pgadmin4/web/pgadmin/feature_tests/xss_checks_roles_control_test.py


##########################################################################
#
# pgAdmin 4 - PostgreSQL Tools
#
# Copyright (C) 2013 - 2020, The pgAdmin Development Team
# This software is released under the PostgreSQL Licence
#
##########################################################################
from __future__ import print_function
import random
from regression.python_test_utils import test_utils
from regression.feature_utils.base_feature_test import BaseFeatureTest
from regression.feature_utils.locators import NavMenuLocators
from regression.feature_utils.tree_area_locators import TreeAreaLocators
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait
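class CheckRoleMembershipControlFeatureTest(BaseFeatureTest):
    """Tests to check role membership control for xss.

    Two roles are created: one with a random name (the role whose Properties
    dialog is opened) and one whose name is an HTML fragment. The Membership
    tab of the first role is then opened and the serialized HTML of the
    membership control is checked for the *escaped* form of the second
    role's name.
    """
    scenarios = [
        ("Tests to check if Role membership control is vulnerable to XSS",
         dict())
    ]

    # Name of the role whose Properties dialog is opened; a random suffix
    # is assigned in before().
    role = ""

    # Role name carrying markup, used to probe the membership control.
    XSS_ROLE_NAME = "<h1>test</h1>"
    # How XSS_ROLE_NAME must appear in innerHTML when rendered as text.
    XSS_ROLE_ESCAPED = '&lt;h1&gt;test&lt;/h1&gt;'

    def before(self):
        """Skip on servers without membership support, else create fixtures.

        Creates the randomly named role and the markup-named role through
        test_utils, then prepares the explicit wait used by the dialog steps.
        """
        with test_utils.Database(self.server) as (connection, _):
            if connection.server_version < 90100:
                self.skipTest(
                    "Membership is not present in Postgres below PG v9.1")

        # Random suffix keeps roles from earlier or parallel runs from
        # colliding with this one.
        self.role = "test_role" + str(random.randint(10000, 65535))
        test_utils.create_role(self.server, "postgres", self.role)
        test_utils.create_role(self.server, "postgres", self.XSS_ROLE_NAME)
        self.wait = WebDriverWait(self.page.driver, 20)

    def runTest(self):
        """Register the server, select the role and inspect its membership."""
        self.page.wait_for_spinner_to_disappear()
        self.page.add_server(self.server)
        self._role_node_expandable(self.role)
        self._check_role_membership_control()

    def after(self):
        """Remove the server from the tree, then drop both fixture roles.

        The role drops run in ``finally`` clauses so a failure while removing
        the server from the browser (or while dropping the first role) does
        not leave the fixture roles behind in the database.
        """
        try:
            self.page.remove_server(self.server)
        finally:
            try:
                test_utils.drop_role(self.server, "postgres", self.role)
            finally:
                test_utils.drop_role(self.server, "postgres",
                                     self.XSS_ROLE_NAME)

    def _role_node_expandable(self, role):
        """Expand the server and 'Login/Group Roles' nodes, then click *role*."""
        self.page.expand_server_node(
            self.server['name'], self.server['db_password'])
        self.page.toggle_open_tree_item('Login/Group Roles')
        self.page.click_a_tree_node(
            role, TreeAreaLocators.sub_nodes_of_login_group_node)

    def _check_role_membership_control(self):
        """Open Object > Properties > Membership and check the control's HTML.

        Closes the dialog with Cancel afterwards so nothing is saved.
        """
        self.page.driver.find_element_by_link_text(
            NavMenuLocators.object_menu_link_text).click()
        property_object = self.wait.until(EC.visibility_of_element_located(
            (By.CSS_SELECTOR, NavMenuLocators.properties_obj_css)))
        property_object.click()
        self.click_membership_tab()

        # The control is custom-rendered, so its serialized HTML is inspected
        # rather than the visible text: only innerHTML distinguishes a name
        # rendered as escaped text from one injected as markup.
        source_code = self.page.find_by_xpath(
            "//div[contains(@class,'rolmembership')]"
        ).get_attribute('innerHTML')
        self._check_escaped_characters(
            source_code,
            self.XSS_ROLE_ESCAPED,
            'Role Membership Control'
        )
        self.page.find_by_xpath(
            "//button[contains(@type, 'cancel') and "
            "contains(.,'Cancel')]"
        ).click()

    def _check_escaped_characters(self, source_code, string_to_find, source):
        """Fail unless *string_to_find* (the escaped form) is in *source_code*.

        Raises AssertionError explicitly instead of using ``assert`` so the
        XSS check is not stripped when the suite runs under ``python -O``.

        NOTE(review): finding the escaped form does not by itself prove the
        raw markup is absent elsewhere in the control; a complementary check
        for the unescaped name is worth adding once it is confirmed that the
        control never legitimately carries it (e.g. in an attribute value).
        """
        if string_to_find not in source_code:
            raise AssertionError(
                "{0} might be vulnerable to XSS ".format(source))

    def click_membership_tab(self):
        """Click the role dialog's Membership tab via retry_click.

        The second locator is presumably what retry_click waits for to
        confirm the tab opened — see the page object.
        """
        self.page.retry_click(
            (By.LINK_TEXT,
             "Membership"),
            (By.XPATH, "//input[@placeholder='Select members']"))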