Fixed CSRF security vulnerability issue. per Alvin Lindstam. Fixes #4217

Initial patch by: Khushboo Vashi
Modified by: Ashesh Vashi and Murtuza Zabuawala
Khushboo Vashi
2019-05-28 10:59:51 +05:30
committed by Akshay Joshi
parent 90a45557b9
commit 6f0eafb223
36 changed files with 387 additions and 124 deletions


@@ -105,20 +105,13 @@ class ChangePasswordTestCase(BaseTestGenerator):
)
user_id = json.loads(response.data.decode('utf-8'))['id']
# Logout the Administrator before login normal user
test_utils.logout_tester_account(self.tester)
response = self.tester.post(
'/login',
data=dict(
email=self.username,
password=self.password
),
follow_redirects=True
)
self.tester.logout()
response = self.tester.login(self.username, self.password, True)
self.assertEquals(response.status_code, 200)
# test the 'change password' test case
utils.change_password(self)
# Delete the normal user after changing it's password
test_utils.logout_tester_account(self.tester)
self.tester.logout()
# Login the Administrator before deleting normal user
test_utils.login_tester_account(self.tester)
response = self.tester.delete(
@@ -131,4 +124,6 @@ class ChangePasswordTestCase(BaseTestGenerator):
@classmethod
def tearDownClass(cls):
# Make sure - we're already logged out before running
cls.tester.logout()
test_utils.login_tester_account(cls.tester)
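Review bot: The `self.assertEquals(response.status_code, 200)` check after the new `self.tester.login(self.username, self.password, True)` call does not prove the normal user is actually logged in: if the third argument is the follow-redirects flag the removed `post('/login', …)` used, a rejected login re-renders the login form with 200 as well, which is exactly why LoginTestCase in this same commit inspects the body text instead of the status. Assert on the body, e.g. `self.assertNotIn('Invalid password', response.data.decode('utf-8'))`, or check that the username appears in the page. While there, `assertEquals` is a deprecated alias of `assertEqual`. The enclosing test method starts before this hunk, so the surrounding setup is not visible here.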


@@ -41,7 +41,7 @@ class TestLoginUserImage(BaseTestGenerator):
@classmethod
def setUpClass(cls):
"Logout first if already logged in"
utils.logout_tester_account(cls.tester)
cls.tester.logout()
# No need to call baseclass setup function
def setUp(self):
@@ -49,13 +49,8 @@ class TestLoginUserImage(BaseTestGenerator):
def runTest(self):
# Login and check type of image in response
response = self.tester.post(
'/login', data=dict(
email=self.email,
password=self.password
),
follow_redirects=True
)
response = self.tester.login(self.email, self.password, True)
# Should have gravatar image
if config.SHOW_GRAVATAR_IMAGE:
self.assertIn(self.respdata, response.data.decode('utf8'))
@@ -69,4 +64,6 @@ class TestLoginUserImage(BaseTestGenerator):
We need to again login the test client as soon as test scenarios
finishes.
"""
# Make sure - we're already logged out
cls.tester.logout()
utils.login_tester_account(cls.tester)
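Review bot: The bare positional `True` in `response = self.tester.login(self.email, self.password, True)` hides what the flag means; the code it replaces spelled it out as `follow_redirects=True`, and presumably that is what the helper forwards. Passing it by keyword, `self.tester.login(self.email, self.password, follow_redirects=True)`, keeps that readability and protects the call if the helper's positional order ever changes. The same pattern appears in the other test files touched by this commit, so the keyword form should be applied consistently if the helper accepts it; its signature is not visible here, so confirm the parameter name first.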


@@ -8,7 +8,7 @@
##########################################################################
import uuid
import config as app_config
from pgadmin.utils.route import BaseTestGenerator
from regression.python_test_utils import test_utils as utils
from regression.test_setup import config_data
@@ -28,6 +28,7 @@ class LoginTestCase(BaseTestGenerator):
config_data['pgAdmin4_login_credentials']
['login_username']),
password=str(uuid.uuid4())[4:8],
is_gravtar_image_check=False,
respdata='Invalid password')),
# This test case validates the empty password field
@@ -35,6 +36,7 @@ class LoginTestCase(BaseTestGenerator):
email=(
config_data['pgAdmin4_login_credentials']
['login_username']), password='',
is_gravtar_image_check=False,
respdata='Password not provided')),
# This test case validates blank email field
@@ -42,11 +44,13 @@ class LoginTestCase(BaseTestGenerator):
email='', password=(
config_data['pgAdmin4_login_credentials']
['login_password']),
is_gravtar_image_check=False,
respdata='Email not provided')),
# This test case validates empty email and password
('Empty_Credentials', dict(
email='', password='',
is_gravtar_image_check=False,
respdata='Email not provided')),
# This test case validates the invalid/incorrect email id
@@ -55,12 +59,14 @@ class LoginTestCase(BaseTestGenerator):
password=(
config_data['pgAdmin4_login_credentials']
['login_password']),
is_gravtar_image_check=False,
respdata='Specified user does not exist')),
# This test case validates invalid email and password
('Invalid_Credentials', dict(
email=str(uuid.uuid4())[1:8] + '@xyz.com',
password=str(uuid.uuid4())[4:8],
is_gravtar_image_check=False,
respdata='Specified user does not exist')),
# This test case validates the valid/correct credentials and allow user
@@ -72,9 +78,13 @@ class LoginTestCase(BaseTestGenerator):
password=(
config_data['pgAdmin4_login_credentials']
['login_password']),
is_gravtar_image_check=True,
respdata_without_gravtar=config_data['pgAdmin4_login_credentials']
['login_username'],
respdata='Gravatar image for %s' %
config_data['pgAdmin4_login_credentials']
['login_username']))
['login_username']),
)
]
@classmethod
@@ -84,7 +94,7 @@ class LoginTestCase(BaseTestGenerator):
logging in the client like invalid password, invalid emails,
empty credentials etc.
"""
utils.logout_tester_account(cls.tester)
cls.tester.logout()
# No need to call base class setup function
def setUp(self):
@@ -92,15 +102,14 @@ class LoginTestCase(BaseTestGenerator):
def runTest(self):
"""This function checks login functionality."""
response = self.tester.post(
'/login',
data=dict(
email=self.email,
password=self.password
),
follow_redirects=True
)
self.assertTrue(self.respdata in response.data.decode('utf8'))
res = self.tester.login(self.email, self.password, True)
if self.is_gravtar_image_check:
if app_config.SHOW_GRAVATAR_IMAGE:
self.assertTrue(self.respdata in res.data.decode('utf8'))
else:
print(self.respdata_without_gravtar in res.data.decode('utf8'))
else:
self.assertTrue(self.respdata in res.data.decode('utf8'))
@classmethod
def tearDownClass(cls):
@@ -108,4 +117,5 @@ class LoginTestCase(BaseTestGenerator):
We need to again login the test client as soon as test scenarios
finishes.
"""
cls.tester.logout()
utils.login_tester_account(cls.tester)
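Review bot: The `else:` branch under `if app_config.SHOW_GRAVATAR_IMAGE:` only does `print(self.respdata_without_gravtar in res.data.decode('utf8'))`, so when gravatar images are disabled the Valid_Credentials case makes no assertion at all and passes even if the login failed. It should assert, e.g. `self.assertIn(self.respdata_without_gravtar, res.data.decode('utf8'))`, so that a CSRF- or credential-related regression in the login flow is caught in either configuration. The `respdata_without_gravtar` key is only provided for the valid-credentials scenario, which is fine because the other scenarios set `is_gravtar_image_check=False`; a short comment saying so above the `if` would make that dependency explicit.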


@@ -11,7 +11,6 @@ import uuid
from pgadmin.utils.route import BaseTestGenerator
from regression.python_test_utils.test_utils import login_tester_account
from regression.python_test_utils.test_utils import logout_tester_account
from regression.test_setup import config_data
@@ -40,7 +39,7 @@ class ResetPasswordTestCase(BaseTestGenerator):
@classmethod
def setUpClass(cls):
logout_tester_account(cls.tester)
cls.tester.logout()
# No need to call baseclass setup function
def setUp(self):
@@ -50,8 +49,13 @@ class ResetPasswordTestCase(BaseTestGenerator):
"""This function checks reset password functionality."""
response = self.tester.get('/browser/reset_password')
self.assertTrue('Recover pgAdmin 4 Password' in response.data.decode(
'utf-8'))
self.assertTrue(
'Recover Password' in response.data.decode('utf-8')
)
self.assertTrue(
'Enter the email address for the user account you wish to '
'recover the password for' in response.data.decode('utf-8')
)
response = self.tester.post(
'/browser/reset_password', data=dict(email=self.email),
follow_redirects=True)
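Review bot: The POST to `/browser/reset_password` still sends only `data=dict(email=self.email)`, whereas the change_password helper in this same commit now fetches a token with `self.tester.fetch_csrf(response)` and includes `csrf_token=csrf_token` in its form data. If CSRF protection is now enforced on the reset-password form as well, this request will be rejected and the assertions that follow (outside this hunk) will test the error page rather than the recovery flow. Either add `csrf_token=self.tester.fetch_csrf(response)` to the form data here, reusing the GET response already fetched above, or leave a comment stating that the reset form is deliberately exempt. The test method continues past the end of this hunk.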


@@ -13,15 +13,18 @@ def change_password(self):
'/browser/change_password', follow_redirects=True
)
self.assertTrue(
'pgAdmin 4 Password Change' in response.data.decode('utf-8')
'Password Change' in response.data.decode('utf-8')
)
csrf_token = self.tester.fetch_csrf(response)
response = self.tester.post(
'/browser/change_password',
data=dict(
password=self.password,
new_password=self.new_password,
new_password_confirm=self.new_password_confirm
new_password_confirm=self.new_password_confirm,
csrf_token=csrf_token,
),
follow_redirects=True
)