(
            QueryToolLocators.btn_load_file_css)
        load_file.click()
        WebDriverWait(self.driver, 10).until(EC.presence_of_element_located(
            (By.CSS_SELECTOR, ".change_file_types")))
        self.page.find_by_css_selector('.change_file_types')
        self.page.fill_input_by_css_selector(
            QueryToolLocators.input_file_path_css,
            "/tmp", key_after_input=Keys.RETURN)
        time.sleep(2)

        self.wait.until(EC.visibility_of_element_located(
            (By.CSS_SELECTOR, QueryToolLocators.select_file_content_css)))

        table = self.page.driver.find_element_by_css_selector(
            QueryToolLocators.select_file_content_css)

        retry_count = 0
        while retry_count < 5:
            try:
                contents = table.get_attribute('innerHTML')
                break
            except (StaleElementReferenceException, TimeoutException):
                retry_count += 1

        self.page.click_modal('Cancel')
        self.page.wait_for_query_tool_loading_indicator_to_disappear()
        filename = self.server_information['type'] + \
            str(self.server_information['server_version'])
        self._check_escaped_characters(
            contents,
            '&lt;img src=x ' + filename +
            '=alert("1")&gt;.sql', 'File manager'
        )

    def _check_escaped_characters(self, source_code, string_to_find, source):
        # For XSS we need to search against element's html code
        assert source_code.find(
            string_to_find
        ) != -1, "{0} might be vulnerable to XSS, source code is: {1}".format(
            source, source_code)

    def _check_file_sorting(self):
        load_file = self.page.find_by_css_selector(
            QueryToolLocators.btn_load_file_css)
        load_file.click()
        self.page.find_by_css_selector("#contents th[data-column='0']")

        # Added time.sleep so that the element to be clicked.
        time.sleep(0.05)

        # Intermittently facing issue on first click it is not successful
        # so tried couple of times.
        success = self.page.retry_click(
            (By.XPATH,
             "//th[@data-column='0']/div/span[text()='Name']"),
            (By.CSS_SELECTOR,
             "#contents th[data-column='0'].tablesorter-headerAsc"))

        if not success:
            raise RuntimeError("Unable to sort in ascending order while "
                               "clicked on 'Name' column")
        # Added time.sleep so that the element to be clicked.
        time.sleep(0.05)

        # Click and Check for sort Descending
        # Intermittently facing issue on first click it is not successful
        # so tried couple of times.
        success = self.page.retry_click(
            (By.XPATH,
             "//th[@data-column='0']/div/span[text()='Name']"),
            (By.CSS_SELECTOR,
             "#contents th[data-column='0'].tablesorter-headerDesc"))

        if not success:
            raise RuntimeError("Unable to sort in descending order while "
                               "clicked on 'Name' column")

        self.page.click_modal('Cancel')
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`##########################################################################`
			`#`
			`# pgAdmin 4 - PostgreSQL Tools`
			`#`
Update copyright notices for 2022 2022-01-04 02:24:25 -06:00			`# Copyright (C) 2013 - 2022, The pgAdmin Development Team`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`# This software is released under the PostgreSQL Licence`
			`#`
			`##########################################################################`

			`import os`
1) Fixes parallel test execution failures. 2) Added capability to pass browser-name via command line for parallel execution. 2020-06-22 02:35:13 -05:00			`import random`
			`import string`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00			`import sys`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`import time`
Further code refactoring to stabilise the Feature Tests. Fixes #3936 2019-08-28 07:34:08 -05:00
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`from selenium.webdriver.common.keys import Keys`
			`from selenium.webdriver.support.ui import WebDriverWait`
			`from selenium.webdriver.common.by import By`
Fixed following feature tests: 1. Process watcher loading logs fix 2. Auto commit/rollback issue in query_tool_tests 3. Fixed the scrolling issue while verifying values in a table. 4. Modified some functions in pgadmin_page.py 2019-11-15 06:32:17 -06:00			`from selenium.webdriver.support import expected_conditions as EC`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`from selenium.common.exceptions import StaleElementReferenceException, \`
			`TimeoutException`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`from regression.feature_utils.base_feature_test import BaseFeatureTest`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`from regression.feature_utils.locators import QueryToolLocators`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00

			`class CheckFileManagerFeatureTest(BaseFeatureTest):`
			`"""Tests to check file manager for XSS."""`

			`scenarios = [`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00			`("File manager feature test",`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`dict())`
			`]`

			`def before(self):`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00			`if os.name == 'nt':`
			`self.skipTest("This test is skipped for Windows. As Windows "`
			`"does not allow the '<' and '>' character while "`
			`"specifying the file name.")`

Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self.page.add_server(self.server)`
			`self.wait = WebDriverWait(self.page.driver, 10)`
1) Fixes parallel test execution failures. 2) Added capability to pass browser-name via command line for parallel execution. 2020-06-22 02:35:13 -05:00			`filename = self.server_information['type'] + \`
			`str(self.server_information['server_version'])`
Modifies the way to execute feature tests in parallel and it should be configured in Server Mode. 2021-05-27 00:31:25 -05:00			`if self.parallel_ui_tests:`
			`self.XSS_FILE = '/<img src=x ' + filename + '=alert("1")>.sql'`
			`else:`
			`self.XSS_FILE = '/tmp/<img src=x ' + filename + '=alert("1")>.sql'`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`# Remove any previous file`
			`if os.path.isfile(self.XSS_FILE):`
			`os.remove(self.XSS_FILE)`

			`def after(self):`
Many fixes to the stability of the feature tests, including: tree toggle issue Query tool inteliSence issue eg. when there is only one option and drop down is not shown Backup and restore windows locator changes Fixes required due to resolving rm # 4041 Dependent tab not showing data sometime, so refreshed the page and handled it Due to change of logic for auto commit, did the required changes Due to fix of RM 4062, did the required workaround which broke the test case. 2019-03-21 07:04:37 -05:00			`self.page.close_query_tool(False)`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self.page.remove_server(self.server)`

			`def runTest(self):`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00			`print("Tests to check if File manager is vulnerable to XSS... ",`
			`file=sys.stderr, end="")`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self._navigate_to_query_tool()`
			`self.page.fill_codemirror_area_with("SELECT 1;")`
			`self._create_new_file()`
			`self._open_file_manager_and_check_xss_file()`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00			`print("OK.", file=sys.stderr)`

			`print("File manager sorting of data", file=sys.stderr)`
			`self._check_file_sorting()`
			`print("OK.", file=sys.stderr)`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00
			`def _navigate_to_query_tool(self):`
Fixed feature test cases after react porting. 2021-11-10 00:20:20 -06:00			`self.page.expand_database_node("Server", self.server['name'],`
			`self.server['db_password'],`
			`self.test_db)`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self.page.open_query_tool()`

			`def _create_new_file(self):`
Implement Selenium Grid to run multiple tests across different browsers, operating systems, and machines in parallel. Fixes #5255 2020-05-11 01:41:31 -05:00			`self.page.find_by_css_selector(QueryToolLocators.btn_save_file) \`
Add support for editing of resultsets in the Query Tool, if the data can be identified as updatable. Fixes #1760 When a query is run in the Query Tool, check if the source of the columns can be identified as being from a single table, and that we have all columns that make up the primary key. If so, consider the resultset to be editable and allow the user to edit data and add/remove rows in the grid. Changes to data are saved using SAVEPOINTs as part of any transaction that's in progress, and rolled back if there are integrity violations, without otherwise affecting the ongoing transaction. Implemented by Yosry Muhammad as a Google Summer of Code project. 2019-07-17 05:45:20 -05:00			`.click()`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`# Set the XSS value in input`
Fixed feature test failures on the selenium grid for concurrent execution. 2020-05-21 09:14:28 -05:00			`WebDriverWait(self.driver, 10).until(EC.presence_of_element_located(`
			`(By.CSS_SELECTOR, ".change_file_types")))`
Many fixes to the stability of the feature tests, including: tree toggle issue Query tool inteliSence issue eg. when there is only one option and drop down is not shown Backup and restore windows locator changes Fixes required due to resolving rm # 4041 Dependent tab not showing data sometime, so refreshed the page and handled it Due to change of logic for auto commit, did the required changes Due to fix of RM 4062, did the required workaround which broke the test case. 2019-03-21 07:04:37 -05:00			`self.page.find_by_css_selector('.change_file_types')`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`self.page.fill_input_by_css_selector(`
			`QueryToolLocators.input_file_path_css, self.XSS_FILE)`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`# Save the file`
Improvement in the look and feel of the whole application Changed the SCSS/CSS for the below third party libraries to adopt the new look 'n' feel: - wcDocker - Alertify dialogs, and notifications - AciTree - Bootstrap Navbar - Bootstrap Tabs - Bootstrap Drop-Down menu - Backgrid - Select2 Adopated the new the look 'n' feel for the dialogs, wizard, properties, tab panels, tabs, fieldset, subnode control, spinner control, HTML table, and other form controls. - Font is changed to Roboto - Using SCSS variables to define the look 'n' feel - Designer background images for the Login, and Forget password pages in 'web' mode - Improved the look 'n' feel for the key selection in the preferences dialog - Table classes consistency changes across the application - File Open and Save dialog list view changes Author(s): Aditya Toshniwal & Khushboo Vashi 2018-12-21 05:44:55 -06:00			`self.page.click_modal('Create')`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self.page.wait_for_query_tool_loading_indicator_to_disappear()`

			`def _open_file_manager_and_check_xss_file(self):`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`load_file = self.page.find_by_css_selector(`
			`QueryToolLocators.btn_load_file_css)`
			`load_file.click()`
Fixed feature test failures on the selenium grid for concurrent execution. 2020-05-21 09:14:28 -05:00			`WebDriverWait(self.driver, 10).until(EC.presence_of_element_located(`
			`(By.CSS_SELECTOR, ".change_file_types")))`
Improvement in the look and feel of the whole application Changed the SCSS/CSS for the below third party libraries to adopt the new look 'n' feel: - wcDocker - Alertify dialogs, and notifications - AciTree - Bootstrap Navbar - Bootstrap Tabs - Bootstrap Drop-Down menu - Backgrid - Select2 Adopated the new the look 'n' feel for the dialogs, wizard, properties, tab panels, tabs, fieldset, subnode control, spinner control, HTML table, and other form controls. - Font is changed to Roboto - Using SCSS variables to define the look 'n' feel - Designer background images for the Login, and Forget password pages in 'web' mode - Improved the look 'n' feel for the key selection in the preferences dialog - Table classes consistency changes across the application - File Open and Save dialog list view changes Author(s): Aditya Toshniwal & Khushboo Vashi 2018-12-21 05:44:55 -06:00			`self.page.find_by_css_selector('.change_file_types')`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`self.page.fill_input_by_css_selector(`
			`QueryToolLocators.input_file_path_css,`
Fixed following feature tests: 1. Process watcher loading logs fix 2. Auto commit/rollback issue in query_tool_tests 3. Fixed the scrolling issue while verifying values in a table. 4. Modified some functions in pgadmin_page.py 2019-11-15 06:32:17 -06:00			`"/tmp", key_after_input=Keys.RETURN)`
Modifies the way to execute feature tests in parallel and it should be configured in Server Mode. 2021-05-27 00:31:25 -05:00			`time.sleep(2)`

			`self.wait.until(EC.visibility_of_element_located(`
			`(By.CSS_SELECTOR, QueryToolLocators.select_file_content_css)))`

			`table = self.page.driver.find_element_by_css_selector(`
			`QueryToolLocators.select_file_content_css)`
Support running feature tests against Firefox. Fixes #3270 2018-05-15 09:10:11 -05:00
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`retry_count = 0`
			`while retry_count < 5:`
			`try:`
			`contents = table.get_attribute('innerHTML')`
			`break`
			`except (StaleElementReferenceException, TimeoutException):`
			`retry_count += 1`
Support running feature tests against Firefox. Fixes #3270 2018-05-15 09:10:11 -05:00
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self.page.click_modal('Cancel')`
			`self.page.wait_for_query_tool_loading_indicator_to_disappear()`
1) Fixes parallel test execution failures. 2) Added capability to pass browser-name via command line for parallel execution. 2020-06-22 02:35:13 -05:00			`filename = self.server_information['type'] + \`
			`str(self.server_information['server_version'])`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`self._check_escaped_characters(`
			`contents,`
1) Fixes parallel test execution failures. 2) Added capability to pass browser-name via command line for parallel execution. 2020-06-22 02:35:13 -05:00			`'<img src=x ' + filename +`
Implement Selenium Grid to run multiple tests across different browsers, operating systems, and machines in parallel. Fixes #5255 2020-05-11 01:41:31 -05:00			`'=alert("1")>.sql', 'File manager'`
Ensure the file manager properly escapes file & directory names. Fixes #3196 2018-03-19 05:58:12 -05:00			`)`

			`def _check_escaped_characters(self, source_code, string_to_find, source):`
			`# For XSS we need to search against element's html code`
			`assert source_code.find(`
			`string_to_find`
Fixed following feature tests: 1. Process watcher loading logs fix 2. Auto commit/rollback issue in query_tool_tests 3. Fixed the scrolling issue while verifying values in a table. 4. Modified some functions in pgadmin_page.py 2019-11-15 06:32:17 -06:00			`) != -1, "{0} might be vulnerable to XSS, source code is: {1}".format(`
			`source, source_code)`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00
			`def _check_file_sorting(self):`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`load_file = self.page.find_by_css_selector(`
			`QueryToolLocators.btn_load_file_css)`
			`load_file.click()`
Improvement in the look and feel of the whole application Changed the SCSS/CSS for the below third party libraries to adopt the new look 'n' feel: - wcDocker - Alertify dialogs, and notifications - AciTree - Bootstrap Navbar - Bootstrap Tabs - Bootstrap Drop-Down menu - Backgrid - Select2 Adopated the new the look 'n' feel for the dialogs, wizard, properties, tab panels, tabs, fieldset, subnode control, spinner control, HTML table, and other form controls. - Font is changed to Roboto - Using SCSS variables to define the look 'n' feel - Designer background images for the Login, and Forget password pages in 'web' mode - Improved the look 'n' feel for the key selection in the preferences dialog - Table classes consistency changes across the application - File Open and Save dialog list view changes Author(s): Aditya Toshniwal & Khushboo Vashi 2018-12-21 05:44:55 -06:00			`self.page.find_by_css_selector("#contents th[data-column='0']")`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00
			`# Added time.sleep so that the element to be clicked.`
			`time.sleep(0.05)`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00
			`# Intermittently facing issue on first click it is not successful`
			`# so tried couple of times.`
Further code refactoring to stabilise the Feature Tests. Fixes #3936 2019-08-28 07:34:08 -05:00			`success = self.page.retry_click(`
			`(By.XPATH,`
			`"//th[@data-column='0']/div/span[text()='Name']"),`
			`(By.CSS_SELECTOR,`
			`"#contents th[data-column='0'].tablesorter-headerAsc"))`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00
			`if not success:`
Replace the generic exception class with a more specific one. 2020-08-07 02:07:00 -05:00			`raise RuntimeError("Unable to sort in ascending order while "`
			`"clicked on 'Name' column")`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`# Added time.sleep so that the element to be clicked.`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00			`time.sleep(0.05)`
Allow sorting in the file dialogue. Fixes #3273 2018-06-25 08:41:07 -05:00
			`# Click and Check for sort Descending`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00			`# Intermittently facing issue on first click it is not successful`
			`# so tried couple of times.`
Further code refactoring to stabilise the Feature Tests. Fixes #3936 2019-08-28 07:34:08 -05:00			`success = self.page.retry_click(`
			`(By.XPATH,`
			`"//th[@data-column='0']/div/span[text()='Name']"),`
			`(By.CSS_SELECTOR,`
			`"#contents th[data-column='0'].tablesorter-headerDesc"))`
Stabilise feature tests for continuous running on CI systems. Fixes #3136. 2018-08-21 07:09:36 -05:00
			`if not success:`
Replace the generic exception class with a more specific one. 2020-08-07 02:07:00 -05:00			`raise RuntimeError("Unable to sort in descending order while "`
			`"clicked on 'Name' column")`
Additional feature test fixes: 1) Changes required for working with Bootstrap 4. 2) Change to fix the timeout exception when waiting for element (tested multiple times on multiple server, did not occur to me thereafter) 3) Removed reset layout after each test case. Instead, delete the layout entry from sqlite db file and do a plain refresh. This will save some time and will also remove dependency on reset layout menu. 4) Disables tree state saving when feature test run starts. Feature tests got confused with auto expanding tree. 2018-10-17 05:50:22 -05:00
			`self.page.click_modal('Cancel')`