Self-Hosted
/
changedetection.io
mirror of https://github.com/dgtlmoon/changedetection.io.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b850bad038'
${ noResults }
changedetection.io/changedetectionio/tests/test_security.py

66 lines
2.0 KiB
Raw Normal View History Unescape

Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
from flask import url_for
Code refactor for fetchers (#1941)
12 months ago
from .util import set_original_response, set_modified_response, live_server_setup, wait_for_all_checks
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
import time
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
def test_bad_access(client, live_server):
live_server_setup(live_server)
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
res = client.post(
url_for("import_page"),
data={"urls": 'https://localhost'},
follow_redirects=True
)
assert b"1 Imported" in res.data
Code refactor for fetchers (#1941)
12 months ago
wait_for_all_checks(client)
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
# Attempt to add a body with a GET method
res = client.post(
url_for("edit_page", uuid="first"),
data={
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
"url": 'javascript:alert(document.domain)',
UI/Functionality - Ability to manage/apply filters and notifications across tags/groups
1 year ago
"tags": "",
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
"method": "GET",
"fetch_backend": "html_requests",
"body": ""},
follow_redirects=True
)
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
res = client.post(
url_for("form_quick_watch_add"),
UI/Functionality - Ability to manage/apply filters and notifications across tags/groups
1 year ago
data={"url": ' javascript:alert(123)', "tags": ''},
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
follow_redirects=True
)
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
res = client.post(
url_for("form_quick_watch_add"),
UI/Functionality - Ability to manage/apply filters and notifications across tags/groups
1 year ago
data={"url": '%20%20%20javascript:alert(123)%20%20', "tags": ''},
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
follow_redirects=True
)
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
res = client.post(
url_for("form_quick_watch_add"),
UI/Functionality - Ability to manage/apply filters and notifications across tags/groups
1 year ago
data={"url": ' source:javascript:alert(document.domain)', "tags": ''},
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
follow_redirects=True
)
assert b'Watch protocol is not permitted by SAFE_PROTOCOL_REGEX' in res.data
# file:// is permitted by default, but it will be caught by ALLOW_FILE_URI
client.post(
url_for("form_quick_watch_add"),
UI/Functionality - Ability to manage/apply filters and notifications across tags/groups
1 year ago
data={"url": 'file:///tasty/disk/drive', "tags": ''},
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
follow_redirects=True
)
Code refactor for fetchers (#1941)
12 months ago
wait_for_all_checks(client)
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
res = client.get(url_for("index"))
Security update - Protect against file:/// type access by webdriver/chrome. (#483)
3 years ago
Security - Possible stored XSS in watch list - Only permit HTTP/HTTP/FTP by default - override with env var `SAFE_PROTOCOL_REGEX` (#1359)
2 years ago
assert b'file:// type access is denied for security reasons.' in res.data