forked from Rockachopa/Timmy-time-dashboard
feat: code quality audit + autoresearch integration + infra hardening (#150)
This commit is contained in:
Alexander Whitestone
committed by
GitHub
GitHub
parent
fd0ede0d51
commit
ae3bb1cc21
@@ -1,58 +1,65 @@
|
||||
import pytest
|
||||
from fastapi.templating import Jinja2Templates
|
||||
|
||||
|
||||
def test_agent_chat_msg_xss_prevention():
|
||||
"""Verify XSS prevention in agent_chat_msg.html."""
|
||||
templates = Jinja2Templates(directory="src/dashboard/templates")
|
||||
payload = "<script>alert('xss')</script>"
|
||||
|
||||
class MockAgent:
|
||||
def __init__(self):
|
||||
self.name = "TestAgent"
|
||||
self.id = "test-agent"
|
||||
|
||||
response = templates.get_template("partials/agent_chat_msg.html").render({
|
||||
"message": payload,
|
||||
"response": payload,
|
||||
"error": payload,
|
||||
"agent": MockAgent(),
|
||||
"timestamp": "12:00:00"
|
||||
})
|
||||
|
||||
|
||||
response = templates.get_template("partials/agent_chat_msg.html").render(
|
||||
{
|
||||
"message": payload,
|
||||
"response": payload,
|
||||
"error": payload,
|
||||
"agent": MockAgent(),
|
||||
"timestamp": "12:00:00",
|
||||
}
|
||||
)
|
||||
|
||||
# Check that payload is escaped
|
||||
assert "<script>alert('xss')</script>" in response
|
||||
assert payload not in response
|
||||
|
||||
|
||||
def test_agent_panel_xss_prevention():
|
||||
"""Verify XSS prevention in agent_panel.html."""
|
||||
templates = Jinja2Templates(directory="src/dashboard/templates")
|
||||
payload = "<script>alert('xss')</script>"
|
||||
|
||||
class MockAgent:
|
||||
def __init__(self):
|
||||
self.name = payload
|
||||
self.id = "test-agent"
|
||||
self.status = "idle"
|
||||
self.capabilities = payload
|
||||
|
||||
|
||||
class MockTask:
|
||||
def __init__(self):
|
||||
self.id = "task-1"
|
||||
self.status = type('obj', (object,), {'value': 'completed'})
|
||||
self.status = type("obj", (object,), {"value": "completed"})
|
||||
self.created_at = "2026-02-26T12:00:00"
|
||||
self.description = payload
|
||||
self.result = payload
|
||||
|
||||
response = templates.get_template("partials/agent_panel.html").render({
|
||||
"agent": MockAgent(),
|
||||
"tasks": [MockTask()]
|
||||
})
|
||||
|
||||
response = templates.get_template("partials/agent_panel.html").render(
|
||||
{"agent": MockAgent(), "tasks": [MockTask()]}
|
||||
)
|
||||
|
||||
assert "<script>alert('xss')</script>" in response
|
||||
assert payload not in response
|
||||
|
||||
|
||||
def test_swarm_sidebar_xss_prevention():
|
||||
"""Verify XSS prevention in swarm_agents_sidebar.html."""
|
||||
templates = Jinja2Templates(directory="src/dashboard/templates")
|
||||
payload = "<script>alert('xss')</script>"
|
||||
|
||||
class MockAgent:
|
||||
def __init__(self):
|
||||
self.name = payload
|
||||
@@ -61,9 +68,9 @@ def test_swarm_sidebar_xss_prevention():
|
||||
self.capabilities = payload
|
||||
self.last_seen = "2026-02-26T12:00:00"
|
||||
|
||||
response = templates.get_template("partials/swarm_agents_sidebar.html").render({
|
||||
"agents": [MockAgent()]
|
||||
})
|
||||
|
||||
response = templates.get_template("partials/swarm_agents_sidebar.html").render(
|
||||
{"agents": [MockAgent()]}
|
||||
)
|
||||
|
||||
assert "<script>alert('xss')</script>" in response
|
||||
assert payload not in response
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import pytest
|
||||
|
||||
|
||||
def test_xss_protection_in_templates():
|
||||
"""Verify that templates now use the escape filter for user-controlled content."""
|
||||
templates_to_check = [
|
||||
@@ -9,9 +10,8 @@ def test_xss_protection_in_templates():
|
||||
("src/dashboard/templates/partials/approval_card_single.html", "{{ item.title | e }}"),
|
||||
("src/dashboard/templates/marketplace.html", "{{ agent.name | e }}"),
|
||||
]
|
||||
|
||||
|
||||
for path, expected_snippet in templates_to_check:
|
||||
with open(path, "r") as f:
|
||||
content = f.read()
|
||||
assert expected_snippet in content, f"XSS fix missing in {path}"
|
||||
|
||||
|
||||
@@ -1,12 +1,16 @@
|
||||
import html
|
||||
|
||||
import pytest
|
||||
from fastapi.testclient import TestClient
|
||||
|
||||
from dashboard.app import app
|
||||
import html
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def client():
|
||||
return TestClient(app)
|
||||
|
||||
|
||||
def test_health_status_xss_vulnerability(client, monkeypatch):
|
||||
"""Verify that the health status page escapes the model name."""
|
||||
malicious_model = '"><script>alert("XSS")</script>'
|
||||
@@ -19,6 +23,7 @@ def test_health_status_xss_vulnerability(client, monkeypatch):
|
||||
assert escaped_model in response.text
|
||||
assert malicious_model not in response.text
|
||||
|
||||
|
||||
def test_grok_toggle_xss_vulnerability(client, monkeypatch):
|
||||
"""Verify that the grok toggle card escapes the model name."""
|
||||
malicious_model = '"><img src=x onerror=alert(1)>'
|
||||
|
||||
Reference in New Issue
Block a user