testit-python-commons 3.6.4__tar.gz → 3.6.5__tar.gz

{testit_python_commons-3.6.4 → testit_python_commons-3.6.5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: testit-python-commons
-Version: 3.6.4
+Version: 3.6.5
 Summary: Python commons for Test IT
 Home-page: https://github.com/testit-tms/adapters-python/
 Author: Integration team

{testit_python_commons-3.6.4 → testit_python_commons-3.6.5}/setup.py

@@ -1,6 +1,6 @@
 from setuptools import find_packages, setup
 
-VERSION = "3.6.4"
+VERSION = "3.6.5"
 
 setup(
     name='testit-python-commons',

{testit_python_commons-3.6.4 → testit_python_commons-3.6.5}/src/testit_python_commons/client/api_client.py

@@ -21,6 +21,7 @@ from testit_python_commons.client.converter import Converter
 from testit_python_commons.models.test_result import TestResult
 from testit_python_commons.services.logger import adapter_logger
 from testit_python_commons.services.retry import retry
+from testit_python_commons.utils.html_escape_utils import HtmlEscapeUtils
 
 
 class ApiClientWorker:
@@ -57,6 +58,11 @@ class ApiClientWorker:
             header_name='Authorization',
             header_value='PrivateToken ' + token)
 
+    @staticmethod
+    def _escape_html_in_model(model):
+        """Apply HTML escaping to all models before sending to API"""
+        return HtmlEscapeUtils.escape_html_in_object(model)
+
     @adapter_logger
     def create_test_run(self):
         test_run_name = f'TestRun_{datetime.today().strftime("%Y-%m-%dT%H:%M:%S")}' if \
@@ -65,6 +71,7 @@ class ApiClientWorker:
             self.__config.get_project_id(),
             test_run_name
         )
+        model = self._escape_html_in_model(model)
 
         response = self.__test_run_api.create_empty(create_empty_test_run_api_model=model)
 
@@ -288,6 +295,7 @@ class ApiClientWorker:
         logging.debug(f'Autotest "{test_result.get_autotest_name()}" was not found')
 
         model = self.__prepare_to_create_autotest(test_result)
+        model = self._escape_html_in_model(model)
 
         autotest_response = self.__autotest_api.create_auto_test(auto_test_post_model=model)
 
@@ -299,6 +307,7 @@ class ApiClientWorker:
     def __create_tests(self, autotests_for_create: typing.List[AutoTestPostModel]):
         logging.debug(f'Creating autotests: "{autotests_for_create}')
 
+        autotests_for_create = self._escape_html_in_model(autotests_for_create)
         self.__autotest_api.create_multiple(auto_test_post_model=autotests_for_create)
 
         logging.debug(f'Autotests were created')
@@ -308,6 +317,7 @@ class ApiClientWorker:
         logging.debug(f'Autotest "{test_result.get_autotest_name()}" was found')
 
         model = self.__prepare_to_update_autotest(test_result, autotest)
+        model = self._escape_html_in_model(model)
 
         self.__autotest_api.update_auto_test(auto_test_put_model=model)
 
@@ -317,6 +327,7 @@ class ApiClientWorker:
     def __update_tests(self, autotests_for_update: typing.List[AutoTestPutModel]):
         logging.debug(f'Updating autotests: {autotests_for_update}')
 
+        autotests_for_update = self._escape_html_in_model(autotests_for_update)
         self.__autotest_api.update_multiple(auto_test_put_model=autotests_for_update)
 
         logging.debug(f'Autotests were updated')
@@ -344,6 +355,7 @@ class ApiClientWorker:
         model = Converter.test_result_to_testrun_result_post_model(
             test_result,
             self.__config.get_configuration_id())
+        model = self._escape_html_in_model(model)
 
         response = self.__test_run_api.set_auto_test_results_for_test_run(
             id=self.__config.get_test_run_id(),
@@ -358,6 +370,7 @@ class ApiClientWorker:
     def __load_test_results(self, test_results: typing.List[AutoTestResultsForTestRunModel]):
         logging.debug(f'Loading test results: {test_results}')
 
+        test_results = self._escape_html_in_model(test_results)
         self.__test_run_api.set_auto_test_results_for_test_run(
             id=self.__config.get_test_run_id(),
             auto_test_results_for_test_run_model=test_results)
@@ -379,6 +392,8 @@ class ApiClientWorker:
                     test_result.get_setup_results())
             model.teardown_results = Converter.step_results_to_auto_test_step_result_update_request(
                     test_result.get_teardown_results())
+            
+            model = self._escape_html_in_model(model)
 
             try:
                 self.__test_results_api.api_v2_test_results_id_put(
@@ -397,7 +412,9 @@ class ApiClientWorker:
                     attachment_response = self.__attachments_api.api_v2_attachments_post(
                         file=path)
 
-                    attachments.append(AttachmentPutModel(id=attachment_response.id))
+                    attachment_model = AttachmentPutModel(id=attachment_response.id)
+                    attachment_model = self._escape_html_in_model(attachment_model)
+                    attachments.append(attachment_model)
 
                     logging.debug(f'Attachment "{path}" was uploaded')
                 except Exception as exc:

testit_python_commons-3.6.5/src/testit_python_commons/utils/__init__.py

@@ -0,0 +1,3 @@
+from .html_escape_utils import HtmlEscapeUtils
+
+__all__ = ['HtmlEscapeUtils'] 

testit_python_commons-3.6.5/src/testit_python_commons/utils/html_escape_utils.py

@@ -0,0 +1,212 @@
+import os
+import re
+import logging
+from typing import Any, List, Optional, Union
+from datetime import datetime, date, time, timedelta
+from decimal import Decimal
+from uuid import UUID
+
+
+class HtmlEscapeUtils:
+    """
+    HTML escape utilities for preventing XSS attacks.
+    Escapes HTML tags in strings and objects using reflection.
+    """
+    
+    NO_ESCAPE_HTML_ENV_VAR = "NO_ESCAPE_HTML"
+    
+    # Regex pattern to detect HTML tags (requires at least one non-whitespace character after <)
+    # This ensures empty <> brackets are not considered HTML tags
+    _HTML_TAG_PATTERN = re.compile(r'<\S.*?(?:>|/>)')
+    
+    # Regex patterns to escape only non-escaped characters
+    # Using negative lookbehind to avoid double escaping
+    _LESS_THAN_PATTERN = re.compile(r'(?<!\\)<')
+    _GREATER_THAN_PATTERN = re.compile(r'(?<!\\)>')
+    
+    @staticmethod
+    def escape_html_tags(text: Optional[str]) -> Optional[str]:
+        """
+        Escapes HTML tags to prevent XSS attacks.
+        First checks if the string contains HTML tags using regex pattern.
+        Only performs escaping if HTML tags are detected.
+        Escapes all < as \\< and > as \\> only if they are not already escaped.
+        Uses regex with negative lookbehind to avoid double escaping.
+        
+        Args:
+            text: The text to escape
+            
+        Returns:
+            Escaped text or original text if escaping is disabled
+        """
+        if text is None:
+            return None
+            
+        # Check if escaping is disabled via environment variable
+        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
+        if no_escape_html == "true":
+            return text
+            
+        # First check if the string contains HTML tags
+        if not HtmlEscapeUtils._HTML_TAG_PATTERN.search(text):
+            return text  # No HTML tags found, return original string
+            
+        # Use regex with negative lookbehind to escape only non-escaped characters
+        result = HtmlEscapeUtils._LESS_THAN_PATTERN.sub(r'\\<', text)
+        result = HtmlEscapeUtils._GREATER_THAN_PATTERN.sub(r'\\>', result)
+        
+        return result
+    
+    @staticmethod
+    def escape_html_in_object(obj: Any) -> Any:
+        """
+        Escapes HTML tags in all string attributes of an object using reflection.
+        Also processes list attributes: if list of objects - calls escape_html_in_object_list,
+        if list of strings - escapes each string.
+        Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
+        
+        Args:
+            obj: The object to process
+            
+        Returns:
+            The processed object with escaped strings
+        """
+        if obj is None:
+            return None
+            
+        # Check if escaping is disabled via environment variable
+        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
+        if no_escape_html == "true":
+            return obj
+            
+        try:
+            HtmlEscapeUtils._process_object_attributes(obj)
+        except Exception as e:
+            # Silently ignore reflection errors
+            logging.debug(f"Error processing object attributes: {e}")
+            
+        return obj
+    
+    @staticmethod
+    def escape_html_in_object_list(obj_list: Optional[List[Any]]) -> Optional[List[Any]]:
+        """
+        Escapes HTML tags in all string attributes of objects in a list using reflection.
+        Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
+        
+        Args:
+            obj_list: The list of objects to process
+            
+        Returns:
+            The processed list with escaped strings in all objects
+        """
+        if obj_list is None:
+            return None
+            
+        # Check if escaping is disabled via environment variable
+        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
+        if no_escape_html == "true":
+            return obj_list
+            
+        for obj in obj_list:
+            HtmlEscapeUtils.escape_html_in_object(obj)
+            
+        return obj_list
+    
+    @staticmethod
+    def _process_object_attributes(obj: Any) -> None:
+        """
+        Process all attributes of an object for HTML escaping.
+        """
+        # Handle dictionary-like objects (common in API models)
+        if hasattr(obj, '__dict__'):
+            for attr_name in dir(obj):
+                # Skip private/protected attributes and methods
+                if attr_name.startswith('_') or callable(getattr(obj, attr_name, None)):
+                    continue
+                    
+                try:
+                    value = getattr(obj, attr_name)
+                    HtmlEscapeUtils._process_attribute_value(obj, attr_name, value)
+                except Exception as e:
+                    # Silently ignore attribute errors
+                    logging.debug(f"Error processing attribute {attr_name}: {e}")
+                    
+        # Handle dictionary objects
+        elif isinstance(obj, dict):
+            for key, value in obj.items():
+                if isinstance(value, str):
+                    obj[key] = HtmlEscapeUtils.escape_html_tags(value)
+                elif isinstance(value, list):
+                    HtmlEscapeUtils._process_list(value)
+                elif not HtmlEscapeUtils._is_simple_type(type(value)):
+                    HtmlEscapeUtils.escape_html_in_object(value)
+    
+    @staticmethod
+    def _process_attribute_value(obj: Any, attr_name: str, value: Any) -> None:
+        """
+        Process a single attribute value for HTML escaping.
+        """
+        if isinstance(value, str):
+            # Escape string attributes
+            try:
+                setattr(obj, attr_name, HtmlEscapeUtils.escape_html_tags(value))
+            except AttributeError:
+                # Attribute might be read-only
+                pass
+        elif isinstance(value, list):
+            HtmlEscapeUtils._process_list(value)
+        elif value is not None and not HtmlEscapeUtils._is_simple_type(type(value)):
+            # Process nested objects (but not simple types)
+            HtmlEscapeUtils.escape_html_in_object(value)
+    
+    @staticmethod
+    def _process_list(lst: List[Any]) -> None:
+        """
+        Process a list for HTML escaping.
+        """
+        if not lst:
+            return
+            
+        first_element = lst[0]
+        
+        if isinstance(first_element, str):
+            # List of strings - escape each string
+            for i, item in enumerate(lst):
+                if isinstance(item, str):
+                    lst[i] = HtmlEscapeUtils.escape_html_tags(item)
+        elif first_element is not None:
+            # List of objects - process each object
+            for item in lst:
+                HtmlEscapeUtils.escape_html_in_object(item)
+    
+    @staticmethod
+    def _is_simple_type(obj_type: type) -> bool:
+        """
+        Checks if a type is a simple type that doesn't need HTML escaping.
+        
+        Args:
+            obj_type: Type to check
+            
+        Returns:
+            True if it's a simple type
+        """
+        simple_types = {
+            # Basic types
+            bool, int, float, complex, bytes, bytearray,
+            # String type (handled separately)
+            str,
+            # Date/time types
+            datetime, date, time, timedelta,
+            # Other common types
+            Decimal, UUID,
+            # None type
+            type(None)
+        }
+        
+        return (
+            obj_type in simple_types or
+            # Check for enums
+            (hasattr(obj_type, '__bases__') and any(
+                base.__name__ == 'Enum' for base in obj_type.__bases__
+            ))
+        ) 

{testit_python_commons-3.6.4 → testit_python_commons-3.6.5}/src/testit_python_commons.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: testit-python-commons
-Version: 3.6.4
+Version: 3.6.5
 Summary: Python commons for Test IT
 Home-page: https://github.com/testit-tms/adapters-python/
 Author: Integration team

{testit_python_commons-3.6.4 → testit_python_commons-3.6.5}/src/testit_python_commons.egg-info/SOURCES.txt

@@ -35,5 +35,8 @@ src/testit_python_commons/services/retry.py
 src/testit_python_commons/services/step_manager.py
 src/testit_python_commons/services/step_result_storage.py
 src/testit_python_commons/services/utils.py
+src/testit_python_commons/utils/__init__.py
+src/testit_python_commons/utils/html_escape_utils.py
 tests/test_app_properties.py
-tests/test_dynamic_methods.py
+tests/test_dynamic_methods.py
+tests/test_html_escape_utils.py

testit_python_commons-3.6.5/tests/test_html_escape_utils.py

@@ -0,0 +1,116 @@
+import os
+import unittest
+from testit_python_commons.utils.html_escape_utils import HtmlEscapeUtils
+
+
+class SampleData:
+    def __init__(self, name="Test Name", description="<script>alert('xss')</script>"):
+        self.name = name
+        self.description = description
+        self.tags = ["<tag>", "normal_tag"]
+
+
+class TestHtmlEscapeUtils(unittest.TestCase):
+
+    def test_escape_html_tags_basic(self):
+        """Test basic HTML tag escaping"""
+        text = "Hello <script>alert('test')</script> world"
+        result = HtmlEscapeUtils.escape_html_tags(text)
+        expected = "Hello \\<script\\>alert('test')\\</script\\> world"
+        self.assertEqual(result, expected)
+
+    def test_escape_html_tags_no_html_content(self):
+        """Test that strings without HTML tags are returned unchanged"""
+        text = "Just plain text without any tags"
+        result = HtmlEscapeUtils.escape_html_tags(text)
+        self.assertEqual(result, text)  # Should be identical object
+        
+        text_with_empty_brackets = "Text with & symbols and other <> but not HTML tags"
+        result = HtmlEscapeUtils.escape_html_tags(text_with_empty_brackets)
+        # This should remain unchanged because <> is not a valid HTML tag
+        self.assertEqual(result, text_with_empty_brackets)
+
+
+    def test_escape_html_tags_none(self):
+        """Test handling of None input"""
+        result = HtmlEscapeUtils.escape_html_tags(None)
+        self.assertIsNone(result)
+
+    def test_escape_html_tags_no_double_escaping(self):
+        """Test that already escaped characters are not double-escaped"""
+        text = "Already \\<escaped\\> and <not_escaped>"
+        result = HtmlEscapeUtils.escape_html_tags(text)
+        expected = "Already \\<escaped\\> and \\<not_escaped\\>"
+        self.assertEqual(result, expected)
+
+    def test_escape_html_tags_various_tags(self):
+        """Test escaping of various HTML tag types"""
+        test_cases = [
+            ("<div>content</div>", "\\<div\\>content\\</div\\>"),
+            ("<img src='test.jpg'/>", "\\<img src='test.jpg'/\\>"),
+            ("<br>", "\\<br\\>"),
+            ("<span class='test'>text</span>", "\\<span class='test'\\>text\\</span\\>"),
+            ("No tags here", "No tags here"),  # Should remain unchanged
+            ("<>", "<>"),  # Empty angle brackets - should remain unchanged
+            ("< >", "< >"),  # Spaced angle brackets - should remain unchanged
+        ]
+        
+        for input_text, expected in test_cases:
+            with self.subTest(input_text=input_text):
+                result = HtmlEscapeUtils.escape_html_tags(input_text)
+                self.assertEqual(result, expected)
+
+    def test_escape_html_in_object(self):
+        """Test HTML escaping in object attributes"""
+        test_obj = SampleData()
+        result = HtmlEscapeUtils.escape_html_in_object(test_obj)
+        
+        self.assertEqual(result.name, "Test Name")  # No escaping needed
+        self.assertEqual(result.description, "\\<script\\>alert('xss')\\</script\\>")  # Escaped
+        self.assertEqual(result.tags[0], "\\<tag\\>")  # Escaped
+        self.assertEqual(result.tags[1], "normal_tag")  # No escaping needed
+
+    def test_escape_html_in_object_list(self):
+        """Test HTML escaping in list of objects"""
+        test_list = [
+            SampleData("First", "<div>content</div>"),
+            SampleData("Second", "<span>more</span>")
+        ]
+        result = HtmlEscapeUtils.escape_html_in_object_list(test_list)
+        
+        self.assertEqual(result[0].description, "\\<div\\>content\\</div\\>")
+        self.assertEqual(result[1].description, "\\<span\\>more\\</span\\>")
+
+    def test_escape_disabled_by_env_var(self):
+        """Test that escaping can be disabled via environment variable"""
+        os.environ[HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR] = "true"
+        
+        try:
+            text = "Hello <script>alert('test')</script> world"
+            result = HtmlEscapeUtils.escape_html_tags(text)
+            self.assertEqual(result, text)  # Should be unchanged
+            
+            test_obj = SampleData()
+            result = HtmlEscapeUtils.escape_html_in_object(test_obj)
+            self.assertEqual(result.description, "<script>alert('xss')</script>")  # Should be unchanged
+        finally:
+            # Clean up environment variable
+            del os.environ[HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR]
+
+    def test_escape_html_in_dictionary(self):
+        """Test HTML escaping in dictionary objects"""
+        test_dict = {
+            "name": "Test",
+            "description": "<script>alert('xss')</script>",
+            "tags": ["<tag>", "normal_tag"]
+        }
+        result = HtmlEscapeUtils.escape_html_in_object(test_dict)
+        
+        self.assertEqual(result["name"], "Test")
+        self.assertEqual(result["description"], "\\<script\\>alert('xss')\\</script\\>")
+        self.assertEqual(result["tags"][0], "\\<tag\\>")
+        self.assertEqual(result["tags"][1], "normal_tag")
+
+
+if __name__ == '__main__':
+    unittest.main()