Bug 22478: Add tests
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
parent
f021ca30a5
commit
3b12416dc8
2 changed files with 79 additions and 4 deletions
|
@ -19,7 +19,7 @@ use Modern::Perl;
|
||||||
|
|
||||||
use C4::Context;
|
use C4::Context;
|
||||||
|
|
||||||
use Test::More tests => 4;
|
use Test::More tests => 5;
|
||||||
use Test::MockModule;
|
use Test::MockModule;
|
||||||
|
|
||||||
use C4::Context;
|
use C4::Context;
|
||||||
|
@ -187,6 +187,52 @@ subtest 'Display circulation table correctly' => sub {
|
||||||
$patron->category, $library;
|
$patron->category, $library;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
subtest 'XSS vulnerabilities in pagination' => sub {
|
||||||
|
plan tests => 3;
|
||||||
|
|
||||||
|
my $patron = $builder->build_object({ class => 'Koha::Patrons' });
|
||||||
|
for ( 1 .. 30 ) { # We want the pagination to be displayed
|
||||||
|
push @cleanup, $builder->build_object(
|
||||||
|
{
|
||||||
|
class => 'Koha::Virtualshelves',
|
||||||
|
value => {
|
||||||
|
category => 1,
|
||||||
|
allow_change_from_owner => 1,
|
||||||
|
allow_change_from_others => 0,
|
||||||
|
owner => $patron->borrowernumber
|
||||||
|
}
|
||||||
|
}
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
my $password = Koha::AuthUtils::generate_password();
|
||||||
|
t::lib::Mocks::mock_preference( 'RequireStrongPassword', 0 );
|
||||||
|
$patron->set_password({ password => $password });
|
||||||
|
$s->opac_auth( $patron->userid, $password );
|
||||||
|
|
||||||
|
my $public_lists = $s->opac_base_url . q|opac-shelves.pl?op=list&category=1|;
|
||||||
|
$driver->get($public_lists);
|
||||||
|
|
||||||
|
$s->remove_error_handler;
|
||||||
|
my $alert_text = eval { $driver->get_alert_text() };
|
||||||
|
$s->add_error_handler;
|
||||||
|
is( $alert_text, undef, 'No alert box displayed' );
|
||||||
|
|
||||||
|
my $booh_alert = 'booh!';
|
||||||
|
$public_lists = $s->opac_base_url . qq|opac-shelves.pl?op=list&category=1"><script>alert('$booh_alert')</script>|;
|
||||||
|
$driver->get($public_lists);
|
||||||
|
|
||||||
|
$s->remove_error_handler;
|
||||||
|
$alert_text = eval { $driver->get_alert_text() };
|
||||||
|
$s->add_error_handler;
|
||||||
|
is( $alert_text, undef, 'No alert box displayed, even if evil intent' );
|
||||||
|
|
||||||
|
my $second_page = $driver->find_element('//div[@class="pages"]/span[@class="currentPage"]/following-sibling::a');
|
||||||
|
like( $second_page->get_attribute('href'), qr{category=1%22%3E%3Cscript%3Ealert%28%27booh%21%27%29%3C%2Fscript%3E}, 'The second patch should displayed the variables and attributes correctly URI escaped' );
|
||||||
|
|
||||||
|
push @cleanup, $patron, $patron->category, $patron->library;
|
||||||
|
};
|
||||||
|
|
||||||
END {
|
END {
|
||||||
C4::Context->set_preference('SearchEngine', $SearchEngine_value);
|
C4::Context->set_preference('SearchEngine', $SearchEngine_value);
|
||||||
C4::Context->set_preference('AudioAlerts', $AudioAlerts_value);
|
C4::Context->set_preference('AudioAlerts', $AudioAlerts_value);
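Review bot: The `like` near the end of the new 'XSS vulnerabilities in pagination' subtest hard-codes the percent-encoded payload (`category=1%22%3E%3Cscript%3Ealert%28%27booh%21%27%29%3C%2Fscript%3E`) independently of `my $booh_alert = 'booh!'`, so editing the variable silently desynchronises the assertion from the URL actually requested; building the expected string from `$booh_alert` (a `uri_escape` call if URI::Escape is already loaded by this test, otherwise a small local helper) would keep the two in step. The description on that same line, `'The second patch should displayed the variables and attributes correctly URI escaped'`, appears to mean `'The second page should display the variables and attributes correctly URI escaped'`. The two `my $alert_text = eval { $driver->get_alert_text() };` lines depend on both `remove_error_handler` and the `eval` to map "no alert open" onto undef; a comment such as `# get_alert_text() fails when no alert is open; undef means the injected markup was not executed` would make that intent visible rather than implied. Note that the `END` block whose context lines close this hunk continues outside it.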
|
||||||
|
|
|
@ -49,7 +49,16 @@ sub new {
|
||||||
$self->{driver} = Selenium::Remote::Driver->new(
|
$self->{driver} = Selenium::Remote::Driver->new(
|
||||||
port => $self->{selenium_port},
|
port => $self->{selenium_port},
|
||||||
remote_server_addr => $self->{selenium_addr},
|
remote_server_addr => $self->{selenium_addr},
|
||||||
error_handler => sub {
|
);
|
||||||
|
bless $self, $class;
|
||||||
|
$self->add_error_handler;
|
||||||
|
return $self;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub add_error_handler {
|
||||||
|
my ( $self ) = @_;
|
||||||
|
$self->{driver}->error_handler(
|
||||||
|
sub {
|
||||||
my ( $driver, $selenium_error ) = @_;
|
my ( $driver, $selenium_error ) = @_;
|
||||||
print STDERR "\nSTRACE:";
|
print STDERR "\nSTRACE:";
|
||||||
my $i = 1;
|
my $i = 1;
|
||||||
|
@ -57,11 +66,15 @@ sub new {
|
||||||
print STDERR "\t" . $call_details[1]. ":" . $call_details[2] . " in " . $call_details[3]."\n";
|
print STDERR "\t" . $call_details[1]. ":" . $call_details[2] . " in " . $call_details[3]."\n";
|
||||||
}
|
}
|
||||||
print STDERR "\n";
|
print STDERR "\n";
|
||||||
$class->capture( $driver );
|
$self->capture( $driver );
|
||||||
croak $selenium_error;
|
croak $selenium_error;
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
return bless $self, $class;
|
}
|
||||||
|
|
||||||
|
sub remove_error_handler {
|
||||||
|
my ( $self ) = @_;
|
||||||
|
$self->{driver}->error_handler( sub {} );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub config {
|
sub config {
|
||||||
|
@ -95,6 +108,7 @@ sub opac_auth {
|
||||||
$password ||= $self->password;
|
$password ||= $self->password;
|
||||||
my $mainpage = $self->opac_base_url . 'opac-main.pl';
|
my $mainpage = $self->opac_base_url . 'opac-main.pl';
|
||||||
|
|
||||||
|
$self->driver->get($mainpage . q|?logout.x=1|); # Logout before, to make sure we will see the login form
|
||||||
$self->driver->get($mainpage);
|
$self->driver->get($mainpage);
|
||||||
$self->fill_form( { userid => $login, password => $password } );
|
$self->fill_form( { userid => $login, password => $password } );
|
||||||
$self->submit_form;
|
$self->submit_form;
|
||||||
|
@ -240,6 +254,21 @@ when we use automation test using Selenium
|
||||||
Capture a screenshot and upload it using the excellent lut.im service provided by framasoft
|
Capture a screenshot and upload it using the excellent lut.im service provided by framasoft
|
||||||
The url of the image will be printed on STDERR (it should be better to return it instead)
|
The url of the image will be printed on STDERR (it should be better to return it instead)
|
||||||
|
|
||||||
|
=head2 add_error_handler
|
||||||
|
$c->add_error_handler
|
||||||
|
|
||||||
|
Add our specific error handler to the driver.
|
||||||
|
It will displayed a trace as well as capture a screenshot of the current screen.
|
||||||
|
So only case you should need it is after you called remove_error_handler
|
||||||
|
|
||||||
|
=head remove_error_handler
|
||||||
|
$c->remove_error_handler
|
||||||
|
|
||||||
|
Do *not* call this method if you are not aware of what it will do!
|
||||||
|
It will remove any kinds of error raised by the driver.
|
||||||
|
It can be useful in some cases, for instance if you want to make sure something will not happen and that could make the driver exploses otherwise.
|
||||||
|
You certainly should call it for only one statement then must call add_error_handler right after.
|
||||||
|
|
||||||
=head1 AUTHORS
|
=head1 AUTHORS
|
||||||
|
|
||||||
Jonathan Druart <jonathan.druart@bugs.koha-community.org>
|
Jonathan Druart <jonathan.druart@bugs.koha-community.org>
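Review bot: `=head remove_error_handler` in the new POD is not a valid POD command (only `=head1` through `=head4` exist), so podchecker reports an unknown directive and perldoc will not render the section that warns maintainers about this method; it should read `=head2 remove_error_handler`, matching the `=head2 add_error_handler` heading just above it. Two wording fixes in the same block: `It will displayed a trace as well as capture a screenshot` → `It will display a trace as well as capture a screenshot`, and `that could make the driver exploses otherwise` → `that would otherwise make the driver croak`. In the earlier hunk of this file, the handler installed by `add_error_handler` calls `$self->capture( $driver )` and is stored via `$self->{driver}->error_handler(...)`, so the closure holds `$self` while `$self` holds the driver; that is a reference cycle, harmless for a test helper that lives for the whole run, but worth a `# NOTE: handler closes over $self (cycle with $self->{driver}); freed only with the driver` comment, or a weakened copy of `$self` if this helper is ever used outside short-lived tests. The body of `add_error_handler` starts in one hunk and ends in the next, so part of it is not visible here.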
|
||||||
|
|