From 76e2e41b7ed05fa4c2aa2310a0f208dbcae14b68 Mon Sep 17 00:00:00 2001
From: Nico Schedel <nschedel@sipwise.com>
Date: Wed, 21 Jul 2021 11:44:01 +0200
Subject: [PATCH] TT#70901 selenium: add new securtiy tests

Add security tests to check that JavaScript code or any other special
symbols get treated properly

Change-Id: Ie4023748ff23976226703a4abcb20c1e641a0695
---
 t/selenium/testrun.py | 125 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 125 insertions(+)

diff --git a/t/selenium/testrun.py b/t/selenium/testrun.py
index 04b241c7..e94c12de 100644
--- a/t/selenium/testrun.py
+++ b/t/selenium/testrun.py
@@ -13,6 +13,7 @@ from functions.Collections import delete_subscriber
 from functions.Collections import delete_domain
 from functions.Collections import login_csc
 from functions.Collections import login_panel
+from functions.Collections import logout_panel
 from functions.Collections import logout_csc
 from functions.Functions import click_js
 from functions.Functions import create_driver
@@ -22,6 +23,7 @@ from functions.Functions import wait_for_loading_screen
 from functions.Functions import wait_for_invisibility
 import selenium.common.exceptions
 from selenium import webdriver
+from selenium.webdriver.common.alert import Alert
 from selenium.webdriver.common.keys import Keys
 from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
 from selenium.webdriver.support.ui import WebDriverWait
@@ -587,6 +589,129 @@ class testrun(unittest.TestCase):
             "Time has not been changed")
         filename = 0
 
+    def test_security(self):
+        global customers
+        global filename
+        filename = "test_speeddial.png"
+        driver = self.driver
+        driver.get(os.environ['CATALYST_SERVER'])
+        print("Try to log in with valid credentials...", end="")
+        login_csc(driver, "testuser@" + self.domainname, 'testpasswd')
+        self.assertTrue(
+            len(driver.find_elements_by_xpath('//*[@id="csc-header-toolbar-main"]')) > 0, "Login wasnt successful")
+        print("OK")
+        print("Go to 'Call Forwarding' page...", end="")
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div[contains(., "Call Settings")]').click()
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div/a[contains(., "Forwarding")]').click()
+        self.assertTrue(
+            len(driver.find_elements_by_xpath('//*[@id="csc-page-call-forwarding"]')) > 0, "Conference page wasnt opened")
+        print("OK")
+        print("Create a call forwarding 'if available'...", end="")
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]/div[1]/button/span[3]/svg[@class="q-spinner text-primary"')
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]//button[contains(., "Add forwarding")]/span/svg')
+        click_js(driver, '//*[@id="csc-page-call-forwarding"]//div//button[contains(., "Add forwarding")]')
+        time.sleep(1)
+        click_js(driver, '/html/body/div[3]/div/div[1]')
+        print("OK")
+        print("Create a call forwarding 'if not available'...", end="")
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]/div[1]/button/span[3]/svg[@class="q-spinner text-primary"')
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]//button[contains(., "Add forwarding")]/span/svg')
+        click_js(driver, '//*[@id="csc-page-call-forwarding"]//div//button[contains(., "Add forwarding")]')
+        time.sleep(1)
+        click_js(driver, '/html/body/div[3]/div/div[2]')
+        print("OK")
+        print("Create a call forwarding 'if busy'...", end="")
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]/div[1]/button/span[3]/svg[@class="q-spinner text-primary"')
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]//button[contains(., "Add forwarding")]/span/svg')
+        click_js(driver, '//*[@id="csc-page-call-forwarding"]//div//button[contains(., "Add forwarding")]')
+        time.sleep(1)
+        click_js(driver, '/html/body/div[3]/div/div[3]')
+        print("OK")
+        print("Try to edit all 'forwared to...' numbers...", end="")
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]/div[1]/button/span[3]/svg[@class="q-spinner text-primary"')
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]//button[contains(., "Add forwarding")]/span/svg')
+        driver.find_element_by_xpath('//*[@id="csc-wrapper-call-forwarding"]/div[1]//div/span[contains(., "Number")]').click()
+        fill_element(driver, "/html/body//label//div//input", "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL")
+        driver.find_element_by_xpath('/html/body//div/button[contains(., "Set")]').click()
+        wait_for_invisibility(driver, '//*[@id="csc-wrapper-call-forwarding"]/div/div[2]/div[4]/svg')
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div/a[contains(., "Voicebox")]').click()
+        WebDriverWait(driver, 10).until(EC.element_to_be_clickable((By.XPATH, '//*[@id="csc-page-voicebox"]//div//input[@aria-label="Change PIN"]')))
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div/a[contains(., "Forwarding")]').click()
+        self.assertTrue(
+            len(driver.find_elements_by_xpath('//*[@id="csc-page-call-forwarding"]')) > 0, "Conference page wasnt opened")
+        print("OK")
+        print("Create a call forwarding 'if available'...", end="")
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]/div[1]/button/span[3]/svg[@class="q-spinner text-primary"')
+        wait_for_invisibility(driver, '//*[@id="csc-page-call-forwarding"]//button[contains(., "Add forwarding")]/span/svg')
+        wait_for_invisibility(driver, '//*[@id="csc-wrapper-call-forwarding"]/div/div[2]/div[4]/svg')
+        driver.find_element_by_xpath('//*[@id="csc-wrapper-call-forwarding"]/div[1]//div/span[contains(., "Number")]').click()
+        fill_element(driver, "/html/body//label//div//input", "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL")
+        driver.find_element_by_xpath('/html/body//div/button[contains(., "Set")]').click()
+        wait_for_invisibility(driver, '//*[@id="csc-wrapper-call-forwarding"]/div/div[2]/div[4]/svg')
+        driver.find_element_by_xpath('//*[@id="csc-wrapper-call-forwarding"]/div[2]//div/span[contains(., "Number")]').click()
+        fill_element(driver, "/html/body//label//div//input", "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL")
+        driver.find_element_by_xpath('/html/body//div/button[contains(., "Set")]').click()
+        wait_for_invisibility(driver, '//*[@id="csc-wrapper-call-forwarding"]/div/div[2]/div[4]/svg')
+        driver.find_element_by_xpath('//*[@id="csc-wrapper-call-forwarding"]/div[3]//div/span[contains(., "Number")]').click()
+        fill_element(driver, "/html/body//label//div//input", "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL")
+        driver.find_element_by_xpath('/html/body//div/button[contains(., "Set")]').click()
+        wait_for_invisibility(driver, '//*[@id="csc-wrapper-call-forwarding"]/div/div[2]/div[4]/svg')
+        print("OK")
+        print("Go to Admin Panel...", end="")
+        logout_csc(driver)
+        login_panel(driver)
+        print("OK")
+        print("Open Subscriber and check if Call forwarding doesn't execute malicious code...", end="")
+        driver.find_element_by_xpath('//*[@id="main-nav"]/li//span[contains(., "Settings")]').click()
+        driver.find_element_by_xpath('//*[@id="main-nav"]//li/a[contains(., "Subscribers")]').click()
+        fill_element(driver, '//*[@id="subscriber_table_filter"]/label/input', self.domainname)
+        WebDriverWait(driver, 10).until(EC.visibility_of_element_located((By.XPATH, '//*[@id="subscriber_table"]//tr[1]/td[5][contains(., "' + self.domainname + '")]')))
+        click_js(driver, '//*[@id="subscriber_table"]/tbody/tr[1]/td//a[contains(., "Details")]')
+        driver.find_element_by_xpath('//*[@id="content"]/div//span/a[contains(., "Preferences")]').click()
+        try:
+            alert_obj = Alert(driver)
+            self.assertTrue(alert_obj.text != 'test', "JavaScript Code was executed")
+            alert_obj.accept()
+            alert_obj.accept()
+            alert_obj.accept()
+        except selenium.common.exceptions.NoAlertPresentException:
+            pass
+        driver.find_element_by_xpath('//*[@id="preference_groups"]/div[contains(., "Call Forwards")]').click()
+        driver.find_element_by_xpath('//*[@id="preferences_table_cf"]/tbody/tr[1]/td[6]/a').click()
+        self.assertTrue(
+            "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL" in driver.find_element_by_xpath('//div[@id="collapse_cf"]//table//tr[1]/td[6]/div/div[2]').text,
+            "Didn't match test string")
+        driver.find_element_by_xpath('//div[@id="collapse_cf"]/div/table/tbody/tr[1]/td[6]//div/button').click()
+        driver.find_element_by_xpath('//*[@id="preferences_table_cf"]/tbody/tr[2]/td[6]/a').click()
+        self.assertTrue(
+            "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL" in driver.find_element_by_xpath('//div[@id="collapse_cf"]//table//tr[2]/td[6]/div/div[2]').text,
+            "Didn't match test string")
+        driver.find_element_by_xpath('//div[@id="collapse_cf"]/div/table/tbody/tr[2]/td[6]//div/button').click()
+        driver.find_element_by_xpath('//*[@id="preferences_table_cf"]/tbody/tr[4]/td[6]/a').click()
+        self.assertTrue(
+            "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\|}{;'\":,./?><EOL" in driver.find_element_by_xpath('//div[@id="collapse_cf"]//table//tr[4]/td[6]/div/div[2]').text,
+            "Didn't match test string")
+        driver.find_element_by_xpath('//div[@id="collapse_cf"]/div/table/tbody/tr[4]/td[6]//div/button').click()
+        print("OK")
+        print("Try to delete call forwarding...", end="")
+        click_js(driver, '//*[@id="preferences_table_cf"]/tbody/tr[1]/td[8]//a[contains(., "Delete")]')
+        driver.find_element_by_xpath('//*[@id="dataConfirmOK"]').click()
+        click_js(driver, '//*[@id="preferences_table_cf"]/tbody/tr[2]/td[8]//a[contains(., "Delete")]')
+        driver.find_element_by_xpath('//*[@id="dataConfirmOK"]').click()
+        click_js(driver, '//*[@id="preferences_table_cf"]/tbody/tr[4]/td[8]//a[contains(., "Delete")]')
+        driver.find_element_by_xpath('//*[@id="dataConfirmOK"]').click()
+        print("OK")
+        print("Go back to CSC Panel Call Fowarding page...", end="")
+        logout_panel(driver)
+        login_csc(driver, "testuser@" + self.domainname, 'testpasswd')
+        self.assertTrue(
+            len(driver.find_elements_by_xpath('//*[@id="csc-header-toolbar-main"]')) > 0, "Login wasnt successful")
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div[contains(., "Call Settings")]').click()
+        driver.find_element_by_xpath('//*[@id="csc-main-menu-top"]//div/a[contains(., "Forwarding")]').click()
+        self.assertTrue(
+            len(driver.find_elements_by_xpath('//*[@id="csc-page-call-forwarding"]')) > 0, "Conference page wasnt opened")
+        print("OK")
+
     def test_speed_dial(self):
         global customers
         global filename
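Review bot: The payload literal that `fill_element` types into the forwarding-number dialog (and the same literal repeated in the three `assertTrue(... in ... .text, "Didn't match test string")` checks on the Preferences page) contains `\|`, which is not a valid Python escape sequence — it produces a DeprecationWarning today and a SyntaxWarning from Python 3.12 — so write it as `\\|` (a raw string would not do, since it would also keep the backslash in `\"`) and hoist the seven copies into one module-level constant, e.g. `SECURITY_TEST_STRING = "checking <script>alert('test')</script> asdфывфів123!@#$%^&*()_+[]\\|}{;'\":,./?><EOL"`, so the value entered and the value asserted cannot drift apart. `filename = "test_speeddial.png"` at the top of `test_security` is copied from `test_speed_dial` and should be `"test_security.png"` so that whatever artifact the global `filename` names for a failed run is attributed to the right test. The `try: alert_obj = Alert(driver)` block only covers the admin Preferences page, while the same value is first rendered in the CSC forwarding list after each "Set"; if the injected script ran there, the next WebDriver command would fail with `UnexpectedAlertPresentException` rather than the intended "JavaScript Code was executed" message, so the same check belongs after the CSC edits as well. Inside that block the presence of any dialog is the finding (`alert_obj.text`, not `Alert(driver)`, is what raises `NoAlertPresentException`), so unless the Preferences page legitimately shows a dialog here, `self.fail("JavaScript Code was executed: " + alert_obj.text)` in place of `self.assertTrue(alert_obj.text != 'test', ...)` would catch an injected alert regardless of its text and make the three stacked `alert_obj.accept()` calls unnecessary. The two `"Conference page wasnt opened"` messages describe the wrong page; `"Call forwarding page wasnt opened"` matches what is asserted.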