mirror of
https://github.com/langgenius/dify.git
synced 2026-05-03 17:08:03 +08:00
* test: adding some web tests (#27792)
* feat: add validation to prevent saving empty opening statement in conversation opener modal (#27843)
* fix(web): improve the consistency of the inputs-form UI (#27837)
* fix(web): increase z-index of PortalToFollowElemContent (#27823)
* fix: installation_id is missing when in tools page (#27849)
* fix: avoid passing empty uniqueIdentifier to InstallFromMarketplace (#27802)
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* test: create new test scripts and update some existing test scripts o… (#27850)
* feat: change feedback to forum (#27862)
* chore: translate i18n files and update type definitions (#27868)
  Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
* Fix/template transformer line number (#27867)
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
  Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
* bump vite to 6.4.1 (#27877)
* Add WEAVIATE_GRPC_ENDPOINT as designed in weaviate migration guide (#27861)
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* Fix: correct DraftWorkflowApi.post response model (#27289)
  Signed-off-by: Yongtao Huang <yongtaoh2022@gmail.com>
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix Version 2.0.0-beta.2: Chat annotations Api Error #25506 (#27206)
  Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
  Co-authored-by: Asuka Minato <i@asukaminato.eu.org>
* fix jina reader credential migration command (#27883)
* fix agent putout the output of workflow-tool twice (#26835) (#27087)
* fix jina reader transform (#27922)
* fix: prevent fetch version info in enterprise edition (#27923)
* fix(api): fix `VariablePool.get` adding unexpected keys to variable_dictionary (#26767)
  Co-authored-by: -LAN- <laipz8200@outlook.com>
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* refactor: implement tenant self queue for rag tasks (#27559)
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
  Co-authored-by: -LAN- <laipz8200@outlook.com>
* fix: bump brotli to 1.2.0 resolved CVE-2025-6176 (#27950)
  Signed-off-by: kenwoodjw <blackxin55+@gmail.com>
* docs: clarify how to obtain workflow_id for version execution (#28007)
  Signed-off-by: OneZero-Y <aukovyps@163.com>
* fix: fix https://github.com/langgenius/dify/issues/27939 (#27985)
* fix: the model list encountered two children with the same key (#27956)
  Co-authored-by: haokai <haokai@shuwen.com>
* add onupdate=func.current_timestamp() (#28014)
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* chore(deps): bump scipy-stubs from 1.16.2.3 to 1.16.3.0 in /api (#28025)
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Fix typo in weaviate comment, improve time test precision, and add security tests for get-icon utility (#27919)
  Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* feat: Add Audio Content Support for MCP Tools (#27979)
* fix: elasticsearch_vector version (#28028)
  Co-authored-by: huangzhuo <huangzhuo1@xiaomi.com>
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
  Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* fix workflow default updated_at (#28047)
* feat(api): Introduce Broadcast Channel (#27835)
  This PR introduces a `BroadcastChannel` abstraction with broadcasting and at-most once delivery semantics, serving as the communication component between celery worker and API server.
  It also includes a reference implementation backed by Redis PubSub.
  Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
  Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix
* back
---------
Signed-off-by: Yongtao Huang <yongtaoh2022@gmail.com>
Signed-off-by: kenwoodjw <blackxin55+@gmail.com>
Signed-off-by: OneZero-Y <aukovyps@163.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
Co-authored-by: aka James4u <smart.jamesjin@gmail.com>
Co-authored-by: Novice <novice12185727@gmail.com>
Co-authored-by: yangzheli <43645580+yangzheli@users.noreply.github.com>
Co-authored-by: Elliott <105957288+Elliott-byte@users.noreply.github.com>
Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com>
Co-authored-by: johnny0120 <johnny0120@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Gritty_dev <101377478+codomposer@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: wangjifeng <163279492+kk-wangjifeng@users.noreply.github.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: Boris Polonsky <BorisPolonsky@users.noreply.github.com>
Co-authored-by: Yongtao Huang <yongtaoh2022@gmail.com>
Co-authored-by: Cursx <33718736+Cursx@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Asuka Minato <i@asukaminato.eu.org>
Co-authored-by: Jyong <76649700+JohnJyong@users.noreply.github.com>
Co-authored-by: red_sun <56100962+redSun64@users.noreply.github.com>
Co-authored-by: NFish <douxc512@gmail.com>
Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com>
Co-authored-by: -LAN- <laipz8200@outlook.com>
Co-authored-by: hj24 <huangjian@dify.ai>
Co-authored-by: kenwoodjw <blackxin55+@gmail.com>
Co-authored-by: OneZero-Y <aukovyps@163.com>
Co-authored-by: wangxiaolei <fatelei@gmail.com>
Co-authored-by: Kenn <kennfalcon@gmail.com>
Co-authored-by: haokai <haokai@shuwen.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com>
Co-authored-by: Will <vvfriday@gmail.com>
Co-authored-by: huangzhuo1949 <167434202+huangzhuo1949@users.noreply.github.com>
Co-authored-by: huangzhuo <huangzhuo1@xiaomi.com>
163 lines
5.9 KiB
TypeScript
/**
 * Test suite for icon utility functions
 * Tests the generation of marketplace plugin icon URLs
 */
import { getIconFromMarketPlace } from './get-icon'
import { MARKETPLACE_API_PREFIX } from '@/config'

describe('get-icon', () => {
  describe('getIconFromMarketPlace', () => {
    /**
     * Tests basic URL generation for marketplace plugin icons
     */
    test('returns correct marketplace icon URL', () => {
      const pluginId = 'test-plugin-123'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toBe(`${MARKETPLACE_API_PREFIX}/plugins/${pluginId}/icon`)
    })

    /**
     * Tests URL generation with plugin IDs containing special characters
     * like dashes and underscores
     */
    test('handles plugin ID with special characters', () => {
      const pluginId = 'plugin-with-dashes_and_underscores'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toBe(`${MARKETPLACE_API_PREFIX}/plugins/${pluginId}/icon`)
    })

    /**
     * Tests behavior with empty plugin ID
     * Note: This creates a malformed URL but doesn't throw an error
     */
    test('handles empty plugin ID', () => {
      const pluginId = ''
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toBe(`${MARKETPLACE_API_PREFIX}/plugins//icon`)
    })

    /**
     * Tests URL generation with plugin IDs containing spaces
     * Spaces will be URL-encoded when actually used
     */
    test('handles plugin ID with spaces', () => {
      const pluginId = 'plugin with spaces'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toBe(`${MARKETPLACE_API_PREFIX}/plugins/${pluginId}/icon`)
    })

    /**
     * Security tests: Path traversal attempts
     * These tests document current behavior and potential security concerns
     * Note: Current implementation does not sanitize path traversal sequences
     */
    test('handles path traversal attempts', () => {
      const pluginId = '../../../etc/passwd'
      const result = getIconFromMarketPlace(pluginId)
      // Current implementation includes path traversal sequences in URL
      // This is a potential security concern that should be addressed
      expect(result).toContain('../')
      expect(result).toContain(pluginId)
    })

    test('handles multiple path traversal attempts', () => {
      const pluginId = '../../../../etc/passwd'
      const result = getIconFromMarketPlace(pluginId)
      // Current implementation includes path traversal sequences in URL
      expect(result).toContain('../')
      expect(result).toContain(pluginId)
    })

    test('passes through URL-encoded path traversal sequences', () => {
      const pluginId = '..%2F..%2Fetc%2Fpasswd'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })

    /**
     * Security tests: Null and undefined handling
     * These tests document current behavior with invalid input types
     * Note: Current implementation converts null/undefined to strings instead of throwing
     */
    test('handles null plugin ID', () => {
      // Current implementation converts null to string "null"
      const result = getIconFromMarketPlace(null as any)
      expect(result).toContain('null')
      // This is a potential issue - should validate input type
    })

    test('handles undefined plugin ID', () => {
      // Current implementation converts undefined to string "undefined"
      const result = getIconFromMarketPlace(undefined as any)
      expect(result).toContain('undefined')
      // This is a potential issue - should validate input type
    })

    /**
     * Security tests: URL-sensitive characters
     * These tests verify that URL-sensitive characters are handled appropriately
     */
    test('does not encode URL-sensitive characters', () => {
      const pluginId = 'plugin/with?special=chars#hash'
      const result = getIconFromMarketPlace(pluginId)
      // Note: Current implementation doesn't encode, but test documents the behavior
      expect(result).toContain(pluginId)
      expect(result).toContain('?')
      expect(result).toContain('#')
      expect(result).toContain('=')
    })

    test('handles URL characters like & and %', () => {
      const pluginId = 'plugin&with%encoding'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })

    /**
     * Edge case tests: Extreme inputs
     * These tests verify behavior with unusual but valid inputs
     */
    test('handles very long plugin ID', () => {
      const pluginId = 'a'.repeat(10000)
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
      expect(result.length).toBeGreaterThan(10000)
    })

    test('handles Unicode characters', () => {
      const pluginId = '插件-🚀-测试-日本語'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })

    test('handles control characters', () => {
      const pluginId = 'plugin\nwith\ttabs\r\nand\0null'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })

    /**
     * Security tests: XSS attempts
     * These tests verify that XSS attempts are handled appropriately
     */
    test('handles XSS attempts with script tags', () => {
      const pluginId = '<script>alert("xss")</script>'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
      // Note: Current implementation doesn't sanitize, but test documents the behavior
    })

    test('handles XSS attempts with event handlers', () => {
      const pluginId = 'plugin"onerror="alert(1)"'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })

    test('handles XSS attempts with encoded script tags', () => {
      const pluginId = '%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E'
      const result = getIconFromMarketPlace(pluginId)
      expect(result).toContain(pluginId)
    })
  })
})
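One way to close the gaps these tests document, shown as an added example that is not part of the Dify code base: a hypothetical `safeMarketplaceIconUrl` validates the plugin ID against an allowlist before building the URL, so traversal sequences, URL metacharacters and non-string values are rejected instead of passed through. The function names, the ID grammar, the length limit and the `marketplace.example` prefix used to exercise it are assumptions.

```typescript
// Added example: hypothetical hardened counterpart to the builder under test.
// Assumed ID grammar (not taken from the project): "name" or "org/name",
// each segment starting with an ASCII alphanumeric.
const MAX_PLUGIN_ID_LENGTH = 256
const SEGMENT_RE = /^[A-Za-z0-9][A-Za-z0-9._-]*$/

function safeMarketplaceIconUrl(apiPrefix: string, pluginId: unknown): string {
  // Reject null/undefined instead of letting them stringify into the path
  if (typeof pluginId !== 'string')
    throw new TypeError('plugin ID must be a string')
  if (pluginId.length === 0 || pluginId.length > MAX_PLUGIN_ID_LENGTH)
    throw new RangeError('plugin ID length out of range')

  const segments = pluginId.split('/')
  if (segments.length > 2)
    throw new RangeError('plugin ID has too many segments')
  for (const segment of segments) {
    // The allowlist has no '%', '?', '#', '<' or whitespace; the leading
    // alphanumeric also rules out '', '.' and '..'
    if (!SEGMENT_RE.test(segment))
      throw new RangeError(`plugin ID segment not allowed: ${JSON.stringify(segment)}`)
  }
  // A no-op for allowlisted input; keeps the URL safe if the pattern is loosened
  const path = segments.map(segment => encodeURIComponent(segment)).join('/')
  return `${apiPrefix.replace(/\/+$/, '')}/plugins/${path}/icon`
}

// Inputs from the test cases above plus one constructed "org/name" ID
const SAMPLE_IDS: unknown[] = [
  'test-plugin-123', 'example-org/example-plugin',
  '', '../../../etc/passwd', '..%2F..%2Fetc%2Fpasswd',
  'plugin/with?special=chars#hash', '<script>alert("xss")</script>',
  'plugin\nwith\ttabs\r\nand\0null', null, undefined,
]

// Returns the URLs built for the IDs that pass validation; rejected IDs are skipped
function buildAccepted(apiPrefix: string, ids: unknown[]): string[] {
  const urls: string[] = []
  for (const id of ids) {
    try { urls.push(safeMarketplaceIconUrl(apiPrefix, id)) }
    catch { /* rejected by validation */ }
  }
  return urls
}
```

Of the sample inputs, only the first two IDs produce a URL; callers that render icons should treat a thrown error as "no icon" rather than falling back to the unvalidated string.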