@@ -45,6 +45,16 @@ class RequestForgeryProtectionController < ActionController::Base
45
45
protect_from_forgery :only => %w( index meta )
46
46
end
47
47
48
+ class RequestForgeryProtectionControllerUsingOldBehaviour < ActionController ::Base
49
+ include RequestForgeryProtectionActions
50
+ protect_from_forgery :only => %w( index meta )
51
+
52
+ def handle_unverified_request
53
+ raise ( ActionController ::InvalidAuthenticityToken )
54
+ end
55
+ end
56
+
57
+
48
58
class FreeCookieController < RequestForgeryProtectionController
49
59
self . allow_forgery_protection = false
50
60
@@ -67,172 +77,92 @@ def form_authenticity_param
67
77
# common test methods
68
78
69
79
module RequestForgeryProtectionTests
70
- def teardown
71
- ActionController ::Base . request_forgery_protection_token = nil
72
- end
80
+ def setup
81
+ @token = "cf50faa3fe97702ca1ae"
73
82
74
- def test_should_render_form_with_token_tag
75
- get :index
76
- assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , @token
83
+ ActiveSupport ::SecureRandom . stubs ( :base64 ) . returns ( @token )
84
+ ActionController ::Base . request_forgery_protection_token = :authenticity_token
77
85
end
78
86
79
- def test_should_render_external_form_for_with_external_token
80
- get :external_form_for
81
- assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , 'external_token'
82
- end
83
87
84
- def test_should_render_form_for_without_token_tag
85
- get :form_for_without_protection
86
- assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , @token , false
88
+ def test_should_render_form_with_token_tag
89
+ assert_not_blocked do
90
+ get :index
91
+ end
92
+ assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , @token
87
93
end
88
94
89
95
def test_should_render_button_to_with_token_tag
90
- get :show_button
96
+ assert_not_blocked do
97
+ get :show_button
98
+ end
91
99
assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , @token
92
100
end
93
101
94
- def test_should_render_external_form_with_external_token
95
- get :external_form
96
- assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , 'external_token'
97
- end
98
-
99
- def test_should_render_external_form_without_token
100
- get :external_form_without_protection
101
- assert_select 'form>div>input[name=?][value=?]' , 'authenticity_token' , @token , false
102
- end
103
-
104
102
def test_should_allow_get
105
- get :index
106
- assert_response :success
103
+ assert_not_blocked { get :index }
107
104
end
108
105
109
106
def test_should_allow_post_without_token_on_unsafe_action
110
- post :unsafe
111
- assert_response :success
112
- end
113
-
114
- def test_should_not_allow_html_post_without_token
115
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
116
- assert_raise ( ActionController ::InvalidAuthenticityToken ) { post :index , :format => :html }
117
- end
118
-
119
- def test_should_not_allow_html_put_without_token
120
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
121
- assert_raise ( ActionController ::InvalidAuthenticityToken ) { put :index , :format => :html }
122
- end
123
-
124
- def test_should_not_allow_html_delete_without_token
125
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
126
- assert_raise ( ActionController ::InvalidAuthenticityToken ) { delete :index , :format => :html }
127
- end
128
-
129
- def test_should_allow_api_formatted_post_without_token
130
- assert_nothing_raised do
131
- post :index , :format => 'xml'
132
- end
133
- end
134
-
135
- def test_should_not_allow_api_formatted_put_without_token
136
- assert_nothing_raised do
137
- put :index , :format => 'xml'
138
- end
139
- end
140
-
141
- def test_should_allow_api_formatted_delete_without_token
142
- assert_nothing_raised do
143
- delete :index , :format => 'xml'
144
- end
145
- end
146
-
147
- def test_should_not_allow_api_formatted_post_sent_as_url_encoded_form_without_token
148
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
149
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
150
- post :index , :format => 'xml'
151
- end
152
- end
153
-
154
- def test_should_not_allow_api_formatted_put_sent_as_url_encoded_form_without_token
155
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
156
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
157
- put :index , :format => 'xml'
158
- end
159
- end
160
-
161
- def test_should_not_allow_api_formatted_delete_sent_as_url_encoded_form_without_token
162
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
163
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
164
- delete :index , :format => 'xml'
165
- end
107
+ assert_not_blocked { post :unsafe }
166
108
end
167
109
168
- def test_should_not_allow_api_formatted_post_sent_as_multipart_form_without_token
169
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
170
- @request . env [ 'CONTENT_TYPE' ] = Mime ::MULTIPART_FORM . to_s
171
- post :index , :format => 'xml'
172
- end
110
+ def test_should_not_allow_post_without_token
111
+ assert_blocked { post :index }
173
112
end
174
113
175
- def test_should_not_allow_api_formatted_put_sent_as_multipart_form_without_token
176
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
177
- @request . env [ 'CONTENT_TYPE' ] = Mime ::MULTIPART_FORM . to_s
178
- put :index , :format => 'xml'
179
- end
114
+ def test_should_not_allow_post_without_token_irrespective_of_format
115
+ assert_blocked { post :index , :format => 'xml' }
180
116
end
181
117
182
- def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_token
183
- assert_raise ( ActionController ::InvalidAuthenticityToken ) do
184
- @request . env [ 'CONTENT_TYPE' ] = Mime ::MULTIPART_FORM . to_s
185
- delete :index , :format => 'xml'
186
- end
118
+ def test_should_not_allow_put_without_token
119
+ assert_blocked { put :index }
187
120
end
188
121
189
- def test_should_allow_xhr_post_without_token
190
- assert_nothing_raised { xhr :post , :index }
122
+ def test_should_not_allow_delete_without_token
123
+ assert_blocked { delete :index }
191
124
end
192
125
193
- def test_should_allow_xhr_put_without_token
194
- assert_nothing_raised { xhr :put , :index }
126
+ def test_should_not_allow_xhr_post_without_token
127
+ assert_blocked { xhr :post , :index }
195
128
end
196
129
197
- def test_should_allow_xhr_delete_without_token
198
- assert_nothing_raised { xhr :delete , :index }
130
+ def test_should_allow_post_with_token
131
+ assert_not_blocked { post :index , :authenticity_token => @token }
199
132
end
200
133
201
- def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
202
- @request . env [ 'CONTENT_TYPE' ] = Mime ::URL_ENCODED_FORM . to_s
203
- assert_nothing_raised { xhr :post , :index }
134
+ def test_should_allow_put_with_token
135
+ assert_not_blocked { put :index , :authenticity_token => @token }
204
136
end
205
137
206
- def test_should_allow_post_with_token
207
- post :index , :authenticity_token => @token
208
- assert_response :success
138
+ def test_should_allow_delete_with_token
139
+ assert_not_blocked { delete :index , :authenticity_token => @token }
209
140
end
210
141
211
- def test_should_allow_put_with_token
212
- put :index , :authenticity_token => @token
213
- assert_response :success
142
+ def test_should_allow_post_with_token_in_header
143
+ @request . env [ 'HTTP_X_CSRF_TOKEN' ] = @token
144
+ assert_not_blocked { post :index }
214
145
end
215
146
216
- def test_should_allow_delete_with_token
217
- delete :index , :authenticity_token => @token
218
- assert_response :success
147
+ def test_should_allow_delete_with_token_in_header
148
+ @request . env [ 'HTTP_X_CSRF_TOKEN' ] = @token
149
+ assert_not_blocked { delete :index }
219
150
end
220
151
221
- def test_should_allow_post_with_xml
222
- @request . env [ 'CONTENT_TYPE' ] = Mime ::XML . to_s
223
- post :index , :format => 'xml'
224
- assert_response :success
152
+ def test_should_allow_put_with_token_in_header
153
+ @request . env [ 'HTTP_X_CSRF_TOKEN' ] = @token
154
+ assert_not_blocked { put :index }
225
155
end
226
156
227
- def test_should_allow_put_with_xml
228
- @request . env [ 'CONTENT_TYPE' ] = Mime ::XML . to_s
229
- put :index , :format => 'xml'
157
+ def assert_blocked
158
+ session [ :something_like_user_id ] = 1
159
+ yield
160
+ assert_nil session [ :something_like_user_id ] , "session values are still present"
230
161
assert_response :success
231
162
end
232
163
233
- def test_should_allow_delete_with_xml
234
- @request . env [ 'CONTENT_TYPE' ] = Mime ::XML . to_s
235
- delete :index , :format => 'xml'
164
+ def assert_not_blocked
165
+ assert_nothing_raised { yield }
236
166
assert_response :success
237
167
end
238
168
end
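Review bot: The negative cases in RequestForgeryProtectionTests only ever omit the token (`test_should_not_allow_post_without_token` and its put/delete/xhr siblings); no test sends a wrong `:authenticity_token` parameter or a wrong `HTTP_X_CSRF_TOKEN` header, so a verification step that merely checks for the presence of a value would still pass this module. Because `assert_blocked` now asserts that the session was cleared and the response is still `:success` rather than that an exception was raised, the mismatch path is never exercised with a tampered value at all. Consider adding `def test_should_not_allow_post_with_invalid_token; assert_blocked { post :index, :authenticity_token => 'not-the-token' }; end` (constructed value) and a header variant that sets `@request.env['HTTP_X_CSRF_TOKEN']` to a value other than `@token` before `assert_blocked { post :index }`. A one-line comment above `assert_blocked` such as `# A blocked request is not an error in the new behaviour: the session is reset and the action still renders.` would also make the changed contract explicit to readers of the subclass override further down.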
@@ -241,16 +171,6 @@ def test_should_allow_delete_with_xml
241
171
242
172
class RequestForgeryProtectionControllerTest < ActionController ::TestCase
243
173
include RequestForgeryProtectionTests
244
- def setup
245
- @controller = RequestForgeryProtectionController . new
246
- @request = ActionController ::TestRequest . new
247
- @request . format = :html
248
- @response = ActionController ::TestResponse . new
249
- @token = "cf50faa3fe97702ca1ae"
250
-
251
- ActiveSupport ::SecureRandom . stubs ( :base64 ) . returns ( @token )
252
- ActionController ::Base . request_forgery_protection_token = :authenticity_token
253
- end
254
174
255
175
test 'should emit a csrf-token meta tag' do
256
176
ActiveSupport ::SecureRandom . stubs ( :base64 ) . returns ( @token + '<=?' )
@@ -262,6 +182,15 @@ def setup
262
182
end
263
183
end
264
184
185
+ class RequestForgeryProtectionControllerUsingOldBehaviourTest < ActionController ::TestCase
186
+ include RequestForgeryProtectionTests
187
+ def assert_blocked
188
+ assert_raises ( ActionController ::InvalidAuthenticityToken ) do
189
+ yield
190
+ end
191
+ end
192
+ end
193
+
265
194
class FreeCookieControllerTest < ActionController ::TestCase
266
195
def setup
267
196
@controller = FreeCookieController . new
@@ -294,13 +223,23 @@ def test_should_allow_all_methods_without_token
294
223
end
295
224
end
296
225
226
+
227
+
228
+
229
+
297
230
class CustomAuthenticityParamControllerTest < ActionController ::TestCase
298
231
def setup
232
+ ActionController ::Base . request_forgery_protection_token = :custom_token_name
233
+ super
234
+ end
235
+
236
+ def teardown
299
237
ActionController ::Base . request_forgery_protection_token = :authenticity_token
238
+ super
300
239
end
301
240
302
241
def test_should_allow_custom_token
303
- post :index , :authenticity_token => 'foobar'
242
+ post :index , :custom_token_name => 'foobar'
304
243
assert_response :ok
305
244
end
306
245
end