2024-05-24 15:27:07 +03:00
parent 17df2ce6a9
commit fc1da2c238
643 changed files with 110185 additions and 231 deletions


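--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-1
@@ -0,0 +1,22 @@
+describe("#6767: Operation should be considered anonymous if its security only includes empty object (this was decided by implementation choice and may change or be extended in the future)", () => {
+it("Should consider method anonymous if security contains only empty object", () => {
+cy
+.visit("/?url=/documents/security/anonymous.yaml")
+.get("#operations-default-get_onlyEmpty .authorization__btn")
+.should("not.exist")
+})
+it("Should consider method as secured if security contains no empty object", () => {
+cy
+.visit("/?url=/documents/security/anonymous.yaml")
+.get("#operations-default-get_required .authorization__btn")
+.should("exist")
+})
+it("Should consider method as secured if security contains empty object but has at least one more security defined", () => {
+cy
+.visit("/?url=/documents/security/anonymous.yaml")
+.get("#operations-default-get_withBoth .authorization__btn")
+.should("exist")
+})
+})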
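Review bot: The `.should("not.exist")` assertion on line 15 passes vacuously if the operation block itself never renders (fixture failed to load, operation id changed), so a broken page would turn this security regression test green. Anchor the negative assertion on the operation block first: `.get("#operations-default-get_onlyEmpty").should("exist")` followed by `.find(".authorization__btn").should("not.exist")`, so the test only passes when the operation is present and the lock button is absent. The three `it` blocks also repeat the same `cy.visit("/?url=/documents/security/anonymous.yaml")`, which a single `beforeEach` would hold once. The describe title would read better as a short name with the "#6767" context moved into a comment above the block.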


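--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-2
@@ -0,0 +1,23 @@
+describe("XSS: OAuth2 authorizationUrl sanitization", () => {
+it("should filter out a javascript URL", () => {
+cy.visit("/?url=/documents/security/xss-oauth2.yaml")
+.window()
+.then(win => {
+let args = null
+const stub = cy.stub(win, "open", (...callArgs) => {
+args = callArgs
+}).as("windowOpen")
+cy.get(".authorize")
+.click()
+.get(".modal-btn.authorize")
+.click()
+.wait(100)
+.then(() => {
+console.log(args)
+expect(args[0]).to.match(/^about:blank/)
+})
+})
+})
+})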
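Review bot: The `.wait(100)` on line 47 is a fixed delay, so the assertion is timing-dependent, and when `win.open` has not been called by then `args` is still `null` and line 50 fails with a TypeError on `args[0]` instead of a message naming the missing call. Wait on the aliased stub instead: `.get("@windowOpen").should("have.been.calledOnce")` followed by `.then(() => expect(args[0]).to.match(/^about:blank/))`, which retries until the call happens and reports the absent call clearly. The `console.log(args)` on line 49 is leftover debugging output and should be dropped. The `stub` constant on line 40 is never read once the alias exists, so the assignment can go as well.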


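--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE-3
@@ -0,0 +1,58 @@
+describe("Security: CSS Sequential Import Chaining", () => {
+describe("in OpenAPI 3.0", () => {
+describe("CSS Injection via Markdown", () => {
+it("should filter <style> tags out of Markdown fields", () => {
+cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
+.get("div.information-container")
+.should("exist")
+.and("not.have.descendants", "style")
+})
+it("should not apply `@import`ed CSS stylesheets", () => {
+cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
+.wait(500) // HACK: wait for CSS import to settle
+.get("div.info h4")
+.should("have.length", 1)
+.and("not.be.hidden")
+})
+})
+describe("Value Exfiltration via CSS", () => {
+it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
+cy.visit("/?url=/documents/petstore-expanded.openapi.yaml")
+.get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
+.click()
+.get("div > div > .wrapper > .block-tablet > #client_id")
+.clear()
+.type("abc")
+.should("not.have.attr", "value", "abc")
+})
+})
+})
+describe("in Swagger 2.0", () => {
+describe("CSS Injection via Markdown", () => {
+it("should filter <style> tags out of Markdown fields", () => {
+cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
+.get("div.information-container")
+.should("exist")
+.and("not.have.descendants", "style")
+})
+it("should not apply `@import`ed CSS stylesheets", () => {
+cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
+.wait(500) // HACK: wait for CSS import to settle
+.get("div.info h4")
+.should("have.length", 1)
+.and("not.be.hidden")
+})
+})
+describe("Value Exfiltration via CSS", () => {
+it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
+cy.visit("/?url=/documents/petstore.swagger.yaml")
+.get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
+.click()
+.get("div > div > .wrapper > .block-tablet > #client_id")
+.clear()
+.type("abc")
+.should("not.have.attr", "value", "abc")
+})
+})
+})
+})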
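Review bot: The exfiltration assertion on line 84, `.should("not.have.attr", "value", "abc")`, also passes when `.type("abc")` never took effect (for example if the long positional selector on line 81 stops matching the intended input), so it cannot tell a fixed input from a broken test; the Swagger 2.0 copy on line 112 has the same gap. Assert that the typed text landed before asserting it is not reflected: `.should("have.value", "abc")` then `.and("not.have.attr", "value", "abc")`; and if the fix keeps the attribute off the element entirely, `.and("not.have.attr", "value")` is the stronger check, since attribute selectors can match on part of a value rather than only the full string. The `.wait(500) // HACK` on lines 70 and 98 is a fixed delay; a retrying assertion on the observable effect (for example the computed style of `div.info h4`) would remove the flakiness the comment admits to. The 3.0 and 2.0 blocks differ only in the two fixture paths and could be produced from a small table of `{ label, fixture, petstore }` entries with a `forEach`, keeping the two copies from drifting.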