[airflow] branch master updated: Separate out tests to cater of changes in Python 3.8.8 (#14698)

Wed, 10 Mar 2021 15:16:08 -0800 

This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/master by this push:
     new ffe3bd2  Separate out tests to cater of changes in Python 3.8.8 
(#14698)
ffe3bd2 is described below

commit ffe3bd29574d62a0a692cd8f63995856bbff8c0b
Author: Kaxil Naik <[email protected]>
AuthorDate: Wed Mar 10 23:15:39 2021 +0000

    Separate out tests to cater of changes in Python 3.8.8 (#14698)
    
    https://github.com/python/cpython/pull/24297 change was included in
    Python 3.8.8 to fix a vulnerability (bpo-42967)
    
    Depending on which Base Python Image is run in our CI, two of the tests
    can fail or succeed.
    
    Our Previous two attempts:
    
    - 
https://github.com/apache/airflow/commit/061cd236deb22567e4de36af11025f028d787989#
    - 
https://github.com/apache/airflow/commit/49952e79b04da932242ebf3981883e591b467994
    
    We might for a while get different base python version depending on the 
changes of a PR (whether or not it includes a change to dockerfiler).
    a) when you have PR which do not have changes in the Dockerfile, they will 
use the older python version as base (for example Python 3.8.7)
    b) when you have PR that touches the Dockerfile and have setup.py changes 
in master, it should pull Python 3.8.8 first.
---
 tests/www/test_views.py | 72 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 66 insertions(+), 6 deletions(-)

diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index ef05f6b..517d4bc 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -2784,7 +2784,38 @@ class TestTriggerDag(TestBase):
             ("%2Fgraph%3Fdag_id%3Dexample_bash_operator", 
"/graph?dag_id=example_bash_operator"),
         ]
     )
-    def test_trigger_dag_form_origin_url(self, test_origin, expected_origin):
+    @pytest.mark.skipif(
+        sys.version_info < (3, 8, 8),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_trigger_dag_form_origin_url_py_lte_387(self, test_origin, 
expected_origin):
+        test_dag_id = "example_bash_operator"
+
+        resp = 
self.client.get(f'trigger?dag_id={test_dag_id}&origin={test_origin}')
+        self.check_content_in_response(
+            '<button type="button" class="btn" onclick="location.href = 
\'{}\'; return false">'.format(
+                expected_origin
+            ),
+            resp,
+        )
+
+    @parameterized.expand(
+        [
+            ("javascript:alert(1)", "/home"),
+            ("http://google.com";, "/home"),
+            (
+                "%2Ftree%3Fdag_id%3Dexample_bash_operator';alert(33)//",
+                "/tree?dag_id=example_bash_operator%27%3Balert%2833%29%2F%2F",
+            ),
+            ("%2Ftree%3Fdag_id%3Dexample_bash_operator", 
"/tree?dag_id=example_bash_operator"),
+            ("%2Fgraph%3Fdag_id%3Dexample_bash_operator", 
"/graph?dag_id=example_bash_operator"),
+        ]
+    )
+    @pytest.mark.skipif(
+        sys.version_info > (3, 8, 7),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_trigger_dag_form_origin_url_py_gt_387(self, test_origin, 
expected_origin):
         test_dag_id = "example_bash_operator"
 
         resp = 
self.client.get(f'trigger?dag_id={test_dag_id}&origin={test_origin}')
@@ -3329,11 +3360,40 @@ class TestHelperFunctions(TestBase):
             ),
         ]
     )
-    @mock.patch("airflow.www.views.url_for")
-    def test_get_safe_url(self, test_url, expected_url, mock_url_for):
-        mock_url_for.return_value = "/home"
-        with self.app.test_request_context(base_url="http://localhost:8080";):
-            assert get_safe_url(test_url) == expected_url
+    @pytest.mark.skipif(
+        sys.version_info < (3, 8, 8),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_get_safe_url_py_lte_387(self, test_url, expected_url):
+        with mock.patch("airflow.www.views.url_for") as mock_url_for:
+            mock_url_for.return_value = "/home"
+            with 
self.app.test_request_context(base_url="http://localhost:8080";):
+                assert get_safe_url(test_url) == expected_url
+
+    @parameterized.expand(
+        [
+            ("", "/home"),
+            ("http://google.com";, "/home"),
+            (
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag';alert(33)//",
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3F";
+                "dag_id%25test_dag%27%3Balert%2833%29%2F%2F",
+            ),
+            (
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag";,
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%25test_dag";,
+            ),
+        ]
+    )
+    @pytest.mark.skipif(
+        sys.version_info > (3, 8, 7),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_get_safe_url_py_gt_387(self, test_url, expected_url):
+        with mock.patch("airflow.www.views.url_for") as mock_url_for:
+            mock_url_for.return_value = "/home"
+            with 
self.app.test_request_context(base_url="http://localhost:8080";):
+                assert get_safe_url(test_url) == expected_url
 
     @parameterized.expand(
         [

Reply via email to