forked from potsda.mn/mobilizon
test: add new tests for XSS in actors summary
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
parent
41227d994c
commit
58e50e3c9f
92
test/federation/activity_pub/types/actors_test.exs
Normal file
92
test/federation/activity_pub/types/actors_test.exs
Normal file
|
|
@ -0,0 +1,92 @@
|
||||||
|
defmodule Mobilizon.Federation.ActivityPub.Types.ActorsTest do
|
||||||
|
use Mobilizon.DataCase
|
||||||
|
|
||||||
|
import Mobilizon.Factory
|
||||||
|
|
||||||
|
alias Mobilizon.Actors.Actor
|
||||||
|
alias Mobilizon.Federation.ActivityPub.Types.Actors
|
||||||
|
|
||||||
|
describe "group creation" do
|
||||||
|
test "with no public key" do
|
||||||
|
%Actor{id: creator_actor_id} = insert(:actor)
|
||||||
|
|
||||||
|
assert_raise RuntimeError, "No publickey found in private keys", fn ->
|
||||||
|
Actors.create(
|
||||||
|
%{
|
||||||
|
preferred_username: "hello",
|
||||||
|
summary: "hi",
|
||||||
|
url: "https://some-unique-url.test/@actor",
|
||||||
|
keys: "yool",
|
||||||
|
creator_actor_id: creator_actor_id
|
||||||
|
},
|
||||||
|
%{}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
test "with XSS" do
|
||||||
|
%Actor{id: creator_actor_id} = insert(:actor)
|
||||||
|
|
||||||
|
preferred_username =
|
||||||
|
"hello <meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
|
||||||
|
|
||||||
|
summary =
|
||||||
|
"<p>Some text before <meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" /></p>"
|
||||||
|
|
||||||
|
assert {:ok, %Actor{preferred_username: saved_preferred_username, summary: saved_summary},
|
||||||
|
_} =
|
||||||
|
Actors.create(
|
||||||
|
%{
|
||||||
|
preferred_username: preferred_username,
|
||||||
|
summary: summary,
|
||||||
|
url: "https://some-unique-url.test/@actor",
|
||||||
|
creator_actor_id: creator_actor_id,
|
||||||
|
type: :Group
|
||||||
|
},
|
||||||
|
%{}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert saved_preferred_username == "hello"
|
||||||
|
assert saved_summary == "<p>Some text before </p>"
|
||||||
|
|
||||||
|
preferred_username =
|
||||||
|
"<<img src=''/>meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
|
||||||
|
|
||||||
|
summary =
|
||||||
|
"<<img src=''/>meta http-equiv=\"refresh\" content=\"0; url=http://example.com/\" />"
|
||||||
|
|
||||||
|
assert {:error, %Ecto.Changeset{errors: errors}} =
|
||||||
|
Actors.create(
|
||||||
|
%{
|
||||||
|
preferred_username: preferred_username,
|
||||||
|
summary: summary,
|
||||||
|
url: "https://some-unique-url.test/@actor",
|
||||||
|
creator_actor_id: creator_actor_id,
|
||||||
|
type: :Group
|
||||||
|
},
|
||||||
|
%{}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert errors === [
|
||||||
|
preferred_username:
|
||||||
|
{"Username must only contain alphanumeric lowercased characters and underscores.",
|
||||||
|
[]}
|
||||||
|
]
|
||||||
|
|
||||||
|
assert {:ok, %Actor{summary: saved_summary}, _} =
|
||||||
|
Actors.create(
|
||||||
|
%{
|
||||||
|
preferred_username: "hello184",
|
||||||
|
summary: summary,
|
||||||
|
url: "https://some-unique-url.test/@actor",
|
||||||
|
creator_actor_id: creator_actor_id,
|
||||||
|
type: :Group
|
||||||
|
},
|
||||||
|
%{}
|
||||||
|
)
|
||||||
|
|
||||||
|
assert saved_summary ==
|
||||||
|
"<<img src=\"\"/>meta http-equiv="refresh" content="0; url=http://example.com/" />"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
Loading…
Reference in a new issue