From 4395a5f404548ef3bb38d212f506f818206bc1bf Mon Sep 17 00:00:00 2001
From: Knut Sveidqvist
Date: Thu, 11 Mar 2021 19:51:05 +0100
Subject: [PATCH] Added tests to trigger the xss attack (and fail initially)
---
 cypress/integration/other/xss.spec.js | 31 +++++++++++--
 cypress/platform/xss2.html | 63 +++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 4 deletions(-)
 create mode 100644 cypress/platform/xss2.html
diff --git a/cypress/integration/other/xss.spec.js b/cypress/integration/other/xss.spec.js
index 7f2ea8d4d..1214955a7 100644
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -13,9 +13,25 @@ describe('XSS', () => {
 cy.get('.mermaid').should('exist');
 });
 cy.get('svg')
- // cy.percySnapshot()
+ })
+
+ it('should not allow tags in the css', () => {
+ const str = 'eyJjb2RlIjoiJSV7aW5pdDogeyAnZm9udEZhbWlseSc6ICdcXFwiPjwvc3R5bGU-PGltZyBzcmM9eCBvbmVycm9yPXhzc0F0dGFjaygpPid9IH0lJVxuZ3JhcGggTFJcbiAgICAgQSAtLT4gQiIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9';
+
+ const url = mermaidUrl(str,{
+ "theme": "default",
+ "flowchart": {
+ "htmlMode": false
+ }
+ }, true);
+
+ cy.visit(url);
+ cy.wait(1000).then(()=>{
+ cy.get('#the-malware').should('not.exist');
+ });
 })
+
 it('should handle xss in tags in non-html mode', () => {
 const str = 'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX19';
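Review bot: The negative assertion in the new `should not allow tags in the css` test passes vacuously if the diagram has not rendered when the 1 s timer fires, because `cy.get('#the-malware').should('not.exist')` only checks that the marker is absent, not that the payload was processed; assert the render first, e.g. `cy.get('svg').should('exist'); cy.get('#the-malware').should('not.exist');`, and the same applies to both tests in the following hunk. The `.then(()=>{ ... })` wrapper around the `cy.get` is unnecessary, since Cypress already serialises queued commands after `cy.wait(1000)`, as the next hunk does. The options object passes `"htmlMode": false` while the encoded diagram state in `str` carries `"htmlLabels":false`; if `mermaidUrl` merges these into the mermaid config, `htmlMode` is presumably ignored and `htmlLabels: false` is the intended key, which is worth confirming against the helper. The enclosing `describe` block starts before this hunk.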
@@ -27,9 +43,16 @@ describe('XSS', () => {
 }, true);
 cy.visit(url);
- // cy.get('svg')
- // cy.percySnapshot()
- cy.get('.malware').should('not.exist');
+ cy.wait(1000)
+
+ cy.get('#the-malware').should('not.exist');
+ })
+
+ it('should not allow changing the __proto__ attribute using config', () => {
+ cy.visit('http://localhost:9000/xss2.html');
+ cy.wait(1000);
+ cy.get('#the-malware').should('not.exist');
 })
+
 })
diff --git a/cypress/platform/xss2.html b/cypress/platform/xss2.html
new file mode 100644
index 000000000..949665951
--- /dev/null
+++ b/cypress/platform/xss2.html
@@ -0,0 +1,63 @@
+ + + + + + + +
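Review bot: The new `__proto__` test hard-codes `cy.visit('http://localhost:9000/xss2.html')`, whereas the neighbouring tests derive their URL through `mermaidUrl(...)`, so this test breaks whenever the dev server runs on a different host or port; if the Cypress config sets `baseUrl`, `cy.visit('/xss2.html')` keeps it portable, otherwise the origin should come from the same helper the other tests use. The test name promises that `__proto__` cannot be changed through config, but the only assertion is that `#the-malware` is absent, so a one-line comment such as `// xss2.html renders a diagram whose init block sets __proto__; the page marks success with #the-malware` would tell a reader what the fixture is expected to do. `cy.wait(1000)` on the first added line lacks the trailing semicolon the rest of the file uses. The enclosing `describe` block starts before this hunk.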
+ %%{init: { '__proto__': {'polluted': 'asdf'}} }%%
+ graph LR
+ A --> B
+ + + +