test: assert fs endpoints are xss safe
This commit is contained in:
Michael Schurter
Mahmood Ali
parent
5ff458e840
commit
d6d44a8214
|
|
@ -20,6 +20,7 @@ import (
|
|||
|
||||
const (
|
||||
defaultLoggerMockDriverStdout = "Hello from the other side"
|
||||
xssLoggerMockDriverStdout = "<script>alert(document.domain);</script>"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
@ -27,6 +28,10 @@ var (
|
|||
"run_for": "2s",
|
||||
"stdout_string": defaultLoggerMockDriverStdout,
|
||||
}
|
||||
xssLoggerMockDriver = map[string]interface{}{
|
||||
"run_for": "2s",
|
||||
"stdout_string": xssLoggerMockDriverStdout,
|
||||
}
|
||||
)
|
||||
|
||||
type clientAllocWaiter int
|
||||
|
|
@ -322,6 +327,31 @@ func TestHTTP_FS_ReadAt(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestHTTP_FS_ReadAt_XSS asserts that the readat API is safe from XSS.
|
||||
func TestHTTP_FS_ReadAt_XSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
httpTest(t, nil, func(s *TestAgent) {
|
||||
a := mockFSAlloc(s.client.NodeID(), xssLoggerMockDriver)
|
||||
addAllocToClient(s, a, terminalClientAlloc)
|
||||
|
||||
path := fmt.Sprintf("%s/v1/client/fs/readat/%s?path=alloc/logs/web.stdout.0&offset=0&limit=%d",
|
||||
s.HTTPAddr(), a.ID, len(xssLoggerMockDriverStdout))
|
||||
resp, err := http.DefaultClient.Get(path)
|
||||
require.NoError(t, err)
|
||||
defer resp.Body.Close()
|
||||
|
||||
buf, err := ioutil.ReadAll(resp.Body)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, xssLoggerMockDriverStdout, string(buf))
|
||||
|
||||
require.Equal(t, []string{"text/plain"}, resp.Header.Values("Content-Type"))
|
||||
require.Equal(t, []string{"nosniff"}, resp.Header.Values("X-Content-Type-Options"))
|
||||
require.Equal(t, []string{"1; mode=block"}, resp.Header.Values("X-XSS-Protection"))
|
||||
require.Equal(t, []string{"default-src 'none'; style-src 'unsafe-inline'; sandbox"},
|
||||
resp.Header.Values("Content-Security-Policy"))
|
||||
})
|
||||
}
|
||||
|
||||
func TestHTTP_FS_Cat(t *testing.T) {
|
||||
t.Parallel()
|
||||
require := require.New(t)
|
||||
|
|
@ -343,6 +373,30 @@ func TestHTTP_FS_Cat(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestHTTP_FS_Cat_XSS asserts that the cat API is safe from XSS.
|
||||
func TestHTTP_FS_Cat_XSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
httpTest(t, nil, func(s *TestAgent) {
|
||||
a := mockFSAlloc(s.client.NodeID(), xssLoggerMockDriver)
|
||||
addAllocToClient(s, a, terminalClientAlloc)
|
||||
|
||||
path := fmt.Sprintf("%s/v1/client/fs/cat/%s?path=alloc/logs/web.stdout.0", s.HTTPAddr(), a.ID)
|
||||
resp, err := http.DefaultClient.Get(path)
|
||||
require.NoError(t, err)
|
||||
defer resp.Body.Close()
|
||||
|
||||
buf, err := ioutil.ReadAll(resp.Body)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, xssLoggerMockDriverStdout, string(buf))
|
||||
|
||||
require.Equal(t, []string{"text/plain"}, resp.Header.Values("Content-Type"))
|
||||
require.Equal(t, []string{"nosniff"}, resp.Header.Values("X-Content-Type-Options"))
|
||||
require.Equal(t, []string{"1; mode=block"}, resp.Header.Values("X-XSS-Protection"))
|
||||
require.Equal(t, []string{"default-src 'none'; style-src 'unsafe-inline'; sandbox"},
|
||||
resp.Header.Values("Content-Security-Policy"))
|
||||
})
|
||||
}
|
||||
|
||||
func TestHTTP_FS_Stream_NoFollow(t *testing.T) {
|
||||
t.Parallel()
|
||||
require := require.New(t)
|
||||
|
|
@ -387,6 +441,26 @@ func TestHTTP_FS_Stream_NoFollow(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestHTTP_FS_Stream_NoFollow_XSS asserts that the stream API is safe from XSS.
|
||||
func TestHTTP_FS_Stream_NoFollow_XSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
httpTest(t, nil, func(s *TestAgent) {
|
||||
a := mockFSAlloc(s.client.NodeID(), xssLoggerMockDriver)
|
||||
addAllocToClient(s, a, terminalClientAlloc)
|
||||
|
||||
path := fmt.Sprintf("%s/v1/client/fs/stream/%s?path=alloc/logs/web.stdout.0&follow=false",
|
||||
s.HTTPAddr(), a.ID)
|
||||
resp, err := http.DefaultClient.Get(path)
|
||||
require.NoError(t, err)
|
||||
defer resp.Body.Close()
|
||||
|
||||
buf, err := ioutil.ReadAll(resp.Body)
|
||||
require.NoError(t, err)
|
||||
expected := `{"Data":"PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg==","File":"alloc/logs/web.stdout.0","Offset":40}`
|
||||
require.Equal(t, expected, string(buf))
|
||||
})
|
||||
}
|
||||
|
||||
func TestHTTP_FS_Stream_Follow(t *testing.T) {
|
||||
t.Parallel()
|
||||
require := require.New(t)
|
||||
|
|
@ -466,6 +540,30 @@ func TestHTTP_FS_Logs(t *testing.T) {
|
|||
})
|
||||
}
|
||||
|
||||
// TestHTTP_FS_Logs_XSS asserts that the logs endpoint always returns
|
||||
// text/plain or application/json content regardless of whether the logs are
|
||||
// HTML+Javascript or not.
|
||||
func TestHTTP_FS_Logs_XSS(t *testing.T) {
|
||||
t.Parallel()
|
||||
httpTest(t, nil, func(s *TestAgent) {
|
||||
a := mockFSAlloc(s.client.NodeID(), xssLoggerMockDriver)
|
||||
addAllocToClient(s, a, terminalClientAlloc)
|
||||
|
||||
// Must make a "real" request to ensure Go's default content
|
||||
// type detection does not detect text/html
|
||||
path := fmt.Sprintf("%s/v1/client/fs/logs/%s?type=stdout&task=web&plain=true", s.HTTPAddr(), a.ID)
|
||||
resp, err := http.DefaultClient.Get(path)
|
||||
require.NoError(t, err)
|
||||
defer resp.Body.Close()
|
||||
|
||||
buf, err := ioutil.ReadAll(resp.Body)
|
||||
require.NoError(t, err)
|
||||
require.Equal(t, xssLoggerMockDriverStdout, string(buf))
|
||||
|
||||
require.Equal(t, []string{"text/plain"}, resp.Header.Values("Content-Type"))
|
||||
})
|
||||
}
|
||||
|
||||
func TestHTTP_FS_Logs_Follow(t *testing.T) {
|
||||
t.Parallel()
|
||||
require := require.New(t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue