kyy
f464ba2d31
Some checks failed
Node.js CI / build (push) Failing after 2s
Node.js CI / e2e-tests (+(a11y|security|bugs)/**/*cy.js) (push) Failing after 2s
Node.js CI / e2e-tests (features/**/!(o|d|m)*.cy.js) (push) Failing after 2s
Node.js CI / e2e-tests (features/**/+(o|d)*.cy.js) (push) Failing after 2s
Node.js CI / e2e-tests (features/**/m*.cy.js) (push) Failing after 2s
CodeQL / Analyze (javascript) (push) Failing after 2m49s
Security scan for docker image / build (push) Failing after 51s
59 lines
2.4 KiB
JavaScript
Executable File
59 lines
2.4 KiB
JavaScript
Executable File
describe("Security: CSS Sequential Import Chaining", () => {
|
|
describe("in OpenAPI 3.0", () => {
|
|
describe("CSS Injection via Markdown", () => {
|
|
it("should filter <style> tags out of Markdown fields", () => {
|
|
cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
|
|
.get("div.information-container")
|
|
.should("exist")
|
|
.and("not.have.descendants", "style")
|
|
})
|
|
it("should not apply `@import`ed CSS stylesheets", () => {
|
|
cy.visit("/?url=/documents/security/sequential-import-chaining/openapi.yaml")
|
|
.wait(500) // HACK: wait for CSS import to settle
|
|
.get("div.info h4")
|
|
.should("have.length", 1)
|
|
.and("not.be.hidden")
|
|
})
|
|
})
|
|
describe("Value Exfiltration via CSS", () => {
|
|
it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
|
|
cy.visit("/?url=/documents/petstore-expanded.openapi.yaml")
|
|
.get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
|
|
.click()
|
|
.get("div > div > .wrapper > .block-tablet > #client_id_implicit")
|
|
.clear()
|
|
.type("abc")
|
|
.should("not.have.attr", "value", "abc")
|
|
})
|
|
})
|
|
})
|
|
describe("in Swagger 2.0", () => {
|
|
describe("CSS Injection via Markdown", () => {
|
|
it("should filter <style> tags out of Markdown fields", () => {
|
|
cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
|
|
.get("div.information-container")
|
|
.should("exist")
|
|
.and("not.have.descendants", "style")
|
|
})
|
|
it("should not apply `@import`ed CSS stylesheets", () => {
|
|
cy.visit("/?url=/documents/security/sequential-import-chaining/swagger.yaml")
|
|
.wait(500) // HACK: wait for CSS import to settle
|
|
.get("div.info h4")
|
|
.should("have.length", 1)
|
|
.and("not.be.hidden")
|
|
})
|
|
})
|
|
describe("Value Exfiltration via CSS", () => {
|
|
it("should not allow OAuth credentials to be visible via HTML `value` attribute", () => {
|
|
cy.visit("/?url=/documents/petstore.swagger.yaml")
|
|
.get(".scheme-container > .schemes > .auth-wrapper > .btn > span")
|
|
.click()
|
|
.get("div > div > .wrapper > .block-tablet > #client_id_implicit")
|
|
.clear()
|
|
.type("abc")
|
|
.should("not.have.attr", "value", "abc")
|
|
})
|
|
})
|
|
})
|
|
})
|