* Fix creating users, teams from the API, hash password in models vs in schemas, stop caching CSS at the decorator level, fix tests * Fix whitelisted emails and add test * Set proper defaults in accounts config
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from tests.helpers import *
from jinja2.sandbox import SecurityError
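def test_themes_run_in_sandbox():
    """Theme templates must render inside Jinja2's sandboxed environment.

    Renders a classic sandbox-escape payload (walking ``().__class__`` up to
    ``object.__subclasses__()`` to reach a file-like class and read a file)
    through the app's ``jinja_env`` and requires that the sandbox rejects it
    with ``SecurityError``.

    The previous version only *tolerated* ``SecurityError``: if the escape
    succeeded and the template quietly rendered the file contents, nothing
    was asserted and the test still passed. The ``else`` branch closes that
    hole. Any other exception propagates unchanged and fails the test.
    """
    app = create_ctfd()
    with app.app_context():
        # Index 40 is just "some" subclass; a sandboxed environment must
        # already refuse the ``__class__`` lookup, so the payload never gets
        # as far as the call -- the refusal itself is what we are testing.
        payload = (
            "{{ ().__class__.__bases__[0].__subclasses__()[40]"
            "('./test_utils.py').read() }}"
        )
        try:
            app.jinja_env.from_string(payload).render()
        except SecurityError:
            pass
        else:
            raise AssertionError(
                "sandbox escape payload rendered without raising SecurityError"
            )
    destroy_ctfd(app)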
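def test_themes_cant_access_configpy_attributes():
    """Themes must not be able to read ``config.py`` values via ``get_config``.

    ``get_config`` is callable from templates, so if it fell through to
    ``app.config`` a theme author could exfiltrate ``SECRET_KEY`` by
    rendering it. The assertion uses ``not in`` rather than ``!=`` so that
    a rendering which merely decorates the secret (surrounding whitespace,
    quotes or markup) still fails instead of slipping past an equality test.
    """
    app = create_ctfd()
    with app.app_context():
        secret = app.config['SECRET_KEY']
        # Pin the fixture's key so the containment check below is meaningful
        # (an empty or None secret would make ``not in`` trivially true).
        assert secret == 'AAAAAAAAAAAAAAAAAAAA'
        assert secret
        rendered = app.jinja_env.from_string(
            "{{ get_config('SECRET_KEY') }}"
        ).render()
        assert secret not in rendered
    destroy_ctfd(app)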
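def test_themes_escape_html():
    """User-supplied profile fields must be HTML-escaped by the theme.

    Creates a user whose name, affiliation, website and country are all the
    same XSS payload, fetches the public ``/users`` listing and checks that
    the raw payload never appears in the response. A positive check that
    ``alert(1)`` *does* appear (in escaped form) guards against the negative
    assertion passing vacuously because the user was never rendered at all.
    """
    payload = "<script>alert(1)</script>"
    app = create_ctfd()
    with app.app_context():
        user = gen_user(app.db, name=payload)
        user.affiliation = payload
        user.website = payload
        user.country = payload
        # The three attribute writes above are only pending on the session;
        # persist them explicitly so the request handler is guaranteed to
        # see them rather than relying on autoflush semantics.
        app.db.session.commit()

        with app.test_client() as client:
            r = client.get('/users')
            assert r.status_code == 200
            body = r.get_data(as_text=True)
            assert payload not in body
            # The user must actually have been rendered for the check above
            # to mean anything; the escaped name still carries this substring.
            assert "alert(1)" in body
    destroy_ctfd(app)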
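def test_custom_css():
    """Admin-set custom CSS must be stored, served, and not served stale.

    Patches ``css`` through the configs API twice and reads
    ``/static/user.css`` after each write. The second round-trip is the
    important one: it fails if the CSS endpoint caches the first value
    (per the commit message, caching was moved off the view decorator for
    exactly this reason).
    """
    app = create_ctfd()
    with app.app_context():
        with login_as_user(app, "admin") as admin:
            css_value = """.test{}"""
            css_value2 = """.test2{}"""

            r = admin.patch('/api/v1/configs', json={"css": css_value})
            assert r.status_code == 200
            assert get_config('css') == css_value

            r = admin.get('/static/user.css')
            assert r.status_code == 200
            assert r.get_data(as_text=True) == css_value
            # NOTE(review): worth also asserting the Content-Type is text/css
            # so admin-controlled bytes are never sniffed as HTML -- confirm
            # the route sets it explicitly before adding that check.

            # Second write. Its status was previously unchecked, so a rejected
            # PATCH would only have surfaced as a confusing mismatch on the
            # GET below.
            r = admin.patch('/api/v1/configs', json={"css": css_value2})
            assert r.status_code == 200
            assert get_config('css') == css_value2

            r = admin.get('/static/user.css')
            assert r.status_code == 200
            assert r.get_data(as_text=True) == css_value2
    destroy_ctfd(app)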