Test further improvement of injection attempt by penetration tests

Replicate a smarter attempt by a penetration tool to disguise the javascript: protocol

Remove duplicated entry

Rework of util::which

The new version now deals correctly with absolute paths, where just the extensions are added, and it is checked whether the program is executable.

Extended regression test to deal with optional and required external dependencies. Missing optional external programs produce warnings.

Cleanup of external binaries: always use "util::which" to resolve binaries

Background: it is important to always use the same binaries of some programs. This is important for security reasons, consistency, and configurability (some operating systems have read-only file systems, which might be on the path and should be avoided for some operations).

Improve test:

Whether the html filter will accept a script tag or not is configuration-dependent. We now enforce that the outcome is consistent with the security check for HTML used in the filter itself.

Replicate injection attempt by penetration tools

bugfix: fixed test test_ad_register_proc when running in a container

When running in a container, one cannot use util_current_location, which refers to the URL to reach the server from the container host. To address the server inside the container, acs::test::url should be used.

This change does not matter for non-containerized applications.

Provide facilities to validate against invalid SQL strings

We introduce a new page contract filter and nsf validator called "dbtext". They enforce that a value is usable in an SQL query. Currently, this means that the value should not contain the NUL character, but the definition may change in the future or become database-specific.

The html contract filter has also been extended to reject the NUL character.

The test suite has been updated/extended to reflect the changes.

improved spelling

Move test from acs-kernel to acs-tcl, add remarks

Make URLs assumed to be hosted on openacs.org absolute

Improve test for singleton package parameters (aka instance parameters of singleton packages):

- do not choose a parameter at random, test them all instead

- do not test for global parameters. For those, the api will behave differently

- do not test for parameters coming from the configuration file. The parameter::* api does not allow manipulating those

- do not check for packages that are not mounted. A value would not be found for those

fix typo

skip "-url" in "export_vars -url" since it is the default

Disable tests to check for executables on the system

improve spelling

Deprecate apm_file_type_keys, which can be inlined by a simple dict idiom

Test apm_workspace directory api

Test creating and extracting an APM Package tarball

file apm-file-procs.tcl was initially added on branch oacs-5-10.

As tcllib was released in 2016, I believe we can cleanup the legacy zip implementation

Extend the test to also cover corner-case behavior concerning overwriting of files

Test zipping and unzipping utilities

Make test less tautological

Test for psql only when this is expected

Test external command dependencies

This will currently fail because of a bug in db_get_pgbin

Test ad_change_password

added page contract filter: safetclchars

safetclchars should be used in cases where the variable value is passed to "subst", or "eval"...
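The two page contract filters described in the commit messages above ("dbtext", which rejects values that cannot be handed to the database, and "safetclchars", which rejects values that would act as code under "subst" or "eval") can be illustrated together. The block below is an added example, not the OpenACS project's own implementation of either filter: it assumes the OpenACS procs ad_page_contract_filter and ad_complain (which exist in OpenACS) and only registers the filters when those procs are present, so the plain check procs also run in a bare tclsh. The exact character set rejected by safetclchars_ok is this example's own choice.

```tcl
# Added example, not OpenACS code. The two check procs below carry the
# logic; the ad_page_contract_filter registrations at the end wrap them
# in the form a page contract expects (e.g. "body:dbtext,notnull").

# dbtext: a value is usable in an SQL query only if it contains no NUL
# byte, which the database driver cannot transport as part of a string.
proc dbtext_ok {value} {
    return [expr {[string first "\u0000" $value] == -1}]
}

# safetclchars: a value that will later be passed to "subst" or "eval"
# must not contain the characters that Tcl interprets as code:
#   [ ]  command substitution
#   $    variable substitution
#   \    backslash escapes
# (assumption of this example; the project's own list may differ)
proc safetclchars_ok {value} {
    return [expr {![regexp {[\[\]$\\]} $value]}]
}

# Register the checks as page contract filters when running inside
# OpenACS. ad_complain records the error shown to the user; returning 0
# rejects the request before the page body runs.
if {[info commands ad_page_contract_filter] ne ""} {
    ad_page_contract_filter dbtext {name value} {
        if {![dbtext_ok $value]} {
            ad_complain "$name contains a NUL character, which is not allowed"
            return 0
        }
        return 1
    }
    ad_page_contract_filter safetclchars {name value} {
        if {![safetclchars_ok $value]} {
            ad_complain "$name contains characters unsafe for Tcl substitution"
            return 0
        }
        return 1
    }
}

# Constructed sample inputs, runnable in a bare tclsh:
foreach {label value} {
    plain       "hello world"
    nul         "hello\u0000world"
    subst_cmd   "[exit]"
    subst_var   "$env(HOME)"
} {
    set value [subst -nocommands -novariables $value]
    puts [format "%-10s dbtext=%d safetclchars=%d" \
              $label [dbtext_ok $value] [safetclchars_ok $value]]
}
```

Note the difference in scope: dbtext only guards the database layer, so a value that passes it may still be unsafe for "subst"; a value destined for both the database and Tcl evaluation needs both filters in its page contract.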

Save and restore all variables properly to not be influenced or interfere with other tests