-
Notifications
You must be signed in to change notification settings - Fork 42
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Simplify the data template validation
Signed-off-by: Radoslav Dimitrov <[email protected]>
- Loading branch information
Showing
2 changed files
with
38 additions
and
55 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,7 +6,8 @@ package email | |
| import "testing" | ||
|
|
||
| func TestIsValidField(t *testing.T) { | ||
| t.Parallel() // make this sub-test run in parallel | ||
| t.Parallel() | ||
|
|
||
| tests := []struct { | ||
| input string | ||
| expectedErr bool | ||
|
|
@@ -19,44 +20,28 @@ func TestIsValidField(t *testing.T) { | |
| {"Just plain text", false, ""}, | ||
|
|
||
| // Test case 3: String with HTML tags | ||
| {"<b>Bold Text</b>", true, "string <b>Bold Text</b> contains HTML tags, entities, or comments"}, | ||
| {"<b>Bold Text</b>", true, "string <b>Bold Text</b> contains HTML injection"}, | ||
|
|
||
| // Test case 4: String with HTML entity | ||
| {"This is a test & example.", true, "string This is a test & example. contains HTML tags, entities, or comments"}, | ||
| {"This is a test & example.", true, "string This is a test & example. contains HTML injection"}, | ||
|
|
||
| // Test case 5: String with multiple HTML entities | ||
| {"This & that < should > work.", true, "string This & that < should > work. contains HTML tags, entities, or comments"}, | ||
|
|
||
| // Test case 6: String with special characters, but no HTML | ||
| {"Special chars! #$%^&*", false, ""}, | ||
| {"This & that < should > work.", true, "string This & that < should > work. contains HTML injection"}, | ||
|
|
||
| // Test case 7: Numeric HTML entity | ||
| {"This is a test Ӓ", true, "string This is a test Ӓ contains HTML tags, entities, or comments"}, | ||
|
|
||
| // Test case 8: Valid URL (no HTML tags or entities) | ||
| // Test case 7: Valid URL (no HTML or JavaScript injection) | ||
| {"https://example.com", false, ""}, | ||
|
|
||
| // Test case 9: Script tag injection | ||
| {"<script>alert('test');</script>", true, "string <script>alert('test');</script> contains HTML tags, entities, or comments"}, | ||
|
|
||
| // Test case 10: Mixed content with HTML tag and entity | ||
| {"Hello <b>World</b> & Universe.", true, "string Hello <b>World</b> & Universe. contains HTML tags, entities, or comments"}, | ||
| // Test case 8: Mixed content with HTML and JS | ||
| {"Hello <b>World</b> onload=alert('test');", true, "string Hello <b>World</b> onload=alert('test'); contains HTML injection"}, | ||
|
|
||
| // Test case 11: Plain text with ampersand not forming an entity | ||
| {"AT&T is a company.", false, ""}, | ||
|
|
||
| // Test case 12: Plain text with angle brackets but no tags | ||
| {"Angle brackets < and > in text.", false, ""}, | ||
|
|
||
| // Test case 13: HTML-style comment | ||
| {"<!-- This is a comment -->", true, "string <!-- This is a comment --> contains HTML tags, entities, or comments"}, | ||
| // Test case 11: HTML-style comment | ||
| {"<!-- This is a comment -->", true, "string <!-- This is a comment --> contains HTML injection"}, | ||
| } | ||
|
|
||
| for _, tt := range tests { | ||
| tt := tt // capture range variable to avoid issues with parallel execution | ||
| tt := tt // capture range variable for parallel execution | ||
| t.Run(tt.input, func(t *testing.T) { | ||
| t.Parallel() | ||
|
|
||
| err := isValidField(tt.input) | ||
| if (err != nil) != tt.expectedErr { | ||
| t.Errorf("isValidField(%q) got error: %v, expected error: %v", tt.input, err, tt.expectedErr) | ||
|
|
@@ -69,7 +54,7 @@ func TestIsValidField(t *testing.T) { | |
| } | ||
|
|
||
| func TestValidateDataSourceTemplate(t *testing.T) { | ||
| t.Parallel() // make this sub-test run in parallel | ||
| t.Parallel() | ||
|
|
||
| tests := []struct { | ||
| input bodyData | ||
|
|
@@ -93,7 +78,7 @@ func TestValidateDataSourceTemplate(t *testing.T) { | |
| false, "", | ||
| }, | ||
|
|
||
| // Test case 2: One field contains HTML tag | ||
| // Test case 2: AdminName contains HTML tags | ||
| { | ||
| bodyData{ | ||
| AdminName: "John <b>Doe</b>", | ||
|
|
@@ -107,32 +92,32 @@ func TestValidateDataSourceTemplate(t *testing.T) { | |
| RoleName: "Administrator", | ||
| RoleVerb: "manage", | ||
| }, | ||
| true, "field AdminName is empty or contains HTML injection - John <b>Doe</b>", | ||
| true, "field AdminName failed validation - John <b>Doe</b>", | ||
| }, | ||
|
|
||
| // Test case 3: One field contains HTML entity | ||
| // Test case 3: OrganizationName contains HTML content | ||
| { | ||
| bodyData{ | ||
| AdminName: "John Doe", | ||
| OrganizationName: "Acme Corp", | ||
| OrganizationName: "<script>alert('Hack');</script>", | ||
| InvitationURL: "https://invitation.com", | ||
| RecipientEmail: "[email protected]", | ||
| MinderURL: "https://minder.com", | ||
| TermsURL: "https://terms.com", | ||
| PrivacyURL: "https://privacy.com", | ||
| SignInURL: "https://signin.com", | ||
| RoleName: "Administrator", | ||
| RoleVerb: "approve & manage", | ||
| RoleVerb: "manage", | ||
| }, | ||
| true, "field RoleVerb is empty or contains HTML injection - approve & manage", | ||
| true, "field OrganizationName failed validation - <script>alert('Hack');</script>", | ||
| }, | ||
|
|
||
| // Test case 4: Multiple fields contain HTML content | ||
| // Test case 4: AdminName contains JavaScript code | ||
| { | ||
| bodyData{ | ||
| AdminName: "John Doe", | ||
| OrganizationName: "<script>alert('Hack');</script>", | ||
| InvitationURL: "<a href='https://phishing.com'>Click here</a>", | ||
| AdminName: "onload=alert('test')", | ||
| OrganizationName: "Acme Corp", | ||
| InvitationURL: "https://invitation.com", | ||
| RecipientEmail: "[email protected]", | ||
| MinderURL: "https://minder.com", | ||
| TermsURL: "https://terms.com", | ||
|
|
@@ -141,7 +126,7 @@ func TestValidateDataSourceTemplate(t *testing.T) { | |
| RoleName: "Administrator", | ||
| RoleVerb: "manage", | ||
| }, | ||
| true, "field OrganizationName is empty or contains HTML injection - <script>alert('Hack');</script>", | ||
| true, "field AdminName failed validation - onload=alert('test')", | ||
| }, | ||
|
|
||
| // Test case 5: All fields contain valid plain text with some URLs | ||
|
|
@@ -163,10 +148,9 @@ func TestValidateDataSourceTemplate(t *testing.T) { | |
| } | ||
|
|
||
| for _, tt := range tests { | ||
| tt := tt // capture range variable to avoid issues with parallel execution | ||
| tt := tt // capture range variable for parallel execution | ||
| t.Run(tt.input.AdminName, func(t *testing.T) { | ||
| t.Parallel() | ||
|
|
||
| err := validateDataSourceTemplate(&tt.input) | ||
| if (err != nil) != tt.expectedErr { | ||
| t.Errorf("validateDataSourceTemplate(%+v) got error: %v, expected error: %v", tt.input, err, tt.expectedErr) | ||
|
|
||