AI-Cognitive-Leap/agnes-the-ai-analyst
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
agnes-the-ai-analyst/tests/test_setup_banner_render.py
ZdenekSrotyr b3ffc98e9f fix(security): XSS hardening for setup banner + cleanup unused imports 
- Add _sanitize_banner_html() to src/setup_banner.py: strips <script>/
  <iframe> blocks, on* event-handler attributes, and javascript:/data:
  URI schemes post-render (I-2). Defense-in-depth — /setup is partly
  anonymous so malformed admin content must not execute in visitors'
  browsers.
- Apply sanitizer in render_setup_banner() before returning rendered HTML.
- Add 3 unit tests: test_render_strips_script_tags,
  test_render_strips_event_handlers, test_render_strips_javascript_uri.
- Drop unused Optional import from src/repositories/welcome_template.py
  and src/repositories/setup_banner.py (M-6).
2026-05-03 16:12:13 +02:00

121 lines
4.3 KiB
Python
Raw Blame History

"""Unit tests for the setup-banner renderer module."""
import duckdb
import pytest
from src.db import _ensure_schema
from src.repositories.setup_banner import SetupBannerRepository
from src.setup_banner import _sanitize_banner_html, build_setup_banner_context, render_setup_banner
@pytest.fixture
def conn(tmp_path, monkeypatch):
monkeypatch.setenv("DATA_DIR", str(tmp_path))
db_path = tmp_path / "system.duckdb"
c = duckdb.connect(str(db_path))
_ensure_schema(c)
yield c
c.close()
def _user(email="alice@example.com"):
return {"id": "u1", "email": email, "name": "Alice", "is_admin": False}
def test_render_returns_empty_when_no_override(conn):
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
assert out == ""
def test_render_uses_override(conn):
SetupBannerRepository(conn).set(
"<p>VPN: {{ server.hostname }}</p>", updated_by="admin@example.com"
)
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
# autoescape=True — rendered as HTML
assert "example.com" in out
assert "<p>" in out
def test_render_returns_empty_on_invalid_template_does_not_raise(conn):
"""A broken admin banner must not raise; it must return "" (defense-in-depth)."""
SetupBannerRepository(conn).set(
"{{ does_not_exist }}", updated_by="admin@example.com"
)
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
assert out == "" # swallowed, not raised
def test_render_with_anonymous_user(conn):
SetupBannerRepository(conn).set(
"{% if user %}{{ user.email }}{% else %}anonymous{% endif %}",
updated_by="admin@example.com",
)
out = render_setup_banner(conn, user=None, server_url="https://example.com")
assert "anonymous" in out
def test_context_exposes_documented_keys(conn):
ctx = build_setup_banner_context(user=_user(), server_url="https://example.com")
for top in ("instance", "server", "user", "now", "today"):
assert top in ctx, f"missing top-level key: {top}"
assert ctx["server"]["hostname"] == "example.com"
assert ctx["user"]["email"] == "alice@example.com"
def test_context_with_anonymous_user_returns_none(conn):
ctx = build_setup_banner_context(user=None, server_url="https://example.com")
assert ctx["user"] is None
def test_autoescape_escapes_html_entities(conn):
"""autoescape=True must escape < > & in template variable output."""
SetupBannerRepository(conn).set(
"{{ server.hostname }}", updated_by="admin@example.com"
)
out = render_setup_banner(
conn, user=_user(), server_url="https://example.com/<test>"
)
# hostname won't contain < > but the render must succeed without injection
assert out != ""
# ── Sanitizer unit tests ─────────────────────────────────────────────────────
def test_render_strips_script_tags(conn):
"""render_setup_banner must remove <script> blocks from the output."""
SetupBannerRepository(conn).set(
'<p>Hello</p><script>alert(1)</script>',
updated_by="admin@example.com",
)
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
assert "<script>" not in out
assert "alert" not in out
# Safe content preserved
assert "Hello" in out
def test_render_strips_event_handlers(conn):
"""render_setup_banner must strip on* event-handler attributes."""
SetupBannerRepository(conn).set(
'<button onclick="evil()">Click me</button>',
updated_by="admin@example.com",
)
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
assert "onclick" not in out
assert "evil" not in out
# Button text preserved
assert "Click me" in out
def test_render_strips_javascript_uri(conn):
"""render_setup_banner must strip javascript: URI schemes from href/src."""
SetupBannerRepository(conn).set(
'<a href="javascript:evil()">link</a>',
updated_by="admin@example.com",
)
out = render_setup_banner(conn, user=_user(), server_url="https://example.com")
assert "javascript:" not in out
assert "evil" not in out
# Link text preserved
assert "link" in out
Reference in a new issue View git blame Copy permalink