frontend: add tests against XSS

frontend/bgpmap_test.go

@@ -0,0 +1,74 @@
+package main
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGetASNRepresentation(t *testing.T) {
+	setting.dnsInterface = "asn.cymru.com"
+	result := getASNRepresentation("6939")
+	if !strings.Contains(result, "HURRICANE") {
+		t.Errorf("Lookup AS6939 failed, got %s", result)
+	}
+}
+
+func TestGetASNRepresentationFallback(t *testing.T) {
+	setting.dnsInterface = ""
+	result := getASNRepresentation("6939")
+	if result != "AS6939" {
+		t.Errorf("Lookup AS6939 failed, got %s", result)
+	}
+}
+
+func TestBirdRouteToGraphviz(t *testing.T) {
+	setting.dnsInterface = ""
+
+	// Don't change formatting of the following strings!
+
+	fakeResult := `192.168.0.1/32       unicast [alpha 2021-01-14 from 192.168.0.2] * (100) [AS12345i]
+	via 192.168.0.2 on eth0
+	Type: BGP univ
+	BGP.origin: IGP
+	BGP.as_path: 4242422601
+	BGP.next_hop: 172.18.0.2`
+
+	expectedResult := `digraph {
+"Nexthop:\n172.18.0.2" -> "AS4242422601" [color=red];
+"Nexthop:\n172.18.0.2" [shape=diamond];
+"AS4242422601" -> "Target: 192.168.0.1" [color=red];
+"Target: 192.168.0.1" [color=red,shape=diamond];
+"alpha" [color=blue,shape=box];
+"alpha" -> "Nexthop:\n172.18.0.2" [color=red];
+}`
+
+	result := birdRouteToGraphviz([]string{
+		"alpha",
+	}, []string{
+		fakeResult,
+	}, "192.168.0.1")
+
+	for _, line := range strings.Split(result, "\n") {
+		if !strings.Contains(expectedResult, line) {
+			t.Errorf("Unexpected line in result: %s", line)
+		}
+	}
+}
+
+func TestBirdRouteToGraphvizXSS(t *testing.T) {
+	setting.dnsInterface = ""
+
+	// Don't change formatting of the following strings!
+
+	fakeResult := `<script>alert("evil!")</script>`
+
+	result := birdRouteToGraphviz([]string{
+		"alpha",
+	}, []string{
+		fakeResult,
+	}, fakeResult)
+
+	if strings.Contains(result, "<script>") {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}

frontend/bindata/templates/summary.tpl

@@ -19,8 +19,3 @@
 {{ end }}
   </tbody>
 </table>
-
-<!-- 
-{{ .Raw }}
--->
-

frontend/dn42_test.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"testing"
+)
+
+func TestDN42WhoisFilter(t *testing.T) {
+	input := "name: Testing\ndescr: Description"
+
+	result := dn42WhoisFilter(input)
+
+	expectedResult := `name: Testing
+
+1 line(s) skipped.
+`
+
+	if result != expectedResult {
+		t.Errorf("Output doesn't match expected: %s", result)
+	}
+}
+
+func TestDN42WhoisFilterUnneeded(t *testing.T) {
+	input := "name: Testing\nwhatever: Description"
+
+	result := dn42WhoisFilter(input)
+
+	if result != input+"\n" {
+		t.Errorf("Output doesn't match expected: %s", result)
+	}
+}

frontend/render_test.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"io/ioutil"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+func initSettings() {
+	setting.servers = []string{"alpha"}
+	setting.titleBrand = "Bird-lg Go"
+	setting.navBarBrand = "Bird-lg Go"
+
+	ImportTemplates()
+}
+
+func TestRenderPageTemplate(t *testing.T) {
+	initSettings()
+
+	title := "Test Title"
+	content := "Test Content"
+
+	r := httptest.NewRequest("GET", "/route/alpha/192.168.0.1/", nil)
+	w := httptest.NewRecorder()
+	renderPageTemplate(w, r, title, content)
+
+	resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+	result := string(resultBytes)
+
+	if !strings.Contains(result, title) {
+		t.Error("Title not found in output")
+	}
+	if !strings.Contains(result, content) {
+		t.Error("Content not found in output")
+	}
+}
+
+func TestRenderPageTemplateXSS(t *testing.T) {
+	initSettings()
+
+	evil := "<script>alert('evil');</script>"
+
+	r := httptest.NewRequest("GET", "/whois/"+url.PathEscape(evil), nil)
+	w := httptest.NewRecorder()
+
+	// renderPageTemplate doesn't escape content, filter is done beforehand
+	renderPageTemplate(w, r, evil, "Test Content")
+
+	resultBytes, _ := ioutil.ReadAll(w.Result().Body)
+	result := string(resultBytes)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}
+
+func TestSmartFormatterXSS(t *testing.T) {
+	evil := "<script>alert('evil');</script>"
+	result := smartFormatter(evil)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}
+
+func TestSummaryTableXSS(t *testing.T) {
+	evil := "<script>alert('evil');</script>"
+	evilData := `Name       Proto      Table      State  Since         Info
+` + evil + ` ` + evil + `       ---        up     2021-01-04 17:21:44  ` + evil
+
+	result := summaryTable(evilData, evil)
+
+	if strings.Contains(result, evil) {
+		t.Errorf("XSS injection succeeded: %s", result)
+	}
+}