 
 
 
 


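  /**
   * Cypress regression tests for CSS-based attacks against the UI
   * ("sequential import chaining"):
   *  - `<style>` tags embedded in Markdown description fields must be stripped
   *    from the rendered info container;
   *  - a stylesheet `@import`ed from a document must not be applied (the single
   *    `div.info h4` stays present and visible);
   *  - text typed into the OAuth `client_id` field must not be reflected into the
   *    HTML `value` attribute, since an attribute that mirrors typed input is what
   *    CSS attribute selectors in injected stylesheets would match.
   *
   * The OpenAPI 3.0 and Swagger 2.0 code paths get exactly the same checks, so the
   * suite is defined once and registered per spec version with its own fixtures;
   * the describe/it labels are unchanged from the previous duplicated layout.
   */

  // Authorize button in the scheme container.
  const AUTHORIZE_BUTTON =
    ".scheme-container > .schemes > .auth-wrapper > .btn > span";
  // client_id input inside the authorization dialog.
  const CLIENT_ID_INPUT = "div > div > .wrapper > .block-tablet > #client_id";

  /**
   * Registers the CSS-security checks for one spec version.
   * @param {string} version - describe label, e.g. "in OpenAPI 3.0".
   * @param {string} chainingDoc - path of the sequential-import-chaining fixture.
   * @param {string} oauthDoc - path of a fixture that defines an OAuth security scheme.
   */
  const describeCssSecurity = (version, chainingDoc, oauthDoc) => {
    describe(version, () => {
      describe("CSS Injection via Markdown", () => {
        it("should filter <style> tags out of Markdown fields", () => {
          cy.visit(`/?url=${chainingDoc}`)
            .get("div.information-container")
            .should("exist")
            // no <style> element may survive Markdown rendering
            .and("not.have.descendants", "style");
        });
        it("should not apply `@import`ed CSS stylesheets", () => {
          cy.visit(`/?url=${chainingDoc}`)
            .wait(500) // HACK: fixed delay so a pending CSS import has time to settle
            .get("div.info h4")
            .should("have.length", 1)
            // an applied injected stylesheet would be expected to hide this element
            .and("not.be.hidden");
        });
      });
      describe("Value Exfiltration via CSS", () => {
        it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
          cy.visit(`/?url=${oauthDoc}`)
            .get(AUTHORIZE_BUTTON)
            .click()
            .get(CLIENT_ID_INPUT)
            .clear()
            .type("abc")
            // the typed text must not be reflected into the `value` attribute
            .should("not.have.attr", "value", "abc");
        });
      });
    });
  };

  describe("Security: CSS Sequential Import Chaining", () => {
    describeCssSecurity(
      "in OpenAPI 3.0",
      "/documents/security/sequential-import-chaining/openapi.yaml",
      "/documents/petstore-expanded.openapi.yaml",
    );
    describeCssSecurity(
      "in Swagger 2.0",
      "/documents/security/sequential-import-chaining/swagger.yaml",
      "/documents/petstore.swagger.yaml",
    );
  });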