MrSphay/odysseus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Guard image and QR DOM attributes (#2500)

Browse Source
This commit is contained in:
Vykos
2026-06-04 20:51:23 +02:00
committed by GitHub
parent b59bbe80ce
commit ca8ca38a32
5 changed files with 114 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
tests/test_notes_dom_xss_helpers.py Normal file
View File

@@ -0,0 +1,34 @@
"""Regression guards for Notes DOM rendering helpers."""
from pathlib import Path
_REPO = Path(__file__).resolve().parent.parent
def test_notes_image_src_guard_rejects_script_capable_data_images():
src = (_REPO / "static" / "js" / "notes.js").read_text(encoding="utf-8")
assert "function _safeImgSrc(s)" in src
assert r"^data:image\/(?:png|jpe?g|gif|webp);base64," in src
assert r"^data:image\/i.test(v)" not in src
def test_notes_linkify_escapes_href_attribute():
src = (_REPO / "static" / "js" / "notes.js").read_text(encoding="utf-8")
assert "function _attrEsc(s)" in src
assert 'href="${_attrEsc(href)}"' in src
assert 'href="${href}"' not in src
def test_notes_edit_form_uses_safe_image_src_guard():
src = (_REPO / "static" / "js" / "notes.js").read_text(encoding="utf-8")
assert "let currentImageUrl = _safeImgSrc(note?.image_url || '');" in src
assert "let _stashedDrawUrl = (type === 'draw') ? (_safeImgSrc(note?.image_url) || null) : null;" in src
assert "_wireCanvas(bodyEl, _stashedDrawUrl || currentImageUrl || _safeImgSrc(note?.image_url) || null)" in src
assert "_wireCanvas(form.querySelector('.note-form-body'), _safeImgSrc(note?.image_url) || null)" in src
assert "const safeInitialImageUrl = _safeImgSrc(initialImageUrl);" in src
assert "img.src = safeInitialImageUrl;" in src
assert "img.src = initialImageUrl;" not in src

26
tests/test_signature_settings_dom_xss.py Normal file
View File

@@ -0,0 +1,26 @@
"""Regression guards for DOM attribute sinks in signature/settings UI."""
from pathlib import Path
_REPO = Path(__file__).resolve().parent.parent
def test_signature_picker_allows_only_raster_data_urls():
src = (_REPO / "static" / "js" / "signature.js").read_text(encoding="utf-8")
assert "function _safeSignatureDataUrl(raw)" in src
assert r"^data:image\/(?:png|jpe?g);base64," in src
assert '<img src="${_esc(dataUrl)}"/>' in src
assert 'dataUrl: s.data_url' not in src
def test_settings_2fa_setup_escapes_secret_and_qr_src():
src = (_REPO / "static" / "js" / "settings.js").read_text(encoding="utf-8")
assert "function safeRasterDataUrl(raw)" in src
assert "const qrCode = safeRasterDataUrl(setup.qr_code);" in src
assert '<img src="${esc(qrCode)}"' in src
assert "${esc(setup.secret)}" in src
assert 'src="${setup.qr_code}"' not in src
assert ">${setup.secret}</div>" not in src