etherpad-lite/tests
Richard Hansen b80a37173e security: Fix authorization bypass vulnerability
Before, a malicious user could bypass authorization restrictions
imposed by the authorize hook:

 * Step 1: Fetch any resource that the malicious user is authorized to
   access (e.g., static content).
 * Step 2: Use the signed express_sid cookie generated in step 1 to
   create a socket.io connection.
 * Step 3: Perform the CLIENT_READY handshake for the desired pad.
 * Step 4: Profit!

Now the authorization decision made by the authorize hook is
propagated to SecurityManager so that it can approve or reject
socket.io messages as appropriate.

This also sets up future support for per-user read-only and
modify-only (no create) authorization levels.
2020-09-15 21:40:25 +01:00
| Name | Last commit | Date |
|---|---|---|
| backend | security: Fix authorization bypass vulnerability | 2020-09-15 21:40:25 +01:00 |
| container | tests: remove loadSettings.js for backend tests. | 2020-04-14 03:36:13 +02:00 |
| frontend | Update responsiveness.js | 2020-09-12 11:00:05 +01:00 |
| README.md | tests: backend tests are now run with "npm test" instead of a custom bash script | 2018-07-28 23:54:51 +02:00 |

README.md

# About this folder: Tests

Before running the tests, start an Etherpad instance on your machine.

## Frontend

To run the frontend tests, point your browser to `<yourdomainhere>/tests/frontend`.

## Backend

To run the backend tests, run `cd src` and then `npm test`.