-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtest_themes.py
143 lines (119 loc) · 5.23 KB
/
test_themes.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from tests.helpers import create_ctfd, destroy_ctfd, login_as_user, gen_user
from CTFd.utils import get_config
from jinja2.sandbox import SecurityError
from werkzeug.test import Client
from flask import request
def test_themes_run_in_sandbox():
"""Does get_config and set_config work properly"""
app = create_ctfd()
with app.app_context():
try:
app.jinja_env.from_string(
"{{ ().__class__.__bases__[0].__subclasses__()[40]('./test_utils.py').read() }}"
).render()
except SecurityError:
pass
except Exception as e:
raise e
destroy_ctfd(app)
def test_themes_cant_access_configpy_attributes():
"""Themes should not be able to access config.py attributes"""
app = create_ctfd()
with app.app_context():
assert app.config["SECRET_KEY"] == "AAAAAAAAAAAAAAAAAAAA"
assert (
app.jinja_env.from_string("{{ get_config('SECRET_KEY') }}").render()
!= app.config["SECRET_KEY"]
)
destroy_ctfd(app)
def test_themes_escape_html():
"""Themes should escape XSS properly"""
app = create_ctfd()
with app.app_context():
user = gen_user(app.db, name="<script>alert(1)</script>")
user.affiliation = "<script>alert(1)</script>"
user.website = "<script>alert(1)</script>"
user.country = "<script>alert(1)</script>"
with app.test_client() as client:
r = client.get("/users")
assert r.status_code == 200
assert "<script>alert(1)</script>" not in r.get_data(as_text=True)
destroy_ctfd(app)
def test_custom_css():
"""Config should be able to properly set CSS"""
app = create_ctfd()
with app.app_context():
with login_as_user(app, "admin") as admin:
css_value = """.test{}"""
css_value2 = """.test2{}"""
r = admin.patch("/api/v1/configs", json={"css": css_value})
assert r.status_code == 200
assert get_config("css") == css_value
r = admin.get("/static/user.css")
assert r.get_data(as_text=True) == css_value
r = admin.patch("/api/v1/configs", json={"css": css_value2})
r = admin.get("/static/user.css")
assert r.get_data(as_text=True) == css_value2
destroy_ctfd(app)
def test_that_ctfd_can_be_deployed_in_subdir():
"""Test that CTFd can be deployed in a subdirectory"""
# This test is quite complicated. I do not suggest modifying it haphazardly.
# Flask is automatically inserting the APPLICATION_ROOT into the
# test urls which means when we hit /setup we hit /ctf/setup.
# You can use the raw Werkzeug client to bypass this as we do below.
app = create_ctfd(setup=False, application_root="/ctf")
with app.app_context():
with app.test_client() as client:
r = client.get("/")
assert r.status_code == 302
assert r.location == "http://localhost/ctf/setup"
r = client.get("/setup")
with client.session_transaction() as sess:
data = {
"ctf_name": "CTFd",
"ctf_description": "CTF description",
"name": "admin",
"email": "[email protected]",
"password": "password",
"user_mode": "users",
"nonce": sess.get("nonce"),
}
r = client.post("/setup", data=data)
assert r.status_code == 302
assert r.location == "http://localhost/ctf/"
c = Client(app)
app_iter, status, headers = c.get("/")
headers = dict(headers)
assert status == "302 FOUND"
assert headers["Location"] == "http://localhost/ctf/"
r = client.get("/challenges")
assert r.status_code == 200
assert "Challenges" in r.get_data(as_text=True)
r = client.get("/scoreboard")
assert r.status_code == 200
assert "Scoreboard" in r.get_data(as_text=True)
destroy_ctfd(app)
def test_that_request_path_hijacking_works_properly():
"""Test that the CTFdRequest subclass correctly mimics the Flask Request when it should"""
app = create_ctfd(setup=False, application_root="/ctf")
assert app.request_class.__name__ == "CTFdRequest"
with app.app_context():
# Despite loading /challenges request.path should actually be /ctf/challenges because we are
# preprending script_root and the test context already accounts for the application_root
with app.test_request_context("/challenges"):
assert request.path == "/ctf/challenges"
destroy_ctfd(app)
app = create_ctfd()
assert app.request_class.__name__ == "CTFdRequest"
with app.app_context():
# Under normal circumstances we should be an exact clone of BaseRequest
with app.test_request_context("/challenges"):
assert request.path == "/challenges"
from flask import Flask
test_app = Flask("test")
assert test_app.request_class.__name__ == "Request"
with test_app.test_request_context("/challenges"):
assert request.path == "/challenges"
destroy_ctfd(app)