
[2/2] tests: Add test for unescaped values in patch detail page

Message ID 20190705020703.6656-3-dja@axtens.net
State Accepted
Series: XSS in Patchwork - CVE-2019-13122

Commit Message

Daniel Axtens July 5, 2019, 2:07 a.m. UTC
From: Andrew Donnellan <ajd@linux.ibm.com>

Add a test to check whether we are escaping values from the Patch model on
the patch detail page.

This test shouldn't be relied upon as proof that we've escaped everything
correctly, but may help catch regressions.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 patchwork/tests/test_detail.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Patch

diff --git a/patchwork/tests/test_detail.py b/patchwork/tests/test_detail.py
index 4ca1c9cda2f9..18408ecb95f6 100644
--- a/patchwork/tests/test_detail.py
+++ b/patchwork/tests/test_detail.py
@@ -34,6 +34,23 @@  class PatchViewTest(TestCase):
         response = self.client.get(requested_url)
         self.assertRedirects(response, redirect_url)
 
+    def test_escaping(self):
+        # Warning: this test doesn't guarantee anything - it only tests some
+        # fields
+        unescaped_string = 'blah<b>TEST</b>blah'
+        patch = create_patch()
+        patch.diff = unescaped_string
+        patch.commit_ref = unescaped_string
+        patch.pull_url = unescaped_string
+        patch.name = unescaped_string
+        patch.msgid = unescaped_string
+        patch.headers = unescaped_string
+        patch.content = unescaped_string
+        patch.save()
+        requested_url = reverse('patch-detail', kwargs={'patch_id': patch.id})
+        response = self.client.get(requested_url)
+        self.assertNotIn('<b>TEST</b>'.encode('utf-8'), response.content)
+
 
 class CommentRedirectTest(TestCase):
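Review bot: The `assertNotIn` on the last added line passes vacuously when the view errors out or when a seeded field is simply not rendered, because a 500 page or an omitted field contains no `<b>TEST</b>` either, so the test cannot distinguish "escaped" from "not shown". Add `self.assertEqual(response.status_code, 200)` after the `get`, and pin the positive case with `self.assertIn(b'&lt;b&gt;TEST&lt;/b&gt;', response.content)` so at least one seeded field is proven to reach the page in escaped form. A per-field variant that seeds one attribute at a time and checks for the escaped form would catch a single field regressing, though which Patch fields the detail template actually renders is not visible in this hunk and would need confirming. The `.encode('utf-8')` on a pure-ASCII literal can simply be the bytes literal `b'<b>TEST</b>'`.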