pgadmin4/web/regression/feature_tests/xss_checks_pgadmin_debugger_test.py
Aditya Toshniwal 862f101772
Significant changes to use ReactJS extensively.
1. Replace the current layout library wcDocker with ReactJS based rc-dock. #6479
2. Have close buttons on individual panel tabs instead of common. #2821
3. Changes in the context menu on panel tabs - Add close, close all and close others menu items. #5394
4. Allow closing all the tabs, including SQL and Properties. #4733
5. Changes in docking behaviour of different tabs based on user requests and remove lock layout menu.
6. Fix an issue where the scroll position of panels was not remembered on Firefox. #2986
7. Reset layout now will not require page refresh and is done spontaneously.
8. Use the zustand store for storing preferences instead of plain JS objects. This will help reflecting preferences immediately.
9. The above fix incorrect format (no indent) of SQL stored functions/procedures. #6720
10. New version check is moved to an async request now instead of app start to improve startup performance.
11. Remove jQuery and Bootstrap completely.
12. Replace jasmine and karma test runner with jest. Migrate all the JS test cases to jest. This will save time in writing and debugging JS tests.
13. Other important code improvements and cleanup.
2023-10-23 17:43:17 +05:30

151 lines
5.8 KiB
Python

##########################################################################
#
# pgAdmin 4 - PostgreSQL Tools
#
# Copyright (C) 2013 - 2023, The pgAdmin Development Team
# This software is released under the PostgreSQL Licence
#
##########################################################################
import secrets
import time
from selenium.webdriver import ActionChains
from selenium.common.exceptions import TimeoutException
from regression.python_test_utils import test_utils
from regression.feature_utils.base_feature_test import BaseFeatureTest
from regression.feature_utils.tree_area_locators import TreeAreaLocators
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.common.by import By
from regression.feature_utils.locators import NavMenuLocators
class CheckDebuggerForXssFeatureTest(BaseFeatureTest):
"""Tests to check if Debugger is vulnerable to XSS."""
scenarios = [
("Tests to check if Debugger is vulnerable to XSS", dict())
]
function_name = ""
def before(self):
# Some test function is needed for debugger
self.function_name = "a_test_function" + \
str(secrets.choice(range(10000, 65535)))
test_utils.create_debug_function(
self.server, self.test_db, self.function_name
)
if test_utils.does_function_exist(self.server, self.test_db,
self.function_name) != 'True':
raise RuntimeError("The required function is not found")
def runTest(self):
self.page.wait_for_spinner_to_disappear()
self.page.add_server(self.server)
self._function_node_expandable()
self._debug_function()
def after(self):
self.page.remove_server(self.server)
test_utils.drop_debug_function(self.server, self.test_db,
self.function_name)
def _function_node_expandable(self):
self.page.expand_schema_child_node("Server", self.server['name'],
self.server['db_password'],
self.test_db, 'public', "Functions")
function_node = self.page.check_if_element_exists_with_scroll(
TreeAreaLocators.function_node(self.function_name + "()"))
self.assertTrue(bool(function_node),
self.function_name + ' function node not found.')
function_node.click()
def _debug_function(self):
self.page.driver.find_element(By.CSS_SELECTOR,
NavMenuLocators.object_menu_css).click()
ActionChains(
self.page.driver
).move_to_element(
self.page.driver.find_element(
By.CSS_SELECTOR, "div[data-label='Debugging']")
).perform()
time.sleep(2)
self.page.driver.find_element(
By.CSS_SELECTOR, "li[data-label='Debug']").click()
# We need to check if debugger plugin is installed or not
try:
wait = WebDriverWait(self.page.driver, 2)
is_error = wait.until(EC.presence_of_element_located(
(By.XPATH, "//div[contains(@class,'MuiDialogTitle-root')]"
"//div[text()='Debugger Error']")
))
except TimeoutException:
is_error = None
# If debugger plugin is not found
if is_error and is_error.text == "Debugger Error":
click = True
while click:
try:
self.page.click_modal('OK')
wait.until(EC.invisibility_of_element(
(By.XPATH, "//div[@class ='MuiDialogTitle-root']"
"//div[text()='Debugger Error']")
))
click = False
except TimeoutException:
pass
self.skipTest(
"Please make sure that debugger plugin is properly configured"
)
else:
self.page.driver.switch_to.frame(
self.page.driver.find_element(By.TAG_NAME, 'iframe')
)
wait.until(EC.presence_of_element_located(
(By.XPATH, "//span[contains(.,'Hello, pgAdmin4')]"))
)
self.page.click_element(
self.page.driver.find_elements(By.XPATH, "//button")[2]
)
wait.until(EC.presence_of_element_located(
(By.XPATH, "//div[@id='id-results']//td "
"[contains(.,'Hello, pgAdmin4')]"))
)
# Only this tab is vulnerable rest are Code Mirror
# control which are already tested in Query tool test case
self.page.click_tab('Messages')
source_code = self.page.find_by_xpath(
"//div[@id='id-debugger-messages'] //div[@id='debugger-msg']"
).get_attribute('innerHTML')
self.assertIsNotNone(source_code, 'Messages tab is empty.')
self._check_escaped_characters(
source_code,
'NOTICE: <img src="x" onerror="console.log(1)">',
'Debugger'
)
self._close_debugger()
def _close_debugger(self):
self.page.driver.switch_to.default_content()
self.page.find_by_css_selector("div[data-dockid='id-main'] "
".dock-tab.dock-tab-active "
"button[data-label='Close']").click()
def _check_escaped_characters(self, source_code, string_to_find, source):
# For XSS we need to search against element's html code
assert source_code.find(
string_to_find) != -1, "{0} might be vulnerable to XSS ".format(
source)