Blame · xss.spec.js · grove

collab/mermaid/cypress/integration/other/xss.spec.jsblame

6dd74de			1	import { imgSnapshotTest, mermaidUrl, utf8ToB64 } from '../../helpers/util.ts';
6dd74de			2	describe('XSS', () => {
6dd74de			3	it('should handle xss in tags', () => {
6dd74de			4	const str =
6dd74de			5	'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0In19';
6dd74de			6
6dd74de			7	const url = mermaidUrl(str, {}, true);
6dd74de			8
6dd74de			9	cy.visit(url);
6dd74de			10	cy.wait(1000).then(() => {
6dd74de			11	cy.get('.mermaid').should('exist');
6dd74de			12	});
6dd74de			13	});
6dd74de			14
6dd74de			15	it('should not allow tags in the css', () => {
6dd74de			16	const str =
6dd74de			17	'eyJjb2RlIjoiJSV7aW5pdDogeyAnZm9udEZhbWlseSc6ICdcXFwiPjwvc3R5bGU+PGltZyBzcmM9eCBvbmVycm9yPXhzc0F0dGFjaygpPid9IH0lJVxuZ3JhcGggTFJcbiAgICAgQSAtLT4gQiIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9';
6dd74de			18
6dd74de			19	const url = mermaidUrl(
6dd74de			20	str,
6dd74de			21	{
6dd74de			22	theme: 'default',
6dd74de			23	flowchart: {
6dd74de			24	htmlMode: false,
6dd74de			25	},
6dd74de			26	},
6dd74de			27	true
6dd74de			28	);
6dd74de			29
6dd74de			30	cy.visit(url);
6dd74de			31	cy.wait(1000).then(() => {
6dd74de			32	cy.get('#the-malware').should('not.exist');
6dd74de			33	});
6dd74de			34	});
6dd74de			35
6dd74de			36	it('should handle xss in tags in non-html mode', () => {
6dd74de			37	const str =
6dd74de			38	'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX19';
6dd74de			39
6dd74de			40	const url = mermaidUrl(
6dd74de			41	str,
6dd74de			42	{
6dd74de			43	theme: 'default',
6dd74de			44	flowchart: {
6dd74de			45	htmlMode: false,
6dd74de			46	},
6dd74de			47	},
6dd74de			48	true
6dd74de			49	);
6dd74de			50
6dd74de			51	cy.visit(url);
6dd74de			52	cy.wait(1000);
6dd74de			53
6dd74de			54	cy.get('#the-malware').should('not.exist');
6dd74de			55	});
6dd74de			56
6dd74de			57	it('should not allow changing the __proto__ attribute using config', () => {
6dd74de			58	cy.visit('/xss2.html');
6dd74de			59	cy.wait(1000);
6dd74de			60	cy.get('#the-malware').should('not.exist');
6dd74de			61	});
6dd74de			62	it('should not allow manipulating htmlLabels into a false positive', () => {
6dd74de			63	cy.visit('/xss4.html');
6dd74de			64	cy.wait(1000);
6dd74de			65	cy.get('#the-malware').should('not.exist');
6dd74de			66	});
6dd74de			67	it('should not allow manipulating antiscript to run javascript', () => {
6dd74de			68	cy.visit('/xss5.html');
6dd74de			69	cy.wait(1000);
6dd74de			70	cy.get('#the-malware').should('not.exist');
6dd74de			71	});
6dd74de			72	it('should not allow manipulating antiscript to run javascript using onerror', () => {
6dd74de			73	cy.visit('/xss6.html');
6dd74de			74	cy.wait(1000);
6dd74de			75	cy.get('#the-malware').should('not.exist');
6dd74de			76	});
6dd74de			77	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre wrapper', () => {
6dd74de			78	cy.visit('/xss8.html');
6dd74de			79	cy.wait(1000);
6dd74de			80	cy.get('#the-malware').should('not.exist');
6dd74de			81	});
6dd74de			82	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre d3', () => {
6dd74de			83	cy.on('uncaught:exception', (_err, _runnable) => {
6dd74de			84	return false; // continue rendering even if there if mermaid throws an error
6dd74de			85	});
6dd74de			86	cy.visit('/xss9.html');
6dd74de			87	cy.wait(1000);
6dd74de			88	cy.get('#the-malware').should('not.exist');
6dd74de			89	});
6dd74de			90	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre d3', () => {
6dd74de			91	cy.visit('/xss10.html');
6dd74de			92	cy.wait(1000);
6dd74de			93	cy.get('#the-malware').should('not.exist');
6dd74de			94	});
6dd74de			95	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre d3', () => {
6dd74de			96	cy.visit('/xss11.html');
6dd74de			97	cy.wait(1000);
6dd74de			98	cy.get('#the-malware').should('not.exist');
6dd74de			99	});
6dd74de			100	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre d3', () => {
6dd74de			101	cy.visit('/xss12.html');
6dd74de			102	cy.wait(1000);
6dd74de			103	cy.get('#the-malware').should('not.exist');
6dd74de			104	});
6dd74de			105	it('should not allow manipulating antiscript to run javascript using onerror in state diagrams with dagre d3', () => {
6dd74de			106	cy.visit('/xss13.html');
6dd74de			107	cy.wait(1000);
6dd74de			108	cy.get('#the-malware').should('not.exist');
6dd74de			109	});
6dd74de			110	it('should not allow manipulating antiscript to run javascript iframes in class diagrams', () => {
6dd74de			111	cy.visit('/xss14.html');
6dd74de			112	cy.wait(1000);
6dd74de			113	cy.get('#the-malware').should('not.exist');
6dd74de			114	});
6dd74de			115	it('should sanitize cardinalities properly in class diagrams', () => {
6dd74de			116	cy.visit('/xss18.html');
6dd74de			117	cy.wait(1000);
6dd74de			118	cy.get('#the-malware').should('not.exist');
6dd74de			119	});
6dd74de			120	it('should sanitize colons properly', () => {
6dd74de			121	cy.visit('/xss20.html');
6dd74de			122	cy.wait(1000);
6dd74de			123	cy.get('a').click('');
6dd74de			124	cy.wait(1000);
6dd74de			125	cy.get('#the-malware').should('not.exist');
6dd74de			126	});
6dd74de			127	it('should sanitize colons properly', () => {
6dd74de			128	cy.visit('/xss21.html');
6dd74de			129	cy.wait(1000);
6dd74de			130	cy.get('a').click('');
6dd74de			131	cy.wait(1000);
6dd74de			132	cy.get('#the-malware').should('not.exist');
6dd74de			133	});
6dd74de			134	it('should sanitize backticks in class names properly', () => {
6dd74de			135	cy.visit('/xss24.html');
6dd74de			136	cy.wait(1000);
6dd74de			137	cy.get('#the-malware').should('not.exist');
6dd74de			138	});
6dd74de			139	it('should sanitize backticks block diagram labels properly', () => {
6dd74de			140	cy.visit('/xss25.html');
6dd74de			141	cy.wait(1000);
6dd74de			142	cy.get('#the-malware').should('not.exist');
6dd74de			143	});
6dd74de			144
6dd74de			145	it('should sanitize icon labels in architecture diagrams', () => {
6dd74de			146	const str = JSON.stringify({
6dd74de			147	code: `architecture-beta
6dd74de			148	group api(cloud)[API]
6dd74de			149	service db "<img src=x onerror=\\"xssAttack()\\">" [Database] in api`,
6dd74de			150	});
6dd74de			151	imgSnapshotTest(utf8ToB64(str), {}, true);
6dd74de			152	cy.wait(1000);
6dd74de			153	cy.get('#the-malware').should('not.exist');
6dd74de			154	});
6dd74de			155
6dd74de			156	it('should sanitize katex blocks', () => {
6dd74de			157	const str = JSON.stringify({
6dd74de			158	code: `sequenceDiagram
6dd74de			159	participant A as Alice<img src="x" onerror="xssAttack()">$$\\text{Alice}$$
6dd74de			160	A->>John: Hello John, how are you?`,
6dd74de			161	});
6dd74de			162	imgSnapshotTest(utf8ToB64(str), {}, true);
6dd74de			163	cy.wait(1000);
6dd74de			164	cy.get('#the-malware').should('not.exist');
6dd74de			165	});
6dd74de			166
6dd74de			167	it('should sanitize labels', () => {
6dd74de			168	const str = JSON.stringify({
6dd74de			169	code: `erDiagram
6dd74de			170	"<img src=x onerror=xssAttack()>" \|\|--\|\| ENTITY2 : "<img src=x onerror=xssAttack()>"
6dd74de			171	`,
6dd74de			172	});
6dd74de			173	imgSnapshotTest(utf8ToB64(str), {}, true);
6dd74de			174	cy.wait(1000);
6dd74de			175	cy.get('#the-malware').should('not.exist');
6dd74de			176	});
6dd74de			177	});