pgadmin4/web/regression/feature_tests/xss_checks_pgadmin_debugger_test.py

##########################################################################
#
# pgAdmin 4 - PostgreSQL Tools
#
# Copyright (C) 2013 - 2023, The pgAdmin Development Team
# This software is released under the PostgreSQL Licence
#
##########################################################################

import secrets
import time

from selenium.webdriver import ActionChains
from selenium.common.exceptions import TimeoutException
from regression.python_test_utils import test_utils
from regression.feature_utils.base_feature_test import BaseFeatureTest
from regression.feature_utils.tree_area_locators import TreeAreaLocators
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
from regression.feature_utils.locators import NavMenuLocators


class CheckDebuggerForXssFeatureTest(BaseFeatureTest):
    """Tests to check if Debugger is vulnerable to XSS."""

    scenarios = [
        ("Tests to check if Debugger is vulnerable to XSS", dict())
    ]
    function_name = ""

    def before(self):
        # Some test function is needed for debugger
        self.function_name = "a_test_function" + \
                             str(secrets.choice(range(10000, 65535)))
        test_utils.create_debug_function(
            self.server, self.test_db, self.function_name
        )

        if test_utils.does_function_exist(self.server, self.test_db,
                                          self.function_name) != 'True':
            raise RuntimeError("The required function is not found")

    def runTest(self):
        self.page.wait_for_spinner_to_disappear()
        self.page.add_server(self.server)
        self._function_node_expandable()
        self._debug_function()

    def after(self):
        self.page.remove_server(self.server)
        test_utils.drop_debug_function(self.server, self.test_db,
                                       self.function_name)

    def _function_node_expandable(self):
        self.page.expand_schema_child_node("Server", self.server['name'],
                                           self.server['db_password'],
                                           self.test_db, 'public', "Functions")
        function_node = self.page.check_if_element_exists_with_scroll(
            TreeAreaLocators.function_node(self.function_name + "()"))

        self.assertTrue(bool(function_node),
                        self.function_name + ' function node not found.')

        function_node.click()

    def _debug_function(self):
        self.page.driver.find_element(By.CSS_SELECTOR,
                                      NavMenuLocators.object_menu_css).click()
        ActionChains(
            self.page.driver
        ).move_to_element(
            self.page.driver.find_element(
                By.CSS_SELECTOR, "div[data-label='Debugging']")
        ).perform()
        time.sleep(2)
        self.page.driver.find_element(
            By.CSS_SELECTOR, "li[data-label='Debug']").click()

        # We need to check if debugger plugin is installed or not
        try:
            wait = WebDriverWait(self.page.driver, 2)
            is_error = wait.until(EC.presence_of_element_located(
                (By.XPATH, "//div[contains(@class,'MuiDialogTitle-root')]"
                           "//div[text()='Debugger Error']")
            ))

        except TimeoutException:
            is_error = None

        # If debugger plugin is not found
        if is_error and is_error.text == "Debugger Error":
            click = True
            while click:
                try:
                    self.page.click_modal('OK')
                    wait.until(EC.invisibility_of_element(
                        (By.XPATH, "//div[@class ='MuiDialogTitle-root']"
                                   "//div[text()='Debugger Error']")
                    ))
                    click = False
                except TimeoutException:
                    pass
            self.skipTest(
                "Please make sure that debugger plugin is properly configured"
            )
        else:
            self.page.driver.switch_to.frame(
                self.page.driver.find_element(By.TAG_NAME, 'iframe')
            )

            wait.until(EC.presence_of_element_located(
                (By.XPATH, "//span[contains(.,'Hello, pgAdmin4')]"))
            )
            self.page.click_element(
                self.page.driver.find_elements(By.XPATH, "//button")[2]
            )

            wait.until(EC.presence_of_element_located(
                (By.XPATH, "//div[@id='id-results']//td "
                           "[contains(.,'Hello, pgAdmin4')]"))
            )

            # Only this tab is vulnerable rest are Code Mirror
            # control which are already tested in Query tool test case
            self.page.click_tab('id-debugger-messages', rc_dock=True)
            source_code = self.page.find_by_xpath(
                "//div[@id='id-debugger-messages'] //div[@id='debugger-msg']"
            ).get_attribute('innerHTML')

            self.assertIsNotNone(source_code, 'Messages tab is empty.')

            self._check_escaped_characters(
                source_code,
                'NOTICE:  &lt;img src="x" onerror="console.log(1)"&gt;',
                'Debugger'
            )
            self._close_debugger()

    def _close_debugger(self):
        self.page.driver.switch_to.default_content()
        self.page.click_element(
            self.page.find_by_xpath(
                "//*[@id='dockerContainer']/div/div[3]/div/div[2]/div[1]")
        )

    def _check_escaped_characters(self, source_code, string_to_find, source):
        # For XSS we need to search against element's html code
        assert source_code.find(
            string_to_find) != -1, "{0} might be vulnerable to XSS ".format(
            source)
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`##########################################################################`
			`#`
			`# pgAdmin 4 - PostgreSQL Tools`
			`#`
Update copyright notices for 2023 2023-01-02 00:23:55 -06:00			`# Copyright (C) 2013 - 2023, The pgAdmin Development Team`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`# This software is released under the PostgreSQL Licence`
			`#`
			`##########################################################################`

Fixed Securtiy Hotspot reported by SonarQube. 2022-08-12 06:40:26 -05:00			`import secrets`
Rewrite pgAdmin main menu bar to use React. #5615 2022-12-22 02:55:18 -06:00			`import time`
Ensure that successful maintenance tasks don't leave a notifier window behind when running regression tests. 2019-06-03 10:33:32 -05:00
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`from selenium.webdriver import ActionChains`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`from selenium.common.exceptions import TimeoutException`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`from regression.python_test_utils import test_utils`
			`from regression.feature_utils.base_feature_test import BaseFeatureTest`
Fixed feature tests related to process watcher. 2019-11-12 23:49:21 -06:00			`from regression.feature_utils.tree_area_locators import TreeAreaLocators`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`from selenium.webdriver.support.ui import WebDriverWait`
			`from selenium.webdriver.support import expected_conditions as EC`
			`from selenium.webdriver.common.by import By`
Rewrite pgAdmin main menu bar to use React. #5615 2022-12-22 02:55:18 -06:00			`from regression.feature_utils.locators import NavMenuLocators`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
			`class CheckDebuggerForXssFeatureTest(BaseFeatureTest):`
			`"""Tests to check if Debugger is vulnerable to XSS."""`

			`scenarios = [`
1) Splits the SQL query used to retrieve the Dependents, Dependencies, and Roles SQL file into multiple versioned files. 2) Add Unit Tests for each file. 3) Add ORDER BY into Copy Selection Feature test to ensure the results are retrieved always in the same order 4) Renamed the Scenario of the xss_checks_pgadmin_debugger_test and skip it for versions less than 9.1 5) Deleted unused __init__.py files. 2017-05-15 00:10:46 -05:00			`("Tests to check if Debugger is vulnerable to XSS", dict())`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`]`
Ensure that successful maintenance tasks don't leave a notifier window behind when running regression tests. 2019-06-03 10:33:32 -05:00			`function_name = ""`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
			`def before(self):`
			`# Some test function is needed for debugger`
Ensure that successful maintenance tasks don't leave a notifier window behind when running regression tests. 2019-06-03 10:33:32 -05:00			`self.function_name = "a_test_function" + \`
Fixed Securtiy Hotspot reported by SonarQube. 2022-08-12 06:40:26 -05:00			`str(secrets.choice(range(10000, 65535)))`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`test_utils.create_debug_function(`
Fixed feature tests. Changes included: 1. Created function for traversing the browser tree. 2. Fixed some synchronization issues. 3. Modified locators. 4. Test cases fix for the recent commits. 2019-11-10 23:19:00 -06:00			`self.server, self.test_db, self.function_name`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
Fixed feature tests. Changes included: 1. Created function for traversing the browser tree. 2. Fixed some synchronization issues. 3. Modified locators. 4. Test cases fix for the recent commits. 2019-11-10 23:19:00 -06:00			`if test_utils.does_function_exist(self.server, self.test_db,`
Ensure that successful maintenance tasks don't leave a notifier window behind when running regression tests. 2019-06-03 10:33:32 -05:00			`self.function_name) != 'True':`
Replace the generic exception class with a more specific one. 2020-08-07 02:07:00 -05:00			`raise RuntimeError("The required function is not found")`
Feature test stabilisation. 2019-05-23 03:31:52 -05:00
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`def runTest(self):`
			`self.page.wait_for_spinner_to_disappear()`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`self.page.add_server(self.server)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`self._function_node_expandable()`
			`self._debug_function()`

			`def after(self):`
Use a common function for sever setup in the testsuite. 2018-03-19 08:23:29 -05:00			`self.page.remove_server(self.server)`
Fixed feature tests. Changes included: 1. Created function for traversing the browser tree. 2. Fixed some synchronization issues. 3. Modified locators. 4. Test cases fix for the recent commits. 2019-11-10 23:19:00 -06:00			`test_utils.drop_debug_function(self.server, self.test_db,`
Ensure that successful maintenance tasks don't leave a notifier window behind when running regression tests. 2019-06-03 10:33:32 -05:00			`self.function_name)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
			`def _function_node_expandable(self):`
Fixed feature test cases after react porting. 2021-11-10 00:20:20 -06:00			`self.page.expand_schema_child_node("Server", self.server['name'],`
			`self.server['db_password'],`
			`self.test_db, 'public', "Functions")`
			`function_node = self.page.check_if_element_exists_with_scroll(`
			`TreeAreaLocators.function_node(self.function_name + "()"))`
Fixed feature test failures occurring due to tree changes. 2023-01-03 23:14:22 -06:00
			`self.assertTrue(bool(function_node),`
			`self.function_name + ' function node not found.')`

Fixed feature test cases after react porting. 2021-11-10 00:20:20 -06:00			`function_node.click()`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
			`def _debug_function(self):`
Rewrite pgAdmin main menu bar to use React. #5615 2022-12-22 02:55:18 -06:00			`self.page.driver.find_element(By.CSS_SELECTOR,`
			`NavMenuLocators.object_menu_css).click()`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`ActionChains(`
			`self.page.driver`
			`).move_to_element(`
Rewrite pgAdmin main menu bar to use React. #5615 2022-12-22 02:55:18 -06:00			`self.page.driver.find_element(`
			`By.CSS_SELECTOR, "div[data-label='Debugging']")`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`).perform()`
Rewrite pgAdmin main menu bar to use React. #5615 2022-12-22 02:55:18 -06:00			`time.sleep(2)`
			`self.page.driver.find_element(`
			`By.CSS_SELECTOR, "li[data-label='Debug']").click()`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`# We need to check if debugger plugin is installed or not`
			`try:`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`wait = WebDriverWait(self.page.driver, 2)`
			`is_error = wait.until(EC.presence_of_element_located(`
Fixed feature test failure. 2022-03-07 04:06:10 -06:00			`(By.XPATH, "//div[contains(@class,'MuiDialogTitle-root')]"`
Replace Alertify alert and confirm with React-based model dialog. Fixes #7053 2021-12-07 07:22:40 -06:00			`"//div[text()='Debugger Error']")`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`))`
Fix feature tests following button tooltip changes. 2018-01-23 04:01:20 -06:00
Fixed code smell 'Unused local variables should be removed'. 2020-07-24 01:45:29 -05:00			`except TimeoutException:`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`is_error = None`

			`# If debugger plugin is not found`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`if is_error and is_error.text == "Debugger Error":`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`click = True`
			`while click:`
			`try:`
Fixed 'Remove the unnecessary boolean literals' code smell. 2022-09-09 04:53:18 -05:00			`self.page.click_modal('OK')`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`wait.until(EC.invisibility_of_element(`
Replace Alertify alert and confirm with React-based model dialog. Fixes #7053 2021-12-07 07:22:40 -06:00			`(By.XPATH, "//div[@class ='MuiDialogTitle-root']"`
			`"//div[text()='Debugger Error']")`
Feature test improvement and fix intermittent failures part of #3936 2019-08-22 04:20:51 -05:00			`))`
			`click = False`
			`except TimeoutException:`
			`pass`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`self.skipTest(`
			`"Please make sure that debugger plugin is properly configured"`
			`)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`else:`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`self.page.driver.switch_to.frame(`
Fixed an issue where users would not be able to authenticate in Azure on Linux platforms. Fixes #7495 2022-06-23 07:49:32 -05:00			`self.page.driver.find_element(By.TAG_NAME, 'iframe')`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`)`

			`wait.until(EC.presence_of_element_located(`
			`(By.XPATH, "//span[contains(.,'Hello, pgAdmin4')]"))`
			`)`
			`self.page.click_element(`
Fixed an issue where users would not be able to authenticate in Azure on Linux platforms. Fixes #7495 2022-06-23 07:49:32 -05:00			`self.page.driver.find_elements(By.XPATH, "//button")[2]`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`wait.until(EC.presence_of_element_located(`
1) Added mouse over indication for breakpoint area in the Debugger. Fixes #2647 2) Added search text option to the Debugger panel. Fixes #2648 3) Port Debugger to React. Fixes #6132 2022-06-15 01:07:54 -05:00			`(By.XPATH, "//div[@id='id-results']//td "`
			`"[contains(.,'Hello, pgAdmin4')]"))`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`)`

Remove Backgrid and Backform. Fixes #6134 2022-09-10 03:52:49 -05:00			`# Only this tab is vulnerable rest are Code Mirror`
Cleanup feature tests. Fixes #2586 2017-08-29 08:57:56 -05:00			`# control which are already tested in Query tool test case`
1) Added mouse over indication for breakpoint area in the Debugger. Fixes #2647 2) Added search text option to the Debugger panel. Fixes #2648 3) Port Debugger to React. Fixes #6132 2022-06-15 01:07:54 -05:00			`self.page.click_tab('id-debugger-messages', rc_dock=True)`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`source_code = self.page.find_by_xpath(`
1) Added mouse over indication for breakpoint area in the Debugger. Fixes #2647 2) Added search text option to the Debugger panel. Fixes #2648 3) Port Debugger to React. Fixes #6132 2022-06-15 01:07:54 -05:00			`"//div[@id='id-debugger-messages'] //div[@id='debugger-msg']"`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`).get_attribute('innerHTML')`
Fix feature test failures caused due to invalid binary path. 2023-03-15 08:24:22 -05:00
			`self.assertIsNotNone(source_code, 'Messages tab is empty.')`

Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`self._check_escaped_characters(`
			`source_code,`
			`'NOTICE: <img src="x" onerror="console.log(1)">',`
			`'Debugger'`
			`)`
			`self._close_debugger()`

			`def _close_debugger(self):`
Uses selenium 4.0.0a6 which works with python 3.6 2021-11-12 00:26:44 -06:00			`self.page.driver.switch_to.default_content()`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`self.page.click_element(`
Fix PEP-8 issues in feature_tests, dashboard, about and misc module's python code. Fixes #3082 2018-02-09 06:57:37 -06:00			`self.page.find_by_xpath(`
			`"//*[@id='dockerContainer']/div/div[3]/div/div[2]/div[1]")`
Ensure the query tool displays but does not render HTML returned by the server in the results grid. Fixes #2330. 2017-04-10 08:07:48 -05:00			`)`

			`def _check_escaped_characters(self, source_code, string_to_find, source):`
			`# For XSS we need to search against element's html code`
1) Added mouse over indication for breakpoint area in the Debugger. Fixes #2647 2) Added search text option to the Debugger panel. Fixes #2648 3) Port Debugger to React. Fixes #6132 2022-06-15 01:07:54 -05:00			`assert source_code.find(`
			`string_to_find) != -1, "{0} might be vulnerable to XSS ".format(`
			`source)`