331 lines
17 KiB
Python
331 lines
17 KiB
Python
# -*- coding: utf-8 -*-
|
|
# Part of Odoo, Flectra. See LICENSE file for full copyright and licensing details.
|
|
|
|
import unittest
|
|
|
|
from flectra.tools import html_sanitize, append_content_to_html, plaintext2html, email_split, misc
|
|
from . import test_mail_examples
|
|
|
|
|
|
class TestSanitizer(unittest.TestCase):
|
|
""" Test the html sanitizer that filters html to remove unwanted attributes """
|
|
|
|
def test_basic_sanitizer(self):
|
|
cases = [
|
|
("yop", "<p>yop</p>"), # simple
|
|
("lala<p>yop</p>xxx", "<p>lala</p><p>yop</p>xxx"), # trailing text
|
|
("Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci",
|
|
u"<p>Merci à l'intérêt pour notre produit.nous vous contacterons bientôt. Merci</p>"), # unicode
|
|
]
|
|
for content, expected in cases:
|
|
html = html_sanitize(content)
|
|
self.assertEqual(html, expected, 'html_sanitize is broken')
|
|
|
|
def test_mako(self):
|
|
cases = [
|
|
('''<p>Some text</p>
|
|
<% set signup_url = object.get_signup_url() %>
|
|
% if signup_url:
|
|
<p>
|
|
You can access this document and pay online via our Customer Portal:
|
|
</p>''', '''<p>Some text</p>
|
|
<% set signup_url = object.get_signup_url() %>
|
|
% if signup_url:
|
|
<p>
|
|
You can access this document and pay online via our Customer Portal:
|
|
</p>''')
|
|
]
|
|
for content, expected in cases:
|
|
html = html_sanitize(content, silent=False)
|
|
self.assertEqual(html, expected, 'html_sanitize: broken mako management')
|
|
|
|
def test_evil_malicious_code(self):
|
|
# taken from https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Tests
|
|
cases = [
|
|
("<IMG SRC=javascript:alert('XSS')>"), # no quotes and semicolons
|
|
("<IMG SRC=javascript:alert('XSS')>"), # UTF-8 Unicode encoding
|
|
("<IMG SRC=javascript:alert('XSS')>"), # hex encoding
|
|
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded carriage return
|
|
("<IMG SRC=\"jav
ascript:alert('XSS');\">"), # embedded newline
|
|
("<IMG SRC=\"jav ascript:alert('XSS');\">"), # embedded tab
|
|
("<IMG SRC=\"jav	ascript:alert('XSS');\">"), # embedded encoded tab
|
|
("<IMG SRC=\"  javascript:alert('XSS');\">"), # spaces and meta-characters
|
|
("<IMG SRC=\"javascript:alert('XSS')\""), # half-open html
|
|
("<IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\">"), # malformed tag
|
|
("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
|
|
("<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>"), # non-alpha-non-digits
|
|
("<<SCRIPT>alert(\"XSS\");//<</SCRIPT>"), # extraneous open brackets
|
|
("<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >"), # non-closing script tags
|
|
("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"), # input image
|
|
("<BODY BACKGROUND=\"javascript:alert('XSS')\">"), # body image
|
|
("<IMG DYNSRC=\"javascript:alert('XSS')\">"), # img dynsrc
|
|
("<IMG LOWSRC=\"javascript:alert('XSS')\">"), # img lowsrc
|
|
("<TABLE BACKGROUND=\"javascript:alert('XSS')\">"), # table
|
|
("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"), # td
|
|
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background
|
|
("<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">"), # div background with unicoded exploit
|
|
("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"), # div background + extra characters
|
|
("<IMG SRC='vbscript:msgbox(\"XSS\")'>"), # VBscrip in an image
|
|
("<BODY ONLOAD=alert('XSS')>"), # event handler
|
|
("<BR SIZE=\"&{alert('XSS')}\>"), # & javascript includes
|
|
("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">"), # style sheet
|
|
("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">"), # remote style sheet
|
|
("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>"), # remote style sheet 2
|
|
("<META HTTP-EQUIV=\"Link\" Content=\"<http://ha.ckers.org/xss.css>; REL=stylesheet\">"), # remote style sheet 3
|
|
("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>"), # remote style sheet 4
|
|
("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"), # style attribute using a comment to break up expression
|
|
]
|
|
for content in cases:
|
|
html = html_sanitize(content)
|
|
self.assertNotIn('javascript', html, 'html_sanitize did not remove a malicious javascript')
|
|
self.assertTrue('ha.ckers.org' not in html or 'http://ha.ckers.org/xss.css' in html, 'html_sanitize did not remove a malicious code in %s (%s)' % (content, html))
|
|
|
|
content = "<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->" # down-level hidden block
|
|
self.assertEquals(html_sanitize(content, silent=False), '')
|
|
|
|
def test_html(self):
|
|
sanitized_html = html_sanitize(test_mail_examples.MISC_HTML_SOURCE)
|
|
for tag in ['<div', '<b', '<i', '<u', '<strike', '<li', '<blockquote', '<a href']:
|
|
self.assertIn(tag, sanitized_html, 'html_sanitize stripped too much of original html')
|
|
for attr in ['javascript']:
|
|
self.assertNotIn(attr, sanitized_html, 'html_sanitize did not remove enough unwanted attributes')
|
|
|
|
def test_sanitize_escape_emails(self):
|
|
emails = [
|
|
"Charles <charles.bidule@truc.fr>",
|
|
"Dupuis <'tr/-: ${dupuis#$'@truc.baz.fr>",
|
|
"Technical <service/technical+2@open.com>",
|
|
"Div nico <div-nico@open.com>"
|
|
]
|
|
for email in emails:
|
|
self.assertIn(misc.html_escape(email), html_sanitize(email), 'html_sanitize stripped emails of original html')
|
|
|
|
def test_sanitize_unescape_emails(self):
|
|
not_emails = [
|
|
'<blockquote cite="mid:CAEJSRZvWvud8c6Qp=wfNG6O1+wK3i_jb33qVrF7XyrgPNjnyUA@mail.gmail.com" type="cite">cat</blockquote>',
|
|
'<img alt="@github-login" class="avatar" src="/web/image/pi" height="36" width="36">']
|
|
for email in not_emails:
|
|
sanitized = html_sanitize(email)
|
|
left_part = email.split('>')[0] # take only left part, as the sanitizer could add data information on node
|
|
self.assertNotIn(misc.html_escape(email), sanitized, 'html_sanitize stripped emails of original html')
|
|
self.assertIn(left_part, sanitized)
|
|
|
|
def test_style_parsing(self):
|
|
test_data = [
|
|
(
|
|
'<span style="position: fixed; top: 0px; left: 50px; width: 40%; height: 50%; background-color: red;">Coin coin </span>',
|
|
['background-color: red', 'Coin coin'],
|
|
['position', 'top', 'left']
|
|
), (
|
|
"""<div style='before: "Email Address; coincoin cheval: lapin";
|
|
font-size: 30px; max-width: 100%; after: "Not sure
|
|
|
|
this; means: anything ?#ùµ"
|
|
; some-property: 2px; top: 3'>youplaboum</div>""",
|
|
['font-size: 30px', 'youplaboum'],
|
|
['some-property', 'top', 'cheval']
|
|
), (
|
|
'<span style="width">Coincoin</span>',
|
|
[],
|
|
['width']
|
|
)
|
|
]
|
|
|
|
for test, in_lst, out_lst in test_data:
|
|
new_html = html_sanitize(test, sanitize_attributes=False, sanitize_style=True, strip_style=False, strip_classes=False)
|
|
for text in in_lst:
|
|
self.assertIn(text, new_html)
|
|
for text in out_lst:
|
|
self.assertNotIn(text, new_html)
|
|
|
|
# style should not be sanitized if removed
|
|
new_html = html_sanitize(test_data[0][0], sanitize_attributes=False, strip_style=True, strip_classes=False)
|
|
self.assertEqual(new_html, u'<span>Coin coin </span>')
|
|
|
|
def test_style_class(self):
|
|
html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=True, sanitize_style=True, strip_classes=True)
|
|
for ext in test_mail_examples.REMOVE_CLASS_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.REMOVE_CLASS_OUT:
|
|
self.assertNotIn(ext, html,)
|
|
|
|
def test_style_class_only(self):
|
|
html = html_sanitize(test_mail_examples.REMOVE_CLASS, sanitize_attributes=False, sanitize_style=True, strip_classes=True)
|
|
for ext in test_mail_examples.REMOVE_CLASS_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.REMOVE_CLASS_OUT:
|
|
self.assertNotIn(ext, html,)
|
|
|
|
def test_edi_source(self):
|
|
html = html_sanitize(test_mail_examples.EDI_LIKE_HTML_SOURCE)
|
|
self.assertIn(
|
|
'font-family: \'Lucida Grande\', Ubuntu, Arial, Verdana, sans-serif;', html,
|
|
'html_sanitize removed valid styling')
|
|
self.assertIn(
|
|
'src="https://www.paypal.com/en_US/i/btn/btn_paynowCC_LG.gif"', html,
|
|
'html_sanitize removed valid img')
|
|
self.assertNotIn('</body></html>', html, 'html_sanitize did not remove extra closing tags')
|
|
|
|
def test_quote_blockquote(self):
|
|
html = html_sanitize(test_mail_examples.QUOTE_BLOCKQUOTE)
|
|
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.QUOTE_BLOCKQUOTE_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s' % misc.html_escape(ext), html)
|
|
|
|
def test_quote_thunderbird(self):
|
|
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_1)
|
|
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.QUOTE_THUNDERBIRD_1_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
|
|
|
|
def test_quote_hotmail_html(self):
|
|
html = html_sanitize(test_mail_examples.QUOTE_HOTMAIL_HTML)
|
|
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.QUOTE_HOTMAIL_HTML_OUT:
|
|
self.assertIn(ext, html)
|
|
|
|
html = html_sanitize(test_mail_examples.HOTMAIL_1)
|
|
for ext in test_mail_examples.HOTMAIL_1_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.HOTMAIL_1_OUT:
|
|
self.assertIn(ext, html)
|
|
|
|
def test_quote_thunderbird_html(self):
|
|
html = html_sanitize(test_mail_examples.QUOTE_THUNDERBIRD_HTML)
|
|
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.QUOTE_THUNDERBIRD_HTML_OUT:
|
|
self.assertIn(ext, html)
|
|
|
|
def test_quote_basic_text(self):
|
|
test_data = [
|
|
(
|
|
"""This is Sparta!\n--\nAdministrator\n+9988776655""",
|
|
['This is Sparta!'],
|
|
['\n--\nAdministrator\n+9988776655']
|
|
), (
|
|
"""<p>This is Sparta!\n--\nAdministrator</p>""",
|
|
[],
|
|
['\n--\nAdministrator']
|
|
), (
|
|
"""<p>This is Sparta!<br/>--<br>Administrator</p>""",
|
|
['This is Sparta!'],
|
|
[]
|
|
), (
|
|
"""This is Sparta!\n>Ah bon ?\nCertes\n> Chouette !\nClair""",
|
|
['This is Sparta!', 'Certes', 'Clair'],
|
|
['\n>Ah bon ?', '\n> Chouette !']
|
|
)
|
|
]
|
|
for test, in_lst, out_lst in test_data:
|
|
new_html = html_sanitize(test)
|
|
for text in in_lst:
|
|
self.assertIn(text, new_html)
|
|
for text in out_lst:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(text), new_html)
|
|
|
|
def test_quote_signature(self):
|
|
test_data = [
|
|
(
|
|
"""<div>Hello<pre>--<br />Administrator</pre></div>""",
|
|
["<pre data-o-mail-quote=\"1\">--", "<br data-o-mail-quote=\"1\">"],
|
|
)
|
|
]
|
|
for test, in_lst in test_data:
|
|
new_html = html_sanitize(test)
|
|
for text in in_lst:
|
|
self.assertIn(text, new_html)
|
|
|
|
def test_quote_gmail(self):
|
|
html = html_sanitize(test_mail_examples.GMAIL_1)
|
|
for ext in test_mail_examples.GMAIL_1_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.GMAIL_1_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
|
|
|
|
def test_quote_text(self):
|
|
html = html_sanitize(test_mail_examples.TEXT_1)
|
|
for ext in test_mail_examples.TEXT_1_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.TEXT_1_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
|
|
|
|
html = html_sanitize(test_mail_examples.TEXT_2)
|
|
for ext in test_mail_examples.TEXT_2_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.TEXT_2_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
|
|
|
|
def test_quote_bugs(self):
|
|
html = html_sanitize(test_mail_examples.BUG1)
|
|
for ext in test_mail_examples.BUG_1_IN:
|
|
self.assertIn(ext, html)
|
|
for ext in test_mail_examples.BUG_1_OUT:
|
|
self.assertIn(u'<span data-o-mail-quote="1">%s</span>' % misc.html_escape(ext), html)
|
|
|
|
def test_misc(self):
|
|
# False / void should not crash
|
|
html = html_sanitize('')
|
|
self.assertEqual(html, '')
|
|
html = html_sanitize(False)
|
|
self.assertEqual(html, False)
|
|
|
|
# Message with xml and doctype tags don't crash
|
|
html = html_sanitize(u'<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">\n <head>\n <title>404 - Not Found</title>\n </head>\n <body>\n <h1>404 - Not Found</h1>\n </body>\n</html>\n')
|
|
self.assertNotIn('encoding', html)
|
|
self.assertNotIn('<title>404 - Not Found</title>', html)
|
|
self.assertIn('<h1>404 - Not Found</h1>', html)
|
|
|
|
# ms office is currently not supported, have to find a way to support it
|
|
# def test_30_email_msoffice(self):
|
|
# new_html = html_sanitize(test_mail_examples.MSOFFICE_1, remove=True)
|
|
# for ext in test_mail_examples.MSOFFICE_1_IN:
|
|
# self.assertIn(ext, new_html)
|
|
# for ext in test_mail_examples.MSOFFICE_1_OUT:
|
|
# self.assertNotIn(ext, new_html)
|
|
|
|
|
|
class TestHtmlTools(unittest.TestCase):
|
|
""" Test some of our generic utility functions about html """
|
|
|
|
def test_plaintext2html(self):
|
|
cases = [
|
|
("First \nSecond \nThird\n \nParagraph\n\r--\nSignature paragraph", 'div',
|
|
"<div><p>First <br/>Second <br/>Third</p><p>Paragraph</p><p>--<br/>Signature paragraph</p></div>"),
|
|
("First<p>It should be escaped</p>\nSignature", False,
|
|
"<p>First<p>It should be escaped</p><br/>Signature</p>")
|
|
]
|
|
for content, container_tag, expected in cases:
|
|
html = plaintext2html(content, container_tag)
|
|
self.assertEqual(html, expected, 'plaintext2html is broken')
|
|
|
|
def test_append_to_html(self):
|
|
test_samples = [
|
|
('<!DOCTYPE...><HTML encoding="blah">some <b>content</b></HtMl>', '--\nYours truly', True, True, False,
|
|
'<!DOCTYPE...><html encoding="blah">some <b>content</b>\n<pre>--\nYours truly</pre>\n</html>'),
|
|
('<!DOCTYPE...><HTML encoding="blah">some <b>content</b></HtMl>', '--\nYours truly', True, False, False,
|
|
'<!DOCTYPE...><html encoding="blah">some <b>content</b>\n<p>--<br/>Yours truly</p>\n</html>'),
|
|
('<html><body>some <b>content</b></body></html>', '<!DOCTYPE...>\n<html><body>\n<p>--</p>\n<p>Yours truly</p>\n</body>\n</html>', False, False, False,
|
|
'<html><body>some <b>content</b>\n\n\n<p>--</p>\n<p>Yours truly</p>\n\n\n</body></html>'),
|
|
]
|
|
for html, content, plaintext_flag, preserve_flag, container_tag, expected in test_samples:
|
|
self.assertEqual(append_content_to_html(html, content, plaintext_flag, preserve_flag, container_tag), expected, 'append_content_to_html is broken')
|
|
|
|
|
|
class TestEmailTools(unittest.TestCase):
|
|
""" Test some of our generic utility functions for emails """
|
|
|
|
def test_email_split(self):
|
|
cases = [
|
|
("John <12345@gmail.com>", ['12345@gmail.com']), # regular form
|
|
("d@x; 1@2", ['d@x', '1@2']), # semi-colon + extra space
|
|
("'(ss)' <123@gmail.com>, 'foo' <foo@bar>", ['123@gmail.com', 'foo@bar']), # comma + single-quoting
|
|
('"john@gmail.com"<johnny@gmail.com>', ['johnny@gmail.com']), # double-quoting
|
|
('"<jg>" <johnny@gmail.com>', ['johnny@gmail.com']), # double-quoting with brackets
|
|
]
|
|
for text, expected in cases:
|
|
self.assertEqual(email_split(text), expected, 'email_split is broken')
|