frontend: add tests against XSS
This commit is contained in:
parent
1baf325149
commit
a984095282
74
frontend/bgpmap_test.go
Normal file
74
frontend/bgpmap_test.go
Normal file
@ -0,0 +1,74 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestGetASNRepresentation(t *testing.T) {
|
||||
setting.dnsInterface = "asn.cymru.com"
|
||||
result := getASNRepresentation("6939")
|
||||
if !strings.Contains(result, "HURRICANE") {
|
||||
t.Errorf("Lookup AS6939 failed, got %s", result)
|
||||
}
|
||||
}
|
||||
|
||||
func TestGetASNRepresentationFallback(t *testing.T) {
|
||||
setting.dnsInterface = ""
|
||||
result := getASNRepresentation("6939")
|
||||
if result != "AS6939" {
|
||||
t.Errorf("Lookup AS6939 failed, got %s", result)
|
||||
}
|
||||
}
|
||||
|
||||
func TestBirdRouteToGraphviz(t *testing.T) {
|
||||
setting.dnsInterface = ""
|
||||
|
||||
// Don't change formatting of the following strings!
|
||||
|
||||
fakeResult := `192.168.0.1/32 unicast [alpha 2021-01-14 from 192.168.0.2] * (100) [AS12345i]
|
||||
via 192.168.0.2 on eth0
|
||||
Type: BGP univ
|
||||
BGP.origin: IGP
|
||||
BGP.as_path: 4242422601
|
||||
BGP.next_hop: 172.18.0.2`
|
||||
|
||||
expectedResult := `digraph {
|
||||
"Nexthop:\n172.18.0.2" -> "AS4242422601" [color=red];
|
||||
"Nexthop:\n172.18.0.2" [shape=diamond];
|
||||
"AS4242422601" -> "Target: 192.168.0.1" [color=red];
|
||||
"Target: 192.168.0.1" [color=red,shape=diamond];
|
||||
"alpha" [color=blue,shape=box];
|
||||
"alpha" -> "Nexthop:\n172.18.0.2" [color=red];
|
||||
}`
|
||||
|
||||
result := birdRouteToGraphviz([]string{
|
||||
"alpha",
|
||||
}, []string{
|
||||
fakeResult,
|
||||
}, "192.168.0.1")
|
||||
|
||||
for _, line := range strings.Split(result, "\n") {
|
||||
if !strings.Contains(expectedResult, line) {
|
||||
t.Errorf("Unexpected line in result: %s", line)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestBirdRouteToGraphvizXSS(t *testing.T) {
|
||||
setting.dnsInterface = ""
|
||||
|
||||
// Don't change formatting of the following strings!
|
||||
|
||||
fakeResult := `<script>alert("evil!")</script>`
|
||||
|
||||
result := birdRouteToGraphviz([]string{
|
||||
"alpha",
|
||||
}, []string{
|
||||
fakeResult,
|
||||
}, fakeResult)
|
||||
|
||||
if strings.Contains(result, "<script>") {
|
||||
t.Errorf("XSS injection succeeded: %s", result)
|
||||
}
|
||||
}
|
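Review bot: TestGetASNRepresentation performs a live lookup through `setting.dnsInterface = "asn.cymru.com"`, so the suite fails without network access or when that service changes the text it returns; guard it with `if testing.Short() { t.Skip("needs network access") }` or an opt-in environment variable so offline and CI runs stay deterministic. In TestBirdRouteToGraphviz the loop only checks that each output line occurs somewhere in expectedResult, which an empty line always satisfies and which never notices a missing line, so also range over `strings.Split(expectedResult, "\n")` and require each expected line in result, or compare the two line sets outright. TestBirdRouteToGraphvizXSS asserts only that the literal `<script>` is absent; also asserting that the escaped form is present (e.g. `&lt;script&gt;`, if HTML escaping is the intended mechanism — confirm) would distinguish proper escaping from the input simply being dropped.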
@ -19,8 +19,3 @@
|
||||
{{ end }}
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<!--
|
||||
{{ .Raw }}
|
||||
-->
|
||||
|
||||
|
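--- a/frontend/dn42_test.go
+++ b/frontend/dn42_test.go
@@ -0,0 +1,30 @@
+package main
+
+import (
+"testing"
+)
+
+func TestDN42WhoisFilter(t *testing.T) {
+input := "name: Testing\ndescr: Description"
+
+result := dn42WhoisFilter(input)
+
+expectedResult := `name: Testing
+
+1 line(s) skipped.
+`
+
+if result != expectedResult {
+t.Errorf("Output doesn't match expected: %s", result)
+}
+}
+
+func TestDN42WhoisFilterUnneeded(t *testing.T) {
+input := "name: Testing\nwhatever: Description"
+
+result := dn42WhoisFilter(input)
+
+if result != input+"\n" {
+t.Errorf("Output doesn't match expected: %s", result)
+}
+}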
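Review bot: Neither test pins the empty-input boundary of dn42WhoisFilter, even though TestDN42WhoisFilterUnneeded shows that a trailing "\n" is appended to pass-through output; add a case such as `if got := dn42WhoisFilter(""); got != "\n" { t.Errorf("empty input: got %q", got) }` with whichever result is actually intended (presumably "\n" given the pass-through behaviour — confirm against dn42.go). A one-line comment above TestDN42WhoisFilter stating which keys the filter keeps and that dropped lines are replaced by the "N line(s) skipped." summary would make the expected string readable without opening the implementation.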
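--- a/frontend/render_test.go
+++ b/frontend/render_test.go
@@ -0,0 +1,78 @@
+package main
+
+import (
+"io/ioutil"
+"net/http/httptest"
+"net/url"
+"strings"
+"testing"
+)
+
+func initSettings() {
+setting.servers = []string{"alpha"}
+setting.titleBrand = "Bird-lg Go"
+setting.navBarBrand = "Bird-lg Go"
+
+ImportTemplates()
+}
+
+func TestRenderPageTemplate(t *testing.T) {
+initSettings()
+
+title := "Test Title"
+content := "Test Content"
+
+r := httptest.NewRequest("GET", "/route/alpha/192.168.0.1/", nil)
+w := httptest.NewRecorder()
+renderPageTemplate(w, r, title, content)
+
+resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+result := string(resultBytes)
+
+if !strings.Contains(result, title) {
+t.Error("Title not found in output")
+}
+if !strings.Contains(result, content) {
+t.Error("Content not found in output")
+}
+}
+
+func TestRenderPageTemplateXSS(t *testing.T) {
+initSettings()
+
+evil := "<script>alert('evil');</script>"
+
+r := httptest.NewRequest("GET", "/whois/"+url.PathEscape(evil), nil)
+w := httptest.NewRecorder()
+
+// renderPageTemplate doesn't escape content, filter is done beforehand
+renderPageTemplate(w, r, evil, "Test Content")
+
+resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+result := string(resultBytes)
+
+if strings.Contains(result, evil) {
+t.Errorf("XSS injection succeeded: %s", result)
+}
+}
+
+func TestSmartFormatterXSS(t *testing.T) {
+evil := "<script>alert('evil');</script>"
+result := smartFormatter(evil)
+
+if strings.Contains(result, evil) {
+t.Errorf("XSS injection succeeded: %s", result)
+}
+}
+
+func TestSummaryTableXSS(t *testing.T) {
+evil := "<script>alert('evil');</script>"
+evilData := `Name Proto Table State Since Info
+` + evil + ` ` + evil + ` --- up 2021-01-04 17:21:44 ` + evil
+
+result := summaryTable(evilData, evil)
+
+if strings.Contains(result, evil) {
+t.Errorf("XSS injection succeeded: %s", result)
+}
+}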
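Review bot: Both `resultBytes, _ := ioutil.ReadAll(w.Result().Body)` lines (TestRenderPageTemplate and TestRenderPageTemplateXSS) discard the read error, so a failed read surfaces as a misleading "Title not found in output" rather than the real cause; use `resultBytes, err := io.ReadAll(w.Result().Body)` followed by `if err != nil { t.Fatal(err) }` (io.ReadAll needs Go 1.16; keep ioutil with the error check if the module targets something older). The three XSS tests assert only that the verbatim payload is absent, which an implementation that silently drops its input would also satisfy; additionally asserting that the escaped form is present (`&lt;script&gt;` if html/template escaping is the mechanism — confirm) would show the data is rendered rather than lost. The comment `// renderPageTemplate doesn't escape content, filter is done beforehand` should name that earlier filter so a reader knows which function the content path's safety rests on.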