You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@allura.apache.org by br...@apache.org on 2020/01/21 16:03:34 UTC
[allura] 12/12: [#7878] stronger test validation that form submits
are plain strings
This is an automated email from the ASF dual-hosted git repository.
brondsem pushed a commit to branch db/7878
in repository https://gitbox.apache.org/repos/asf/allura.git
commit 6daa3490fd4aaa69654d5e1d259a111cbc24ec74
Author: Dave Brondsema <db...@slashdotmedia.com>
AuthorDate: Tue Jan 21 15:38:43 2020 +0000
[#7878] stronger test validation that form submits are plain strings
---
Allura/allura/tests/functional/test_admin.py | 2 +-
Allura/allura/tests/functional/test_site_admin.py | 2 +-
Allura/allura/tests/test_webhooks.py | 2 +-
AlluraTest/alluratest/validation.py | 33 ++++++-
ForgeBlog/forgeblog/tests/functional/test_root.py | 2 +-
.../forgediscussion/tests/functional/test_forum.py | 2 +-
.../forgegit/tests/functional/test_controllers.py | 4 +-
.../forgetracker/tests/functional/test_root.py | 104 ++++++++++-----------
ForgeWiki/forgewiki/tests/functional/test_root.py | 4 +-
9 files changed, 90 insertions(+), 65 deletions(-)
diff --git a/Allura/allura/tests/functional/test_admin.py b/Allura/allura/tests/functional/test_admin.py
index d01eca0..a05e85e 100644
--- a/Allura/allura/tests/functional/test_admin.py
+++ b/Allura/allura/tests/functional/test_admin.py
@@ -448,7 +448,7 @@ class TestProjectAdmin(TestController):
screenshots = project.get_screenshots()
assert_equals(screenshots[0].filename, 'admin_24.png')
# reverse order
- params = dict((str(ss._id), len(screenshots) - 1 - i)
+ params = dict((str(ss._id), str(len(screenshots) - 1 - i))
for i, ss in enumerate(screenshots))
self.app.post('/admin/sort_screenshots', params)
assert_equals(project.get_screenshots()[0].filename, 'admin_32.png')
diff --git a/Allura/allura/tests/functional/test_site_admin.py b/Allura/allura/tests/functional/test_site_admin.py
index e287f0a..55c3155 100644
--- a/Allura/allura/tests/functional/test_site_admin.py
+++ b/Allura/allura/tests/functional/test_site_admin.py
@@ -815,7 +815,7 @@ class TestDeleteProjects(TestController):
@patch('allura.controllers.site_admin.DeleteProjects', autospec=True)
def test_admins_and_devs_are_disabled(self, dp):
- data = {'projects': '/p/test\np/test2', 'disable_users': True}
+ data = {'projects': '/p/test\np/test2', 'disable_users': 'True'}
self.app.post('/nf/admin/delete_projects/really_delete', data)
dp.post.assert_called_once_with('--disable-users p/test p/test2')
diff --git a/Allura/allura/tests/test_webhooks.py b/Allura/allura/tests/test_webhooks.py
index 9dbba01..43f0cdf 100644
--- a/Allura/allura/tests/test_webhooks.py
+++ b/Allura/allura/tests/test_webhooks.py
@@ -319,7 +319,7 @@ class TestWebhookController(TestController):
# invalid id in hidden field, just in case
r = self.app.get(self.url + '/repo-push/%s' % wh._id)
- data = {k: v[0].value for (k, v) in r.forms[0].fields.items()}
+ data = {k: v[0].value for (k, v) in r.forms[0].fields.items() if k}
data['webhook'] = six.text_type(invalid._id)
self.app.post(self.url + '/repo-push/edit', data, status=404)
diff --git a/AlluraTest/alluratest/validation.py b/AlluraTest/alluratest/validation.py
index 3972cd4..e7bcd85 100644
--- a/AlluraTest/alluratest/validation.py
+++ b/AlluraTest/alluratest/validation.py
@@ -31,6 +31,7 @@ import json
import urllib2
import re
import pkg_resources
+import six
import webtest
from webtest import TestApp
@@ -261,17 +262,41 @@ class PostParamCheckingTestApp(AntiSpamTestApp):
if not isinstance(k, basestring):
raise TypeError('%s key %s is %s, not str' %
(method, k, type(k)))
- if not isinstance(v, (basestring, webtest.forms.File)):
+ self._validate_val(k, v, method)
+
+ def _validate_val(self, k, v, method):
+ if isinstance(v, (list, tuple)):
+ for vv in v:
+ self._validate_val(k, vv, method)
+ elif not isinstance(v, (basestring, webtest.forms.File, webtest.forms.Upload)):
+ raise TypeError(
+ '%s key %s has value %s of type %s, not str. ' %
+ (method, k, v, type(v)))
+ elif six.PY2 and isinstance(v, six.text_type):
+ try:
+ v.encode('ascii')
+ #pass
+ except UnicodeEncodeError:
raise TypeError(
- '%s key %s has value %s of type %s, not str. ' %
+ '%s key "%s" has value "%s" of type %s, should be utf-8 encoded. ' %
(method, k, v, type(v)))
def get(self, *args, **kwargs):
- self._validate_params(kwargs.get('params'), 'get')
+ params = None
+ if 'params' in kwargs:
+ params = kwargs['params']
+ elif len(args) > 1:
+ params = args[1]
+ self._validate_params(params, 'get')
return super(PostParamCheckingTestApp, self).get(*args, **kwargs)
def post(self, *args, **kwargs):
- self._validate_params(kwargs.get('params'), 'post')
+ params = None
+ if 'params' in kwargs:
+ params = kwargs['params']
+ elif len(args) > 1:
+ params = args[1]
+ self._validate_params(params, 'post')
return super(PostParamCheckingTestApp, self).post(*args, **kwargs)
diff --git a/ForgeBlog/forgeblog/tests/functional/test_root.py b/ForgeBlog/forgeblog/tests/functional/test_root.py
index 87fcc53..c893532 100644
--- a/ForgeBlog/forgeblog/tests/functional/test_root.py
+++ b/ForgeBlog/forgeblog/tests/functional/test_root.py
@@ -239,7 +239,7 @@ class Test(TestController):
def test_post_revert(self):
self._post()
d = self._blog_date()
- self._post('/%s/my-post' % d, text='sometést')
+ self._post('/%s/my-post' % d, text='sometést'.encode('utf-8'))
response = self.app.post('/blog/%s/my-post/revert' % d, params=dict(version='1'))
assert '.' in response.json['location']
response = self.app.get('/blog/%s/my-post/' % d)
diff --git a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
index 3d9752b..0b7a7c0 100644
--- a/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
+++ b/ForgeDiscussion/forgediscussion/tests/functional/test_forum.py
@@ -700,7 +700,7 @@ class TestForum(TestController):
if field.has_attr('name'):
params[field['name']] = field.get('value') or ''
self.app.post(str(subscribe_url), params=params)
- self.app.post('/discussion/general/subscribe_to_forum', {'subscribe': True})
+ self.app.post('/discussion/general/subscribe_to_forum', {'subscribe': 'True'})
f = thread.html.find('div', {'class': 'comment-row reply_post_form'}).find('form')
rep_url = f.get('action')
params = dict()
diff --git a/ForgeGit/forgegit/tests/functional/test_controllers.py b/ForgeGit/forgegit/tests/functional/test_controllers.py
index 88c0338..217c48c 100644
--- a/ForgeGit/forgegit/tests/functional/test_controllers.py
+++ b/ForgeGit/forgegit/tests/functional/test_controllers.py
@@ -367,7 +367,7 @@ class TestRootController(_TestCase):
# subscribe
r = self.app.post(str(ci + 'tree/subscribe'),
- {'subscribe': True},
+ {'subscribe': 'True'},
extra_environ={'username': str(user.username)})
assert_equal(r.json, {'status': 'ok', 'subscribed': True})
# user is subscribed
@@ -379,7 +379,7 @@ class TestRootController(_TestCase):
# unsubscribe
r = self.app.post(str(ci + 'tree/subscribe'),
- {'unsubscribe': True},
+ {'unsubscribe': 'True'},
extra_environ={'username': str(user.username)})
assert_equal(r.json, {'status': 'ok', 'subscribed': False})
# user is not subscribed
diff --git a/ForgeTracker/forgetracker/tests/functional/test_root.py b/ForgeTracker/forgetracker/tests/functional/test_root.py
index 396d01c..8c50d0d 100644
--- a/ForgeTracker/forgetracker/tests/functional/test_root.py
+++ b/ForgeTracker/forgetracker/tests/functional/test_root.py
@@ -420,7 +420,7 @@ class TestFunctionalController(TrackerTestController):
r = self.app.get('/p/test/bugs/edit/?q=ticket')
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
- '__ticket_ids': [first_ticket._id],
+ '__ticket_ids': [str(first_ticket._id)],
'_milestone': '2.0',
})
M.MonQTask.run_ready()
@@ -431,8 +431,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- first_ticket._id,
- second_ticket._id),
+ str(first_ticket._id),
+ str(second_ticket._id)),
'_milestone': '1.0',
})
M.MonQTask.run_ready()
@@ -444,8 +444,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- first_ticket._id,
- second_ticket._id),
+ str(first_ticket._id),
+ str(second_ticket._id)),
'status': 'accepted',
})
M.MonQTask.run_ready()
@@ -465,9 +465,9 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,
- ticket3._id),
+ str(ticket1._id),
+ str(ticket2._id),
+ str(ticket3._id)),
'labels': 'tag2, tag3',
})
M.MonQTask.run_ready()
@@ -503,8 +503,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
+ str(ticket1._id),
+ str(ticket2._id),),
'status': 'accepted',
'_major': 'False'
})
@@ -524,8 +524,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
+ str(ticket1._id),
+ str(ticket2._id),),
'status': 'accepted',
'_major': 'True'
})
@@ -542,7 +542,7 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket2._id,),
+ str(ticket2._id),),
'_major': 'False'
})
M.MonQTask.run_ready()
@@ -552,8 +552,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
+ str(ticket1._id),
+ str(ticket2._id),),
'status': 'accepted',
'_major': ''
})
@@ -596,9 +596,9 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
- 'private': False
+ str(ticket1._id),
+ str(ticket2._id),),
+ 'private': 'False',
})
M.MonQTask.run_ready()
r = self.app.get('/p/test/bugs/1/')
@@ -613,9 +613,9 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
- 'private': True
+ str(ticket1._id),
+ str(ticket2._id),),
+ 'private': 'True'
})
M.MonQTask.run_ready()
r = self.app.get('/p/test/bugs/1/')
@@ -631,8 +631,8 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- ticket1._id,
- ticket2._id,),
+ str(ticket1._id),
+ str(ticket2._id),),
'private': ''
})
M.MonQTask.run_ready()
@@ -925,14 +925,14 @@ class TestFunctionalController(TrackerTestController):
params[f.find('textarea')['name']] = 'test comment'
self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
post_link = str(r.html.find('div', {'class': 'edit_post_form reply'}).find('form')['action'])
self.app.post(post_link + 'attach',
upload_files=[('file_info', 'test.txt', b'HiThere!')])
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
assert '<i class="fa fa-trash-o" aria-hidden="true"></i>' in r
r.forms[5].submit()
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
assert '<i class="fa fa-trash-o" aria-hidden="true"></i>' not in r
def test_new_text_attachment_content(self):
@@ -1216,7 +1216,7 @@ class TestFunctionalController(TrackerTestController):
'summary': 'zzz',
'description': 'bbb',
'status': 'ccc',
- '_milestone': 'aaaé',
+ '_milestone': 'aaaé'.encode('utf-8'),
'assigned_to': '',
'labels': '',
'comment': ''
@@ -1390,7 +1390,7 @@ class TestFunctionalController(TrackerTestController):
'''Sidebar must be visible even with a strange characters in saved search terms'''
r = self.app.post('/admin/bugs/bins/save_bin', {
'summary': 'Strange chars in terms here',
- 'terms': 'labels:tést',
+ 'terms': 'labels:tést'.encode('utf-8'),
'old_summary': '',
'sort': ''}).follow()
r = self.app.get('/bugs/')
@@ -1514,7 +1514,7 @@ class TestFunctionalController(TrackerTestController):
params[f.find('textarea')['name']] = post_content
r = self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
assert_true(post_content in r)
assert_true(len(r.html.findAll(attrs={'class': 'discussion-post'})) == 1)
@@ -1530,7 +1530,7 @@ class TestFunctionalController(TrackerTestController):
params['ticket_form.summary'] = new_summary
r = self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
assert_true(summary + ' --> ' + new_summary in r)
assert_true(len(r.html.findAll(attrs={'class': 'discussion-post meta_post'})) == 1)
@@ -1549,9 +1549,9 @@ class TestFunctionalController(TrackerTestController):
params[f.find('textarea')['name']] = post_content
r = self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=-1))
+ r = self.app.get('/bugs/1/', dict(page='-1'))
assert_true(summary in r)
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
assert_true(post_content in r)
# no pager if just one page
assert_false('Page 1 of 1' in r)
@@ -1559,7 +1559,7 @@ class TestFunctionalController(TrackerTestController):
for i in range(2):
r = self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=1, limit=2))
+ r = self.app.get('/bugs/1/', dict(page='1', limit='2'))
assert_true('Page 2 of 2' in r)
def test_discussion_feed(self):
@@ -1737,9 +1737,9 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- first_ticket._id,
- second_ticket._id,
- third_ticket._id),
+ str(first_ticket._id),
+ str(second_ticket._id),
+ str(third_ticket._id)),
'status': 'accepted',
'_milestone': '2.0',
'assigned_to': 'test-admin'})
@@ -1815,7 +1815,7 @@ class TestFunctionalController(TrackerTestController):
M.MonQTask.query.remove()
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
- '__ticket_ids': [ticket._id],
+ '__ticket_ids': [str(ticket._id)],
'status': 'accepted'})
M.MonQTask.run_ready()
emails = M.MonQTask.query.find(dict(task_name='allura.tasks.mail_tasks.sendmail')).all()
@@ -1855,7 +1855,7 @@ class TestFunctionalController(TrackerTestController):
M.MonQTask.query.remove()
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'status': 'accepted'})
M.MonQTask.run_ready()
emails = M.MonQTask.query.find(dict(task_name='allura.tasks.mail_tasks.sendmail')).all()
@@ -1896,7 +1896,7 @@ class TestFunctionalController(TrackerTestController):
M.MonQTask.query.remove()
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'status': 'accepted'})
M.MonQTask.run_ready()
emails = M.MonQTask.query.find(dict(task_name='allura.tasks.mail_tasks.sendmail')).all()
@@ -2050,7 +2050,7 @@ class TestFunctionalController(TrackerTestController):
env = {'username': str('test-user')}
post_data = {
'ticket_form.summary': 'Private ticket title',
- 'ticket_form.private': True
+ 'ticket_form.private': 'True'
}
self.app.post('/bugs/save_ticket', post_data, extra_environ=env)
# ... and can see it
@@ -2193,7 +2193,7 @@ class TestFunctionalController(TrackerTestController):
params[f.find('textarea')['name']] = post_content
r = self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/p/test2/bugs2/1/'.encode("utf-8")})
- r = self.app.get('/p/test2/bugs2/1/', dict(page=1))
+ r = self.app.get('/p/test2/bugs2/1/', dict(page='1'))
assert_true(post_content in r)
comments_cnt = len(r.html.findAll(attrs={'class': 'discussion-post'}))
assert_equal(comments_cnt, 2) # moved auto comment + new comment
@@ -2320,7 +2320,7 @@ class TestFunctionalController(TrackerTestController):
user = M.User.query.get(username='test-user')
# subscribe test-user to ticket #2
- self.app.post('/p/test/bugs/2/subscribe', {'subscribe': True},
+ self.app.post('/p/test/bugs/2/subscribe', {'subscribe': 'True'},
extra_environ={'username': str('test-user')})
assert M.Mailbox.query.get(user_id=user._id,
project_id=p._id,
@@ -2443,7 +2443,7 @@ class TestFunctionalController(TrackerTestController):
params[f.find('textarea')['name']] = 'test comment'
self.app.post(f['action'].encode('utf-8'), params=params,
headers={'Referer': '/bugs/1/'.encode("utf-8")})
- r = self.app.get('/bugs/1/', dict(page=1))
+ r = self.app.get('/bugs/1/', dict(page='1'))
post_link = str(r.html.find('div', {'class': 'edit_post_form reply'}).find('form')['action'])
self.app.post(post_link + 'attach',
upload_files=[('file_info', 'test.txt', b'test attach')])
@@ -2572,7 +2572,7 @@ class TestFunctionalController(TrackerTestController):
'status': 'closed',
'assigned_to': '',
'labels': '',
- 'private': True,
+ 'private': 'True',
'comment': 'closing ticket of a user that is gone'
})
self.app.get('/p/test/bugs/1/', status=200)
@@ -2590,9 +2590,9 @@ class TestFunctionalController(TrackerTestController):
self.app.post('/p/test/bugs/update_tickets', {
'__search': '',
'__ticket_ids': (
- first_ticket._id,
- second_ticket._id),
- 'deleted': True})
+ str(first_ticket._id),
+ str(second_ticket._id)),
+ 'deleted': 'True'})
M.MonQTask.run_ready()
r = self.app.get('/bugs/')
@@ -3026,7 +3026,7 @@ class TestBulkMove(TrackerTestController):
original_tracker = original_p.app_instance('bugs')
self.app.post('/p/test/bugs/move_tickets', {
'tracker': str(tracker.config._id),
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'__search': '',
})
M.MonQTask.run_ready()
@@ -3064,7 +3064,7 @@ class TestBulkMove(TrackerTestController):
M.MonQTask.query.remove()
self.app.post('/p/test/bugs/move_tickets', {
'tracker': str(tracker.config._id),
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'__search': '',
})
M.MonQTask.run_ready()
@@ -3127,7 +3127,7 @@ class TestBulkMove(TrackerTestController):
M.MonQTask.query.remove()
self.app.post('/p/test/bugs/move_tickets', {
'tracker': str(tracker.config._id),
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'__search': '',
})
M.MonQTask.run_ready()
@@ -3183,7 +3183,7 @@ class TestBulkMove(TrackerTestController):
tracker = p.app_instance('bugs2')
self.app.post('/p/test/bugs/move_tickets', {
'tracker': str(tracker.config._id),
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'__search': '',
})
M.MonQTask.run_ready()
@@ -3231,7 +3231,7 @@ class TestBulkMove(TrackerTestController):
tracker = p.app_instance('bugs2')
self.app.post('/p/test/bugs/move_tickets', {
'tracker': str(tracker.config._id),
- '__ticket_ids': [t._id for t in tickets],
+ '__ticket_ids': [str(t._id) for t in tickets],
'__search': '',
})
M.MonQTask.run_ready()
diff --git a/ForgeWiki/forgewiki/tests/functional/test_root.py b/ForgeWiki/forgewiki/tests/functional/test_root.py
index 871aabc..8bba3a2 100644
--- a/ForgeWiki/forgewiki/tests/functional/test_root.py
+++ b/ForgeWiki/forgewiki/tests/functional/test_root.py
@@ -844,7 +844,7 @@ class TestRootController(TestController):
sidebar_menu = r.html.find('div', attrs={'id': 'sidebar'})
assert 'Subscribe to wiki' in str(sidebar_menu)
# subscribe
- self.app.post('/p/test/wiki/subscribe', {'subscribe': True},
+ self.app.post('/p/test/wiki/subscribe', {'subscribe': 'True'},
extra_environ={'username': str(user.username)}).follow()
# user is subscribed
assert M.Mailbox.subscribed(user_id=user._id)
@@ -852,7 +852,7 @@ class TestRootController(TestController):
sidebar_menu = r.html.find('div', attrs={'id': 'sidebar'})
assert 'Unsubscribe' in str(sidebar_menu)
# unsubscribe
- self.app.post('/p/test/wiki/subscribe', {'unsubscribe': True},
+ self.app.post('/p/test/wiki/subscribe', {'unsubscribe': 'True'},
extra_environ={'username': str(user.username)}).follow()
# user is not subscribed
assert not M.Mailbox.subscribed(user_id=user._id)