18458463416

Committed 13 Oct 2025 07:32AM UTC coverage: 36.912% (-6.3%) from 43.239%

Build # 18458463416

Build Type

push

github

Committed by

web-flow

Commit Message

Fix/rollback the use of utc to support python 3.9 (#206)

* fix: rollback the use of UTC to support python 3.9.

* fix: added an api-client with a fixed TestResultUpdateV2Request model.

* update README.md.

---------

Co-authored-by: pavel.butuzov <pavel.butuzov@testit.software>

Run Details

0 of 3 new or added lines in 1 file covered. (0.0%)

1 existing line in 1 file now uncovered.

1286 of 3484 relevant lines covered (36.91%)

0.74 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

78.26

/testit-python-commons/src/testit_python_commons/utils/html_escape_utils.py

import os
import re
import logging
from typing import Any, List, Optional, Union
from datetime import datetime, date, time, timedelta
from decimal import Decimal
from uuid import UUID


class HtmlEscapeUtils:
    """
    HTML escape utilities for preventing XSS attacks.
    Escapes HTML tags in strings and objects using reflection.
    """
    
    NO_ESCAPE_HTML_ENV_VAR = "NO_ESCAPE_HTML"
    
    # Regex pattern to detect HTML tags (requires at least one non-whitespace character after <)
    # This ensures empty <> brackets are not considered HTML tags
    _HTML_TAG_PATTERN = re.compile(r'<\S.*?(?:>|/>)')
    
    # Regex patterns to escape only non-escaped characters
    # Using negative lookbehind to avoid double escaping
    _LESS_THAN_PATTERN = re.compile(r'(?<!\\)<')
    _GREATER_THAN_PATTERN = re.compile(r'(?<!\\)>')
    
    @staticmethod
    def escape_html_tags(text: Optional[str]) -> Optional[str]:
        """
        Escapes HTML tags to prevent XSS attacks.
        First checks if the string contains HTML tags using regex pattern.
        Only performs escaping if HTML tags are detected.
        Escapes all < as \\< and > as \\> only if they are not already escaped.
        Uses regex with negative lookbehind to avoid double escaping.
        
        Args:
            text: The text to escape
            
        Returns:
            Escaped text or original text if escaping is disabled
        """
        if text is None:
            return None
            
        # Check if escaping is disabled via environment variable
        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
        if no_escape_html == "true":
            return text
            
        # First check if the string contains HTML tags
        if not HtmlEscapeUtils._HTML_TAG_PATTERN.search(text):
            return text  # No HTML tags found, return original string
            
        # Use regex with negative lookbehind to escape only non-escaped characters
        result = HtmlEscapeUtils._LESS_THAN_PATTERN.sub(r'\\<', text)
        result = HtmlEscapeUtils._GREATER_THAN_PATTERN.sub(r'\\>', result)
        
        return result
    
    @staticmethod
    def escape_html_in_object(obj: Any) -> Any:
        """
        Escapes HTML tags in all string attributes of an object using reflection.
        Also processes list attributes: if list of objects - calls escape_html_in_object_list,
        if list of strings - escapes each string.
        Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
        
        Args:
            obj: The object to process
            
        Returns:
            The processed object with escaped strings
        """
        if obj is None:
            return None
            
        # Check if escaping is disabled via environment variable
        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
        if no_escape_html == "true":
            return obj
            
        try:
            HtmlEscapeUtils._process_object_attributes(obj)
        except Exception as e:
            # Silently ignore reflection errors
            logging.debug(f"Error processing object attributes: {e}")
            
        return obj
    
    @staticmethod
    def escape_html_in_object_list(obj_list: Optional[List[Any]]) -> Optional[List[Any]]:
        """
        Escapes HTML tags in all string attributes of objects in a list using reflection.
        Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
        
        Args:
            obj_list: The list of objects to process
            
        Returns:
            The processed list with escaped strings in all objects
        """
        if obj_list is None:
            return None
            
        # Check if escaping is disabled via environment variable
        no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()
        if no_escape_html == "true":
            return obj_list
            
        for obj in obj_list:
            HtmlEscapeUtils.escape_html_in_object(obj)
            
        return obj_list
    
    @staticmethod
    def _process_object_attributes(obj: Any) -> None:
        """
        Process all attributes of an object for HTML escaping.
        """
        # Handle dictionary-like objects (common in API models)
        if hasattr(obj, '__dict__'):
            for attr_name in dir(obj):
                # Skip private/protected attributes and methods
                if attr_name.startswith('_') or callable(getattr(obj, attr_name, None)):
                    continue
                    
                try:
                    value = getattr(obj, attr_name)
                    HtmlEscapeUtils._process_attribute_value(obj, attr_name, value)
                except Exception as e:
                    # Silently ignore attribute errors
                    logging.debug(f"Error processing attribute {attr_name}: {e}")
                    
        # Handle dictionary objects
        elif isinstance(obj, dict):
            for key, value in obj.items():
                if isinstance(value, str):
                    obj[key] = HtmlEscapeUtils.escape_html_tags(value)
                elif isinstance(value, list):
                    HtmlEscapeUtils._process_list(value)
                elif not HtmlEscapeUtils._is_simple_type(type(value)):
                    HtmlEscapeUtils.escape_html_in_object(value)
    
    @staticmethod
    def _process_attribute_value(obj: Any, attr_name: str, value: Any) -> None:
        """
        Process a single attribute value for HTML escaping.
        """
        if isinstance(value, str):
            # Escape string attributes
            try:
                setattr(obj, attr_name, HtmlEscapeUtils.escape_html_tags(value))
            except AttributeError:
                # Attribute might be read-only
                pass
        elif isinstance(value, list):
            HtmlEscapeUtils._process_list(value)
        elif value is not None and not HtmlEscapeUtils._is_simple_type(type(value)):
            # Process nested objects (but not simple types)
            HtmlEscapeUtils.escape_html_in_object(value)
    
    @staticmethod
    def _process_list(lst: List[Any]) -> None:
        """
        Process a list for HTML escaping.
        """
        if not lst:
            return
            
        first_element = lst[0]
        
        if isinstance(first_element, str):
            # List of strings - escape each string
            for i, item in enumerate(lst):
                if isinstance(item, str):
                    lst[i] = HtmlEscapeUtils.escape_html_tags(item)
        elif first_element is not None:
            # List of objects - process each object
            for item in lst:
                HtmlEscapeUtils.escape_html_in_object(item)
    
    @staticmethod
    def _is_simple_type(obj_type: type) -> bool:
        """
        Checks if a type is a simple type that doesn't need HTML escaping.
        
        Args:
            obj_type: Type to check
            
        Returns:
            True if it's a simple type
        """
        simple_types = {
            # Basic types
            bool, int, float, complex, bytes, bytearray,
            # String type (handled separately)
            str,
            # Date/time types
            datetime, date, time, timedelta,
            # Other common types
            Decimal, UUID,
            # None type
            type(None)
        }
        
        return (
            obj_type in simple_types or
            # Check for enums
            (hasattr(obj_type, '__bases__') and any(
                base.__name__ == 'Enum' for base in obj_type.__bases__
            ))
        ) 

1	import os	2✔
2	import re	2✔
3	import logging	2✔
4	from typing import Any, List, Optional, Union	2✔
5	from datetime import datetime, date, time, timedelta	2✔
6	from decimal import Decimal	2✔
7	from uuid import UUID	2✔
8
9
10	class HtmlEscapeUtils:	2✔
11	"""
12	HTML escape utilities for preventing XSS attacks.
13	Escapes HTML tags in strings and objects using reflection.
14	"""
15
16	NO_ESCAPE_HTML_ENV_VAR = "NO_ESCAPE_HTML"	2✔
17
18	# Regex pattern to detect HTML tags (requires at least one non-whitespace character after <)
19	# This ensures empty <> brackets are not considered HTML tags
20	_HTML_TAG_PATTERN = re.compile(r'<\S.*?(?:>\|/>)')	2✔
21
22	# Regex patterns to escape only non-escaped characters
23	# Using negative lookbehind to avoid double escaping
24	_LESS_THAN_PATTERN = re.compile(r'(?<!\\)<')	2✔
25	_GREATER_THAN_PATTERN = re.compile(r'(?<!\\)>')	2✔
26
27	@staticmethod	2✔
28	def escape_html_tags(text: Optional[str]) -> Optional[str]:	2✔
29	"""
30	Escapes HTML tags to prevent XSS attacks.
31	First checks if the string contains HTML tags using regex pattern.
32	Only performs escaping if HTML tags are detected.
33	Escapes all < as \\< and > as \\> only if they are not already escaped.
34	Uses regex with negative lookbehind to avoid double escaping.
35
36	Args:
37	text: The text to escape
38
39	Returns:
40	Escaped text or original text if escaping is disabled
41	"""
42	if text is None:	2✔
43	return None	2✔
44
45	# Check if escaping is disabled via environment variable
46	no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()	2✔
47	if no_escape_html == "true":	2✔
48	return text	2✔
49
50	# First check if the string contains HTML tags
51	if not HtmlEscapeUtils._HTML_TAG_PATTERN.search(text):	2✔
52	return text # No HTML tags found, return original string	2✔
53
54	# Use regex with negative lookbehind to escape only non-escaped characters
55	result = HtmlEscapeUtils._LESS_THAN_PATTERN.sub(r'\\<', text)	2✔
56	result = HtmlEscapeUtils._GREATER_THAN_PATTERN.sub(r'\\>', result)	2✔
57
58	return result	2✔
59
60	@staticmethod	2✔
61	def escape_html_in_object(obj: Any) -> Any:	2✔
62	"""
63	Escapes HTML tags in all string attributes of an object using reflection.
64	Also processes list attributes: if list of objects - calls escape_html_in_object_list,
65	if list of strings - escapes each string.
66	Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
67
68	Args:
69	obj: The object to process
70
71	Returns:
72	The processed object with escaped strings
73	"""
74	if obj is None:	2✔
75	return None	×
76
77	# Check if escaping is disabled via environment variable
78	no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()	2✔
79	if no_escape_html == "true":	2✔
80	return obj	2✔
81
82	try:	2✔
83	HtmlEscapeUtils._process_object_attributes(obj)	2✔
84	except Exception as e:	×
85	# Silently ignore reflection errors
86	logging.debug(f"Error processing object attributes: {e}")	×
87
88	return obj	2✔
89
90	@staticmethod	2✔
91	def escape_html_in_object_list(obj_list: Optional[List[Any]]) -> Optional[List[Any]]:	2✔
92	"""
93	Escapes HTML tags in all string attributes of objects in a list using reflection.
94	Can be disabled by setting NO_ESCAPE_HTML environment variable to "true".
95
96	Args:
97	obj_list: The list of objects to process
98
99	Returns:
100	The processed list with escaped strings in all objects
101	"""
102	if obj_list is None:	2✔
103	return None	×
104
105	# Check if escaping is disabled via environment variable
106	no_escape_html = os.environ.get(HtmlEscapeUtils.NO_ESCAPE_HTML_ENV_VAR, "").lower()	2✔
107	if no_escape_html == "true":	2✔
108	return obj_list	×
109
110	for obj in obj_list:	2✔
111	HtmlEscapeUtils.escape_html_in_object(obj)	2✔
112
113	return obj_list	2✔
114
115	@staticmethod	2✔
116	def _process_object_attributes(obj: Any) -> None:	2✔
117	"""
118	Process all attributes of an object for HTML escaping.
119	"""
120	# Handle dictionary-like objects (common in API models)
121	if hasattr(obj, '__dict__'):	2✔
122	for attr_name in dir(obj):	2✔
123	# Skip private/protected attributes and methods
124	if attr_name.startswith('_') or callable(getattr(obj, attr_name, None)):	2✔
UNCOV 125	continue	×
126
127	try:	2✔
128	value = getattr(obj, attr_name)	2✔
129	HtmlEscapeUtils._process_attribute_value(obj, attr_name, value)	2✔
130	except Exception as e:	×
131	# Silently ignore attribute errors
132	logging.debug(f"Error processing attribute {attr_name}: {e}")	×
133
134	# Handle dictionary objects
135	elif isinstance(obj, dict):	2✔
136	for key, value in obj.items():	2✔
137	if isinstance(value, str):	2✔
138	obj[key] = HtmlEscapeUtils.escape_html_tags(value)	2✔
139	elif isinstance(value, list):	2✔
140	HtmlEscapeUtils._process_list(value)	2✔
141	elif not HtmlEscapeUtils._is_simple_type(type(value)):	×
142	HtmlEscapeUtils.escape_html_in_object(value)	×
143
144	@staticmethod	2✔
145	def _process_attribute_value(obj: Any, attr_name: str, value: Any) -> None:	2✔
146	"""
147	Process a single attribute value for HTML escaping.
148	"""
149	if isinstance(value, str):	2✔
150	# Escape string attributes
151	try:	2✔
152	setattr(obj, attr_name, HtmlEscapeUtils.escape_html_tags(value))	2✔
153	except AttributeError:	×
154	# Attribute might be read-only
155	pass	×
156	elif isinstance(value, list):	2✔
157	HtmlEscapeUtils._process_list(value)	2✔
158	elif value is not None and not HtmlEscapeUtils._is_simple_type(type(value)):	×
159	# Process nested objects (but not simple types)
160	HtmlEscapeUtils.escape_html_in_object(value)	×
161
162	@staticmethod	2✔
163	def _process_list(lst: List[Any]) -> None:	2✔
164	"""
165	Process a list for HTML escaping.
166	"""
167	if not lst:	2✔
168	return	×
169
170	first_element = lst[0]	2✔
171
172	if isinstance(first_element, str):	2✔
173	# List of strings - escape each string
174	for i, item in enumerate(lst):	2✔
175	if isinstance(item, str):	2✔
176	lst[i] = HtmlEscapeUtils.escape_html_tags(item)	2✔
177	elif first_element is not None:	×
178	# List of objects - process each object
179	for item in lst:	×
180	HtmlEscapeUtils.escape_html_in_object(item)	×
181
182	@staticmethod	2✔
183	def _is_simple_type(obj_type: type) -> bool:	2✔
184	"""
185	Checks if a type is a simple type that doesn't need HTML escaping.
186
187	Args:
188	obj_type: Type to check
189
190	Returns:
191	True if it's a simple type
192	"""
193	simple_types = {	×
194	# Basic types
195	bool, int, float, complex, bytes, bytearray,
196	# String type (handled separately)
197	str,
198	# Date/time types
199	datetime, date, time, timedelta,
200	# Other common types
201	Decimal, UUID,
202	# None type
203	type(None)
204	}
205
206	return (	×
207	obj_type in simple_types or
208	# Check for enums
209	(hasattr(obj_type, '__bases__') and any(
210	base.__name__ == 'Enum' for base in obj_type.__bases__
211	))
212	)

testit-tms / adapters-python / 18458463416

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous