OpenSource
/
dify
Watch 4
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 152 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7038 Commits
4 Branches
Tree: 546d75d84d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '546d75d84d'
${ noResults }
dify/web/__tests__/xss-prevention.test.tsx

xss-prevention.test.tsx 2.8KB
Raw Normal View History

fix: XSS vulnerability in block-input and support-var-input components (#24835)
2 months ago
 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. /**

  2.  * XSS Prevention Test Suite

  3.  *

  4.  * This test verifies that the XSS vulnerabilities in block-input and support-var-input

  5.  * components have been properly fixed by replacing dangerouslySetInnerHTML with safe React rendering.

  6.  */

  7. 

  8. import React from 'react'

  9. import { cleanup, render } from '@testing-library/react'

  10. import '@testing-library/jest-dom'

  11. import BlockInput from '../app/components/base/block-input'

  12. import SupportVarInput from '../app/components/workflow/nodes/_base/components/support-var-input'

  13. 

  14. // Mock styles

  15. jest.mock('../app/components/app/configuration/base/var-highlight/style.module.css', () => ({

  16.   item: 'mock-item-class',

  17. }))

  18. 

  19. describe('XSS Prevention - Block Input and Support Var Input Security', () => {

  20.   afterEach(() => {

  21.     cleanup()

  22.   })

  23. 

  24.   describe('BlockInput Component Security', () => {

  25.     it('should safely render malicious variable names without executing scripts', () => {

  26.       const testInput = 'user@test.com{{<script>alert("XSS")</script>}}'

  27.       const { container } = render(<BlockInput value={testInput} readonly={true} />)

  28. 

  29.       const scriptElements = container.querySelectorAll('script')

  30.       expect(scriptElements).toHaveLength(0)

  31. 

  32.       const textContent = container.textContent

  33.       expect(textContent).toContain('<script>')

  34.     })

  35. 

  36.     it('should preserve legitimate variable highlighting', () => {

  37.       const legitimateInput = 'Hello {{userName}} welcome to {{appName}}'

  38.       const { container } = render(<BlockInput value={legitimateInput} readonly={true} />)

  39. 

  40.       const textContent = container.textContent

  41.       expect(textContent).toContain('userName')

  42.       expect(textContent).toContain('appName')

  43.     })

  44.   })

  45. 

  46.   describe('SupportVarInput Component Security', () => {

  47.     it('should safely render malicious variable names without executing scripts', () => {

  48.       const testInput = 'test@evil.com{{<img src=x onerror=alert(1)>}}'

  49.       const { container } = render(<SupportVarInput value={testInput} readonly={true} />)

  50. 

  51.       const scriptElements = container.querySelectorAll('script')

  52.       const imgElements = container.querySelectorAll('img')

  53. 

  54.       expect(scriptElements).toHaveLength(0)

  55.       expect(imgElements).toHaveLength(0)

  56. 

  57.       const textContent = container.textContent

  58.       expect(textContent).toContain('<img')

  59.     })

  60.   })

  61. 

  62.   describe('React Automatic Escaping Verification', () => {

  63.     it('should confirm React automatic escaping works correctly', () => {

  64.       const TestComponent = () => <span>{'<script>alert("xss")</script>'}</span>

  65.       const { container } = render(<TestComponent />)

  66. 

  67.       const spanElement = container.querySelector('span')

  68.       const scriptElements = container.querySelectorAll('script')

  69. 

  70.       expect(spanElement?.textContent).toBe('<script>alert("xss")</script>')

  71.       expect(scriptElements).toHaveLength(0)

  72.     })

  73.   })

  74. })

  75. 

  76. export {}