From 3bb72da76ddca83ba705bee6fdd0e55c46c26a53 Mon Sep 17 00:00:00 2001 From: Christo Goosen Date: Tue, 27 May 2025 17:04:48 +0200 Subject: [PATCH 1/5] Escape javascript breaking on backlash or special characters in finding titel --- dojo/templates/dojo/filter_js_snippet.html | 4 +- tests/finding_test.py | 46 ++++++++++++++++++++++ 2 files changed, 48 insertions(+), 2 deletions(-) diff --git a/dojo/templates/dojo/filter_js_snippet.html b/dojo/templates/dojo/filter_js_snippet.html index 2dbad1c4b33..5afd9187818 100644 --- a/dojo/templates/dojo/filter_js_snippet.html +++ b/dojo/templates/dojo/filter_js_snippet.html @@ -37,7 +37,7 @@ {% if title_words %} var title_words = [ {% for word in title_words %} - "{{word}}", + "{{word|escapejs}}", {% endfor %} ]; {% comment %}ideally we use the form.prefix but then we have the trailing dash... django templates are hard{% endcomment %} @@ -49,7 +49,7 @@ {% if component_words %} var component_words = [ {% for word in component_words %} - "{{word}}", + "{{word|escapejs}}", {% endfor %} ]; diff --git a/tests/finding_test.py b/tests/finding_test.py index c836c9bf717..4bcea074e2c 100644 --- a/tests/finding_test.py +++ b/tests/finding_test.py 
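Review bot: `escapejs` is the right filter for a value interpolated into a double-quoted JavaScript string literal inside a `<script>` block, and it closes the syntax break a backslash or quote in a finding title caused in both hunks here (`title_words` and `component_words`). It only makes the value safe as a JS string literal, not as HTML: if the `title_words`/`component_words` arrays are later written into the DOM via `innerHTML` or a jQuery `.html()` call — not visible in these hunks — the HTML encoding still has to happen on the JavaScript side. A more robust shape for a server-provided list is Django's `{{ title_words|json_script:"title-words" }}` read with `JSON.parse(document.getElementById("title-words").textContent)`, which removes the hand-built array literal and the per-item escaping entirely.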
@@ -518,6 +518,52 @@ def test_create_finding_from_template(self): # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template")) + + @on_exception_html_source_logger + def test_create_finding_with_unqiue_characters(self): + driver = self.driver + # Navigate to All Finding page + # goto engagemnent list (and wait for javascript to load) + self.goto_all_engagements_overview(driver) + + # Select a previously created engagement title + driver.find_element(By.PARTIAL_LINK_TEXT, "Ad Hoc Engagement").click() + driver.find_element(By.PARTIAL_LINK_TEXT, "Pen Test").click() + + # Click on the 'dropdownMenu1 button' + # logger.info("\nClicking on dropdown menu \n") + driver.find_element(By.ID, "dropdownMenu_test_add").click() + self.assertNoConsoleErrors() + + # Click on `Apply Template to Finding` + driver.find_element(By.LINK_TEXT, "Finding From Template").click() + self.assertNoConsoleErrors() + # click on the template of 'App Vulnerable to XSS' + logger.info("\nClicking on the template \n") + driver.find_element(By.LINK_TEXT, "Use This Template").click() + self.assertNoConsoleErrors() + + driver.find_element(By.ID, "id_title").clear() + # Backslash causes error + driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \Template") + self.assertNoConsoleErrors() + # Click the 'finished' button to submit + driver.find_element(By.ID, "id_finished").click() + self.assertNoConsoleErrors() + # Query the site to determine if the finding has been added + + # Assert to the query to determine status of failure + self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template")) + + # Navigate back to the finding list + driver.find_element(By.LINK_TEXT, 
"Findings").click() + self.assertNoConsoleErrors() + driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \Template").click() + self.assertNoConsoleErrors() + + # Assert that the finding is present + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \Template")) @on_exception_html_source_logger def test_delete_finding_template(self): From 8885acb70ed40aae16866366a1da5930c9c318ac Mon Sep 17 00:00:00 2001 From: Christo Goosen Date: Tue, 27 May 2025 17:40:49 +0200 Subject: [PATCH 2/5] Ruff formatting and W605 ignore --- tests/finding_test.py | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/tests/finding_test.py b/tests/finding_test.py index 4bcea074e2c..4629682bbfd 100644 --- a/tests/finding_test.py +++ b/tests/finding_test.py @@ -518,7 +518,7 @@ def test_create_finding_from_template(self): # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template")) - + @on_exception_html_source_logger def test_create_finding_with_unqiue_characters(self): driver = self.driver @@ -534,7 +534,6 @@ def test_create_finding_with_unqiue_characters(self): # logger.info("\nClicking on dropdown menu \n") driver.find_element(By.ID, "dropdownMenu_test_add").click() self.assertNoConsoleErrors() - # Click on `Apply Template to Finding` driver.find_element(By.LINK_TEXT, "Finding From Template").click() self.assertNoConsoleErrors() 
@@ -542,16 +541,14 @@ def test_create_finding_with_unqiue_characters(self): logger.info("\nClicking on the template \n") driver.find_element(By.LINK_TEXT, "Use This Template").click() self.assertNoConsoleErrors() - driver.find_element(By.ID, "id_title").clear() - # Backslash causes error - driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \Template") + # Backslash causes error + driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \Template") # noqa: W605 self.assertNoConsoleErrors() # Click the 'finished' button to submit driver.find_element(By.ID, "id_finished").click() self.assertNoConsoleErrors() # Query the site to determine if the finding has been added - # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template")) @@ -559,11 +556,11 @@ def test_create_finding_with_unqiue_characters(self): # Navigate back to the finding list driver.find_element(By.LINK_TEXT, "Findings").click() self.assertNoConsoleErrors() - driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \Template").click() + driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \Template").click() # noqa: W605 self.assertNoConsoleErrors() - + # Assert that the finding is present - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \Template")) + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \Template")) # noqa: W605 @on_exception_html_source_logger def test_delete_finding_template(self): From 962f3fbf11a789604945b527004449dc02c0238d Mon Sep 17 00:00:00 2001 From: Christo Goosen Date: Tue, 27 May 2025 17:44:47 +0200 Subject: [PATCH 3/5] Fix escape character issue with \ --- tests/finding_test.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/tests/finding_test.py b/tests/finding_test.py index 4629682bbfd..f5da45e0f4c 100644 --- a/tests/finding_test.py +++ b/tests/finding_test.py @@ -543,7 +543,7 @@ def test_create_finding_with_unqiue_characters(self): self.assertNoConsoleErrors() driver.find_element(By.ID, "id_title").clear() # Backslash causes error - driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \Template") # noqa: W605 + driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \\Template") # noqa: W605 self.assertNoConsoleErrors() # Click the 'finished' button to submit driver.find_element(By.ID, "id_finished").click() @@ -551,16 +551,16 @@ def test_create_finding_with_unqiue_characters(self): # Query the site to determine if the finding has been added # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From Template")) + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template")) # noqa: W605 # Navigate back to the finding list driver.find_element(By.LINK_TEXT, "Findings").click() self.assertNoConsoleErrors() - driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \Template").click() # noqa: W605 + driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \\Template").click() # noqa: W605 self.assertNoConsoleErrors() # Assert that the finding is present - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \Template")) # noqa: W605 + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \\Template")) # noqa: W605 @on_exception_html_source_logger def test_delete_finding_template(self): From 4958d6b914a11744ca502a4909eb41d2e5bcd037 Mon Sep 17 00:00:00 2001 
From: Christo Goosen Date: Wed, 28 May 2025 10:40:34 +0200 Subject: [PATCH 4/5] Remove ruff noqa comments. --- tests/finding_test.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/finding_test.py b/tests/finding_test.py index f5da45e0f4c..93b2fd93810 100644 --- a/tests/finding_test.py +++ b/tests/finding_test.py @@ -543,7 +543,7 @@ def test_create_finding_with_unqiue_characters(self): self.assertNoConsoleErrors() driver.find_element(By.ID, "id_title").clear() # Backslash causes error - driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \\Template") # noqa: W605 + driver.find_element(By.ID, "id_title").send_keys("App Vulnerable to XSS from \\Template") self.assertNoConsoleErrors() # Click the 'finished' button to submit driver.find_element(By.ID, "id_finished").click() @@ -551,16 +551,16 @@ def test_create_finding_with_unqiue_characters(self): # Query the site to determine if the finding has been added # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template")) # noqa: W605 + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template")) # Navigate back to the finding list driver.find_element(By.LINK_TEXT, "Findings").click() self.assertNoConsoleErrors() - driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \\Template").click() # noqa: W605 + driver.find_element(By.LINK_TEXT, "App Vulnerable to XSS from \\Template").click() self.assertNoConsoleErrors() # Assert that the finding is present - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \\Template")) # noqa: W605 + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS from \\Template")) @on_exception_html_source_logger def test_delete_finding_template(self): 
From 395e171a472fa8ed26eadf18f4ecbf780dc6deb6 Mon Sep 17 00:00:00 2001 From: Christo Goosen Date: Wed, 28 May 2025 13:23:34 +0200 Subject: [PATCH 5/5] Fix ruff failure on w291 --- tests/finding_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/finding_test.py b/tests/finding_test.py index 93b2fd93810..0f7ec62a5dc 100644 --- a/tests/finding_test.py +++ b/tests/finding_test.py @@ -551,7 +551,7 @@ def test_create_finding_with_unqiue_characters(self): # Query the site to determine if the finding has been added # Assert to the query to determine status of failure self.assertTrue(self.is_success_message_present(text="Finding from template added successfully.")) - self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template")) + self.assertTrue(self.is_text_present_on_page(text="App Vulnerable to XSS From \\Template")) # Navigate back to the finding list driver.find_element(By.LINK_TEXT, "Findings").click()