forked from LengKundee/MQL5-Google-Onedrive
3b3aca33bf
🚨 Severity: MEDIUM 💡 Vulnerability: The web dashboard previously returned raw exception strings to the user upon error. This could leak sensitive internal details (e.g., file paths, stack traces). 🎯 Impact: Attackers could gain reconnaissance data about the server environment. 🔧 Fix: Replaced `return f"Error: {str(e)}", 500` with `logger.exception(...)` and a generic `Internal Server Error` response. ✅ Verification: Added `scripts/test_web_dashboard_security.py` which mocks an exception and asserts that the response does NOT contain the exception details. Existing tests in `scripts/test_web_dashboard.py` also pass.
35 lines
1.1 KiB
Python
35 lines
1.1 KiB
Python
import unittest
|
|
from unittest.mock import patch
|
|
import sys
|
|
import os
|
|
|
|
sys.path.append(os.path.dirname(os.path.abspath(__file__)))
|
|
|
|
from web_dashboard import app
|
|
|
|
class TestWebDashboardSecurity(unittest.TestCase):
|
|
def setUp(self):
|
|
self.app = app.test_client()
|
|
self.app.testing = True
|
|
|
|
@patch('web_dashboard.get_cached_markdown')
|
|
def test_error_handling_no_leak(self, mock_get_cached_markdown):
|
|
"""Test that exceptions are handled gracefully without leaking details."""
|
|
# Simulate an unexpected error with sensitive info
|
|
secret = "Secret Database Path: /etc/passwd"
|
|
mock_get_cached_markdown.side_effect = Exception(secret)
|
|
|
|
response = self.app.get('/')
|
|
|
|
# Expect 500 Internal Server Error
|
|
self.assertEqual(response.status_code, 500)
|
|
|
|
# Expect generic error message
|
|
self.assertIn(b"Internal Server Error", response.data)
|
|
|
|
# Expect sensitive info NOT to be present
|
|
self.assertNotIn(b"Secret Database Path", response.data)
|
|
self.assertNotIn(b"/etc/passwd", response.data)
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|