-
Notifications
You must be signed in to change notification settings - Fork 2.4k
/
csrf_test.rb
120 lines (104 loc) · 3.07 KB
/
csrf_test.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# frozen_string_literal: true
require_relative "./helper"
require "sidekiq/web/csrf_protection"
describe "Csrf" do
def session
@session ||= {}
end
def env(method = :get, form_hash = {}, rack_session = session)
imp = StringIO.new
{
"REQUEST_METHOD" => method.to_s.upcase,
"rack.session" => rack_session,
"rack.logger" => ::Logger.new(@logio ||= StringIO.new),
"rack.input" => imp,
"rack.request.form_input" => imp,
"rack.request.form_hash" => form_hash
}
end
def call(env, &block)
Sidekiq::Web::CsrfProtection.new(block).call(env)
end
it "get" do
ok = [200, {}, ["OK"]]
first = 1
second = 1
result = call(env) do |envy|
refute_nil envy[:csrf_token]
assert_equal 88, envy[:csrf_token].size
first = envy[:csrf_token]
ok
end
assert_equal ok, result
result = call(env) do |envy|
refute_nil envy[:csrf_token]
assert_equal 88, envy[:csrf_token].size
second = envy[:csrf_token]
ok
end
assert_equal ok, result
# verify masked token changes on every valid request
refute_equal first, second
end
it "bad post" do
result = call(env(:post)) do
raise "Shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
@logio.rewind
assert_match(/attack prevented/, @logio.string)
end
it "succeeds with good token" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST with the known good token
result = call(env(:post, "authenticity_token" => goodtoken)) do
[200, {}, ["OK"]]
end
refute_nil result
assert_equal 200, result[0]
assert_equal ["OK"], result[2]
end
it "fails with bad token" do
# Make a POST with a known bad token
result = call(env(:post, "authenticity_token" => "N0QRBD34tU61d7fi+0ZaF/35JLW/9K+8kk8dc1TZoK/0pTl7GIHap5gy7BWGsoKlzbMLRp1yaDpCDFwTJtxWAg==")) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
it "empty session post" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST with an empty session data and good token
result = call(env(:post, {"authenticity_token" => goodtoken}, {})) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
it "empty csrf session post" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST without csrf session data and good token
result = call(env(:post, {"authenticity_token" => goodtoken}, {"session_id" => "foo"})) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
end