From d5b08bdf188c0fb56154e0bdac126f198959cdc1 Mon Sep 17 00:00:00 2001 From: Kyle Shockey Date: Wed, 18 Sep 2019 15:40:19 -0700 Subject: [PATCH 1/4] `test/e2e-cypress/tests/features/xss/` -> `test/e2e-cypress/tests/security` --- .../documents/{xss/oauth2.yaml => security/xss-oauth2.yaml} | 0 test/e2e-cypress/tests/{features/xss => security}/oauth2.js | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename test/e2e-cypress/static/documents/{xss/oauth2.yaml => security/xss-oauth2.yaml} (100%) rename test/e2e-cypress/tests/{features/xss => security}/oauth2.js (90%) diff --git a/test/e2e-cypress/static/documents/xss/oauth2.yaml b/test/e2e-cypress/static/documents/security/xss-oauth2.yaml similarity index 100% rename from test/e2e-cypress/static/documents/xss/oauth2.yaml rename to test/e2e-cypress/static/documents/security/xss-oauth2.yaml diff --git a/test/e2e-cypress/tests/features/xss/oauth2.js b/test/e2e-cypress/tests/security/oauth2.js similarity index 90% rename from test/e2e-cypress/tests/features/xss/oauth2.js rename to test/e2e-cypress/tests/security/oauth2.js index 3d7b727aa0a..4d01ba3c660 100644 --- a/test/e2e-cypress/tests/features/xss/oauth2.js +++ b/test/e2e-cypress/tests/security/oauth2.js @@ -1,6 +1,6 @@ describe("XSS: OAuth2 authorizationUrl sanitization", () => { it("should filter out a javascript URL", () => { - cy.visit("/?url=/documents/xss/oauth2.yaml") + cy.visit("/?url=/documents/security/xss-oauth2.yaml") .window() .then(win => { let args = null From e2d517f53f1081e3191f0c3574cca60a29a65a5f Mon Sep 17 00:00:00 2001 
From: Kyle Shockey Date: Fri, 20 Sep 2019 12:16:15 -0700 Subject: [PATCH 2/4] add tests --- .../documents/petstore-expanded.openapi.yaml | 13 ++++- .../sequential-import-chaining/injection.css | 7 +++ .../sequential-import-chaining/openapi.yaml | 10 ++++ .../sequential-import-chaining/swagger.yaml | 10 ++++ .../security/sequential-import-chaining.js | 58 +++++++++++++++++++ 5 files changed, 97 insertions(+), 1 deletion(-) create mode 100644 test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css create mode 100644 test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml create mode 100644 test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml create mode 100644 test/e2e-cypress/tests/security/sequential-import-chaining.js diff --git a/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml b/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml index 20bd288b07d..98646200dc9 100644 --- a/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml +++ b/test/e2e-cypress/static/documents/petstore-expanded.openapi.yaml @@ -13,6 +13,8 @@ info: url: https://www.apache.org/licenses/LICENSE-2.0.html servers: - url: http://petstore.swagger.io/api +security: + - Petstore: [] paths: /pets: get: @@ -152,4 +154,13 @@ components: type: integer format: int32 message: - type: string \ No newline at end of file + type: string + securitySchemes: + Petstore: + type: oauth2 + flows: + implicit: + authorizationUrl: https://example.com/api/oauth/dialog + scopes: + write:pets: modify pets in your account + read:pets: read your pets diff --git a/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css b/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css new file mode 100644 index 00000000000..edc480f6ad8 --- /dev/null +++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/injection.css 
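Review bot: The new top-level `security: - Petstore: []` in `petstore-expanded.openapi.yaml` changes a fixture that is shared by the rest of the e2e suite rather than one under `static/documents/security/`, so every operation in that document now carries the OAuth2 requirement wherever it is loaded, and nothing in the commit says which test depends on it (the new test file in this series loads the `sequential-import-chaining/` documents, as far as this chunk shows). I would add a comment above the new `securitySchemes` block stating the intent, e.g. `# OAuth2 scheme + global security requirement so e2e tests can exercise the Authorize dialog; other fixtures in security/ must not rely on this`. If only one test needs it, a dedicated fixture under `security/` would avoid altering what the existing tests render. The `authorizationUrl` is an `https://example.com` placeholder, which is fine for a fixture, but worth saying in that same comment so nobody reads it as a real endpoint.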
@@ -0,0 +1,7 @@ +* { + color: red !important; /* for humans */ +} + +h4 { + display: none; /* for machines, used to trace whether this sheet is applied */ +} diff --git a/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml b/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml new file mode 100644 index 00000000000..e4e4ade8526 --- /dev/null +++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/openapi.yaml @@ -0,0 +1,10 @@ +openapi: "3.0.0" + +info: + title: Sequential Import Chaining + description: > +

This h4 would be hidden by the injected CSS

+ + This document tests the ability of a ` diff --git a/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml b/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml new file mode 100644 index 00000000000..5f9cc448a92 --- /dev/null +++ b/test/e2e-cypress/static/documents/security/sequential-import-chaining/swagger.yaml @@ -0,0 +1,10 @@ +swagger: "2.0" + +info: + title: Sequential Import Chaining + description: > +
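Review bot: The OpenAPI 3 fixture explains nothing about what its `description` is expected to do, and the markup that makes it a security probe does not survive this rendering — only the `<h4>` text and the opening words `This document tests the ability of a \`` are visible, so the payload is inferred here from the directory name and from `injection.css`, whose `h4 { display: none }` is the signal that the imported sheet took effect. A YAML comment above `description:` would make the fixture self-explaining, e.g. `# Holds markup that chains to ./injection.css via @import; swagger-ui must strip it, so the <h4> below stays visible` (adjust to the actual payload). One caveat worth writing down next to it: `description: >` is a folded scalar, so adjacent lines at the same indent are joined with a space and only the blank lines keep the probe, the `<h4>`, and the prose on separate lines — a later edit that drops a blank line would silently change what the sanitizer sees.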

This h4 would be hidden by the injected CSS

+ + This document tests the ability of a ` diff --git a/test/e2e-cypress/tests/security/sequential-import-chaining.js b/test/e2e-cypress/tests/security/sequential-import-chaining.js new file mode 100644 index 00000000000..90887def3ad --- /dev/null +++ b/test/e2e-cypress/tests/security/sequential-import-chaining.js @@ -0,0 +1,58 @@ +describe("Security: CSS Sequential Import Chaining", () => { + describe("in OpenAPI 3.0", () => { + describe("CSS Injection via Markdown", () => { + it("should filter
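Review bot: The Swagger 2.0 fixture appears to duplicate the OpenAPI 3 one apart from the `swagger: "2.0"` header, and as with its twin the actual payload inside `description` is not visible in this rendering, so neither file documents the contract it is testing. I would add a one-line cross-reference at the top so the two cannot drift apart unnoticed, e.g. `# Same payload as openapi.yaml in this directory (Swagger 2.0 header only); keep both in sync`, and state in it that the `<h4>` must remain visible after rendering. If the two payloads are meant to differ (for example to cover the 2.0-specific description path), that difference is what the comment should spell out instead.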