mirror of
https://github.com/A6-9V/MQL5-Google-Onedrive.git
synced 2026-04-11 13:50:56 +00:00
de3bed10ba
🚨 Severity: MEDIUM 💡 Vulnerability: Information Exposure (CWE-209) - The web dashboard returned raw exception messages to users, potentially leaking internal details (stack traces, file paths, sensitive info). - This violated the principle of "Fail Securely". 🎯 Impact: - Attackers could glean information about the internal file structure or database errors to facilitate further attacks. 🔧 Fix: - Configured `logging` to capture errors securely to stderr (standard practice for containerized apps). - Updated `dashboard()` and `get_cached_markdown` to log the full exception traceback server-side. - Changed user-facing response to a generic "Internal Server Error" (500). ✅ Verification: - Added unit test `test_dashboard_error_handling` in `scripts/test_web_dashboard.py`. - Verified that the test passes: `python scripts/test_web_dashboard.py`. - Confirmed that the response body contains "Internal Server Error" and does NOT contain the mock secret.
70 lines
2.8 KiB
Python
70 lines
2.8 KiB
Python
import unittest
|
|
from unittest.mock import patch
|
|
import sys
|
|
import os
|
|
import json
|
|
|
|
# Add scripts directory to path so we can import web_dashboard
|
|
sys.path.append(os.path.dirname(os.path.abspath(__file__)))
|
|
|
|
from web_dashboard import app
|
|
|
|
class TestWebDashboard(unittest.TestCase):
|
|
def setUp(self):
|
|
self.app = app.test_client()
|
|
self.app.testing = True
|
|
|
|
def test_dashboard_route(self):
|
|
"""Test that the root route returns HTML."""
|
|
response = self.app.get('/')
|
|
self.assertEqual(response.status_code, 200)
|
|
self.assertIn(b'<!DOCTYPE html>', response.data)
|
|
self.assertIn(b'MQL5 Trading Automation Dashboard', response.data)
|
|
|
|
def test_health_route_json(self):
|
|
"""Test that the health route returns a JSON response."""
|
|
response = self.app.get('/health')
|
|
self.assertEqual(response.status_code, 200)
|
|
|
|
# This is what we expect AFTER the optimization.
|
|
# For TDD, this test will fail initially if I ran it now against the current code
|
|
# (because current code returns HTML for /health).
|
|
try:
|
|
data = json.loads(response.data)
|
|
self.assertEqual(data.get('status'), 'healthy')
|
|
except json.JSONDecodeError:
|
|
self.fail("Response is not valid JSON")
|
|
|
|
def test_skip_link_present(self):
|
|
"""Test that the skip link is present in the dashboard HTML."""
|
|
response = self.app.get('/')
|
|
self.assertEqual(response.status_code, 200)
|
|
self.assertIn(b'<a href="#status" class="skip-link">Skip to main content</a>', response.data)
|
|
|
|
def test_security_headers(self):
|
|
"""Test that security headers are present."""
|
|
response = self.app.get('/')
|
|
self.assertEqual(response.status_code, 200)
|
|
self.assertIn('Content-Security-Policy', response.headers)
|
|
self.assertIn('X-Content-Type-Options', response.headers)
|
|
self.assertIn('X-Frame-Options', response.headers)
|
|
self.assertIn('Referrer-Policy', response.headers)
|
|
|
|
def test_dashboard_error_handling(self):
|
|
"""Test that exceptions are handled gracefully without leaking details."""
|
|
# Patch get_cached_markdown to raise an exception
|
|
with patch('web_dashboard.get_cached_markdown', side_effect=Exception("Database connection failed - Secret: ABC-123")):
|
|
response = self.app.get('/')
|
|
|
|
# Should return 500 Internal Server Error
|
|
self.assertEqual(response.status_code, 500)
|
|
|
|
# Body should be generic error message
|
|
self.assertIn(b"Internal Server Error", response.data)
|
|
|
|
# Body should NOT contain the secret/exception details
|
|
self.assertNotIn(b"Database connection failed", response.data)
|
|
self.assertNotIn(b"Secret: ABC-123", response.data)
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|