fix: mitigate "sequential @import chaining" vulnerability (#5616)

* `test/e2e-cypress/tests/features/xss/` -> `test/e2e-cypress/tests/security` * add tests * filter <style> tags out of Markdown fields * initialize OAuth inputs without applying `value` attribute
2019-09-20 13:19:08 -07:00
parent c8ad396301
commit 5f6ec8ce1d
11 changed files with 143 additions and 7 deletions
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css
@@ -0,0 +1,7 @@
+* {
+  color: red !important; /* for humans */
+}
+
+h4 {
+  display: none; /* for machines, used to trace whether this sheet is applied */
+}
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml
@@ -0,0 +1,10 @@
+openapi: "3.0.0"
+
+info:
+  title: Sequential Import Chaining
+  description: >
+    <h4>This h4 would be hidden by the injected CSS</h4>
+
+    This document tests the ability of a `<style>` tag in a Markdown field to pull in a remote stylesheet using an `@import` directive.
+
+    <style>@import url(/documents/security/sequential-import-chaining/injection.css);</style>
--- a/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml
+++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml
@@ -0,0 +1,10 @@
+swagger: "2.0"
+
+info:
+  title: Sequential Import Chaining
+  description: >
+    <h4>This h4 would be hidden by the injected CSS</h4>
+
+    This document tests the ability of a `<style>` tag in a Markdown field to pull in a remote stylesheet using an `@import` directive.
+
+    <style>@import url(/documents/security/sequential-import-chaining/injection.css);</style>