changeset 694:4284b6ad8aa3

tests: plugin text syntaxes sanitisation tests
author Goffi <goffi@goffi.org>
date Tue, 12 Nov 2013 14:16:11 +0100
parents 65b30bc7f1b3
children ddd2781bdd8c
files src/test/helpers.py src/test/test_plugin_text_syntaxes.py
diffstat 2 files changed, 92 insertions(+), 0 deletions(-) [+]
--- a/src/test/helpers.py	Tue Nov 12 14:16:11 2013 +0100
+++ b/src/test/helpers.py	Tue Nov 12 14:16:11 2013 +0100
@@ -72,6 +72,8 @@
 
         setattr(self, name, checkCall)
 
+    def addMethod(self, name, int_suffix, in_sign, out_sign, method, async=False):
+        pass
 
 class FakeMemory(object):
     """Class to simulate and test memory object"""
@@ -94,6 +96,8 @@
     def delWaitingSub(self, contact_jid, profile_key):
         pass
 
+    def updateParams(self, xml):
+        pass
 
 class FakeTriggerManager(object):
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/test/test_plugin_text_syntaxes.py	Tue Nov 12 14:16:11 2013 +0100
@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# SAT: a jabber client
+# Copyright (C) 2009, 2010, 2011, 2012, 2013  Jérôme Poisson (goffi@goffi.org)
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+""" Plugin text syntaxes tests """
+
+from sat.test import helpers
+from sat.plugins import plugin_misc_text_syntaxes
+
+
+class SanitisationTest(helpers.SatTestCase):
+
+    def setUp(self):
+        self.host = helpers.FakeSAT()
+        self.text_syntaxes = plugin_misc_text_syntaxes.TextSyntaxes(self.host)
+
+
+    def test_xhtml_sanitise(self):
+        evil_html = """
+   <html>
+    <head>
+      <script type="text/javascript" src="evil-site"></script>
+      <link rel="alternate" type="text/rss" src="evil-rss">
+      <style>
+        body {background-image: url(javascript:do_evil)};
+        div {color: expression(evil)};
+      </style>
+    </head>
+    <body onload="evil_function()">
+      <!-- I am interpreted for EVIL! -->
+      <a href="javascript:evil_function()">a link</a>
+      <a href="#" onclick="evil_function()">another link</a>
+      <p onclick="evil_function()">a paragraph</p>
+      <div style="display: none">secret EVIL!</div>
+      <object> of EVIL! </object>
+      <iframe src="evil-site"></iframe>
+      <form action="evil-site">
+        Password: <input type="password" name="password">
+      </form>
+      <blink>annoying EVIL!</blink>
+      <a href="evil-site">spam spam SPAM!</a>
+      <image src="evil!">
+    </body>
+   </html>""" # example from lxml: /usr/share/doc/python-lxml-doc/html/lxmlhtml.html#cleaning-up-html
+
+        expected = """<div>
+      <style>/* deleted */</style>
+    <body>
+      <a href="">a link</a>
+      <a href="#">another link</a>
+      <p>a paragraph</p>
+      <div style="">secret EVIL!</div>
+       of EVIL!
+        Password:
+      annoying EVIL!
+      <a href="evil-site">spam spam SPAM!</a>
+      <img src="evil!">
+    </img></body>
+   </div>"""
+
+        d = self.text_syntaxes.clean_xhtml(evil_html)
+        d.addCallback(self.assertEqualXML, expected, ignore_blank=True)
+        return d
+
+
+    def test_styles_sanitise(self):
+        evil_html = """<p style='display: None; test: blah; background: url(: alert()); color: blue;'>test <strong>retest</strong><br><span style="background-color: (alert('bouh')); titi; color: #cf2828; font-size: 3px; direction: !important; color: red; color: red !important; font-size: 100px       !important; font-size: 100px  ! important; font-size: 100%; font-size: 100ox; font-size: 100px; font-size: 100;;;; font-size: 100 %; color: 100 px 1.7em; color: rgba(0, 0, 0, 0.1); color: rgb(35,79,255); background-color: no-repeat; background-color: :alert(1); color: (alert('XSS')); color: (window.location='http://example.org/'); color: url(:window.location='http://example.org/'); "> toto </span></p>"""
+
+        expected = """<p style="color: blue">test <strong>retest</strong><br/><span style="color: #cf2828; font-size: 3px; color: red; color: red !important; font-size: 100px       !important; font-size: 100%; font-size: 100px; font-size: 100; font-size: 100 %; color: rgba(0, 0, 0, 0.1); color: rgb(35,79,255); background-color: no-repeat"> toto </span></p>"""
+
+        d = self.text_syntaxes.clean_xhtml(evil_html)
+        d.addCallback(self.assertEqualXML, expected)
+        return d
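Review bot: Both `expected` strings in test_xhtml_sanitise and test_styles_sanitise pin the exact serialisation that lxml's Cleaner happens to emit (the `<style>/* deleted */</style>` placeholder, the `</img>` closing tag, the preserved duplicate `color:` and `font-size:` declarations), so a failure after an lxml upgrade is indistinguishable from a sanitiser regression. Consider complementing the tree comparison with assertions on the properties that actually matter — the cleaned output contains no `<script>` element, no `on*` attribute and no `javascript:` or `expression(` token — since those keep the security contract stable across library versions. The `javascript:` vector only appears in lower-case, unpadded form; the usual sanitiser test corpora also cover mixed-case and whitespace- or entity-obfuscated spellings of the same scheme and `data:` URIs, and adding those would check the cleaner against the variants it is most likely to meet. Both test methods lack a docstring; `"""Active content (scripts, handlers, javascript: URLs, styles) is stripped from untrusted XHTML."""` for the first and `"""Only well-formed, non-executable CSS declarations survive style attribute cleaning."""` for the second would state the intent. The trailing comment on the `evil_html` literal points at a distribution-specific local doc path; a URL to the lxml "Cleaning up HTML" section would be a more durable reference.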