kotovalexarian-likes-github/mperham--sidekiq
1
0
Fork 0
mirror of https://github.com/mperham/sidekiq.git synced 2022-11-09 13:52:34 -05:00
Code Releases Activity
mperham--sidekiq/test/test_csrf.rb
Mike Perham 55ced28181
Update standard rules (#5360) 
* update standard rules and run standard:fix

* Fix more standard errors

* standardize
2022-06-05 07:44:52 -07:00

120 lines
3.1 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
require_relative "./helper"
require "sidekiq/web/csrf_protection"
describe "Csrf" do
def session
@session ||= {}
end
def env(method = :get, form_hash = {}, rack_session = session)
imp = StringIO.new
{
"REQUEST_METHOD" => method.to_s.upcase,
"rack.session" => rack_session,
"rack.logger" => ::Logger.new(@logio ||= StringIO.new),
"rack.input" => imp,
"rack.request.form_input" => imp,
"rack.request.form_hash" => form_hash
}
end
def call(env, &block)
Sidekiq::Web::CsrfProtection.new(block).call(env)
end
it "get" do
ok = [200, {}, ["OK"]]
first = 1
second = 1
result = call(env) do |envy|
refute_nil envy[:csrf_token]
assert_equal 88, envy[:csrf_token].size
first = envy[:csrf_token]
ok
end
assert_equal ok, result
result = call(env) do |envy|
refute_nil envy[:csrf_token]
assert_equal 88, envy[:csrf_token].size
second = envy[:csrf_token]
ok
end
assert_equal ok, result
# verify masked token changes on every valid request
refute_equal first, second
end
it "bad post" do
result = call(env(:post)) do
raise "Shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
@logio.rewind
assert_match(/attack prevented/, @logio.string)
end
it "succeeds with good token" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST with the known good token
result = call(env(:post, "authenticity_token" => goodtoken)) do
[200, {}, ["OK"]]
end
refute_nil result
assert_equal 200, result[0]
assert_equal ["OK"], result[2]
end
it "fails with bad token" do
# Make a POST with a known bad token
result = call(env(:post, "authenticity_token" => "N0QRBD34tU61d7fi+0ZaF/35JLW/9K+8kk8dc1TZoK/0pTl7GIHap5gy7BWGsoKlzbMLRp1yaDpCDFwTJtxWAg==")) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
it "empty session post" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST with an empty session data and good token
result = call(env(:post, {"authenticity_token" => goodtoken}, {})) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
it "empty csrf session post" do
# Make a GET to set up the session with a good token
goodtoken = call(env) do |envy|
envy[:csrf_token]
end
assert goodtoken
# Make a POST without csrf session data and good token
result = call(env(:post, {"authenticity_token" => goodtoken}, {"session_id" => "foo"})) do
raise "shouldnt be called"
end
refute_nil result
assert_equal 403, result[0]
assert_equal ["Forbidden"], result[2]
end
end
View git blame Copy permalink