Fix markup injection issues #236

DemiMarie · 2024-12-08T23:42:22Z

This fixes some (theoretical) markup injection problems. I believe none of the strings that I escape here will ever contain "<" or "&", but it is always safer to escape.

marmarta · 2024-12-11T13:18:53Z

merge conflict, otherwise looks fine (but let's tests check it too)

qui/utils.py

qui/tray/updates.py

codecov · 2024-12-14T06:13:19Z

Codecov Report

Attention: Patch coverage is 51.51515% with 16 lines in your changes missing coverage. Please review.

Project coverage is 93.04%. Comparing base (1231efc) to head (fa4bcc2).
Report is 60 commits behind head on main.

Files with missing lines	Patch %	Lines
qui/utils.py	23.52%	13 Missing ⚠️
qubes_config/widgets/gtk_utils.py	72.72%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #236      +/-   ##
==========================================
- Coverage   93.17%   93.04%   -0.13%     
==========================================
  Files          58       58              
  Lines       11048    11074      +26     
==========================================
+ Hits        10294    10304      +10     
- Misses        754      770      +16

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

qubesos-bot · 2024-12-15T12:53:49Z

OpenQA test summary

Complete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2025010617-4.3&flavor=pull-requests

Test run included the following:

widgets: fall back to Xwayland #234 (e011e5f)
Remove deprecated pkg_resources, replace with importlib qubes-desktop-linux-common#67 (QubesOS/qubes-desktop-linux-common@42def06)
Add filter for qubes stored on inaccessible storage pools qubes-manager#399 (QubesOS/qubes-manager@7dcb8b7)
Don't rely on kdelibs qubes-desktop-linux-kde#20 (QubesOS/qubes-desktop-linux-kde@997a5a3)
Do not set timezone for VMs with anon-timezone feature qubes-core-admin#646 (QubesOS/qubes-core-admin@c76735f)
log stdout/err from updates check on Debian qubes-core-agent-linux#537 (QubesOS/qubes-core-agent-linux@e3202dc)
Use the UUID for the machine ID qubes-core-admin#642 (QubesOS/qubes-core-admin@3efd0c3)
SystemD dropins for minimal sys-net and sys-usb qubes-core-agent-linux#540 (QubesOS/qubes-core-agent-linux@f4b3d19)
Don't change combobox on mouse scroll #241 (8643f9b)
vmupdate: fix waiting for the other apt-get process qubes-core-admin-linux#175 (QubesOS/qubes-core-admin-linux@d5759de)
Fix markup injection issues #236 (99c6f83)

New failures, excluding unstable

Compared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.3&build=2024111705-4.3&flavor=update

system_tests_pvgrub_salt_storage
- TC_41_HVMGrub_debian-12-xfce: test_000_standalone_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_001_standalone_vm_dracut (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_010_template_based_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_011_template_based_vm_dracut (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_fedora-41-xfce: test_000_standalone_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_fedora-41-xfce: test_010_template_based_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
system_tests_extra
- TC_00_QVCTest_whonix-workstation-17: test_010_screenshare (failure)
  AssertionError: 13.069686413555461 not less than 2.0
- TC_01_InputProxyExclude_debian-12-xfce: test_000_qemu_tablet (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_01_InputProxyExclude_fedora-41-xfce: test_000_qemu_tablet (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
system_tests_manager
- tests: test_vm_settings (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_clone_vm (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_backup (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_qube_manager (error)
  ModuleNotFoundError: No module named 'pytest'
system_tests_kde_gui_interactive
- gui_keyboard_layout: wait_serial (wait serial expected)
  # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...

Failed tests

15 failures

system_tests_pvgrub_salt_storage
- TC_41_HVMGrub_debian-12-xfce: test_000_standalone_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_001_standalone_vm_dracut (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_010_template_based_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_debian-12-xfce: test_011_template_based_vm_dracut (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_fedora-41-xfce: test_000_standalone_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_41_HVMGrub_fedora-41-xfce: test_010_template_based_vm (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
system_tests_extra
- TC_00_QVCTest_whonix-workstation-17: test_010_screenshare (failure)
  AssertionError: 13.069686413555461 not less than 2.0
- TC_01_InputProxyExclude_debian-12-xfce: test_000_qemu_tablet (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
- TC_01_InputProxyExclude_fedora-41-xfce: test_000_qemu_tablet (error)
  qubes.exc.QubesVMError: Cannot connect to qrexec agent for 120 seco...
system_tests_manager
- tests: test_vm_settings (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_clone_vm (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_backup (error)
  ModuleNotFoundError: No module named 'pytest'
- tests: test_qube_manager (error)
  ModuleNotFoundError: No module named 'pytest'
system_tests_kde_gui_interactive
- gui_keyboard_layout: wait_serial (wait serial expected)
  # wait_serial expected: "echo -e '[Layout]\nLayoutList=us,de' | sud...
- gui_keyboard_layout: Failed (test died)
  # Test died: command 'test "$(cd ~user;ls e1*)" = "$(qvm-run -p wor...

Fixed failures

Compared to: https://openqa.qubes-os.org/tests/119126#dependencies

3 fixed

system_tests_extra
- TC_00_QVCTest_whonix-gateway-17: test_010_screenshare (failure)
  ~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^... AssertionError: 0 == 0
system_tests_basic_vm_qrexec_gui_zfs
- switch_pool: Failed (test died)
  # Test died: command 'dnf install -y ./zfs-release.rpm' failed at /...
system_tests_audio@hw1
- TC_20_AudioVM_PipeWire_whonix-workstation-17: test_260_audio_mic_enabled_switch_audiovm (failure)
  AssertionError: too short audio, expected 10s, got 0.00013605442176...

Unstable tests

system_tests_update
update2/Failed (1/5 times with errors)
- job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...
system_tests_update@hw7
update2/Failed (1/5 times with errors)
- job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...
system_tests_update@hw1
update2/Failed (1/5 times with errors)
- job 121711 # Test died: command '(set -o pipefail; qubesctl --show-output stat...

marmarek · 2024-12-16T00:16:33Z

FWIW openQA says:

Dec 15 19:01:36.069179 dom0 widget-wrapper[3495]: Traceback (most recent call last):
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:   File "/usr/lib/python3.13/site-packages/qui/tray/disk_space.py", line 435, in make_menu
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:     menu.append(self.make_title_item('Volumes'))
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:                 ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:   File "/usr/lib/python3.13/site-packages/qui/tray/disk_space.py", line 474, in make_title_item
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:     label.set_markup("<b>{}</b>").format(GLib.markup_escape_text(text))
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]:     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Dec 15 19:01:36.070033 dom0 widget-wrapper[3495]: AttributeError: 'NoneType' object has no attribute 'format'

marmarek · 2024-12-31T03:49:51Z

Both pylint and tests detected some issues, I think the same one.

marmarek · 2025-01-03T04:19:21Z

This will need rebase on top of #240 (queued for merging already).

marmarek · 2025-01-05T12:02:24Z

openQA says:

Jan 05 00:05:36 dom0 qui-domains[3238]: Failed to set text '<markup><span color="{colormap[state]}">sys-whonix</span></markup>' from markup due to error parsing markup: Value of 'foreground' attribute on <span> tag on line 1 could not be parsed; should be a color specification, not '{colormap[state]}'

(there may be more issues like this)

marmarek · 2025-01-06T11:47:10Z

Make the widgets work in KDE Wayland session

Mixed up PRs ?

marmarek

And that's all what openQA plus some manual testing found.

qubes_config/global_config/usb_devices.py

DemiMarie · 2025-01-08T00:40:44Z

And that's all what openQA plus some manual testing found.

My test box uses KDE+Wayland, so this change was to make the code easier to test. I’ll revert it.

This fixes some (theoretical) markup injection problems. I believe none of the strings that I escape here will ever contain "<" or "&", but it is always safer to escape.

marmarta

Please add some unit tests, codecov complains. I'm not sure if this is needed (see: theoretical), and I think your time could be better spent on things like fixing tray icons from non-dom0 VMs under wayland, but sure, we can have this.

DemiMarie · 2025-01-08T23:28:25Z

Yeah, tray icons without menus are not a sufficient implementation no matter how much easier they are to implement.

DemiMarie force-pushed the fix-markup-injection branch 2 times, most recently from 81f3f70 to be5c363 Compare December 13, 2024 02:50

DemiMarie marked this pull request as draft December 13, 2024 02:53

DemiMarie force-pushed the fix-markup-injection branch 4 times, most recently from a224c12 to fd9ff2f Compare December 14, 2024 03:09

marmarek reviewed Dec 14, 2024

View reviewed changes

qui/utils.py Outdated Show resolved Hide resolved

marmarek reviewed Dec 14, 2024

View reviewed changes

qui/tray/updates.py Outdated Show resolved Hide resolved

marmarek added the openqa-pending label Dec 15, 2024

This was referenced Dec 15, 2024

log stdout/err from updates check on Debian QubesOS/qubes-core-agent-linux#537

Merged

vmupdate: wait for other apt-get to complete QubesOS/qubes-core-admin-linux#174

Merged

Update to 3007.1 QubesOS/qubes-salt#9

Merged

marmarek removed the openqa-pending label Dec 16, 2024

DemiMarie force-pushed the fix-markup-injection branch from fd9ff2f to 689d549 Compare December 30, 2024 05:13

DemiMarie force-pushed the fix-markup-injection branch from 689d549 to e0794e2 Compare December 31, 2024 06:34

DemiMarie force-pushed the fix-markup-injection branch from e0794e2 to 4f3d7f1 Compare January 4, 2025 02:12

marmarek added the openqa-pending label Jan 4, 2025

DemiMarie force-pushed the fix-markup-injection branch 2 times, most recently from 8b8a126 to 275d9f6 Compare January 6, 2025 03:57

DemiMarie marked this pull request as draft January 6, 2025 03:57

DemiMarie force-pushed the fix-markup-injection branch from 275d9f6 to 99c6f83 Compare January 6, 2025 05:40

This was referenced Jan 6, 2025

Add filter for qubes stored on inaccessible storage pools QubesOS/qubes-manager#399

Closed

Don't change combobox on mouse scroll #241

Merged

marmarek requested changes Jan 7, 2025

View reviewed changes

qubes_config/global_config/usb_devices.py Outdated Show resolved Hide resolved

marmarek requested a review from marmarta January 7, 2025 02:31

DemiMarie force-pushed the fix-markup-injection branch from 99c6f83 to b2733b2 Compare January 7, 2025 04:19

DemiMarie marked this pull request as ready for review January 8, 2025 00:40

Fix markup injection issues

fa4bcc2

This fixes some (theoretical) markup injection problems. I believe none of the strings that I escape here will ever contain "<" or "&", but it is always safer to escape.

DemiMarie force-pushed the fix-markup-injection branch from b2733b2 to fa4bcc2 Compare January 8, 2025 00:41

DemiMarie requested a review from marmarek January 8, 2025 02:35

This comment was marked as outdated.

Sign in to view

marmarta suggested changes Jan 8, 2025

View reviewed changes

marmarek removed the openqa-pending label Jan 11, 2025

marmarek closed this Jul 5, 2025

Uh oh!

Fix markup injection issues #236

Fix markup injection issues #236

Uh oh!

Conversation

DemiMarie commented Dec 8, 2024

Uh oh!

marmarta commented Dec 11, 2024

Uh oh!

Uh oh!

Uh oh!

codecov bot commented Dec 14, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

qubesos-bot commented Dec 15, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

OpenQA test summary

New failures, excluding unstable

Failed tests

Fixed failures

Unstable tests

Uh oh!

marmarek commented Dec 16, 2024

Uh oh!

marmarek commented Dec 31, 2024

Uh oh!

marmarek commented Jan 3, 2025

Uh oh!

marmarek commented Jan 5, 2025

Uh oh!

marmarek commented Jan 6, 2025

Uh oh!

marmarek left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

DemiMarie commented Jan 8, 2025

Uh oh!

This comment was marked as outdated.

Uh oh!

marmarta left a comment

Choose a reason for hiding this comment

Uh oh!

DemiMarie commented Jan 8, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

codecov bot commented Dec 14, 2024 •

edited

Loading

qubesos-bot commented Dec 15, 2024 •

edited

Loading