MQL5-Google-Onedrive/scripts/test_web_dashboard.py

import unittest
import sys
import os
import json

# Add scripts directory to path so we can import web_dashboard
sys.path.append(os.path.dirname(os.path.abspath(__file__)))

from web_dashboard import app

class TestWebDashboard(unittest.TestCase):
    def setUp(self):
        self.app = app.test_client()
        self.app.testing = True

    def test_dashboard_route(self):
        """Test that the root route returns HTML."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn(b'<!DOCTYPE html>', response.data)
        self.assertIn(b'MQL5 Trading Automation Dashboard', response.data)

    def test_health_route_json(self):
        """Test that the health route returns a JSON response."""
        response = self.app.get('/health')
        self.assertEqual(response.status_code, 200)

        # This is what we expect AFTER the optimization.
        # For TDD, this test will fail initially if I ran it now against the current code
        # (because current code returns HTML for /health).
        try:
            data = json.loads(response.data)
            self.assertEqual(data.get('status'), 'healthy')
        except json.JSONDecodeError:
            self.fail("Response is not valid JSON")

    def test_skip_link_present(self):
        """Test that the skip link is present in the dashboard HTML."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn(b'<a href="#status" class="skip-link">Skip to main content</a>', response.data)

    def test_security_headers(self):
        """Test that security headers are present."""
        response = self.app.get('/')
        self.assertEqual(response.status_code, 200)
        self.assertIn('Content-Security-Policy', response.headers)
        self.assertIn('X-Content-Type-Options', response.headers)
        self.assertIn('X-Frame-Options', response.headers)
        self.assertIn('Referrer-Policy', response.headers)

    def test_error_handling_no_leak(self):
        """Test that exceptions do not leak internal details."""
        from unittest.mock import patch
        # Patch get_cached_markdown to raise an exception with sensitive info
        with patch('web_dashboard.get_cached_markdown', side_effect=Exception("SENSITIVE_INTERNAL_INFO")):
            response = self.app.get('/')

            # Should return 500
            self.assertEqual(response.status_code, 500)

            # Should NOT contain the sensitive info
            self.assertNotIn(b'SENSITIVE_INTERNAL_INFO', response.data)

            # Should contain generic error message
            self.assertIn(b'Internal Server Error', response.data)

if __name__ == '__main__':
    unittest.main()
⚡ Bolt: Optimize health check endpoint 💡 What: Separated the /health endpoint from the main dashboard rendering logic. It now returns a lightweight JSON response. 🎯 Why: The previous implementation rendered the full Markdown dashboard for every health check, consuming unnecessary CPU and I/O resources during frequent polling. 📊 Impact: Reduces health check processing time from file reading + markdown parsing (~milliseconds) to a simple JSON return (~microseconds). 🔬 Measurement: Verified with new test script scripts/test_web_dashboard.py and updated render.yaml/app.yaml to use the new endpoint. 2026-01-21 05:17:23 +00:00			`import unittest`
			`import sys`
			`import os`
			`import json`

			`# Add scripts directory to path so we can import web_dashboard`
			`sys.path.append(os.path.dirname(os.path.abspath(__file__)))`

			`from web_dashboard import app`

			`class TestWebDashboard(unittest.TestCase):`
			`def setUp(self):`
			`self.app = app.test_client()`
			`self.app.testing = True`

			`def test_dashboard_route(self):`
			`"""Test that the root route returns HTML."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn(b'<!DOCTYPE html>', response.data)`
			`self.assertIn(b'MQL5 Trading Automation Dashboard', response.data)`

			`def test_health_route_json(self):`
			`"""Test that the health route returns a JSON response."""`
			`response = self.app.get('/health')`
			`self.assertEqual(response.status_code, 200)`

			`# This is what we expect AFTER the optimization.`
			`# For TDD, this test will fail initially if I ran it now against the current code`
			`# (because current code returns HTML for /health).`
			`try:`
			`data = json.loads(response.data)`
			`self.assertEqual(data.get('status'), 'healthy')`
			`except json.JSONDecodeError:`
			`self.fail("Response is not valid JSON")`

🎨 Palette: Add skip-to-content link for accessibility 2026-02-08 11:20:56 +00:00			`def test_skip_link_present(self):`
			`"""Test that the skip link is present in the dashboard HTML."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn(b'<a href="#status" class="skip-link">Skip to main content</a>', response.data)`

Add security headers to web dashboard (CSP, HSTS, X-Frame-Options) - Implemented `@app.after_request` in `scripts/web_dashboard.py` to inject security headers. - Added `Content-Security-Policy` with `default-src 'self'`, blocking inline scripts. - Added `X-Content-Type-Options: nosniff`. - Added `X-Frame-Options: SAMEORIGIN`. - Added `Referrer-Policy: strict-origin-when-cross-origin`. - Added unit test `test_security_headers` to `scripts/test_web_dashboard.py` to verify header presence. - Mitigates Stored XSS, Clickjacking, and MIME sniffing risks. 2026-02-09 11:27:48 +00:00			`def test_security_headers(self):`
			`"""Test that security headers are present."""`
			`response = self.app.get('/')`
			`self.assertEqual(response.status_code, 200)`
			`self.assertIn('Content-Security-Policy', response.headers)`
			`self.assertIn('X-Content-Type-Options', response.headers)`
			`self.assertIn('X-Frame-Options', response.headers)`
			`self.assertIn('Referrer-Policy', response.headers)`

Sentinel: [MEDIUM] Fix exception leakage in web dashboard 💡 Vulnerability: The web dashboard was returning raw exception strings in HTTP 500 responses, potentially exposing internal file paths or sensitive system information. 🎯 Impact: Attackers could gather reconnaissance data about the internal environment. 🔧 Fix: Catch exceptions, log them securely using `logging.error`, and return a generic "Internal Server Error" message to the user. ✅ Verification: Added `test_error_handling_no_leak` to `scripts/test_web_dashboard.py` which mocks a failure and asserts that the sensitive info is NOT present in the response. 2026-02-12 11:29:56 +00:00			`def test_error_handling_no_leak(self):`
			`"""Test that exceptions do not leak internal details."""`
			`from unittest.mock import patch`
			`# Patch get_cached_markdown to raise an exception with sensitive info`
			`with patch('web_dashboard.get_cached_markdown', side_effect=Exception("SENSITIVE_INTERNAL_INFO")):`
			`response = self.app.get('/')`

			`# Should return 500`
			`self.assertEqual(response.status_code, 500)`

			`# Should NOT contain the sensitive info`
			`self.assertNotIn(b'SENSITIVE_INTERNAL_INFO', response.data)`

			`# Should contain generic error message`
			`self.assertIn(b'Internal Server Error', response.data)`

⚡ Bolt: Optimize health check endpoint 💡 What: Separated the /health endpoint from the main dashboard rendering logic. It now returns a lightweight JSON response. 🎯 Why: The previous implementation rendered the full Markdown dashboard for every health check, consuming unnecessary CPU and I/O resources during frequent polling. 📊 Impact: Reduces health check processing time from file reading + markdown parsing (~milliseconds) to a simple JSON return (~microseconds). 🔬 Measurement: Verified with new test script scripts/test_web_dashboard.py and updated render.yaml/app.yaml to use the new endpoint. 2026-01-21 05:17:23 +00:00			`if __name__ == '__main__':`
			`unittest.main()`