com.atlassian.jira.webtests.ztests.issue
Class TestWikiRendererXSS

java.lang.Object
  junit.framework.Assert
      junit.framework.TestCase
          com.atlassian.jira.functest.framework.FuncTestCase
              com.atlassian.jira.webtests.ztests.issue.TestWikiRendererXSS

All Implemented Interfaces:

FunctTestConstants, com.atlassian.jira.testkit.client.log.FuncTestLogger, EnvironmentAware, junit.framework.Test

public class TestWikiRendererXSS
extends FuncTestCase

Test the links generated by the wiki renderer against various types of XSS attacks.

Since:

v3.13

Field Summary

Fields inherited from class com.atlassian.jira.functest.framework.FuncTestCase

administration, assertions, backdoor, environmentData, form, funcTestHelperFactory, issueTableAssertions, locator, log, navigation, oldway_consider_porting, page, parse, tester, text

Fields inherited from interface com.atlassian.jira.functest.framework.FunctTestConstants

ADMIN_EMAIL, ADMIN_FULLNAME, ADMIN_PASSWORD, ADMIN_USERNAME, ADMINISTER, AFFECTS_VERSIONS_FIELD_ID, ANYONE, ASSIGN_FIELD_SCREEN, ASSIGN_FIELD_SCREEN_NAME, ASSIGN_ISSUE, ASSIGNABLE_USER, ASSIGNEE_FIELD_ID, ATTACHMENT_FIELD_ID, BOB_EMAIL, BOB_FULLNAME, BOB_PASSWORD, BOB_USERNAME, BROWSE, BUILT_IN_CUSTOM_FIELD_KEY, BULK_CHANGE, BUTTON_CANCEL, BUTTON_CONFIRM, BUTTON_NAME_NEXT, BUTTON_NEXT, CHANGE_HISTORY, CLONERS_INWARD_LINK_NAME, CLONERS_LINK_TYPE_NAME, CLONERS_OUTWARD_LINK_NAME, CLOSE_ISSUE, COMMENT_DELETE_ALL, COMMENT_DELETE_OWN, COMMENT_EDIT_ALL, COMMENT_EDIT_OWN, COMMENT_ISSUE, COMPONENT_NAME_FOUR, COMPONENT_NAME_ONE, COMPONENT_NAME_THREE, COMPONENT_NAME_TWO, COMPONENTS_FIELD_ID, CREATE_ATTACHMENT, CREATE_ISSUE, CREATE_ISSUE_OPERATION_SCREEN, CREATE_SHARED_OBJECTS, CURRENT_USER, CUSTOM_FIELD_CASCADING_SELECT_SEARCHER, CUSTOM_FIELD_CHECKBOX_SEARCHER, CUSTOM_FIELD_CONFIGURATION, CUSTOM_FIELD_DATE_RANGE, CUSTOM_FIELD_EXACT_NUMBER, CUSTOM_FIELD_EXACT_TEXT_SEARCHER, CUSTOM_FIELD_GROUP_PICKER_SEARCHER, CUSTOM_FIELD_LABEL_SEARCHER, CUSTOM_FIELD_MULTI_SELECT_SEARCHER, CUSTOM_FIELD_NUMBER_RANGE, CUSTOM_FIELD_PREFIX, CUSTOM_FIELD_PROJECT_SEARCHER, CUSTOM_FIELD_RADIO_SEARCHER, CUSTOM_FIELD_SELECT_SEARCHER, CUSTOM_FIELD_TEXT_SEARCHER, CUSTOM_FIELD_TYPE_CASCADINGSELECT, CUSTOM_FIELD_TYPE_CHECKBOX, CUSTOM_FIELD_TYPE_DATEPICKER, CUSTOM_FIELD_TYPE_DATETIME, CUSTOM_FIELD_TYPE_FLOAT, CUSTOM_FIELD_TYPE_GROUPPICKER, CUSTOM_FIELD_TYPE_LABELS, CUSTOM_FIELD_TYPE_MULTICHECKBOXES, CUSTOM_FIELD_TYPE_MULTIGROUPPICKER, CUSTOM_FIELD_TYPE_MULTISELECT, CUSTOM_FIELD_TYPE_MULTIUSERPICKER, CUSTOM_FIELD_TYPE_PROJECT, CUSTOM_FIELD_TYPE_RADIO, CUSTOM_FIELD_TYPE_SELECT, CUSTOM_FIELD_TYPE_TEXTFIELD, CUSTOM_FIELD_TYPE_URL, CUSTOM_FIELD_TYPE_USERPICKER, CUSTOM_FIELD_TYPE_VERSION, CUSTOM_FIELD_USER_PICKER_GROUP_SEARCHER, CUSTOM_FIELD_USER_PICKER_SEARCHER, CUSTOM_FIELD_VERSION_SEARCHER, CUSTOM_SUB_TASK_SUMMARY, CUSTOM_SUB_TASK_TYPE_DESCRIPTION, CUSTOM_SUB_TASK_TYPE_NAME, DEFAULT_ASSIGNEE_ERROR_MESSAGE, DEFAULT_FIELD_CONFIGURATION, DEFAULT_FIELD_SCREEN_NAME, DEFAULT_ISSUE_TYPE_SCREEN_SCHEME, DEFAULT_OPERATION_SCREEN, DEFAULT_PERM_SCHEME, DEFAULT_PERM_SCHEME_ID, DEFAULT_SCREEN_SCHEME, DEFAULT_TEXT_RENDERER, DELETE_ISSUE, DUE_DATE_FIELD_ID, EDIT_ISSUE, EDIT_ISSUE_OPERATION_SCREEN, EVENT_TYPE_ACTIVE_STATUS, EVENT_TYPE_INACTIVE_STATUS, FIELD_ASSIGNEE, FIELD_COMMENT, FIELD_COMPONENTS, FIELD_FIX_VERSIONS, FIELD_OPERATION, FIELD_PRIORITY, FIELD_SCHEME_DESC, FIELD_SCHEME_NAME, FIELD_TABLE_ID, FIELD_VERSIONS, FIELD_WORKFLOW, FIX_VERSIONS_FIELD_ID, FORMAT_DAYS, FORMAT_HOURS, FORMAT_PRETTY, FRED_EMAIL, FRED_FULLNAME, FRED_PASSWORD, FRED_USERNAME, FS, FUNC_TEST_PLUGIN_REST_PATH, GLOBAL_ADMIN, HTM, ISSUE_ALL, ISSUE_BUG, ISSUE_IMAGE_BUG, ISSUE_IMAGE_GENERIC, ISSUE_IMAGE_IMPROVEMENT, ISSUE_IMAGE_NEWFEATURE, ISSUE_IMAGE_SUB_TASK, ISSUE_IMAGE_TASK, ISSUE_IMPROVEMENT, ISSUE_NEWFEATURE, ISSUE_TAB_ALL, ISSUE_TAB_CHANGE_HISTORY, ISSUE_TAB_COMMENTS, ISSUE_TAB_WORK_LOG, ISSUE_TASK, ISSUE_TYPE_ALL, ISSUE_TYPE_ALL_SUB_TASK, ISSUE_TYPE_ANY, ISSUE_TYPE_BUG, ISSUE_TYPE_IMPROVEMENT, ISSUE_TYPE_NEWFEATURE, ISSUE_TYPE_SUB_TASK, ISSUE_TYPE_TASK, ISSUETABLE_EDIT_ROW, ISSUETABLE_HEADER_ROW, ISSUETABLE_ID, JIRA_ADMIN_GROUP, JIRA_ADMIN_ROLE, JIRA_DEV_GROUP, JIRA_DEV_ROLE, JIRA_FORM_NAME, JIRA_USERS_GROUP, JIRA_USERS_ROLE, LABEL_ISSUE_NAVIGATOR, LINK_ASSIGN_ISSUE, LINK_BULK_CHANGE_ALL, LINK_BULK_CHANGE_CURR_PG, LINK_CLONE_ISSUE, LINK_DELETE_ISSUE, LINK_EDIT_ISSUE, LINK_ISSUE, LINK_NEXT_PG, MANAGE_GROUP_FILTER_SUBSCRIPTIONS, MANAGE_WATCHER_LIST, minorPriority, MODIFY_REPORTER, MOVE_DOWN, MOVE_ISSUE, MOVE_TO_FIRST, MOVE_TO_LAST, MOVE_UP, PERM_SCHEME_DESC, PERM_SCHEME_NAME, PRIORITY_BLOCKER, PRIORITY_CRITICAL, PRIORITY_FIELD_ID, PRIORITY_IMAGE_BLOCKER, PRIORITY_IMAGE_CRITICAL, PRIORITY_IMAGE_MAJOR, PRIORITY_IMAGE_MINOR, PRIORITY_IMAGE_TRIVIAL, PRIORITY_MAJOR, PRIORITY_MINOR, PRIORITY_TRIVIAL, PROJECT_ADMIN, PROJECT_HOMOSAP, PROJECT_HOMOSAP_KEY, PROJECT_MONKEY, PROJECT_MONKEY_KEY, PROJECT_NEO, PROJECT_NEO_KEY, PROJECT_TAB_CHANGE_LOG, PROJECT_TAB_COMPONENTS, PROJECT_TAB_OPEN_ISSUES, PROJECT_TAB_ROAD_MAP, PROJECT_TAB_VERSIONS, RADIO_OPERATION_DELETE, RADIO_OPERATION_EDIT, RADIO_OPERATION_MOVE, RADIO_OPERATION_WORKFLOW, REPORTER_FIELD_ID, RESOLUTION_FIELD_ID, RESOLVE_FIELD_SCREEN_NAME, RESOLVE_ISSUE, SCHEDULE_ISSUE, SCREEN_TABLE_NAME_COLUMN_INDEX, SECURITY_LEVEL_FIELD_ID, SECURITY_LEVEL_ONE_DESC, SECURITY_LEVEL_ONE_NAME, SECURITY_LEVEL_THREE_DESC, SECURITY_LEVEL_THREE_NAME, SECURITY_LEVEL_TWO_DESC, SECURITY_LEVEL_TWO_NAME, SECURITY_SCHEME_DESC, SECURITY_SCHEME_NAME, SET_ISSUE_SECURITY, STATUS_IN_PROGRESS, STATUS_NAME, STATUS_OPEN, STATUS_RESOLVED, STEP_CHOOSE_ISSUES, STEP_CHOOSE_OPERATION, STEP_CONFIRMATION, STEP_NAME, STEP_OPERATION_DETAILS, STEP_PREFIX, SUB_TASK_DEFAULT_TYPE, SUB_TASK_SUMMARY, Summary, SYS_ADMIN_PASSWORD, SYS_ADMIN_USERNAME, SYSTEM_ADMINISTER, TEST_FIELD_SCREEN, TRANSIION_NAME_APPROVE, TRANSIION_NAME_CLOSE, TRANSIION_NAME_REOPEN, TRANSIION_NAME_RESOLVE, TRANSIION_NAME_START_PROGRESS, TRANSIION_NAME_STOP_PROGRESS, UNKNOWN, UNKNOWN_ID, USE, USER_PICKER, VERSION_NAME_FIVE, VERSION_NAME_FOUR, VERSION_NAME_ONE, VERSION_NAME_THREE, VERSION_NAME_TWO, VERSIONS_FIELD_ID, VIEW_ISSUE_OPERATION_SCREEN, VIEW_VERSION_CONTROL, VIEW_VOTERS_AND_WATCHERS, WIKI_STYLE_RENDERER, WORK_ISSUE, WORKFLOW_ADDED, WORKFLOW_COPIED, WORKFLOW_SCHEME

Constructor Summary

TestWikiRendererXSS()

Method Summary

void	testCodeMacro()
void	testXSSLinks() JRA-15812: The Wiki link renderer assumes that the returned URL is correctly escaped.

Methods inherited from class com.atlassian.jira.functest.framework.FuncTestCase

builtInCustomFieldKey, getAssertions, getEnvironmentData, getTester, getWebClientListener, isDumpHTML, log, log, runBare, runTest, setEnvironmentData, setUp, setUpHttpUnitOptions, setUpTest, shouldSkipSetup, tearDown, tearDownTest, xpath

Methods inherited from class junit.framework.TestCase

countTestCases, createResult, getName, run, run, setName, toString

Methods inherited from class junit.framework.Assert

assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertEquals, assertFalse, assertFalse, assertNotNull, assertNotNull, assertNotSame, assertNotSame, assertNull, assertNull, assertSame, assertSame, assertTrue, assertTrue, fail, fail, failNotEquals, failNotSame, failSame, format

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Constructor Detail

TestWikiRendererXSS

public TestWikiRendererXSS()

Method Detail

testCodeMacro

public void testCodeMacro()

testXSSLinks

public void testXSSLinks()

JRA-15812: The Wiki link renderer assumes that the returned URL is correctly escaped. Passing an un-escaped URL allows the user to perform an XSS attack by closing the link early and then embedding some Javascript. For instance, the link [XSS|cool" onclick=">some bad javascript<] would allow a user to execute some arbitrary Javascript when the user clicked a link.