From ac70488ee2f70f9a1dd8f98170ed477e609ed01a Mon Sep 17 00:00:00 2001
From: debugtalk
Date: Mon, 4 Mar 2019 19:34:49 +0800
Subject: [PATCH 1/3] fix: xss in response json
---
 httprunner/templates/report_template.html | 4 +--
 tests/test_api.py | 42 ++++++++++++++++++++---
 2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/httprunner/templates/report_template.html b/httprunner/templates/report_template.html
index 36b11bfd..633b97c5 100644
--- a/httprunner/templates/report_template.html
+++ b/httprunner/templates/report_template.html
@@ -266,8 +266,8 @@
 {% else %}
 {{ value }}
 {% endif %}
- {% elif key == "text" %}
-
{{ req_resp.response.text | e }}
+ {% elif key in ["text", "json"] %}
+
{{ value | e }}
 {% else %}
 {{ value }}
 {% endif %}
diff --git a/tests/test_api.py b/tests/test_api.py
index 9affc00a..da78f9b5 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -185,10 +185,6 @@ class TestHttpRunner(ApiServerUnittest):
 {
 "config": {
 'name': "post data",
- 'request': {
- 'base_url': '',
- 'headers': {'User-Agent': 'python-requests/2.18.4'}
- },
 'variables': []
 },
 "teststeps": [
@@ -198,6 +194,7 @@ class TestHttpRunner(ApiServerUnittest):
 "url": "{}/post".format(HTTPBIN_SERVER),
 "method": "POST",
 "headers": {
+ "User-Agent": "python-requests/2.18.4",
 "Content-Type": "application/json"
 },
 "data": "abc"
@@ -508,6 +505,43 @@ class TestHttpRunner(ApiServerUnittest):
 # self.runner.run(testcase_file_path)
 # self.assertTrue(self.runner.summary["success"])
+ def test_html_report_xss(self):
+ testcases = [
+ {
+ "config": {
+ 'name': "post data"
+ },
+ "teststeps": [
+ {
+ "name": "post data",
+ "request": {
+ "url": "{}/anything".format(HTTPBIN_SERVER),
+ "method": "POST",
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "json": {
+ 'success': False,
+ "person": ""
+ }
+ },
+ "validate": [
+ {"eq": ["status_code", 200]}
+ ]
+ }
+ ]
+ }
+ ]
+ tests_mapping = {
+ "testcases": testcases
+ }
+ report_path = self.runner.run(tests_mapping)
+ with open(report_path) as f:
+ self.assertIn(
+ ""<img src=x onerror=alert(1)>"}'",
+ f.read()
+ )
+
 class TestApi(ApiServerUnittest):
From 7151a5d6aa21f09fbbc49c4d023ce8d1b37398d7 Mon Sep 17 00:00:00 2001
From: debugtalk
Date: Mon, 4 Mar 2019 19:37:20 +0800
Subject: [PATCH 2/3] bump to 2.0.5
---
 HISTORY.md | 10 ++++++++++
 httprunner/__about__.py | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/HISTORY.md b/HISTORY.md
index 6878672c..d8b9072e 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,5 +1,15 @@
 # Release History
+## 2.0.5 (2019-03-04)
+
+**Features**
+
+- implement method to get variables and output
+
+**Bugfixes**
+
+- fix xss in response json
+
 ## 2.0.4 (2019-02-28)
 **Bugfixes** 
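Review bot: The fallback branch `{% else %} {{ value }} {% endif %}` that closes the new `elif` chain still renders the value unescaped, so the fix covers only the `text` and `json` keys; if this template is rendered without Jinja2 autoescape, which the need for an explicit `| e` suggests, any other response key that carries server-controlled content (response headers, for instance) can still inject markup into the report. I would escape the fallback too, `{{ value | e }}`, or enable autoescape on the environment and treat the per-field filters as redundant, since a report opened in a browser should be escape-by-default. The inner `{% else %} {{ value }} {% endif %}` at the top of the hunk has the same gap. The enclosing `{% if %}` chain starts outside the hunk.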
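Review bot: `test_html_report_xss` asserts only that the escaped form is present in the report; it never asserts that the raw `<img src=x onerror=alert(1)>` markup is absent, so a report that still contained the unescaped payload in some other field would pass. After reading the file into a local, add `self.assertNotIn("<img src=x onerror=alert(1)>", content)`, which pins the property the fix is actually about. `open(report_path)` also relies on the platform default encoding; `open(report_path, encoding="utf-8")` keeps the assertion independent of the locale the test runs under. The method's position in the class is inferred from the hunk header; the surrounding class continues outside the hunk.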
diff --git a/httprunner/__about__.py b/httprunner/__about__.py
index 5d2399c0..952b6b7c 100644
--- a/httprunner/__about__.py
+++ b/httprunner/__about__.py
@@ -1,7 +1,7 @@
 __title__ = 'HttpRunner'
 __description__ = 'One-stop solution for HTTP(S) testing.'
 __url__ = 'https://github.com/HttpRunner/HttpRunner'
-__version__ = '2.0.4'
+__version__ = '2.0.5'
 __author__ = 'debugtalk'
 __author_email__ = 'mail@debugtalk.com'
 __license__ = 'Apache-2.0'
From 6c76f2d8b4c16142724712d62b09f166c7862099 Mon Sep 17 00:00:00 2001
From: debugtalk
Date: Mon, 4 Mar 2019 20:23:26 +0800
Subject: [PATCH 3/3] fix compatibility in Python version < 3.6
---
 tests/test_api.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tests/test_api.py b/tests/test_api.py
index da78f9b5..b0b240f3 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,4 +1,5 @@
 import os
+import re
 import shutil
 import time
 import unittest
@@ -537,10 +538,12 @@ class TestHttpRunner(ApiServerUnittest):
 }
 report_path = self.runner.run(tests_mapping)
 with open(report_path) as f:
- self.assertIn(
- ""<img src=x onerror=alert(1)>"}'",
- f.read()
+ content = f.read()
+ m = re.findall(
+ re.escape(""person": "<img src=x onerror=alert(1)>""),
+ content
 )
+ self.assertEqual(len(m), 2)
 class TestApi(ApiServerUnittest):
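Review bot: `self.assertEqual(len(m), 2)` pins a magic occurrence count without saying where the two escaped copies come from (presumably the request body and the echoed response body; a one-line comment such as `# escaped once in the request dump and once in the echoed response` would stop the next reader guessing), and the test still never asserts that the unescaped `<img src=x onerror=alert(1)>` is absent from `content`, which is the regression the fix guards against. `re.findall(re.escape(needle), content)` is just `content.count(needle)`; the regex adds nothing here. I would bind the escaped fragment to `needle` and replace the findall with `self.assertEqual(content.count(needle), 2)` followed by `self.assertNotIn("<img src=x onerror=alert(1)>", content)`. The enclosing method starts outside the hunk.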