forked from Rockachopa/Timmy-time-dashboard
9d78eb31d1
* polish: streamline nav, extract inline styles, improve tablet UX - Restructure desktop nav from 8+ flat links + overflow dropdown into 5 grouped dropdowns (Core, Agents, Intel, System, More) matching the mobile menu structure to reduce decision fatigue - Extract all inline styles from mission_control.html and base.html notification elements into mission-control.css with semantic classes - Replace JS-built innerHTML with secure DOM construction in notification loader and chat history - Add CONNECTING state to connection indicator (amber) instead of showing OFFLINE before WebSocket connects - Add tablet breakpoint (1024px) with larger touch targets for Apple Pencil / stylus use and safe-area padding for iPad toolbar - Add active-link highlighting in desktop dropdown menus - Rename "Mission Control" page title to "System Overview" to disambiguate from the chat home page - Add "Home — Timmy Time" page title to index.html https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * fix(security): move auth-gate credentials to environment variables Hardcoded username, password, and HMAC secret in auth-gate.py replaced with os.environ lookups. Startup now refuses to run if any variable is unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h * refactor(tooling): migrate from black+isort+bandit to ruff Replace three separate linting/formatting tools with a single ruff invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs), .pre-commit-config.yaml, and CI workflow. Fixes all ruff errors including unused imports, missing raise-from, and undefined names. Ruff config maps existing bandit skips to equivalent S-rules. https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h --------- Co-authored-by: Claude <noreply@anthropic.com>
45 lines
1.4 KiB
Python
45 lines
1.4 KiB
Python
"""Tests for CSRF protection middleware traversal bypasses."""
|
|
|
|
import pytest
|
|
from fastapi import FastAPI
|
|
from fastapi.testclient import TestClient
|
|
|
|
from dashboard.middleware.csrf import CSRFMiddleware
|
|
|
|
|
|
class TestCSRFTraversal:
|
|
"""Test path traversal CSRF bypass."""
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def enable_csrf(self):
|
|
"""Re-enable CSRF for these tests."""
|
|
from config import settings
|
|
|
|
original = settings.timmy_disable_csrf
|
|
settings.timmy_disable_csrf = False
|
|
yield
|
|
settings.timmy_disable_csrf = original
|
|
|
|
def test_csrf_middleware_path_traversal_bypass(self):
|
|
"""Test if path traversal can bypass CSRF exempt patterns."""
|
|
app = FastAPI()
|
|
app.add_middleware(CSRFMiddleware)
|
|
|
|
@app.post("/test")
|
|
def test_endpoint():
|
|
return {"message": "success"}
|
|
|
|
TestClient(app)
|
|
|
|
# We want to check if the middleware logic is flawed.
|
|
# Since TestClient might normalize, we can test the _is_likely_exempt method directly.
|
|
middleware = CSRFMiddleware(app)
|
|
|
|
# This path starts with /webhook, but resolves to /test
|
|
traversal_path = "/webhook/../test"
|
|
|
|
# If this returns True, it's a vulnerability because /test is not supposed to be exempt.
|
|
is_exempt = middleware._is_likely_exempt(traversal_path)
|
|
|
|
assert is_exempt is False, f"Path {traversal_path} should not be exempt"
|