OpenStack Dashboard (Horizon)

Unit test code installed in deployment

Bug #1640239 reported by Dave McCowan on 2016-11-08

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Dashboard (Horizon)	Triaged	Medium	Unassigned	OpenStack Dashboard (Horizon) next

Bug Description

It is Horizon's (and OpenStack's) practice to not install unit test code as part of deployment.
It is also a security best practice to not install and expose test code to a end users of a deployment.

Using the AppScan test suite, it was found that:

GET /dashboard/i18n/js/horizon%2Bopenstack_dashboard/test/

returns the javscript that matches this file:

https://github.com/django/django/blob/3c447b108ac70757001171f7a4791f493880bf5b/js_tests/admin/jsi18n-mocks.test.js

Expected behavior: this javascript intended for unit test should not be part of the installed software and should not be executable by an end user of the deployment.

Revision history for this message

Rob Cresswell (robcresswell-deactivatedaccount) wrote on 2016-11-08:

It's actually rendering out https://github.com/openstack/horizon/blob/c66a1a14c5ac2a70843eec04e83c68e4b761b89e/test-shim.js which is a copy of the above Django file.

As far as I understand it, this provides a workaround for global gettext in JS-land, which should really be done via dependency injection. This is actually possible in the code base now, but isn't enforced.

Richard Jones (r1chardj0n3s) on 2016-12-01

Changed in horizon:
status:	New → Triaged
importance:	Undecided → Medium
milestone:	none → ocata-2

Rob Cresswell (robcresswell-deactivatedaccount) on 2017-01-30

Changed in horizon:
milestone:	ocata-2 → next

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.