Fix test/controller/request_forgery_protection_test.rb failure
kamipo committed May 18, 2020
1 parent 97d3432 commit abd27d5
Showing 2 changed files with 10 additions and 10 deletions.
Expand Up @@ -333,7 +333,7 @@ def valid_authenticity_token?(session, encoded_masked_token) # :doc:
end

begin
masked_token = Base64.strict_decode64(encoded_masked_token)
masked_token = Base64.urlsafe_decode64(encoded_masked_token)
rescue ArgumentError # encoded_masked_token is invalid Base64
return false
end
Expand Down Expand Up @@ -397,8 +397,8 @@ def valid_per_form_csrf_token?(token, session) # :doc:
end

def real_csrf_token(session) # :doc:
session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
Base64.strict_decode64(session[:_csrf_token])
session[:_csrf_token] ||= SecureRandom.urlsafe_base64(AUTHENTICITY_TOKEN_LENGTH)
Base64.urlsafe_decode64(session[:_csrf_token])
end

def per_form_csrf_token(session, action_path, method) # :doc:
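Review bot: `real_csrf_token` now stores a URL-safe value from `SecureRandom.urlsafe_base64` (unpadded by default) in `session[:_csrf_token]`, and nothing visible here covers a reader that still calls `Base64.strict_decode64` on that key, such as an older release sharing the session during a rolling deploy or a rollback; that reader would raise `ArgumentError` on `-`, `_` or the missing padding. The opposite direction looks safe, since Ruby's `Base64.urlsafe_decode64` also accepts the standard alphabet and padding, so values stored before this change should still decode. That is worth recording next to the decode, for example `# urlsafe_decode64 also accepts strict Base64, so session tokens stored before this change still decode`, along with a decision on whether mixed-version deployments need a fallback. The decode in `real_csrf_token` also has no `rescue ArgumentError`, unlike the one in `valid_authenticity_token?`, whose body continues outside the hunk.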
14 changes: 7 additions & 7 deletions actionpack/test/controller/request_forgery_protection_test.rb
Expand Up @@ -176,7 +176,7 @@ class SkipProtectionController < ActionController::Base
# common test methods
module RequestForgeryProtectionTests
def setup
@token = Base64.strict_encode64("railstestrailstestrailstestrails")
@token = Base64.urlsafe_encode64("railstestrailstestrailstestrails")
@old_request_forgery_protection_token = ActionController::Base.request_forgery_protection_token
ActionController::Base.request_forgery_protection_token = :custom_authenticity_token
end
Expand Down Expand Up @@ -722,29 +722,29 @@ def setup
end

def test_should_not_render_form_with_token_tag
SecureRandom.stub :base64, @token do
SecureRandom.stub :urlsafe_base64, @token do
get :index
assert_select "form>div>input[name=?][value=?]", "authenticity_token", @token, false
end
end

def test_should_not_render_button_to_with_token_tag
SecureRandom.stub :base64, @token do
SecureRandom.stub :urlsafe_base64, @token do
get :show_button
assert_select "form>div>input[name=?][value=?]", "authenticity_token", @token, false
end
end

def test_should_allow_all_methods_without_token
SecureRandom.stub :base64, @token do
SecureRandom.stub :urlsafe_base64, @token do
[:post, :patch, :put, :delete].each do |method|
assert_nothing_raised { send(method, :index) }
end
end
end

test "should not emit a csrf-token meta tag" do
SecureRandom.stub :base64, @token do
SecureRandom.stub :urlsafe_base64, @token do
get :meta
assert_predicate @response.body, :blank?
end
Expand All @@ -756,7 +756,7 @@ def setup
super
@old_logger = ActionController::Base.logger
@logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
@token = Base64.strict_encode64(SecureRandom.random_bytes(32))
@token = Base64.urlsafe_encode64(SecureRandom.random_bytes(32))
@old_request_forgery_protection_token = ActionController::Base.request_forgery_protection_token
ActionController::Base.request_forgery_protection_token = @token
end
Expand Down Expand Up @@ -1016,7 +1016,7 @@ def assert_presence_and_fetch_form_csrf_token
end

def assert_matches_session_token_on_server(form_token, method = "post")
actual = @controller.send(:unmask_token, Base64.strict_decode64(form_token))
actual = @controller.send(:unmask_token, Base64.urlsafe_decode64(form_token))
expected = @controller.send(:per_form_csrf_token, session, "/per_form_tokens/post_one", method)
assert_equal expected, actual
end
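Review bot: The fixed fixture in the first `setup`, `Base64.urlsafe_encode64("railstestrailstestrailstestrails")`, encodes only lowercase ASCII, so its output contains none of `+`, `/`, `-` or `_` and is padded; that makes it identical to the old `strict_encode64` value and unlike what `SecureRandom.urlsafe_base64` returns by default (unpadded). The `SecureRandom.stub :urlsafe_base64, @token` tests therefore never exercise the alphabet or padding difference this commit is about. Consider a fixture that does, for example `@token = Base64.urlsafe_encode64("\xFB\xFF" * 16, padding: false)` (constructed sample), plus one test asserting that a token produced with `Base64.strict_encode64` is still accepted by `valid_authenticity_token?`.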
