def test_payload_is_executable_4(self): js_code = "PAYLOAD; alert('Hello');" contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptExecutableContext) self.assertTrue(context.is_executable())
def test_payload_break_single_quote_2(self): js_code = "alert('PAYLOAD');" contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptSingleQuoteString) self.assertFalse(context.is_executable())
def test_payload_is_all_content(self): js_code = 'PAYLOAD' contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptExecutableContext) self.assertTrue(context.is_executable())
def test_payload_is_executable_2(self): js_code = "init({login:'',foo: PAYLOAD})" contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptExecutableContext) self.assertTrue(context.is_executable())
def test_payload_break_double_quote_3(self): js_code = 'alert("Hello " + "PAYLOAD");' contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptDoubleQuoteString) self.assertFalse(context.is_executable())
def test_payload_break_double_quote_1(self): js_code = 'init({login:'',foo: "PAYLOAD"})' contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptDoubleQuoteString) self.assertFalse(context.is_executable())
def test_single_quote_mix_double(self): js_code = "alert('Hello' + \"PAYLOAD\");" contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptDoubleQuoteString) self.assertFalse(context.is_executable())
def test_single_quote_escape(self): js_code = "alert('Hello \\' world' + PAYLOAD);" contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptExecutableContext) self.assertTrue(context.is_executable())
def test_payload_break_multi_line_comment_false_positive(self): js_code = """ foo('/* PAYLOAD'); """ contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptSingleQuoteString) self.assertFalse(context.is_executable())
def test_payload_break_single_line_comment_with_single_quote(self): js_code = """ foo(); // I\'m a single quote and I break stuff PAYLOAD bar(); """ contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptSingleLineComment) self.assertFalse(context.is_executable())
def test_payload_break_single_line_comment(self): js_code = """ foo(); // PAYLOAD bar(); """ contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptSingleLineComment) self.assertFalse(context.is_executable())
def test_payload_break_multi_line_comment(self): js_code = """ foo(''); /* Multi Line PAYLOAD Comments */ bar(); """ contexts = get_js_context(js_code, 'PAYLOAD') self.assertEqual(len(contexts), 1, contexts) context = contexts[0] self.assertIsInstance(context, ScriptMultiLineComment) self.assertFalse(context.is_executable())