Unit test code installed in deployment
Bug #1640239 reported by Dave McCowan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Triaged | Medium | Unassigned | |
Bug Description
It is Horizon's (and OpenStack's) practice to not install unit test code as part of deployment.
It is also a security best practice to not install and expose test code to end users of a deployment.
Using the AppScan test suite, it was found that:
GET /dashboard/
returns the javascript that matches this file:
Expected behavior: this javascript intended for unit test should not be part of the installed software and should not be executable by an end user of the deployment.
Changed in horizon:
status: New → Triaged
importance: Undecided → Medium
milestone: none → ocata-2
Changed in horizon:
milestone: ocata-2 → next
It's actually rendering out https://github.com/openstack/horizon/blob/c66a1a14c5ac2a70843eec04e83c68e4b761b89e/test-shim.js which is a copy of the above Django file.
As far as I understand it, this provides a workaround for global gettext in JS-land, which should really be done via dependency injection. This is actually possible in the code base now, but isn't enforced.
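A deployment check for the condition this bug describes, written for this page as an added example (it is not Horizon code): it walks a collected static directory and flags JavaScript that looks like unit-test code. `test-shim.js` is the file named in the discussion above; the other filename patterns, the content markers and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# test-shim.js is the file named on this page; the remaining patterns are
# assumed naming conventions for JavaScript unit-test artifacts.
TEST_NAME_PATTERNS = ("test-shim.js", "*.spec.js", "*.mock.js", "*_test.js")

# Assumed content markers: globals that normally appear only in test code.
TEST_CONTENT_RE = re.compile(
    r"\b(jasmine\.|angular\.mock\.|describe\s*\(|beforeEach\s*\()"
)


def find_test_artifacts(static_root):
    """Return sorted (relative_path, reason) pairs for suspected test code."""
    root = Path(static_root)
    findings = []
    for path in root.rglob("*.js"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch(path.name, pat) for pat in TEST_NAME_PATTERNS):
            findings.append((rel, "name"))
        elif TEST_CONTENT_RE.search(
            path.read_text(encoding="utf-8", errors="replace")
        ):
            # Catches test code shipped under an innocuous file name.
            findings.append((rel, "content"))
    return sorted(findings)


def build_sample_tree(root):
    """Create a small constructed static tree (not real Horizon files)."""
    samples = {
        "js/app.js": "angular.module('app', []);\n",
        "js/test-shim.js": "window.gettext = function (s) { return s; };\n",
        "js/widgets/table.spec.js": "describe('table', function () {});\n",
        "js/helpers.js": "beforeEach(function () { jasmine.clock(); });\n",
    }
    for rel, body in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in find_test_artifacts(tmp):
            print(f"{reason:8} {rel}")
```

Run against the directory the web server actually serves, as a packaging or CI gate, a non-empty result means test code would be reachable by end users.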