mirror of
https://github.com/dgtlmoon/changedetection.io.git
synced 2025-12-08 09:05:36 +00:00
a95aa67aef
Some checks failed
Build and push containers / metadata (push) Has been cancelled
Build and push containers / build-push-containers (push) Has been cancelled
Publish Python 🐍distribution 📦 to PyPI and TestPyPI / Build distribution 📦 (push) Has been cancelled
Publish Python 🐍distribution 📦 to PyPI and TestPyPI / Test the built 📦 package works basically. (push) Has been cancelled
Publish Python 🐍distribution 📦 to PyPI and TestPyPI / Publish Python 🐍 distribution 📦 to PyPI (push) Has been cancelled
ChangeDetection.io App Test / lint-code (push) Has been cancelled
ChangeDetection.io App Test / test-application-3-10 (push) Has been cancelled
ChangeDetection.io App Test / test-application-3-11 (push) Has been cancelled
ChangeDetection.io App Test / test-application-3-12 (push) Has been cancelled
ChangeDetection.io App Test / test-application-3-13 (push) Has been cancelled
59 lines
2.2 KiB
Python
59 lines
2.2 KiB
Python
#!/usr/bin/env python3
|
|
|
|
import time
|
|
from flask import url_for
|
|
from .util import live_server_setup, wait_for_all_checks
|
|
|
|
|
|
# def test_setup(client, live_server, measure_memory_usage):
|
|
# # live_server_setup(live_server) # Setup on conftest per function
|
|
|
|
# If there was only a change in the whitespacing, then we shouldnt have a change detected
|
|
def test_jinja2_in_url_query(client, live_server, measure_memory_usage):
|
|
|
|
|
|
# Add our URL to the import page
|
|
test_url = url_for('test_return_query', _external=True)
|
|
|
|
# because url_for() will URL-encode the var, but we dont here
|
|
full_url = "{}?{}".format(test_url,
|
|
"date={% now 'Europe/Berlin', '%Y' %}.{% now 'Europe/Berlin', '%m' %}.{% now 'Europe/Berlin', '%d' %}", )
|
|
res = client.post(
|
|
url_for("ui.ui_views.form_quick_watch_add"),
|
|
data={"url": full_url, "tags": "test"},
|
|
follow_redirects=True
|
|
)
|
|
assert b"Watch added" in res.data
|
|
wait_for_all_checks(client)
|
|
|
|
# It should report nothing found (no new 'has-unread-changes' class)
|
|
res = client.get(
|
|
url_for("ui.ui_views.preview_page", uuid="first"),
|
|
follow_redirects=True
|
|
)
|
|
assert b'date=2' in res.data
|
|
|
|
# https://techtonics.medium.com/secure-templating-with-jinja2-understanding-ssti-and-jinja2-sandbox-environment-b956edd60456
|
|
def test_jinja2_security_url_query(client, live_server, measure_memory_usage):
|
|
|
|
|
|
# Add our URL to the import page
|
|
test_url = url_for('test_return_query', _external=True)
|
|
|
|
# because url_for() will URL-encode the var, but we dont here
|
|
full_url = "{}?{}".format(test_url,
|
|
"date={{ ''.__class__.__mro__[1].__subclasses__()}}", )
|
|
res = client.post(
|
|
url_for("ui.ui_views.form_quick_watch_add"),
|
|
data={"url": full_url, "tags": "test"},
|
|
follow_redirects=True
|
|
)
|
|
assert b"Watch added" in res.data
|
|
wait_for_all_checks(client)
|
|
|
|
# It should report nothing found (no new 'has-unread-changes' class)
|
|
res = client.get(url_for("watchlist.index"))
|
|
assert b'is invalid and cannot be used' in res.data
|
|
# Some of the spewed output from the subclasses
|
|
assert b'dict_values' not in res.data
|