This is an automated email from the ASF dual-hosted git repository.

kaxilnaik pushed a commit to branch v2-0-test
in repository https://gitbox.apache.org/repos/asf/airflow.git

commit 159280656dfd5dcd81e97dade2c5fa5a88a20727
Author: Kaxil Naik <kaxiln...@gmail.com>
AuthorDate: Wed Mar 10 23:15:39 2021 +0000

    Separate out tests to cater of changes in Python 3.8.8 (#14698)
    
    https://github.com/python/cpython/pull/24297 change was included in
    Python 3.8.8 to fix a vulnerability (bpo-42967)
    
    Depending on which Base Python Image is run in our CI, two of the tests
    can fail or succeed.
    
    Our Previous two attempts:
    
    - 
https://github.com/apache/airflow/commit/061cd236deb22567e4de36af11025f028d787989#
    - 
https://github.com/apache/airflow/commit/49952e79b04da932242ebf3981883e591b467994
    
    We might for a while get a different base Python version depending on the 
changes in a PR (whether or not it includes a change to the Dockerfile).
    a) when a PR does not have changes in the Dockerfile, it will 
use the older Python version as base (for example Python 3.8.7)
    b) when a PR touches the Dockerfile and has setup.py changes 
in master, it should pull Python 3.8.8 first.
    
    (cherry picked from commit ffe3bd29574d62a0a692cd8f63995856bbff8c0b)
---
 tests/www/test_views.py | 72 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 66 insertions(+), 6 deletions(-)

diff --git a/tests/www/test_views.py b/tests/www/test_views.py
index d284314..0d50144 100644
--- a/tests/www/test_views.py
+++ b/tests/www/test_views.py
@@ -2763,7 +2763,38 @@ class TestTriggerDag(TestBase):
             ("%2Fgraph%3Fdag_id%3Dexample_bash_operator", 
"/graph?dag_id=example_bash_operator"),
         ]
     )
-    def test_trigger_dag_form_origin_url(self, test_origin, expected_origin):
+    @pytest.mark.skipif(
+        sys.version_info < (3, 8, 8),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_trigger_dag_form_origin_url_py_lte_387(self, test_origin, 
expected_origin):
+        test_dag_id = "example_bash_operator"
+
+        resp = 
self.client.get(f'trigger?dag_id={test_dag_id}&origin={test_origin}')
+        self.check_content_in_response(
+            '<button type="button" class="btn" onclick="location.href = 
\'{}\'; return false">'.format(
+                expected_origin
+            ),
+            resp,
+        )
+
+    @parameterized.expand(
+        [
+            ("javascript:alert(1)", "/home"),
+            ("http://google.com";, "/home"),
+            (
+                "%2Ftree%3Fdag_id%3Dexample_bash_operator';alert(33)//",
+                "/tree?dag_id=example_bash_operator%27%3Balert%2833%29%2F%2F",
+            ),
+            ("%2Ftree%3Fdag_id%3Dexample_bash_operator", 
"/tree?dag_id=example_bash_operator"),
+            ("%2Fgraph%3Fdag_id%3Dexample_bash_operator", 
"/graph?dag_id=example_bash_operator"),
+        ]
+    )
+    @pytest.mark.skipif(
+        sys.version_info > (3, 8, 7),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_trigger_dag_form_origin_url_py_gt_387(self, test_origin, 
expected_origin):
         test_dag_id = "example_bash_operator"
 
         resp = 
self.client.get(f'trigger?dag_id={test_dag_id}&origin={test_origin}')
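Review bot: The skip guards look inverted relative to the test names, and on Python 3.8.7 neither variant runs. `test_trigger_dag_form_origin_url_py_lte_387` is skipped when `sys.version_info < (3, 8, 8)`, so it only runs on 3.8.8 and later, while `test_trigger_dag_form_origin_url_py_gt_387` is skipped when `sys.version_info > (3, 8, 7)`; because `sys.version_info` is a five-element tuple, that comparison is already true on 3.8.7 itself, so both tests are skipped there. The `%27%3Balert%2833%29%2F%2F` expectation in the `_gt_387` parameters reads like the post-fix parsing, which suggests `sys.version_info >= (3, 8, 8)` on the `_lte_387` test and `sys.version_info < (3, 8, 8)` on the `_gt_387` test; the `_lte_387` parameter list starts above this hunk and the `_gt_387` body continues below it, so confirm against both. The same pair of guards is repeated on `test_get_safe_url_py_lte_387` and `test_get_safe_url_py_gt_387` in the next hunk. These tests pin how the `origin` redirect target is sanitised, so a silent skip removes that regression coverage on the affected interpreters.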
@@ -3306,11 +3337,40 @@ class TestHelperFunctions(TestBase):
             ),
         ]
     )
-    @mock.patch("airflow.www.views.url_for")
-    def test_get_safe_url(self, test_url, expected_url, mock_url_for):
-        mock_url_for.return_value = "/home"
-        with self.app.test_request_context(base_url="http://localhost:8080";):
-            assert get_safe_url(test_url) == expected_url
+    @pytest.mark.skipif(
+        sys.version_info < (3, 8, 8),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_get_safe_url_py_lte_387(self, test_url, expected_url):
+        with mock.patch("airflow.www.views.url_for") as mock_url_for:
+            mock_url_for.return_value = "/home"
+            with 
self.app.test_request_context(base_url="http://localhost:8080";):
+                assert get_safe_url(test_url) == expected_url
+
+    @parameterized.expand(
+        [
+            ("", "/home"),
+            ("http://google.com";, "/home"),
+            (
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag';alert(33)//",
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3F";
+                "dag_id%25test_dag%27%3Balert%2833%29%2F%2F",
+            ),
+            (
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%test_dag";,
+                
"http://localhost:8080/trigger?dag_id=test_dag&origin=%2Ftree%3Fdag_id%25test_dag";,
+            ),
+        ]
+    )
+    @pytest.mark.skipif(
+        sys.version_info > (3, 8, 7),
+        reason='Vulnerability was fixed in Python 3.8.8 which changed the 
query string separator: bpo-42967',
+    )
+    def test_get_safe_url_py_gt_387(self, test_url, expected_url):
+        with mock.patch("airflow.www.views.url_for") as mock_url_for:
+            mock_url_for.return_value = "/home"
+            with 
self.app.test_request_context(base_url="http://localhost:8080";):
+                assert get_safe_url(test_url) == expected_url
 
     @parameterized.expand(
         [
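Review bot: Gating `test_get_safe_url_py_lte_387` and `test_get_safe_url_py_gt_387` on a single version tuple does not track where the `;` separator change actually landed. As far as I know the bpo-42967 fix was also backported to other release lines, so `sys.version_info > (3, 8, 7)` is true on early 3.9 patch releases that may still split on `;`. A behaviour probe is more robust, for example a module-level `SEMICOLON_IS_SEPARATOR = len(parse_qsl("a=1;b=2")) == 2` (from `urllib.parse`) used in both `skipif` conditions here and on the trigger-form pair in the previous hunk. That way exactly one variant of each `get_safe_url` sanitisation test runs on every interpreter, whatever its patch level.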
