IntenseWebs/pgadmin4
3
0
Fork 0
mirror of https://github.com/pgadmin-org/pgadmin4.git synced 2025-01-24 15:26:46 -06:00
Code Issues Packages Projects Releases Wiki Activity
3bcac26ff9
pgadmin4/web/regression/feature_tests/xss_checks_roles_control_test.py
Aditya Toshniwal 862f101772
Significant changes to use ReactJS extensively. 
1. Replace the current layout library wcDocker with ReactJS based rc-dock. #6479
2. Have close buttons on individual panel tabs instead of common. #2821
3. Changes in the context menu on panel tabs - Add close, close all and close others menu items. #5394
4. Allow closing all the tabs, including SQL and Properties. #4733
5. Changes in docking behaviour of different tabs based on user requests and remove lock layout menu.
6. Fix an issue where the scroll position of panels was not remembered on Firefox. #2986
7. Reset layout now will not require page refresh and is done spontaneously.
8. Use the zustand store for storing preferences instead of plain JS objects. This will help reflecting preferences immediately.
9. The above fix incorrect format (no indent) of SQL stored functions/procedures. #6720
10. New version check is moved to an async request now instead of app start to improve startup performance.
11. Remove jQuery and Bootstrap completely.
12. Replace jasmine and karma test runner with jest. Migrate all the JS test cases to jest. This will save time in writing and debugging JS tests.
13. Other important code improvements and cleanup.
2023-10-23 17:43:17 +05:30

106 lines
3.9 KiB
Python
Raw Blame History

##########################################################################
#
# pgAdmin 4 - PostgreSQL Tools
#
# Copyright (C) 2013 - 2023, The pgAdmin Development Team
# This software is released under the PostgreSQL Licence
#
##########################################################################
import secrets
from regression.python_test_utils import test_utils
from regression.feature_utils.base_feature_test import BaseFeatureTest
from regression.feature_utils.locators import NavMenuLocators
from regression.feature_utils.tree_area_locators import TreeAreaLocators
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait
class CheckRoleMembershipControlFeatureTest(BaseFeatureTest):
"""Tests to check role membership control for xss."""
scenarios = [
("Tests to check if Role membership control is vulnerable to XSS",
dict())
]
role = ""
xss_test_role = "<h1>test</h1>"
def before(self):
# create role
self.role = "test_role" + str(secrets.choice(range(10000, 65535)))
# Some test function is needed for debugger
test_utils.create_role(self.server, "postgres",
self.role)
test_utils.create_role(self.server, "postgres", self.xss_test_role)
test_utils.grant_role(self.server, "postgres",
self.role, self.xss_test_role)
self.wait = WebDriverWait(self.page.driver, 20)
def runTest(self):
self.page.wait_for_spinner_to_disappear()
self.page.add_server(self.server)
self._role_node_expandable(self.role)
self._check_role_membership_control()
def after(self):
self.page.remove_server(self.server)
test_utils.drop_role(self.server, "postgres",
self.role)
test_utils.drop_role(self.server, "postgres", self.xss_test_role)
def _role_node_expandable(self, role):
retry = 2
while retry > 0:
if self.page.expand_server_child_node(
"Server", self.server['name'], self.server['db_password'],
'Login/Group Roles'):
retry = 0
else:
retry -= 1
role_node = self.page.check_if_element_exists_with_scroll(
TreeAreaLocators.role_node(role))
role_node.click()
def _check_role_membership_control(self):
self.page.driver.find_element(
By.CSS_SELECTOR, NavMenuLocators.object_menu_css).click()
edit_object = self.wait.until(EC.visibility_of_element_located(
(By.CSS_SELECTOR, NavMenuLocators.edit_obj_css)))
edit_object.click()
membership_tab = WebDriverWait(self.page.driver, 4).until(
EC.presence_of_element_located((
By.XPATH, "//span[normalize-space(text())='Membership']")))
membership_tab.click()
# Fetch the source code for our custom control
source_code = self.page.find_by_xpath(
"//div[contains(@role, 'cell')]//span[contains(@class,'icon-')]"
"/following-sibling::span"
).get_attribute('innerHTML')
self._check_escaped_characters(
source_code,
'&lt;h1&gt;test&lt;/h1&gt;',
'Role Membership Control'
)
self.page.find_by_xpath("//button/span[text()='Close']").click()
def _check_escaped_characters(self, source_code, string_to_find, source):
# For XSS we need to search against element's html code
assert source_code.find(string_to_find) != - \
1, "{0} might be vulnerable to XSS ".format(source)
def click_membership_tab(self):
"""This will click and open membership tab of role"""
self.page.retry_click(
(By.LINK_TEXT,
"Membership"),
(By.XPATH, "//input[@placeholder='Select members']"))
Reference in New Issue View Git Blame Copy Permalink