"""
Tests of various instructor dashboard features that include lists of students
"""

from django.conf import settings
from django.test.client import RequestFactory
from django.test.utils import override_settings
from markupsafe import escape

from courseware.tests.tests import TEST_DATA_MONGO_MODULESTORE
from student.tests.factories import UserFactory, CourseEnrollmentFactory
from xmodule.modulestore.tests.django_utils import ModuleStoreTestCase
from xmodule.modulestore.tests.factories import CourseFactory

from instructor.views import legacy

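@override_settings(MODULESTORE=TEST_DATA_MONGO_MODULESTORE)
class TestXss(ModuleStoreTestCase):
    """
    Check that the legacy instructor dashboard HTML-escapes student names.

    A student's profile name is free text, so a name that contains markup
    must reach the rendered dashboard only in escaped form. Each test drives
    one dashboard action that lists enrolled students and asserts that the
    raw markup is absent from the page while its escaped form is present.
    """

    def setUp(self):
        # Let ModuleStoreTestCase run its own per-test setup before adding
        # ours; skipping it can leave shared modulestore state behind.
        super(TestXss, self).setUp()
        self._request_factory = RequestFactory()
        self._course = CourseFactory.create()
        # The profile name deliberately carries an HTML tag so the tests can
        # distinguish escaped output from raw output.
        self._evil_student = UserFactory.create(
            email="robot+evil@edx.org",
            username="evil-robot",
            profile__name='<span id="evil">Evil Robot</span>',
        )
        self._instructor = UserFactory.create(
            email="robot+instructor@edx.org",
            username="instructor",
            is_staff=True
        )
        CourseEnrollmentFactory.create(
            user=self._evil_student,
            course_id=self._course.id
        )

    def _test_action(self, action):
        """
        Check that the given dashboard action escapes HTML in a student's name.

        Posts a request carrying ``action`` to the legacy instructor dashboard
        view as the staff user, then asserts that the evil student's raw name
        does not appear in the response body and that its
        ``markupsafe.escape`` form does.

        Args:
            action (str): value of the ``action`` form field the dashboard
                dispatches on.
        """
        req = self._request_factory.post(
            "dummy_url",
            data={"action": action}
        )
        req.user = self._instructor
        # Presumably the view touches request.session, which a bare
        # RequestFactory request does not carry.
        req.session = {}

        resp = legacy.instructor_dashboard(req, self._course.id)

        resp_unicode = resp.content.decode(settings.DEFAULT_CHARSET)
        evil_name = self._evil_student.profile.name
        self.assertNotIn(evil_name, resp_unicode)
        self.assertIn(escape(evil_name), resp_unicode)

    def test_list_enrolled(self):
        """The enrolled-student listing must escape student names."""
        self._test_action("List enrolled students")

    def test_dump_list_of_enrolled(self):
        """The enrolled-student dump must escape student names."""
        self._test_action("Dump list of enrolled students")

    def test_dump_grades(self):
        """The grade dump must escape student names."""
        self._test_action("Dump Grades for all students in this course")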