Audit cleanup: security fixes, code reduction, test hygiene (#131)

2026-03-05 18:56:52 -05:00
parent e8f1dea3ec
commit aff3edb06a
33 changed files with 160 additions and 591 deletions
--- a/tests/security/test_xss_vulnerabilities.py
+++ b/tests/security/test_xss_vulnerabilities.py
@@ -1,50 +1,33 @@
 import pytest
 from fastapi.testclient import TestClient
 from dashboard.app import app
-from config import settings
 import html

@pytest.fixture
 def client():
    return TestClient(app)

-def test_health_status_xss_vulnerability(client):
+def test_health_status_xss_vulnerability(client, monkeypatch):
    """Verify that the health status page escapes the model name."""
-    original_model = settings.ollama_model
    malicious_model = '"><script>alert("XSS")</script>'
-    
-    try:
-        # Inject malicious model name into settings
-        settings.ollama_model = malicious_model
-        
-        response = client.get("/health/status")
-        assert response.status_code == 200
-        
-        # The malicious script should be escaped
-        escaped_model = html.escape(malicious_model)
-        assert escaped_model in response.text
-        assert malicious_model not in response.text
-    finally:
-        settings.ollama_model = original_model
+    monkeypatch.setattr("config.settings.ollama_model", malicious_model)

-def test_grok_toggle_xss_vulnerability(client):
+    response = client.get("/health/status")
+    assert response.status_code == 200
+
+    escaped_model = html.escape(malicious_model)
+    assert escaped_model in response.text
+    assert malicious_model not in response.text
+
+def test_grok_toggle_xss_vulnerability(client, monkeypatch):
    """Verify that the grok toggle card escapes the model name."""
-    original_model = settings.grok_default_model
    malicious_model = '"><img src=x onerror=alert(1)>'
-    
-    try:
-        # Inject malicious model name into settings
-        settings.grok_default_model = malicious_model
-        
-        # We need to make grok available to trigger the render_toggle_card
-        # Since we're in test mode, we might need to mock this or just call the function
-        from dashboard.routes.grok import _render_toggle_card
-        
-        html_output = _render_toggle_card(active=True)
-        
-        # The malicious script should be escaped
-        escaped_model = html.escape(malicious_model)
-        assert escaped_model in html_output
-        assert malicious_model not in html_output
-    finally:
-        settings.grok_default_model = original_model
+    monkeypatch.setattr("config.settings.grok_default_model", malicious_model)
+
+    from dashboard.routes.grok import _render_toggle_card
+
+    html_output = _render_toggle_card(active=True)
+
+    escaped_model = html.escape(malicious_model)
+    assert escaped_model in html_output
+    assert malicious_model not in html_output