
Commit 3231d19

ThomasLaPianapattisdr
authored andcommitted
Merge pull request from GHSA-fgjj-5jmr-gh83
* feat: use a pydantic URL type for privacy policy URLs * fix: static_checks * fix: more tests, but still some failures on patching * fix: update other uses of invalid URLs in the tests * Update src/fides/api/schemas/privacy_experience.py Co-authored-by: Dawn Pattison <pattisdr@users.noreply.github.com> * fix: consent util tests * dummy commit --------- Co-authored-by: Dawn Pattison <pattisdr@users.noreply.github.com>
1 parent b64f2f8 commit 3231d19

7 files changed

+94
-42
lines changed

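--- a/src/fides/api/schemas/privacy_experience.py
+++ b/src/fides/api/schemas/privacy_experience.py
@@ -3,7 +3,7 @@
 from datetime import datetime
 from typing import Any, Dict, List, Optional
 
-from pydantic import Extra, Field, root_validator, validator
+from pydantic import Extra, Field, HttpUrl, root_validator, validator
 
 from fides.api.models.privacy_experience import BannerEnabled, ComponentType
 from fides.api.models.privacy_notice import PrivacyNoticeRegion
@@ -43,8 +43,8 @@ class ExperienceConfigSchema(FidesSchema):
 privacy_policy_link_label: Optional[str] = Field(
 description="Overlay and Privacy Center 'Privacy policy link label'"
 )
-privacy_policy_url: Optional[str] = Field(
-description="Overlay and Privacy Center 'Privacy policy URl'"
+privacy_policy_url: Optional[HttpUrl] = Field(
+default=None, description="Overlay and Privacy Center 'Privacy policy URL"
 )
 privacy_preferences_link_label: Optional[str] = Field(
 description="Overlay 'Privacy preferences link label'"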
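Review bot: Typing `privacy_policy_url` as `Optional[HttpUrl]` in the second hunk validates only values that pass through this schema; rows saved before the change are not re-checked, and the old fixtures show that scheme-less values such as `example.com/privacy` were accepted until now. If a response model shares this field (not visible here), reading such a legacy row could fail validation, and a previously stored `javascript:` value would presumably still reach the rendered link, so a data migration or a render-side scheme check looks worth adding. The new description string has also lost its closing quote and should read `description="Overlay and Privacy Center 'Privacy policy URL'"`. The class body continues outside the hunk.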

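--- a/tests/fixtures/application_fixtures.py
+++ b/tests/fixtures/application_fixtures.py
@@ -2302,7 +2302,7 @@ def privacy_preference_history(
 "request_origin": "privacy_center",
 "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/324.42 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/425.24",
 "user_geography": "us_ca",
-"url_recorded": "example.com/privacy_center",
+"url_recorded": "https://example.com/privacy_center",
 "served_notice_history_id": served_notice_history.id,
 },
 check_name=False,
@@ -2651,7 +2651,7 @@ def experience_config_overlay(db: Session) -> Generator:
 "disabled": False,
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our company&#x27;s privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "https://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Manage your consent",
@@ -2677,7 +2677,7 @@ def experience_config_tcf_overlay(db: Session) -> Generator:
 "disabled": False,
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our company&#x27;s privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "https://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Manage your consent",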

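--- a/tests/ops/api/v1/endpoints/test_privacy_experience_config_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_privacy_experience_config_endpoints.py
@@ -317,7 +317,7 @@ def overlay_experience_request_body(self) -> dict:
 "disabled": False,
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "Reject all",
 "regions": [],
 "save_button_label": "Save",
@@ -455,7 +455,7 @@ def test_create_another_default_experience_config(
 "description": "We take your privacy seriously",
 "is_default": True,
 "privacy_policy_link_label": "Manage your privacy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "No",
 "save_button_label": "Save",
 "title": "Manage your privacy",
@@ -469,6 +469,39 @@ def test_create_another_default_experience_config(
 == "Cannot set as the default. Only one default privacy_center config can be in the system."
 )
 
+@pytest.mark.parametrize(
+"invalid_url",
+[
+"thisisnotaurl",
+"javascript:alert('XSS: domain scope: '+document.domain)",
+],
+)
+def test_create_experience_config_with_invalid_policy_url(
+self, api_client: TestClient, url, generate_auth_header, db, invalid_url
+) -> None:
+"""
+Verify that an invalid Privacy Policy URL returns a 422.
+"""
+auth_header = generate_auth_header(
+scopes=[scopes.PRIVACY_EXPERIENCE_CREATE, scopes.PRIVACY_EXPERIENCE_UPDATE]
+)
+response = api_client.post(
+url,
+json={
+"accept_button_label": "Yes",
+"banner_enabled": "always_disabled",
+"component": "privacy_center",
+"description": "We take your company's privacy seriously",
+"privacy_policy_link_label": "Manage your privacy",
+"privacy_policy_url": invalid_url,
+"reject_button_label": "No",
+"save_button_label": "Save",
+"title": "Manage your privacy",
+},
+headers=auth_header,
+)
+assert response.status_code == 422
+
 def test_create_experience_config_with_no_regions(
 self, api_client: TestClient, url, generate_auth_header, db
 ) -> None:
@@ -487,7 +520,7 @@ def test_create_experience_config_with_no_regions(
 "component": "privacy_center",
 "description": "We take your company's privacy seriously",
 "privacy_policy_link_label": "Manage your privacy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "No",
 "save_button_label": "Save",
 "title": "Manage your privacy",
@@ -503,7 +536,7 @@ def test_create_experience_config_with_no_regions(
 resp["description"] == "We take your company's privacy seriously"
 ) # Returned in the response, unescaped, for display
 assert resp["privacy_policy_link_label"] == "Manage your privacy"
-assert resp["privacy_policy_url"] == "example.com/privacy"
+assert resp["privacy_policy_url"] == "http://example.com/privacy"
 assert resp["regions"] == []
 assert resp["reject_button_label"] == "No"
 assert resp["save_button_label"] == "Save"
@@ -551,7 +584,7 @@ def test_create_experience_config_with_empty_regions(
 "component": "privacy_center",
 "description": "We take your privacy seriously",
 "privacy_policy_link_label": "Manage your privacy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "regions": [],
 "reject_button_label": "No",
 "save_button_label": "Save",
@@ -566,7 +599,7 @@ def test_create_experience_config_with_empty_regions(
 assert resp["component"] == "privacy_center"
 assert resp["description"] == "We take your privacy seriously"
 assert resp["privacy_policy_link_label"] == "Manage your privacy"
-assert resp["privacy_policy_url"] == "example.com/privacy"
+assert resp["privacy_policy_url"] == "http://example.com/privacy"
 assert resp["regions"] == []
 assert resp["reject_button_label"] == "No"
 assert resp["save_button_label"] == "Save"
@@ -624,7 +657,7 @@ def test_create_experience_config_no_existing_experiences(
 "description": "We care about your privacy. Opt in and opt out of the data use cases below.",
 "privacy_preferences_link_label": "Control your privacy",
 "privacy_policy_link_label": "Control your privacy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "regions": ["us_ny"],
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
@@ -645,7 +678,7 @@ def test_create_experience_config_no_existing_experiences(
 )
 assert resp["privacy_preferences_link_label"] == "Control your privacy"
 assert resp["privacy_policy_link_label"] == "Control your privacy"
-assert resp["privacy_policy_url"] == "example.com/privacy"
+assert resp["privacy_policy_url"] == "http://example.com/privacy"
 assert resp["regions"] == ["us_ny"]
 assert resp["reject_button_label"] == "Reject all"
 assert resp["save_button_label"] == "Save"
@@ -667,7 +700,7 @@ def test_create_experience_config_no_existing_experiences(
 experience_config.privacy_preferences_link_label == "Control your privacy"
 )
 assert experience_config.privacy_policy_link_label == "Control your privacy"
-assert experience_config.privacy_policy_url == "example.com/privacy"
+assert experience_config.privacy_policy_url == "http://example.com/privacy"
 assert experience_config.regions == [PrivacyNoticeRegion.us_ny]
 assert experience_config.reject_button_label == "Reject all"
 assert experience_config.save_button_label == "Save"
@@ -700,7 +733,9 @@ def test_create_experience_config_no_existing_experiences(
 experience_config_history.privacy_policy_link_label
 == "Control your privacy"
 )
-assert experience_config_history.privacy_policy_url == "example.com/privacy"
+assert (
+experience_config_history.privacy_policy_url == "http://example.com/privacy"
+)
 assert experience_config_history.reject_button_label == "Reject all"
 assert experience_config_history.save_button_label == "Save"
 assert experience_config_history.title == "Control your privacy"
@@ -758,7 +793,7 @@ def test_create_experience_config_existing_experiences(
 "description": "We care about your privacy. Opt in and opt out of the data use cases below.",
 "privacy_preferences_link_label": "Control your privacy",
 "privacy_policy_link_label": "Control your privacy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "regions": ["us_tx"],
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
@@ -779,7 +814,7 @@ def test_create_experience_config_existing_experiences(
 )
 assert resp["privacy_preferences_link_label"] == "Control your privacy"
 assert resp["privacy_policy_link_label"] == "Control your privacy"
-assert resp["privacy_policy_url"] == "example.com/privacy"
+assert resp["privacy_policy_url"] == "http://example.com/privacy"
 assert resp["regions"] == ["us_tx"]
 assert resp["reject_button_label"] == "Reject all"
 assert resp["save_button_label"] == "Save"
@@ -957,7 +992,7 @@ def overlay_experience_config(self, db) -> PrivacyExperienceConfig:
 "disabled": False,
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Control your privacy",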
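Review bot: `test_create_experience_config_with_invalid_policy_url` asserts only `response.status_code == 422`, so it would also pass if the request were rejected because of some other field. Pinning the failing field makes the regression test specific, e.g. `assert response.json()["detail"][0]["loc"][-1] == "privacy_policy_url"` (this assumes the default FastAPI validation-error shape, which is not visible here). The auth header requests `PRIVACY_EXPERIENCE_UPDATE`, yet only the POST create path is exercised; a matching case against the update endpoint would cover the other write path into this field. The sample URLs in this commit mix `http://` (here) and `https://` (the fixtures); since `HttpUrl` accepts both, a short comment saying whether plain `http` is meant to stay allowed would help.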
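--- a/tests/ops/api/v1/endpoints/test_privacy_preference_endpoints.py
+++ b/tests/ops/api/v1/endpoints/test_privacy_preference_endpoints.py
@@ -2073,7 +2073,7 @@ def test_get_historical_preferences(
 assert response_body["user_geography"] == "us_ca"
 assert response_body["relevant_systems"] == [system.fides_key]
 assert response_body["affected_system_status"] == {system.fides_key: "complete"}
-assert response_body["url_recorded"] == "example.com/privacy_center"
+assert response_body["url_recorded"] == "https://example.com/privacy_center"
 assert (
 response_body["user_agent"]
 == "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/324.42 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/425.24"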

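--- a/tests/ops/models/test_privacy_experience.py
+++ b/tests/ops/models/test_privacy_experience.py
@@ -47,7 +47,7 @@ def test_create_privacy_experience_config(self, db):
 "description": "We care about your privacy. Opt in and opt out of the data use cases below.",
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Control your privacy",
@@ -66,7 +66,7 @@ def test_create_privacy_experience_config(self, db):
 assert config.is_default is False
 assert config.privacy_preferences_link_label == "Manage preferences"
 assert config.privacy_policy_link_label == "View our privacy policy"
-assert config.privacy_policy_url == "example.com/privacy"
+assert config.privacy_policy_url == "http://example.com/privacy"
 assert config.reject_button_label == "Reject all"
 assert config.save_button_label == "Save"
 assert config.title == "Control your privacy"
@@ -91,7 +91,7 @@ def test_create_privacy_experience_config(self, db):
 assert history.is_default is False
 assert history.privacy_preferences_link_label == "Manage preferences"
 assert history.privacy_policy_link_label == "View our privacy policy"
-assert history.privacy_policy_url == "example.com/privacy"
+assert history.privacy_policy_url == "http://example.com/privacy"
 assert history.reject_button_label == "Reject all"
 assert history.save_button_label == "Save"
 assert history.title == "Control your privacy"
@@ -112,7 +112,7 @@ def test_update_privacy_experience_config(self, db):
 "description": "We care about your privacy. Opt in and opt out of the data use cases below.",
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Control your privacy",
@@ -473,7 +473,7 @@ def test_get_should_show_banner(self, db):
 "description": "We care about your privacy. Opt in and opt out of the data use cases below.",
 "privacy_preferences_link_label": "Manage preferences",
 "privacy_policy_link_label": "View our privacy policy",
-"privacy_policy_url": "example.com/privacy",
+"privacy_policy_url": "http://example.com/privacy",
 "reject_button_label": "Reject all",
 "save_button_label": "Save",
 "title": "Control your privacy",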
