From c58a1ce5089a864dafc0355883a5a8905b8ec50d Mon Sep 17 00:00:00 2001
From: isgondurasa
Date: Thu, 11 May 2017 16:00:03 +0300
Subject: [PATCH 1/2] xss pom escaping

---
 tcrudge/handlers.py | 9 +++++----
 tests/test_handlers.py | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/tcrudge/handlers.py b/tcrudge/handlers.py
index 25ffab2..98879f0 100644
--- a/tcrudge/handlers.py
+++ b/tcrudge/handlers.py
@@ -609,7 +609,7 @@ async def get(self):
 {
 'code': '',
 'message': 'Bad query arguments',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
@@ -668,6 +668,7 @@ async def post(self):
 item = await self.model_cls._create(self.application, data)
 except AttributeError as e:
 # We can only create item if _create() model method implemented
+ err = xhtml_escape(str(e))
 raise HTTPError(
 405,
 body=self.get_response(
@@ -675,7 +676,7 @@ async def post(self):
 {
 'code': '',
 'message': 'Method not allowed',
- 'detail': str(e)
+ 'detail': err
 }
 ]
 )
@@ -785,7 +786,7 @@ async def get_item(self, item_id):
 {
 'code': '',
 'message': 'Item not found',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
@@ -834,7 +835,7 @@ async def put(self, item_id):
 {
 'code': '',
 'message': 'Method not allowed',
- 'detail': str(e)
+ 'detail': xhtml_escape(str(e))
 }
 ]
 )
diff --git a/tests/test_handlers.py b/tests/test_handlers.py
index 44db4af..c648f9b 100644
--- a/tests/test_handlers.py
+++ b/tests/test_handlers.py
@@ -398,8 +398,8 @@ async def test_base_api_list_filter_bad_request1(http_client, base_url, url_para
 assert data['result'] is None
 assert not data['success']
 assert len(data['errors']) == 1
- assert '<' in data['errors'][0]['detail']
- assert '>' in data['errors'][0]['detail']
+ assert 'lt;' in data['errors'][0]['detail']
+ assert 'gt;' in data['errors'][0]['detail']
 
 
 @pytest.mark.gen_test
From 5c582b35b72bfcc14e4b975abd23222538f09a40 Mon Sep 17 00:00:00 2001
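Review bot: `xhtml_escape` is called on the new side of this hunk and of the hunks at @@ -668, @@ -785 and @@ -834, but no hunk adds an import for it; unless handlers.py already imports it (typically from `tornado.escape`), each of these error paths now raises NameError instead of the intended HTTPError. Only the dict literal is visible here, so I cannot confirm the import from this patch — please check the module header. Note also that `get_response` (not shown) presumably serializes this dict as JSON, so HTML-escaping inside the field changes the API payload (`<` becomes `&lt;`) for every consumer; the durable defense against script reflected in `detail` is the response `Content-Type` plus escaping at the rendering site, with this change as defense in depth. `get`'s body starts and ends outside the hunk.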
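Review bot: `except AttributeError as e:` directly above the new `err = xhtml_escape(str(e))` catches more than the missing-`_create` case the comment describes: an AttributeError raised inside a model's own `_create` implementation is also reported as 405 with its exception text in `detail`, which exposes internal attribute and class names to the client. Checking `hasattr(self.model_cls, '_create')` before the call, or returning a fixed detail such as `'detail': '_create is not implemented for this model'` and logging `e` server-side, keeps the response useful without reflecting internals; the same pattern appears in `put` at @@ -834. Assigning `err` here while the other three hunks inline `xhtml_escape(str(e))` in the literal is an inconsistency worth settling one way. `post`'s body starts outside the hunk and continues in @@ -675.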
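Review bot: `assert 'lt;' in data['errors'][0]['detail']` is weaker than the check it replaces: it also passes on the raw substring `lt;`, and it no longer proves the angle brackets are gone from the response. Assert on the full entity and on the absence of the raw character, `assert '&lt;' in data['errors'][0]['detail']` and `assert '<' not in data['errors'][0]['detail']` (likewise `&gt;` / `>`), so the test fails if escaping regresses. The test function starts outside the hunk.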
From: =?UTF-8?q?=D0=A1=D0=B2=D0=B8=D1=80=D0=B8=D0=B4=D0=BE=D0=B2=20=D0=90?= =?UTF-8?q?=D0=BD=D0=B4=D1=80=D0=B5=D0=B9=20=D0=9E=D0=BB=D0=B5=D0=B3=D0=BE?= =?UTF-8?q?=D0=B2=D0=B8=D1=87?=
Date: Thu, 4 Oct 2018 16:21:47 +0300
Subject: [PATCH 2/2] added: DATABASE_URL to pytest.ini

---
 pytest.ini | 5 ++++-
 readme.md | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pytest.ini b/pytest.ini
index d0e86bb..8328641 100644
--- a/pytest.ini
+++ b/pytest.ini
@@ -1,3 +1,6 @@
 [pytest]
+env =
+ DATABASE_URL=postgresql://user:dbpass@pg/test
+ DEBUG=
 testpaths = tests
-addopts = --cov=tcrudge --cov-report term-missing -v
+addopts = --cov=tcrudge --cov-report term-missing -v
\ No newline at end of file
diff --git a/readme.md b/readme.md
index 86fae6f..95b091d 100644
--- a/readme.md
+++ b/readme.md
@@ -42,7 +42,7 @@ You'll need docker and docker-compose.
 1. Go to project root directory
 2. Run docker-compose up, it builts and runs containers.
 3. Go to tcrudge container bash: docker exec -ti tcrudge_tcrudge_1 bash
-4. Run: DATABASE_URL=postgresql://user:dbpass@pg/test pytest
+4. Run: pytest
 
 # Features?
 
@@ -127,3 +127,4 @@ loop.run_forever()
 * [Nikolaev Alexander] (https://github.com/wokli)
 * [Krasavina Alina] (https://github.com/thaelathy)
 * [Ivanov Denis] (https://github.com/steinerr)
+* [Andrey Sviridov] (https://github.com/isgondurasa)
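Review bot: `env =` in pytest.ini is only honored when the pytest-env plugin is installed; stock pytest ignores the key (and, I believe, warns about an unknown config option), so on a machine without that plugin `DATABASE_URL` stays unset, while the readme hunk removes the only instruction that told developers to export it. Either add pytest-env to the test requirements and mention it in the readme, or keep the `DATABASE_URL=... pytest` line in the readme as the fallback. The value is the docker-compose fixture credential already published in the readme, so no new secret is introduced, but a comment `# test-only fixture credentials, matches docker-compose` above it would make that explicit. The `\ No newline at end of file` on `addopts` is the only change to that line and is worth restoring.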