forked from Rockachopa/Timmy-time-dashboard
51 lines
1.8 KiB
Python
51 lines
1.8 KiB
Python
import pytest
|
|
from fastapi.testclient import TestClient
|
|
from dashboard.app import app
|
|
from config import settings
|
|
import html
|
|
|
|
@pytest.fixture
|
|
def client():
|
|
return TestClient(app)
|
|
|
|
def test_health_status_xss_vulnerability(client):
|
|
"""Verify that the health status page escapes the model name."""
|
|
original_model = settings.ollama_model
|
|
malicious_model = '"><script>alert("XSS")</script>'
|
|
|
|
try:
|
|
# Inject malicious model name into settings
|
|
settings.ollama_model = malicious_model
|
|
|
|
response = client.get("/health/status")
|
|
assert response.status_code == 200
|
|
|
|
# The malicious script should be escaped
|
|
escaped_model = html.escape(malicious_model)
|
|
assert escaped_model in response.text
|
|
assert malicious_model not in response.text
|
|
finally:
|
|
settings.ollama_model = original_model
|
|
|
|
def test_grok_toggle_xss_vulnerability(client):
|
|
"""Verify that the grok toggle card escapes the model name."""
|
|
original_model = settings.grok_default_model
|
|
malicious_model = '"><img src=x onerror=alert(1)>'
|
|
|
|
try:
|
|
# Inject malicious model name into settings
|
|
settings.grok_default_model = malicious_model
|
|
|
|
# We need to make grok available to trigger the render_toggle_card
|
|
# Since we're in test mode, we might need to mock this or just call the function
|
|
from dashboard.routes.grok import _render_toggle_card
|
|
|
|
html_output = _render_toggle_card(active=True)
|
|
|
|
# The malicious script should be escaped
|
|
escaped_model = html.escape(malicious_model)
|
|
assert escaped_model in html_output
|
|
assert malicious_model not in html_output
|
|
finally:
|
|
settings.grok_default_model = original_model
|