import unittest
import requests
from base import ProjectSmokeTest
import config
from pages import helpers
from urllib2 import HTTPError
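class RegressionTests2(unittest.TestCase):
    """Regression checks for HTML injection in user- and node-supplied text.

    Each test submits a payload containing ``<script>`` markup and verifies
    that the application either rejects it (registration) or renders it as
    literal text rather than live markup (node title / description).
    """

    def _assert_rendered_as_text(self, element, payload):
        """Assert that *payload* shows up in *element* as escaped text, not markup.

        ``innerHTML`` serializes text nodes with ``<`` and ``>`` escaped, so
        comparing it for equality with the raw payload would only succeed if a
        real ``<script>`` element had been injected into the DOM -- the
        opposite of what these tests are meant to prove.  What must match the
        raw payload is the visible text (``.text``); additionally no script
        element may be present in the serialized markup.
        """
        self.assertIn(payload, element.text)
        self.assertNotIn('<script', element.get_attribute('innerHTML'))

    def test_username_injection_account_creation(self):
        """Account creation should not allow < or > in fullname fields."""
        # verify=False skips TLS certificate verification; this is only
        # acceptable because the target is the test instance named by
        # config.osf_home, never a production endpoint.
        r = requests.post(
            url='/'.join((config.osf_home.strip('/'), 'register')),
            data={
                'register-fullname': 'Bad <script>alert("xss");</script>Guy',
                'register-username': '[email protected]',
                'register-username2': '[email protected]',
                'register-password': 'password',
                'register-password2': 'password',
            },
            verify=False,
        )
        # ``self.assertRaises(HTTPError)`` without a callable never evaluated
        # anything, so the previous version of this test could not fail.
        # Check the response status explicitly instead.
        # NOTE(review): if the server re-renders the form with HTTP 200 on a
        # validation failure, this needs to inspect the body instead -- confirm.
        self.assertGreaterEqual(
            r.status_code, 400,
            'expected registration to be rejected, got HTTP %d' % r.status_code,
        )

    def test_node_title_injection(self):
        """A node's title should allow < and >, but should HTML encode them.

        This test verifies that when a project is renamed, the title is
        properly encoded.
        """
        page = helpers.get_new_project()
        page.title = 'Bad <script>alert("xss");</script>Project'
        page.reload()
        try:
            self._assert_rendered_as_text(
                page.driver.find_element_by_id('nodeTitleEditable'),
                'Bad <script>alert("xss");</script>Project',
            )
        finally:
            # close the browser page even when the assertion fails
            page.close()

    def test_node_title_injection_creation(self):
        """A node's title should allow < and >, but should HTML encode them.

        This test verifies that when a project is created, the title is
        properly encoded.
        """
        page = helpers.get_new_project(
            title='Bad <script>alert("xss");</script>Project'
        )
        try:
            self._assert_rendered_as_text(
                page.driver.find_element_by_id('nodeTitleEditable'),
                'Bad <script>alert("xss");</script>Project',
            )
        finally:
            page.close()

    def test_node_description_injection_creation(self):
        """A node's description should allow < and >, but should HTML encode
        them.

        This test verifies that when a project is created, the description is
        properly encoded.
        """
        page = helpers.get_new_project(
            description='Bad <script>alert("xss");</script>Project'
        )
        try:
            self._assert_rendered_as_text(
                page.driver.find_element_by_id('contributors'),
                'Bad <script>alert("xss");</script>Project',
            )
        finally:
            page.close()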
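class RegressionTests(ProjectSmokeTest):
    """Regression checks that need a logged-in user and a fresh project."""

    def test_private_component_of_public_project_not_forked(self):
        """Test that private components of a public project are not present
        on a fork of that project made by another user.
        """
        # make the project public
        self.make_public()

        # create a private component; add_component is not guaranteed to
        # leave it private, so flip it explicitly when needed
        private_component_title = "Private-Component"
        private_component_url = self.add_component(
            'hypothesis',
            private_component_title,
        )
        if self.is_public(private_component_url):
            self.make_private(private_component_url)

        # create a public component, again making the visibility explicit
        public_component_title = "Public-Component"
        public_component_url = self.add_component(
            'hypothesis',
            public_component_title,
        )
        if not self.is_public(public_component_url):
            self.make_public(public_component_url)

        # Log out and fork the project as a brand-new user
        self.log_out()
        self.second_user = self.create_user()
        self.log_in(self.second_user)
        try:
            self.goto('dashboard')
            fork_url = self.create_fork()
            try:
                # read the node list once and check both components against it
                nodes_text = self.get_element('#Nodes').text
                # Public component should be there
                self.assertIn(public_component_title, nodes_text)
                # Private component should not be there
                self.assertNotIn(private_component_title, nodes_text)
            finally:
                # delete the forked project even when an assertion fails, so
                # the second user leaves no state behind
                self.goto('settings', node_url=fork_url)
                self.get_element('button[id="delete-node"]').click()
        finally:
            # log back in as the first user so teardown will work, regardless
            # of how the block above exited (an assertion failure here used to
            # leave the session logged in as the second user, which made
            # teardown fail and hid the real failure)
            self.log_out()
            self.log_in()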