src/Test/TestWeb.py at main · strawmelonjuice.com/AT-Zero

strawmelonjuice.com / AT-Zero
fork atom
Forking what is left of ZeroNet and hopefully adding an AT Proto Frontend/Proxy
fork atom
AT-Zero / src / Test / TestWeb.py
at main 105 lines 5.3 kB view raw
wrap content
shortcutme Change to Python3 coding style 7y ago
b0b9a4d3
  1import urllib.request
  2
  3import pytest
  4
  5try:
  6    from selenium.webdriver.support.ui import WebDriverWait
  7    from selenium.webdriver.support.expected_conditions import staleness_of, title_is
  8    from selenium.common.exceptions import NoSuchElementException
  9except:
 10    pass
 11
 12
 13class WaitForPageLoad(object):
 14    def __init__(self, browser):
 15        self.browser = browser
 16
 17    def __enter__(self):
 18        self.old_page = self.browser.find_element_by_tag_name('html')
 19
 20    def __exit__(self, *args):
 21        WebDriverWait(self.browser, 10).until(staleness_of(self.old_page))
 22
 23
 24def getContextUrl(browser):
 25    return browser.execute_script("return window.location.toString()")
 26
 27
 28def getUrl(url):
 29    content = urllib.request.urlopen(url).read()
 30    assert "server error" not in content.lower(), "Got a server error! " + repr(url)
 31    return content
 32
 33@pytest.mark.usefixtures("resetSettings")
 34@pytest.mark.webtest
 35class TestWeb:
 36    def testFileSecurity(self, site_url):
 37        assert "Not Found" in getUrl("%s/media/sites.json" % site_url)
 38        assert "Forbidden" in getUrl("%s/media/./sites.json" % site_url)
 39        assert "Forbidden" in getUrl("%s/media/../config.py" % site_url)
 40        assert "Forbidden" in getUrl("%s/media/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url)
 41        assert "Forbidden" in getUrl("%s/media/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url)
 42        assert "Forbidden" in getUrl("%s/media/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url)
 43
 44        assert "Not Found" in getUrl("%s/raw/sites.json" % site_url)
 45        assert "Forbidden" in getUrl("%s/raw/./sites.json" % site_url)
 46        assert "Forbidden" in getUrl("%s/raw/../config.py" % site_url)
 47        assert "Forbidden" in getUrl("%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url)
 48        assert "Forbidden" in getUrl("%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url)
 49        assert "Forbidden" in getUrl("%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url)
 50
 51        assert "Forbidden" in getUrl("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../sites.json" % site_url)
 52        assert "Forbidden" in getUrl("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/..//sites.json" % site_url)
 53        assert "Forbidden" in getUrl("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/../../zeronet.py" % site_url)
 54
 55        assert "Forbidden" in getUrl("%s/content.db" % site_url)
 56        assert "Forbidden" in getUrl("%s/./users.json" % site_url)
 57        assert "Forbidden" in getUrl("%s/./key-rsa.pem" % site_url)
 58        assert "Forbidden" in getUrl("%s/././././././././././//////sites.json" % site_url)
 59
 60    def testLinkSecurity(self, browser, site_url):
 61        browser.get("%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url)
 62        WebDriverWait(browser, 10).until(title_is("ZeroHello - ZeroNet"))
 63        assert getContextUrl(browser) == "%s/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url
 64
 65        # Switch to inner frame
 66        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
 67        assert "wrapper_nonce" in getContextUrl(browser)
 68        assert browser.find_element_by_id("script_output").text == "Result: Works"
 69        browser.switch_to.default_content()
 70
 71        # Clicking on links without target
 72        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
 73        with WaitForPageLoad(browser):
 74            browser.find_element_by_id("link_to_current").click()
 75        assert "wrapper_nonce" not in getContextUrl(browser)  # The browser object back to default content
 76        assert "Forbidden" not in browser.page_source
 77        # Check if we have frame inside frame
 78        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
 79        with pytest.raises(NoSuchElementException):
 80            assert not browser.find_element_by_id("inner-iframe")
 81        browser.switch_to.default_content()
 82
 83        # Clicking on link with target=_top
 84        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
 85        with WaitForPageLoad(browser):
 86            browser.find_element_by_id("link_to_top").click()
 87        assert "wrapper_nonce" not in getContextUrl(browser)  # The browser object back to default content
 88        assert "Forbidden" not in browser.page_source
 89        browser.switch_to.default_content()
 90
 91        # Try to escape from inner_frame
 92        browser.switch_to.frame(browser.find_element_by_id("inner-iframe"))
 93        assert "wrapper_nonce" in getContextUrl(browser)  # Make sure we are inside of the inner-iframe
 94        with WaitForPageLoad(browser):
 95            browser.execute_script("window.top.location = window.location")
 96        assert "wrapper_nonce" in getContextUrl(browser)  # We try to use nonce-ed html without iframe
 97        assert "<iframe" in browser.page_source  # Only allow to use nonce once-time
 98        browser.switch_to.default_content()
 99
100    def testRaw(self, browser, site_url):
101        browser.get("%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url)
102        WebDriverWait(browser, 10).until(title_is("Security tests"))
103        assert getContextUrl(browser) == "%s/raw/1EU1tbG9oC1A8jz2ouVwGZyQ5asrNsE4Vr/test/security.html" % site_url
104
105        assert browser.find_element_by_id("script_output").text == "Result: Fail"