From d99bc61001bd37a46996c331e92f1ec43a25eb19 Mon Sep 17 00:00:00 2001
From: ltthienn <hien.le@kyber.network>
Date: Thu, 21 Sep 2023 16:54:58 +0700
Subject: [PATCH 1/5] Add csp tests

---
 cypress/e2e/specs/csp.e2e.cy.ts | 95 +++++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 cypress/e2e/specs/csp.e2e.cy.ts

diff --git a/cypress/e2e/specs/csp.e2e.cy.ts b/cypress/e2e/specs/csp.e2e.cy.ts
new file mode 100644
index 0000000000..b65d70a5ca
--- /dev/null
+++ b/cypress/e2e/specs/csp.e2e.cy.ts
@@ -0,0 +1,95 @@
+import { SwapPage, TokenCatalog } from "../pages/swap-page.po.cy"
+import { DEFAULT_URL, TAG } from "../selectors/constants.cy"
+
+const tokenCatalog = new TokenCatalog()
+
+describe('CSP', { tags: TAG.regression }, () => {
+    beforeEach(() => {
+        cy.on('window:load', (win) => cy.stub(win.console, 'log').as('log'))
+        SwapPage.open(DEFAULT_URL)
+    })
+
+    describe('Search token in Token Catalog', { tags: TAG.regression }, () => {
+        beforeEach(() => {
+            SwapPage.selectTokenIn()
+        })
+        it('injecting <script> tag does not work', () => {
+            tokenCatalog.searchToken('KNC<img src="" onerror="console.log(`hacked`)" />')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('serves Content-Security-Policy header', () => {
+            cy.request('/')
+                .its('headers')
+                .should('have.property', 'content-security-policy')
+                // confirm parts of the CSP directive
+                .should('include', "frame-ancestors 'self'")
+        })
+    })
+
+    describe('Search token in Pools Page', { tags: TAG.regression }, () => {
+        beforeEach(() => {
+            SwapPage.goToPoolPage()
+        })
+        it('injecting <script> tag does not work', () => {
+            cy.get('div input', { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('serves Content-Security-Policy header', () => {
+            cy.request('/')
+                .its('headers')
+                .should('have.property', 'content-security-policy')
+                // confirm parts of the CSP directive
+                .should('include', "frame-ancestors 'self'")
+        })
+    })
+
+    describe('Search token in My Pools Page', { tags: TAG.regression }, () => {
+        beforeEach(() => {
+            SwapPage.goToMyPoolsPage()
+        })
+        it('injecting <script> tag does not work', () => {
+            cy.get('div input', { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('serves Content-Security-Policy header', () => {
+            cy.request('/')
+                .its('headers')
+                .should('have.property', 'content-security-policy')
+                // confirm parts of the CSP directive
+                .should('include', "frame-ancestors 'self'")
+        })
+
+    })
+
+    describe('Search token in Farms Page', { tags: TAG.regression }, () => {
+        beforeEach(() => {
+            SwapPage.goToFarmPage()
+        })
+        it('injecting <script> tag does not work', () => {
+            cy.get('div input', { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('serves Content-Security-Policy header', () => {
+            cy.request('/')
+                .its('headers')
+                .should('have.property', 'content-security-policy')
+                // confirm parts of the CSP directive
+                .should('include', "frame-ancestors 'self'")
+        })
+
+    })
+
+})
\ No newline at end of file

From acc8209c8dec7f4d5ae2505ea0c1842e09a23de4 Mon Sep 17 00:00:00 2001
From: ltthienn <hien.le@kyber.network>
Date: Fri, 29 Sep 2023 17:05:34 +0700
Subject: [PATCH 2/5] Update tests

---
 cypress/e2e/selectors/selectors.cy.ts | 13 +++++++++++++
 cypress/e2e/specs/csp.e2e.cy.ts       |  7 ++++---
 cypress/e2e/specs/intercept.e2e.cy.ts |  4 ----
 src/components/Search/index.tsx       |  1 +
 src/pages/Farm/index.tsx              |  1 +
 5 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/cypress/e2e/selectors/selectors.cy.ts b/cypress/e2e/selectors/selectors.cy.ts
index f3a85e1eb3..3e88fea966 100644
--- a/cypress/e2e/selectors/selectors.cy.ts
+++ b/cypress/e2e/selectors/selectors.cy.ts
@@ -43,4 +43,17 @@ export const HeaderLocators = {
 export const FarmLocators = {
   lblApr: '[data-testid=apr-value]',
   lblTvl: '[data-testid=tvl-value]',
+  txtSearch: '[data-testid=input-search]'
+}
+
+export const PoolLocators = {
+  txtSearch: '[data-testid=input-search]'
+}
+
+export const MyPoolLocators = {
+  txtSearch: '[data-testid=input-search]'
+}
+
+export const MyEarningLocators = {
+  txtSearch: '[data-testid=input-search]'
 }
\ No newline at end of file
diff --git a/cypress/e2e/specs/csp.e2e.cy.ts b/cypress/e2e/specs/csp.e2e.cy.ts
index b65d70a5ca..07c221783f 100644
--- a/cypress/e2e/specs/csp.e2e.cy.ts
+++ b/cypress/e2e/specs/csp.e2e.cy.ts
@@ -1,5 +1,6 @@
 import { SwapPage, TokenCatalog } from "../pages/swap-page.po.cy"
 import { DEFAULT_URL, TAG } from "../selectors/constants.cy"
+import { FarmLocators, MyPoolLocators, PoolLocators } from "../selectors/selectors.cy"
 
 const tokenCatalog = new TokenCatalog()
 
@@ -32,7 +33,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             SwapPage.goToPoolPage()
         })
         it('injecting <script> tag does not work', () => {
-            cy.get('div input', { timeout: 10000 })
+            cy.get(PoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
                 .type('KNC<img src="" onerror="console.log(`hacked`)" />')
@@ -53,7 +54,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             SwapPage.goToMyPoolsPage()
         })
         it('injecting <script> tag does not work', () => {
-            cy.get('div input', { timeout: 10000 })
+            cy.get(MyPoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
                 .type('KNC<img src="" onerror="console.log(`hacked`)" />')
@@ -75,7 +76,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             SwapPage.goToFarmPage()
         })
         it('injecting <script> tag does not work', () => {
-            cy.get('div input', { timeout: 10000 })
+            cy.get(FarmLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
                 .type('KNC<img src="" onerror="console.log(`hacked`)" />')
diff --git a/cypress/e2e/specs/intercept.e2e.cy.ts b/cypress/e2e/specs/intercept.e2e.cy.ts
index 163e19ca92..32893b316e 100644
--- a/cypress/e2e/specs/intercept.e2e.cy.ts
+++ b/cypress/e2e/specs/intercept.e2e.cy.ts
@@ -21,11 +21,9 @@ describe('Intercept', { tags: TAG.regression }, () => {
       it('Should get pool, farm list successfully', () => {
          cy.intercept('GET', '**/farm-pools?**').as('get-farm-list')
          cy.intercept('GET', '**/pools?**').as('get-pool-list')
-         cy.intercept('GET', '**/block?**').as('get-block')
          SwapPage.goToPoolPage()
          cy.wait('@get-farm-list', { timeout: 5000 }).its('response.statusCode').should('equal', 200)
          cy.wait('@get-pool-list', { timeout: 5000 }).its('response.statusCode').should('equal', 200)
-         cy.wait('@get-block', { timeout: 60000 }).its('response.statusCode').should('equal', 200)
       })
 
       it('Should be displayed APR and TVL values', () => {
@@ -56,7 +54,6 @@ describe('Intercept', { tags: TAG.regression }, () => {
       it('Should get pool, farm list successfully', () => {
          cy.intercept('GET', '**/farm-pools?**').as('get-farm-list')
          cy.intercept('GET', '**/pools?**').as('get-pool-list')
-         cy.intercept('GET', '**/block?**').as('get-block')
          SwapPage.goToFarmPage()
          cy.get('[data-testid=farm-block]')
             .should(_ => {})
@@ -65,7 +62,6 @@ describe('Intercept', { tags: TAG.regression }, () => {
                   cy.wait('@get-pool-list', { timeout: 5000 }).its('response.statusCode').should('equal', 200)
                }
                cy.wait('@get-farm-list', { timeout: 5000 }).its('response.statusCode').should('equal', 200)
-               cy.wait('@get-block', { timeout: 60000 }).its('response.statusCode').should('equal', 200)
             })
       })
    })
diff --git a/src/components/Search/index.tsx b/src/components/Search/index.tsx
index 5d99e5900d..f81cc9d775 100644
--- a/src/components/Search/index.tsx
+++ b/src/components/Search/index.tsx
@@ -73,6 +73,7 @@ const Search = ({ searchValue, onSearch, placeholder, minWidth, style }: SearchP
           onChange={e => {
             onSearch(e.target.value)
           }}
+          data-testid="input-search"
         />
         {searchValue && (
           <ButtonEmpty onClick={() => onSearch('')} style={{ padding: '2px 4px', width: 'max-content' }}>
diff --git a/src/pages/Farm/index.tsx b/src/pages/Farm/index.tsx
index c0db8094e3..3c6c097b14 100644
--- a/src/pages/Farm/index.tsx
+++ b/src/pages/Farm/index.tsx
@@ -439,6 +439,7 @@ const Farm = () => {
                       maxLength={255}
                       value={search}
                       onChange={e => handleSearch(e.target.value)}
+                      data-testid="input-search"
                     />
                     <Search color={theme.subText} size={16} />
                   </SearchContainer>

From 00fac6c3fb977ce0a58c0141ad6b55e57b946502 Mon Sep 17 00:00:00 2001
From: ltthienn <hien.le@kyber.network>
Date: Fri, 29 Sep 2023 17:13:49 +0700
Subject: [PATCH 3/5] Update tag to test

---
 cypress/e2e/specs/csp.e2e.cy.ts | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/cypress/e2e/specs/csp.e2e.cy.ts b/cypress/e2e/specs/csp.e2e.cy.ts
index 07c221783f..d9ac7cb743 100644
--- a/cypress/e2e/specs/csp.e2e.cy.ts
+++ b/cypress/e2e/specs/csp.e2e.cy.ts
@@ -4,18 +4,18 @@ import { FarmLocators, MyPoolLocators, PoolLocators } from "../selectors/selecto
 
 const tokenCatalog = new TokenCatalog()
 
-describe('CSP', { tags: TAG.regression }, () => {
+describe('CSP', { tags: TAG.smoke }, () => {
     beforeEach(() => {
         cy.on('window:load', (win) => cy.stub(win.console, 'log').as('log'))
         SwapPage.open(DEFAULT_URL)
     })
 
-    describe('Search token in Token Catalog', { tags: TAG.regression }, () => {
+    describe('Search token in Token Catalog', () => {
         beforeEach(() => {
             SwapPage.selectTokenIn()
         })
         it('injecting <script> tag does not work', () => {
-            tokenCatalog.searchToken('KNC<img src="" onerror="console.log(`hacked`)" />')
+            tokenCatalog.searchToken('KNC<img src="" onerror="console.log(`failed`)" />')
             cy.get('@log').should('not.have.been.called')
         })
 
@@ -28,7 +28,7 @@ describe('CSP', { tags: TAG.regression }, () => {
         })
     })
 
-    describe('Search token in Pools Page', { tags: TAG.regression }, () => {
+    describe('Search token in Pools Page', () => {
         beforeEach(() => {
             SwapPage.goToPoolPage()
         })
@@ -36,7 +36,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             cy.get(PoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
-                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+                .type('KNC<img src="" onerror="console.log(`failed`)" />')
             cy.get('@log').should('not.have.been.called')
         })
 
@@ -49,7 +49,7 @@ describe('CSP', { tags: TAG.regression }, () => {
         })
     })
 
-    describe('Search token in My Pools Page', { tags: TAG.regression }, () => {
+    describe('Search token in My Pools Page', () => {
         beforeEach(() => {
             SwapPage.goToMyPoolsPage()
         })
@@ -57,7 +57,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             cy.get(MyPoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
-                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+                .type('KNC<img src="" onerror="console.log(`failed`)" />')
             cy.get('@log').should('not.have.been.called')
         })
 
@@ -71,7 +71,7 @@ describe('CSP', { tags: TAG.regression }, () => {
 
     })
 
-    describe('Search token in Farms Page', { tags: TAG.regression }, () => {
+    describe('Search token in Farms Page', () => {
         beforeEach(() => {
             SwapPage.goToFarmPage()
         })
@@ -79,7 +79,7 @@ describe('CSP', { tags: TAG.regression }, () => {
             cy.get(FarmLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
-                .type('KNC<img src="" onerror="console.log(`hacked`)" />')
+                .type('KNC<img src="" onerror="console.log(`failed`)" />')
             cy.get('@log').should('not.have.been.called')
         })
 

From cd5bbc171ba9b1de1d980b56051945fdafe4c783 Mon Sep 17 00:00:00 2001
From: ltthienn <hien.le@kyber.network>
Date: Wed, 4 Oct 2023 11:59:21 +0700
Subject: [PATCH 4/5] add tests

---
 cypress/e2e/specs/csp.e2e.cy.ts | 34 ++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/cypress/e2e/specs/csp.e2e.cy.ts b/cypress/e2e/specs/csp.e2e.cy.ts
index d9ac7cb743..2697f9bdeb 100644
--- a/cypress/e2e/specs/csp.e2e.cy.ts
+++ b/cypress/e2e/specs/csp.e2e.cy.ts
@@ -4,7 +4,7 @@ import { FarmLocators, MyPoolLocators, PoolLocators } from "../selectors/selecto
 
 const tokenCatalog = new TokenCatalog()
 
-describe('CSP', { tags: TAG.smoke }, () => {
+describe('CSP', { tags: TAG.regression }, () => {
     beforeEach(() => {
         cy.on('window:load', (win) => cy.stub(win.console, 'log').as('log'))
         SwapPage.open(DEFAULT_URL)
@@ -14,7 +14,13 @@ describe('CSP', { tags: TAG.smoke }, () => {
         beforeEach(() => {
             SwapPage.selectTokenIn()
         })
+
         it('injecting <script> tag does not work', () => {
+            tokenCatalog.searchToken('KNC<script>console.log(`failed`)</script>')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('injects XSS via img onerror attribute', () => {
             tokenCatalog.searchToken('KNC<img src="" onerror="console.log(`failed`)" />')
             cy.get('@log').should('not.have.been.called')
         })
@@ -33,6 +39,14 @@ describe('CSP', { tags: TAG.smoke }, () => {
             SwapPage.goToPoolPage()
         })
         it('injecting <script> tag does not work', () => {
+            cy.get(PoolLocators.txtSearch, { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<script>console.log(`failed`)</script>')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('injects XSS via img onerror attribute', () => {
             cy.get(PoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
@@ -53,7 +67,16 @@ describe('CSP', { tags: TAG.smoke }, () => {
         beforeEach(() => {
             SwapPage.goToMyPoolsPage()
         })
+
         it('injecting <script> tag does not work', () => {
+            cy.get(MyPoolLocators.txtSearch, { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<script>console.log(`failed`)</script>')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('injects XSS via img onerror attribute', () => {
             cy.get(MyPoolLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()
@@ -75,7 +98,16 @@ describe('CSP', { tags: TAG.smoke }, () => {
         beforeEach(() => {
             SwapPage.goToFarmPage()
         })
+
         it('injecting <script> tag does not work', () => {
+            cy.get(FarmLocators.txtSearch, { timeout: 10000 })
+                .should('be.visible')
+                .click()
+                .type('KNC<script>console.log(`failed`)</script>')
+            cy.get('@log').should('not.have.been.called')
+        })
+
+        it('injects XSS via img onerror attribute', () => {
             cy.get(FarmLocators.txtSearch, { timeout: 10000 })
                 .should('be.visible')
                 .click()

From 4f92edc1768663a3ea8d854b23d458ceff868af5 Mon Sep 17 00:00:00 2001
From: ltthienn <hien.le@kyber.network>
Date: Wed, 4 Oct 2023 12:03:58 +0700
Subject: [PATCH 5/5] update selectors

---
 cypress/e2e/selectors/selectors.cy.ts         | 8 ++++----
 cypress/support/selectTokenCommands.ts        | 4 ++--
 src/components/SearchModal/CurrencySearch.tsx | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/cypress/e2e/selectors/selectors.cy.ts b/cypress/e2e/selectors/selectors.cy.ts
index 3e88fea966..ea4ee1d6a5 100644
--- a/cypress/e2e/selectors/selectors.cy.ts
+++ b/cypress/e2e/selectors/selectors.cy.ts
@@ -1,7 +1,7 @@
 export const TokenCatalogLocators = {
   dropdownTokenIn: '[data-testid=swap-currency-input] [data-testid=token-symbol-container]',
   dropdownTokenOut: '[data-testid=swap-currency-output] [data-testid=token-symbol-container]',
-  txtToken: '[data-testid=token-search-input]',
+  txtSearch: '[data-testid=search-input]',
   lblFavoriteToken: '[data-testid=favorite-token]',
   lblRowInWhiteList: '[data-testid=token-item]',
   lblNotFound: '[data-testid=no-token-result]',
@@ -47,13 +47,13 @@ export const FarmLocators = {
 }
 
 export const PoolLocators = {
-  txtSearch: '[data-testid=input-search]'
+  txtSearch: '[data-testid=search-input]'
 }
 
 export const MyPoolLocators = {
-  txtSearch: '[data-testid=input-search]'
+  txtSearch: '[data-testid=search-input]'
 }
 
 export const MyEarningLocators = {
-  txtSearch: '[data-testid=input-search]'
+  txtSearch: '[data-testid=search-input]'
 }
\ No newline at end of file
diff --git a/cypress/support/selectTokenCommands.ts b/cypress/support/selectTokenCommands.ts
index 098d334d3e..efa0530ff6 100644
--- a/cypress/support/selectTokenCommands.ts
+++ b/cypress/support/selectTokenCommands.ts
@@ -39,7 +39,7 @@ Cypress.Commands.add('selectTokenOut', () => {
 })
 
 Cypress.Commands.add('searchToken', (value) => {
-   cy.get(TokenCatalogLocators.txtToken).should('be.visible').type(value)
+   cy.get(TokenCatalogLocators.txtSearch).should('be.visible').type(value)
 })
 
 Cypress.Commands.add('selectTokenBySymbol', (value) => {
@@ -74,7 +74,7 @@ Cypress.Commands.add('deleteImportedToken', (value: string) => {
    cy.searchToken(value)
    cy.wait(1000)
    cy.get(TokenCatalogLocators.lblRowInWhiteList).children().find(TokenCatalogLocators.iconRemoveImportedToken).click()
-   cy.get(TokenCatalogLocators.txtToken).clear()
+   cy.get(TokenCatalogLocators.txtSearch).clear()
 
 })
 
diff --git a/src/components/SearchModal/CurrencySearch.tsx b/src/components/SearchModal/CurrencySearch.tsx
index c25bf3038e..e42d3b5a7d 100644
--- a/src/components/SearchModal/CurrencySearch.tsx
+++ b/src/components/SearchModal/CurrencySearch.tsx
@@ -438,7 +438,7 @@ export function CurrencySearch({
           <SearchInput
             type="text"
             id="token-search-input"
-            data-testid="token-search-input"
+            data-testid="search-input"
             placeholder={t`Search by token name, token symbol or address`}
             value={searchQuery}
             ref={inputRef}