Added tests to trigger the xss attack (and fail initially)

2025-09-08 18:16:44 +02:00 · 2021-03-11 19:51:05 +01:00
parent 7472a8ebc7
commit 4395a5f404
2 changed files with 90 additions and 4 deletions
--- a/cypress/integration/other/xss.spec.js
+++ b/cypress/integration/other/xss.spec.js
@@ -13,9 +13,25 @@ describe('XSS', () => {
      cy.get('.mermaid').should('exist');
    });
    cy.get('svg')
-    // cy.percySnapshot()
+  })
+
+  it('should not allow tags in the css', () => {
+    const str = 'eyJjb2RlIjoiJSV7aW5pdDogeyAnZm9udEZhbWlseSc6ICdcXFwiPjwvc3R5bGU-PGltZyBzcmM9eCBvbmVycm9yPXhzc0F0dGFjaygpPid9IH0lJVxuZ3JhcGggTFJcbiAgICAgQSAtLT4gQiIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9';
+
+    const url = mermaidUrl(str,{
+      "theme": "default",
+      "flowchart": {
+        "htmlMode": false
+      }
+    }, true);
+
+    cy.visit(url);
+    cy.wait(1000).then(()=>{
+      cy.get('#the-malware').should('not.exist');
+    });

  })
+
  it('should handle xss in tags in non-html mode', () => {
    const str = 'eyJjb2RlIjoiXG5ncmFwaCBMUlxuICAgICAgQi0tPkQoPGltZyBvbmVycm9yPWxvY2F0aW9uPWBqYXZhc2NyaXB0XFx1MDAzYXhzc0F0dGFja1xcdTAwMjhkb2N1bWVudC5kb21haW5cXHUwMDI5YCBzcmM9eD4pOyIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0IiwiZmxvd2NoYXJ0Ijp7Imh0bWxMYWJlbHMiOmZhbHNlfX19';

@@ -27,9 +43,16 @@ describe('XSS', () => {
    }, true);

    cy.visit(url);
-    // cy.get('svg')
-    // cy.percySnapshot()
-    cy.get('.malware').should('not.exist');
+    cy.wait(1000)
+
+    cy.get('#the-malware').should('not.exist');
+  })
+
+  it('should not allow changing the __proto__ attribute using config', () => {
+    cy.visit('http://localhost:9000/xss2.html');
+    cy.wait(1000);
+    cy.get('#the-malware').should('not.exist');

  })
+
 })
--- a/cypress/platform/xss2.html
+++ b/cypress/platform/xss2.html
@@ -0,0 +1,63 @@
+<html>
+  <head>
+    <script src="/e2e.js"></script>
+    <link
+      href="https://fonts.googleapis.com/css?family=Montserrat&display=swap"
+      rel="stylesheet"
+    />
+    <style>
+      .malware {
+        position: fixed;
+        bottom:0;
+        left:0;
+        right:0;
+        height: 150px;
+        background: red;
+        color: black;
+        display: flex;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        font-family: monospace;
+        font-size: 72px;
+      }
+    </style>
+    <script>
+      function xssAttack(){
+        const div = document.createElement('div')
+        div.id = 'the-malware'
+        div.className = 'malware'
+        div.innerHTML = 'XSS Succeeded'
+        document.getElementsByTagName('body')[0].appendChild(div);
+        throw new Error('XSS Succeded');
+      }
+    </script>
+  </head>
+  <body>
+    <div class="mermaid">
+      %%{init: { '__proto__': {'polluted': 'asdf'}} }%%
+      graph LR
+          A --> B
+    </div>
+    <script src="./mermaid.js"></script>
+    <script>
+      mermaid.initialize({
+        startOnLoad: true,
+        useMaxWidth: true,
+      });
+      var cnt = 0;
+      var a;
+      var handler = setInterval(() => {
+        cnt++;
+        a = {};
+        if(typeof a.polluted !== 'undefined') {
+          xssAttack();
+          clearInterval(handler);
+        }
+        if(cnt>20) {
+          clearInterval(handler);
+        }
+      }, 100);
+    </script>
+  </body>
+</html>