diff options
| author | Natalia <124304+nessita@users.noreply.github.com> | 2023-09-19 09:51:48 -0300 |
|---|---|---|
| committer | Natalia <124304+nessita@users.noreply.github.com> | 2023-10-04 09:38:26 -0300 |
| commit | 8124c42601b9abfeb234056092a62a22a22107cb (patch) | |
| tree | be47b09b56cfe59215b82d052727d0ad23abf03c /tests | |
| parent | 5c0df9953b6a9a70b143cfeae0a3f812b52be47b (diff) | |
[5.0.x] Fixed CVE-2023-43665 -- Mitigated potential DoS in django.utils.text.Truncator when truncating HTML text.
Thanks Wenchao Li of Alibaba Group for the report.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/utils_tests/test_text.py | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/tests/utils_tests/test_text.py b/tests/utils_tests/test_text.py index 12328d7693..77e637ae6c 100644 --- a/tests/utils_tests/test_text.py +++ b/tests/utils_tests/test_text.py @@ -1,5 +1,6 @@ import json import sys +from unittest.mock import patch from django.core.exceptions import SuspiciousFileOperation from django.test import SimpleTestCase @@ -94,11 +95,17 @@ class TestUtilsText(SimpleTestCase): text.Truncator(lazystr("The quick brown fox")).chars(10), "The quick…" ) - def test_truncate_chars_html(self): + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_chars_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML + bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 + valid_html = "<p>Joel is a slug</p>" # 14 chars perf_test_values = [ - (("</a" + "\t" * 50000) + "//>", None), - ("&" * 50000, "&" * 9 + "…"), + ("</a" + "\t" * (max_len - 6) + "//>", None), + ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * 6 + "…"), + ("&" * bigger_len, "&" * 9 + "…"), ("_X<<<<<<<<<<<>", None), + (valid_html * bigger_len, "<p>Joel is a…</p>"), # 10 chars ] for value, expected in perf_test_values: with self.subTest(value=value): @@ -176,15 +183,25 @@ class TestUtilsText(SimpleTestCase): truncator = text.Truncator("<p>I <3 python, what about you?</p>") self.assertEqual("<p>I <3 python,…</p>", truncator.words(3, html=True)) + @patch("django.utils.text.Truncator.MAX_LENGTH_HTML", 10_000) + def test_truncate_words_html_size_limit(self): + max_len = text.Truncator.MAX_LENGTH_HTML + bigger_len = text.Truncator.MAX_LENGTH_HTML + 1 + valid_html = "<p>Joel is a slug</p>" # 4 words perf_test_values = [ - ("</a" + "\t" * 50000) + "//>", - "&" * 50000, - "_X<<<<<<<<<<<>", + ("</a" + "\t" * (max_len - 6) + "//>", None), + ("</p" + "\t" * bigger_len + "//>", "</p" + "\t" * (max_len - 3) + "…"), + ("&" * max_len, None), # no change + ("&" * bigger_len, "&" * max_len + "…"), + ("_X<<<<<<<<<<<>", None), + (valid_html * bigger_len, valid_html * 12 + "<p>Joel is…</p>"), # 50 words ] - for value in perf_test_values: + for value, expected in perf_test_values: with self.subTest(value=value): truncator = text.Truncator(value) - self.assertEqual(value, truncator.words(50, html=True)) + self.assertEqual( + expected if expected else value, truncator.words(50, html=True) + ) def test_wrap(self): digits = "1234 67 9" |