From 8b8e42167322cae415229af66f8bb46ef7a59a8a Mon Sep 17 00:00:00 2001 From: labkey-sweta Date: Thu, 22 Feb 2024 07:47:30 -0800 Subject: [PATCH 1/2] Automation test for Issue 48660 and Issue 48508
--- .../test/pages/query/SourceQueryPage.java | 6 + ...PermissionsTestForJavascriptExecution.java | 139 ++++++++++++++++++ 2 files changed, 145 insertions(+) create mode 100644 src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
diff --git a/src/org/labkey/test/pages/query/SourceQueryPage.java b/src/org/labkey/test/pages/query/SourceQueryPage.java
index 750aa77ec4..0bcc1117e9 100644
--- a/src/org/labkey/test/pages/query/SourceQueryPage.java
+++ b/src/org/labkey/test/pages/query/SourceQueryPage.java
@@ -101,6 +101,12 @@ public ExecuteQueryPage clickSaveAndFinish()
 return new ExecuteQueryPage(getDriver());
 }
+ public String clickSaveExpectingError()
+ {
+ Ext4Helper.Locators.ext4Button("Save").findElement(getDriver()).click();
+ return waitForElement(Locator.tagWithId("div","status")).getText();
+ }
+
 @Override
 protected ElementCache newElementCache()
 {
diff --git a/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java b/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
new file mode 100644
index 0000000000..47161f08aa
--- /dev/null
+++ b/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
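Review bot: `clickSaveExpectingError` returns `getText()` of the status div as soon as `waitForElement` locates it, so if that element is already in the DOM (or rendered empty) before the server's rejection arrives, callers can read an empty or intermediate message rather than the failure text; unless `waitForElement` also waits for non-empty text, which is not visible here, the method should wait until the status text is populated before returning. The new public method also has no Javadoc; suggest `/** Clicks Save and returns the text of the status div; use when the save is expected to be rejected (e.g. by a server-side permission check). */`. The existing `clickSave()` used by the new test presumably clicks the same button, so sharing one locator between the two would keep them from drifting apart.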
@@ -0,0 +1,139 @@
+package org.labkey.test.tests;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+import org.labkey.test.BaseWebDriverTest;
+import org.labkey.test.Locator;
+import org.labkey.test.categories.Daily;
+import org.labkey.test.pages.query.QueryMetadataEditorPage;
+import org.labkey.test.pages.query.SourceQueryPage;
+import org.labkey.test.util.ApiPermissionsHelper;
+import org.labkey.test.util.PermissionsHelper;
+
+import java.util.Arrays;
+import java.util.List;
+
+@Category({Daily.class})
+public class PermissionsTestForJavascriptExecution extends BaseWebDriverTest
+{
+ private static final String USER = "javascripttestuser@permissionstestforjavascriptexecution.test";
+ private static final String XML_METADATA_2 = " \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " org.labkey.api.data.JavaScriptDisplayColumnFactory\n" +
+ " \n" +
+ " ehr/window/ManageRecordWindow.js\n" +
+ " onclick=\"EHR.window.ManageRecordWindow.buttonHandler(${Id:jsString}, " +
+ " ${objectid:jsString}, ${queryName:jsString}, '${dataRegionName}');\"\n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ "
\n" +
+ "
\n";
+ private static final String XML_METADATA_1 = "\n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ " alert('Hello'); \n" +
+ " \n" +
+ " \n" +
+ " http://www.labkey.com \n" +
+ " \n" +
+ " \n" +
+ " \n" +
+ "
\n" +
+ "
\n";
+ ApiPermissionsHelper _apiPermissionsHelper = new ApiPermissionsHelper(this);
+
+ @BeforeClass
+ public static void setupProject()
+ {
+ PermissionsTestForJavascriptExecution init = (PermissionsTestForJavascriptExecution) getCurrentTest();
+ init.doSetup();
+ }
+
+ @Override
+ protected void doCleanup(boolean afterTest)
+ {
+ _containerHelper.deleteProject(getProjectName(), afterTest);
+ _userHelper.deleteUsers(afterTest, USER);
+ }
+
+ private void doSetup()
+ {
+ _containerHelper.createProject(getProjectName(), null);
+ _containerHelper.enableModule("simpletest");
+
+ _userHelper.createUser(USER);
+ _apiPermissionsHelper.addMemberToRole(USER, "Project Administrator", PermissionsHelper.MemberType.user);
+ }
+
+ /*
+ Regression coverage for : Secure Issue 48660: SaveSourceQueryAction doesn't check for JavaScriptDisplayColumnFactory and
+ Secure Issue 48508: SaveSourceQueryAction doesn't check for JavaScript in XML payload
+ */
+ @Test
+ public void testSteps()
+ {
+ String schema = "vehicle";
+ String query = "Models";
+
+ log("Verify editing the metadata without developer permissions throws error");
+ goToProjectHome();
+ impersonate(USER);
+ clickTab("Query");
+ selectQuery(schema, query);
+ waitAndClickAndWait(Locator.linkContainingText("edit metadata"));
+ QueryMetadataEditorPage metadataPage = new QueryMetadataEditorPage(getDriver());
+ SourceQueryPage sourceQueryPage = metadataPage.clickEditSource();
+ sourceQueryPage.setMetadataXml(XML_METADATA_2);
+ Assert.assertEquals("Incorrect error message",
+ "Failed to Save: An exception occurred: For permissions to use JavaScriptDisplayColumn, contact your system administrator",
+ sourceQueryPage.clickSaveExpectingError());
+ sourceQueryPage.setMetadataXml(XML_METADATA_1);
+ Assert.assertEquals("Incorrect error message",
+ "Failed to Save: An exception occurred: Illegal element . 
For permissions to use this element, contact your system administrator",
+ sourceQueryPage.clickSaveExpectingError());
+ stopImpersonating();
+
+ log("Adding developer role to the user");
+ _apiPermissionsHelper.setSiteAdminRoleUserPermissions(USER, "Platform Developer");
+
+ log("Verifying editing metadata is success");
+ goToProjectHome();
+ impersonate(USER);
+ editSource(schema, query, XML_METADATA_1);
+ editSource(schema, query, XML_METADATA_2);
+ stopImpersonating();
+
+ checkExpectedErrors(2);
+ }
+
+ private void editSource(String schema, String query, String xml)
+ {
+ goToSchemaBrowser();
+ selectQuery(schema, query);
+ waitAndClickAndWait(Locator.linkContainingText("edit metadata"));
+ SourceQueryPage sourceQueryPage = new QueryMetadataEditorPage(getDriver()).clickEditSource();
+ sourceQueryPage.setMetadataXml(xml).clickSave();
+ }
+
+ @Override
+ protected String getProjectName()
+ {
+ return "PermissionsTestForJavascriptExecution Project";
+ }
+
+ @Override
+ public List getAssociatedModules()
+ {
+ return Arrays.asList("simpletest");
+ }
+}
From 6b8c92a78934893f7c796a5369022acae42f3196 Mon Sep 17 00:00:00 2001 From: labkey-sweta Date: Thu, 22 Feb 2024 12:16:16 -0800 Subject: [PATCH 2/2] Code review changes
--- ...PermissionsTestForJavascriptExecution.java | 63 ++++++++++--------- 1 file changed, 32 insertions(+), 31 deletions(-)
diff --git a/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java b/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
index 47161f08aa..56d29f7e0c 100644
--- a/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
+++ b/src/org/labkey/test/tests/PermissionsTestForJavascriptExecution.java
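Review bot: In `testSteps` of the new PermissionsTestForJavascriptExecution.java (PATCH 1/2), the positive path after `setSiteAdminRoleUserPermissions(USER, "Platform Developer")` only calls `editSource(...)`, which ends in `clickSave()`, so nothing asserts that the JavaScript-bearing metadata was actually accepted and persisted; if `clickSave()` does no more than click, a save that is still rejected would pass unnoticed, so the test should re-open the source (or assert the post-save page) and check the saved XML for both payloads. The negative assertions compare the entire server message (`Failed to Save: An exception occurred: …`), which will break on any rewording of that text; asserting on the stable fragment `contact your system administrator` together with the factory/element name would keep the regression focused on the permission check itself. The block comment above `@Test` would be better as a Javadoc, e.g. `/** Regression coverage for Secure Issue 48660 and Secure Issue 48508: SaveSourceQueryAction must reject JavaScriptDisplayColumnFactory and inline JavaScript in the metadata XML unless the user holds the Platform Developer role. */`.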
@@ -19,37 +19,38 @@ public class PermissionsTestForJavascriptExecution extends BaseWebDriverTest { private static final String USER = "javascripttestuser@permissionstestforjavascriptexecution.test"; - private static final String XML_METADATA_2 = " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " \n" + - " org.labkey.api.data.JavaScriptDisplayColumnFactory\n" + - " \n" + - " ehr/window/ManageRecordWindow.js\n" + - " onclick=\"EHR.window.ManageRecordWindow.buttonHandler(${Id:jsString}, " + - " ${objectid:jsString}, ${queryName:jsString}, '${dataRegionName}');\"\n" + - " \n" + - " \n" + - " \n" + - " \n" + - "
\n" + - "
\n"; - private static final String XML_METADATA_1 = "\n" + - " \n" + - " \n" + - " \n" + - " \n" + - " alert('Hello'); \n" + - " \n" + - " \n" + - " http://www.labkey.com \n" + - " \n" + - " \n" + - " \n" + - "
\n" + - "
\n"; + private static final String XML_METADATA_1 = """ + + + + + + alert('Hello'); + + + http://www.labkey.com + + + +
+
"""; + private static final String XML_METADATA_2 = """ + \s + + + + \s + + org.labkey.api.data.JavaScriptDisplayColumnFactory + + ehr/window/ManageRecordWindow.js + onclick="EHR.window.ManageRecordWindow.buttonHandler(${Id:jsString}, ${objectid:jsString}, ${queryName:jsString}, '${dataRegionName}');" + + + + +
+
"""; ApiPermissionsHelper _apiPermissionsHelper = new ApiPermissionsHelper(this); @BeforeClass