|
|
|
@ -222,8 +222,9 @@ func TestDeviceCallback(t *testing.T) { |
|
|
|
code: "somecode", |
|
|
|
code: "somecode", |
|
|
|
error: "Error Condition", |
|
|
|
error: "Error Condition", |
|
|
|
}, |
|
|
|
}, |
|
|
|
expectedResponseCode: http.StatusBadRequest, |
|
|
|
expectedResponseCode: http.StatusBadRequest, |
|
|
|
expectedServerResponse: "Error Condition: \n", |
|
|
|
// Note: Error details should NOT be displayed to user anymore.
|
|
|
|
|
|
|
|
// Instead, a safe generic message is shown.
|
|
|
|
}, |
|
|
|
}, |
|
|
|
{ |
|
|
|
{ |
|
|
|
testName: "Expired Auth Code", |
|
|
|
testName: "Expired Auth Code", |
|
|
|
@ -352,8 +353,9 @@ func TestDeviceCallback(t *testing.T) { |
|
|
|
code: "somecode", |
|
|
|
code: "somecode", |
|
|
|
error: "<script>console.log(window);</script>", |
|
|
|
error: "<script>console.log(window);</script>", |
|
|
|
}, |
|
|
|
}, |
|
|
|
expectedResponseCode: http.StatusBadRequest, |
|
|
|
expectedResponseCode: http.StatusBadRequest, |
|
|
|
expectedServerResponse: "<script>console.log(window);</script>: \n", |
|
|
|
// Note: XSS data should NOT be displayed to user anymore.
|
|
|
|
|
|
|
|
// Instead, a safe generic message is shown.
|
|
|
|
}, |
|
|
|
}, |
|
|
|
} |
|
|
|
} |
|
|
|
for _, tc := range tests { |
|
|
|
for _, tc := range tests { |
|
|
|
@ -413,6 +415,29 @@ func TestDeviceCallback(t *testing.T) { |
|
|
|
t.Errorf("%s: Unexpected Response. Expected %q got %q", tc.testName, tc.expectedServerResponse, result) |
|
|
|
t.Errorf("%s: Unexpected Response. Expected %q got %q", tc.testName, tc.expectedServerResponse, result) |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Special check for error message safety tests
|
|
|
|
|
|
|
|
if tc.testName == "Prevent cross-site scripting" || tc.testName == "Error During Authorization" { |
|
|
|
|
|
|
|
result, _ := io.ReadAll(rr.Body) |
|
|
|
|
|
|
|
responseBody := string(result) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Error details should NOT be present in the response (for security)
|
|
|
|
|
|
|
|
if tc.testName == "Prevent cross-site scripting" { |
|
|
|
|
|
|
|
if strings.Contains(responseBody, "<script>") || strings.Contains(responseBody, "console.log(window)") { |
|
|
|
|
|
|
|
t.Errorf("%s: XSS script found in response, but should be blocked: %q", tc.testName, responseBody) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if tc.testName == "Error During Authorization" { |
|
|
|
|
|
|
|
if strings.Contains(responseBody, "Error Condition") { |
|
|
|
|
|
|
|
t.Errorf("%s: Error details found in response, but should be hidden: %q", tc.testName, responseBody) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Safe message should be present
|
|
|
|
|
|
|
|
if !strings.Contains(responseBody, "Authorization failed. Please try again.") { |
|
|
|
|
|
|
|
t.Errorf("%s: Safe error message not found in response: %q", tc.testName, responseBody) |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
} |
|
|
|
}) |
|
|
|
}) |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
Ivan Zvyagintsev
2 months ago