import urllib.error
import urllib.request

import pytest

try:
    from selenium.webdriver.support.ui import WebDriverWait
    from selenium.webdriver.support.expected_conditions import staleness_of, title_is
    from selenium.common.exceptions import NoSuchElementException
except:
    pass
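class WaitForPageLoad(object):
    """Context manager that blocks on exit until the page open on entry is gone.

    Usage: ``with WaitForPageLoad(browser): element.click()``. On entry the
    current ``<html>`` element is captured; on exit the manager waits until
    Selenium reports that element as stale, which is the signal that the
    browser has navigated to a new document.

    ``browser`` is a Selenium WebDriver (only ``find_element_by_tag_name`` is
    called on it). ``timeout`` is the number of seconds ``WebDriverWait`` waits
    for the navigation before raising ``TimeoutException``; it defaults to the
    10 s that used to be hard-coded.
    """

    def __init__(self, browser, timeout=10):
        self.browser = browser
        self.timeout = timeout
        self.old_page = None

    def __enter__(self):
        # Remember the document that is current right now; a navigation
        # detaches it and Selenium then reports it as stale.
        self.old_page = self.browser.find_element_by_tag_name('html')
        return self

    def __exit__(self, exc_type, exc_value, traceback):
        # If the with-body already failed, do not spend `timeout` seconds
        # waiting for a navigation that probably never started: a
        # TimeoutException raised here would mask the original error.
        if exc_type is not None:
            return False
        WebDriverWait(self.browser, self.timeout).until(staleness_of(self.old_page))
        return False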
def getContextUrl(browser):
    """Return the URL of the browsing context the driver is currently switched to.

    The value is obtained by evaluating ``window.location`` in the page, so it
    is computed inside whatever frame ``browser.switch_to`` last selected
    (the callers rely on this to read the iframe's URL after switching to it).
    """
    location_script = "return window.location.toString()"
    return browser.execute_script(location_script)
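def getUrl(url, timeout=30):
    """Fetch *url* and return the response body as text.

    Unlike a bare ``urllib.request.urlopen`` the body is returned for 4xx/5xx
    responses too: the callers in this file deliberately request paths that
    must be rejected and look for "Not Found" / "Forbidden" in the body.
    ``urllib.request`` reports those statuses by raising
    ``urllib.error.HTTPError`` (Python 2's ``urllib.urlopen`` did not), so that
    exception is caught and its body read instead of letting it escape.

    The body is decoded as UTF-8 (undecodable bytes replaced) because the
    callers compare it with ``str`` literals; returning ``bytes`` would make
    ``"Forbidden" in content`` raise ``TypeError``.

    ``timeout`` is the socket timeout in seconds, so a hung server fails the
    test instead of blocking it forever.

    Raises ``AssertionError`` if the body contains "server error", i.e. the
    server hit an unhandled exception rather than rejecting the request
    cleanly. Other ``URLError``s (connection refused, timeout) propagate.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            raw = response.read()
    except urllib.error.HTTPError as err:
        # HTTPError is itself a file-like response; its body is exactly the
        # error page the callers want to inspect.
        raw = err.read()
        err.close()
    content = raw.decode("utf-8", "replace")
    assert "server error" not in content.lower(), "Got a server error! " + repr(url)
    return content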
@pytest.mark.usefixtures("resetSettings")
@pytest.mark.webtest
class TestWeb:
    def testFileSecurity(self, site_url):
        """Direct requests for files outside a site's directory must be refused.

        Every URL below aims at the server's own files (sites.json, users.json,
        content.db, key-rsa.pem, config.py, zeronet.py), either by name or via
        ``.`` / ``..`` path segments under the /media/ and /raw/ prefixes or
        the site root. Each must answer with "Forbidden" in the body, except
        the plain ``<prefix>/sites.json`` requests, which are simply unknown
        and answer "Not Found".

        NOTE(review): only the body text is checked, not the HTTP status, and
        only literal ``.`` / ``..`` segments are tried; percent-encoded
        (``%2e%2e``) or backslash variants are not exercised here.
        """
        site = "1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr"
        # Escapes that must be refused under a file-serving prefix, in the
        # order they are tried.
        escapes = [
            "./sites.json",
            "../config.py",
            site + "/../sites.json",
            site + "/..//sites.json",
            site + "/../../zeronet.py",
        ]

        for prefix in ("media", "raw"):
            # A data file named directly under the prefix is just not there.
            assert "Not Found" in getUrl("%s/%s/sites.json" % (site_url, prefix))
            for path in escapes:
                assert "Forbidden" in getUrl("%s/%s/%s" % (site_url, prefix, path))

        # The site-address-based escapes again, straight from the root.
        for path in escapes[2:]:
            assert "Forbidden" in getUrl("%s/%s" % (site_url, path))

        # Server-private files requested without any site address.
        private_files = (
            "content.db",
            "./users.json",
            "./key-rsa.pem",
            "././././././././././//////sites.json",
        )
        for path in private_files:
            assert "Forbidden" in getUrl("%s/%s" % (site_url, path))
    def testLinkSecurity(self, browser, site_url: str) -> None:
        """Check that site content stays sandboxed inside the wrapper's iframe.

        Loading a site page yields the wrapper (title "ZeroHello - ZeroNet"),
        which embeds the site in ``#inner-iframe`` at a URL carrying a
        ``wrapper_nonce``. The steps below verify that links clicked inside
        the iframe, with and without ``target=_top``, land in a fresh wrapper
        (no nonce in the top-level URL, no nested iframe, no "Forbidden"),
        and that the iframe cannot promote its own nonce'd URL to the top
        level and have it served unwrapped.
        """
        browser.get("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url)
        WebDriverWait(browser, 10).until(title_is("ZeroHello - ZeroNet"))
        assert getContextUrl(browser) == "%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url

        # Switch to inner frame
        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
        # The framed document is served under a wrapper_nonce URL.
        assert "wrapper_nonce" in getContextUrl(browser)
        # Inside the wrapper the page's script must run and report success
        # (compare testRaw, where the same page must report "Result: Fail").
        assert browser.find_element_by_id("script_output").text == "Result: Works"
        browser.switch_to.default_content()

        # Clicking on links without target
        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
        with WaitForPageLoad(browser):
            browser.find_element_by_id("link_to_current").click()
        # After the navigation the old frame is gone, so the driver reports the
        # top-level document again: it must be a wrapper, not the nonce'd URL.
        assert "wrapper_nonce" not in getContextUrl(browser)  # The browser object back to default content
        assert "Forbidden" not in browser.page_source

        # Check if we have frame inside frame
        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
        with pytest.raises(NoSuchElementException):
            # find_element_by_id raises before `assert not` is evaluated; the
            # assert only matters if an element were unexpectedly returned.
            assert not browser.find_element_by_id("inner-iframe")
        browser.switch_to.default_content()

        # Clicking on link with target=_top
        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
        with WaitForPageLoad(browser):
            browser.find_element_by_id("link_to_top").click()
        # Same expectation as for the target-less link: a wrapper at the top.
        assert "wrapper_nonce" not in getContextUrl(browser)  # The browser object back to default content
        assert "Forbidden" not in browser.page_source
        browser.switch_to.default_content()

        # Try to escape from inner_frame
        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
        assert "wrapper_nonce" in getContextUrl(browser)  # Make sure we are inside of the inner-iframe
        with WaitForPageLoad(browser):
            # From inside the iframe, point the top-level window at the
            # iframe's own nonce'd URL.
            browser.execute_script("window.top.location = window.location")
        assert "wrapper_nonce" in getContextUrl(browser)  # We try to use nonce-ed html without iframe
        # The reused nonce must be answered with a wrapper (which contains an
        # iframe) rather than the bare inner document.
        assert "<iframe" in browser.page_source  # Only allow to use nonce once-time
        browser.switch_to.default_content()
    def testRaw(self, browser, site_url):
        """Under /raw/ the page is served unwrapped and its check must fail.

        The same security.html is loaded through the ``/raw/`` prefix: there
        is no ZeroHello wrapper (the document keeps its own title "Security
        tests"), the URL stays exactly as requested, and the page's script
        must report "Result: Fail" instead of the "Result: Works" it reports
        inside the wrapper in testLinkSecurity. What the script probes is
        defined in security.html, not here.
        """
        raw_url = "%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url
        browser.get(raw_url)
        WebDriverWait(browser, 10).until(title_is("Security tests"))
        assert getContextUrl(browser) == raw_url

        output = browser.find_element_by_id("script_output")
        assert output.text == "Result: Fail"