platform/test/sanitize_test.dart

127 lines
4.3 KiB
Dart
Raw Normal View History

2017-01-12 23:57:13 +00:00
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_security/angel_security.dart';
import 'package:angel_test/angel_test.dart';
import 'package:angel_validate/server.dart';
2019-04-20 14:53:52 +00:00
import 'package:http_parser/http_parser.dart';
2017-12-22 13:39:21 +00:00
import 'package:logging/logging.dart';
2017-01-12 23:57:13 +00:00
import 'package:matcher/matcher.dart';
import 'package:test/test.dart';
2017-12-22 13:39:21 +00:00
import 'pretty_logging.dart';
2017-01-12 23:57:13 +00:00
2019-04-20 14:53:52 +00:00
final Validator untrustedSchema = Validator({'html*': isString});
2017-01-12 23:57:13 +00:00
main() async {
Angel app;
TestClient client;
setUp(() async {
2019-04-20 16:37:50 +00:00
var logger = Logger.detached('angel_security')..onRecord.listen(prettyLog);
app = Angel(logger: logger);
2017-03-29 02:44:56 +00:00
app.chain([validate(untrustedSchema), sanitizeHtmlInput()])
..post('/untrusted', (RequestContext req, ResponseContext res) async {
2019-04-20 14:53:52 +00:00
String untrusted = req.bodyAsMap['html'];
2017-01-12 23:57:13 +00:00
res
2019-04-20 14:53:52 +00:00
..contentType = MediaType('text', 'html')
2017-01-12 23:57:13 +00:00
..write('''
<!DOCTYPE html>
<html>
<head>
<title>Potential Security Hole</title>
</head>
<body>$untrusted</body>
</html>''');
})
2017-03-29 02:44:56 +00:00
..post('/attribute', (RequestContext req, ResponseContext res) async {
2019-04-20 14:53:52 +00:00
String untrusted = req.bodyAsMap['html'];
2017-01-12 23:57:13 +00:00
res
2019-04-20 14:53:52 +00:00
..contentType = MediaType('text', 'html')
2017-01-12 23:57:13 +00:00
..write('''
<!DOCTYPE html>
<html>
<head>
<title>Potential Security Hole</title>
</head>
<body>
<img src="$untrusted" />
</body>
</html>''');
});
2019-04-20 16:37:50 +00:00
var oldHandler = app.errorHandler;
app.errorHandler = (e, req, res) {
app.logger.severe(e, e.error, e.stackTrace);
return oldHandler(e, req, res);
};
2017-01-12 23:57:13 +00:00
client = await connectTo(app);
});
tearDown(() => client.close());
group('script tag', () {
test('normal', () async {
var xss = "<script>alert('XSS')</script>";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
test('mixed case', () async {
var xss = "<scRIpT>alert('XSS')</sCRIpt>";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
test('spaces', () async {
var xss = "< s c rip t>alert('XSS')</scr ip t>";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
test('lines', () async {
var xss = "<scri\npt>\n\nalert('XSS')\t\n</sc\nri\npt>";
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
test('accents', () async {
var xss = '''<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>''';
var response = await client.post('/untrusted', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
});
test('quotes', () async {
var xss = '" onclick="<script>alert(\'XSS!\')</script>"';
var response = await client.post('/attribute', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
expect(response.body.toLowerCase().contains('<script>'), isFalse);
});
test('javascript:evil', () async {
var xss = 'javascript:alert(\'XSS!\')';
var response = await client.post('/attribute', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
2017-03-29 02:44:56 +00:00
expect(response.body.toLowerCase().contains(xss), isFalse);
2017-01-12 23:57:13 +00:00
});
test('style attribute', () async {
var xss = "background-image: url(jaVAscRiPt:alert('XSS'))";
var response = await client.post('/attribute', body: {'html': xss});
print(response.body);
expect(response.body.contains(xss), isFalse);
2017-03-29 02:44:56 +00:00
expect(response.body.toLowerCase().contains(xss), isFalse);
2017-01-12 23:57:13 +00:00
});
}