MQL5-Google-Onedrive/scripts/test_web_dashboard_security.py

import unittest
from unittest.mock import patch
import sys
import os

sys.path.append(os.path.dirname(os.path.abspath(__file__)))

from web_dashboard import app

class TestWebDashboardSecurity(unittest.TestCase):
    def setUp(self):
        self.app = app.test_client()
        self.app.testing = True

    @patch('web_dashboard.get_cached_markdown')
    def test_error_handling_no_leak(self, mock_get_cached_markdown):
        """Test that exceptions are handled gracefully without leaking details."""
        # Simulate an unexpected error with sensitive info
        secret = "Secret Database Path: /etc/passwd"
        mock_get_cached_markdown.side_effect = Exception(secret)

        response = self.app.get('/')

        # Expect 500 Internal Server Error
        self.assertEqual(response.status_code, 500)

        # Expect generic error message
        self.assertIn(b"Internal Server Error", response.data)

        # Expect sensitive info NOT to be present
        self.assertNotIn(b"Secret Database Path", response.data)
        self.assertNotIn(b"/etc/passwd", response.data)

if __name__ == '__main__':
    unittest.main()
🛡️ Sentinel: [MEDIUM] Fix error handling info leak in web dashboard 🚨 Severity: MEDIUM 💡 Vulnerability: The web dashboard previously returned raw exception strings to the user upon error. This could leak sensitive internal details (e.g., file paths, stack traces). 🎯 Impact: Attackers could gain reconnaissance data about the server environment. 🔧 Fix: Replaced `return f"Error: {str(e)}", 500` with `logger.exception(...)` and a generic `Internal Server Error` response. ✅ Verification: Added `scripts/test_web_dashboard_security.py` which mocks an exception and asserts that the response does NOT contain the exception details. Existing tests in `scripts/test_web_dashboard.py` also pass. 2026-02-13 11:13:14 +00:00			`import unittest`
			`from unittest.mock import patch`
			`import sys`
			`import os`

			`sys.path.append(os.path.dirname(os.path.abspath(__file__)))`

			`from web_dashboard import app`

			`class TestWebDashboardSecurity(unittest.TestCase):`
			`def setUp(self):`
			`self.app = app.test_client()`
			`self.app.testing = True`

			`@patch('web_dashboard.get_cached_markdown')`
			`def test_error_handling_no_leak(self, mock_get_cached_markdown):`
			`"""Test that exceptions are handled gracefully without leaking details."""`
			`# Simulate an unexpected error with sensitive info`
			`secret = "Secret Database Path: /etc/passwd"`
			`mock_get_cached_markdown.side_effect = Exception(secret)`

			`response = self.app.get('/')`

			`# Expect 500 Internal Server Error`
			`self.assertEqual(response.status_code, 500)`

			`# Expect generic error message`
			`self.assertIn(b"Internal Server Error", response.data)`

			`# Expect sensitive info NOT to be present`
			`self.assertNotIn(b"Secret Database Path", response.data)`
			`self.assertNotIn(b"/etc/passwd", response.data)`

			`if __name__ == '__main__':`
			`unittest.main()`