Multi-language / Translations Support (#3696) - Complete internationalization system implemented - Support for 7 languages: Czech (cs), German (de), French (fr), Italian (it), Korean (ko), Chinese Simplified (zh), Chinese Traditional (zh_TW) - Language selector with localized flags and theming - Flash message translations - Multiple translation fixes and improvements across all languages - Language setting preserved across redirects Pluggable Content Fetchers (#3653) - New architecture for extensible content fetcher system - Allows custom fetcher implementations Image / Screenshot Comparison Processor (#3680) - New processor for visual change detection (disabled for this release) - Supporting CSS/JS infrastructure added UI Improvements Design & Layout - Auto-generated tag color schemes - Simplified login form styling - Removed hard-coded CSS, moved to SCSS variables - Tag UI cleanup and improvements - Automatic tab wrapper functionality - Menu refactoring for better organization - Cleanup of offset settings - Hide sticky tabs on narrow viewports - Improved responsive layout (#3702) User Experience - Modal alerts/confirmations on delete/clear operations (#3693, #3598, #3382) - Auto-add https:// to URLs in quickwatch form if not present - Better redirect handling on login (#3699) - 'Recheck all' now returns to correct group/tag (#3673) - Language set redirect keeps hash fragment - More friendly human-readable text throughout UI Performance & Reliability Scheduler & Processing - Soft delays instead of blocking time.sleep() calls (#3710) - More resilient handling of same UUID being processed (#3700) - Better Puppeteer timeout handling - Improved Puppeteer shutdown/cleanup (#3692) - Requests cleanup now properly async History & Rendering - Faster server-side "difference" rendering on History page (#3442) - Show ignored/triggered rows in history - API: Retry watch data if watch dict changed (more reliable) API Improvements - Watch get endpoint: retry mechanism for 
changed watch data - WatchHistoryDiff API endpoint includes extra format args (#3703) Testing Improvements - Replace time.sleep with wait_for_notification_endpoint_output (#3716) - Test for mode switching (#3701) - Test for #3720 added (#3725) - Extract-text difference test fixes - Improved dev workflow Bug Fixes - Notification error text output (#3672, #3669, #3280) - HTML validation fixes (#3704) - Template discovery path fixes - Notification debug log now uses system locale for dates/times - Puppeteer spelling mistake in log output - Recalculation on anchor change - Queue bubble update disabled temporarily Dependency Updates - beautifulsoup4 updated (#3724) - psutil 7.1.0 → 7.2.1 (#3723) - python-engineio ~=4.12.3 → ~=4.13.0 (#3707) - python-socketio ~=5.14.3 → ~=5.16.0 (#3706) - flask-socketio ~=5.5.1 → ~=5.6.0 (#3691) - brotli ~=1.1 → ~=1.2 (#3687) - lxml updated (#3590) - pytest ~=7.2 → ~=9.0 (#3676) - jsonschema ~=4.0 → ~=4.25 (#3618) - pluggy ~=1.5 → ~=1.6 (#3616) - cryptography 44.0.1 → 46.0.3 (security) (#3589) Documentation - README updated with viewport size setup information Development Infrastructure - Dev container only built on dev branch - Improved dev workflow tooling
#!/usr/bin/env python3
# run from dir above changedetectionio/ dir
# python3 -m unittest changedetectionio.tests.unit.test_jinja2_security
import unittest
from changedetectionio import jinja2_custom as safe_jinja
# Mostly a regression suite for the sandboxed Jinja2 renderer in jinja2_custom: the
# payloads below are well-known SSTI sandbox escapes and must be refused, rejected at
# parse time, or rendered as an empty string.
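class TestJinja2SSTI(unittest.TestCase):
    """Regression tests for the sandboxed Jinja2 renderer (``jinja2_custom``).

    Template text in changedetection.io can carry user-supplied content, so the
    threat model is server-side template injection (SSTI): a payload that reaches
    Python internals such as ``__globals__`` or ``__subclasses__`` would mean
    remote code execution. Every case below is a well-known Jinja2 sandbox-escape
    payload and must either raise ``SecurityError``, fail to parse, or render as
    nothing at all. Each payload runs in its own ``subTest`` so a regression names
    the exact template that got through.
    """

    def test_exception(self):
        """Classic RCE payloads must raise ``jinja2.exceptions.SecurityError``.

        Each template reaches for ``__init__`` / ``__globals__`` / ``__class__`` /
        ``__subclasses__`` through objects a template can always see (``self``,
        ``cycler``, ``joiner``, ``namespace``, ``dict``, a string literal).
        The error is expected from ``render()`` — i.e. at render time, when the
        sandbox refuses the dunder attribute access — not from template parsing.
        """
        import jinja2

        # Where sandbox should kick in.
        attempt_list = [
            "My name is {{ self.__init__.__globals__.__builtins__.__import__('os').system('id') }}",
            "{{ self._TemplateReference__context.cycler.__init__.__globals__.os }}",
            "{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}",
            "{{cycler.__init__.__globals__.os.popen('id').read()}}",
            "{{joiner.__init__.__globals__.os.popen('id').read()}}",
            "{{namespace.__init__.__globals__.os.popen('id').read()}}",
            # The subclass index (40) is incidental and varies between Python versions;
            # the point is that ``__class__``/``__mro__`` must be refused long before
            # any file could be written.
            "{{ ''.__class__.__mro__[2].__subclasses__()[40]('/tmp/hello.txt', 'w').write('Hello here !') }}",
            "My name is {{ self.__init__.__globals__ }}",
            "{{ dict.__base__.__subclasses__() }}",
        ]

        for attempt in attempt_list:
            with self.subTest(attempt=attempt):
                with self.assertRaises(jinja2.exceptions.SecurityError):
                    safe_jinja.render(attempt)

    def test_exception_debug_calls(self):
        """The ``{% debug %}`` tag must not be available to templates.

        This checks the renderer's extension configuration rather than the
        sandbox: the tag is presumably only parsed when Jinja2's debug extension
        is loaded, so an unconfigured environment rejects it at parse time with
        ``TemplateSyntaxError`` (usually "Encountered unknown tag 'debug'.").
        Exposing it would dump the whole template context to the output.
        """
        import jinja2

        # Where sandbox should kick in - configs and debug calls.
        attempt_list = [
            "{% debug %}",
        ]

        for attempt in attempt_list:
            with self.subTest(attempt=attempt):
                # Usually should be something like 'Encountered unknown tag 'debug'.'
                with self.assertRaises(jinja2.exceptions.TemplateSyntaxError):
                    safe_jinja.render(attempt)

    # https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection/jinja2-ssti#accessing-global-objects
    def test_exception_empty_calls(self):
        """Probes for globals and internals must render to an empty string.

        ``config`` (the usual Flask SSTI foothold) and ``debug`` are not defined
        in the sandboxed environment, and a dunder lookup such as
        ``[].__class__`` is refused by the sandbox, so each probe is expected to
        produce no output rather than leak a value.
        """
        attempt_list = [
            "{{config}}",
            # Fix: this entry previously lacked its trailing comma, so Python
            # concatenated it with the next literal into a single template
            # ("{{ debug }}{{[].__class__}}") and ``[].__class__`` was never
            # exercised on its own.
            "{{ debug }}",
            "{{[].__class__}}",
        ]

        for attempt in attempt_list:
            with self.subTest(attempt=attempt):
                rendered = safe_jinja.render(attempt)
                self.assertEqual(
                    rendered,
                    "",
                    f"sandboxed render of {attempt!r} should be empty, got {rendered!r}",
                )

    def test_jinja2_escaped_html(self):
        """``render_fully_escaped`` must HTML-escape markup in the template text.

        Tags and attribute quotes are neutralised so untrusted text cannot inject
        elements or attributes into HTML output.
        """
        x = safe_jinja.render_fully_escaped('woo <a href="https://google.com">dfdfd</a>')
        # NOTE(review): the expected value is the entity-escaped form. The listing
        # this was reviewed from showed the entities already decoded (which is not
        # even valid Python). Quotes are given in markupsafe style (&#34;); adjust
        # to &quot; if the escaper in use emits that instead.
        self.assertEqual(x, "woo &lt;a href=&#34;https://google.com&#34;&gt;dfdfd&lt;/a&gt;")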
# Allow running this module directly; the python3 -m unittest invocation noted at
# the top of the file is the usual way to run it from the repository root.
if __name__ == "__main__":
    unittest.main()