rails--rails/railties/test/application/middleware/remote_ip_test.rb

require 'isolation/abstract_unit'
require 'active_support/key_generator'

module ApplicationTests
  class RemoteIpTest < ActiveSupport::TestCase
    include ActiveSupport::Testing::Isolation

    def remote_ip(env = {})
      remote_ip = nil
      env = Rack::MockRequest.env_for("/").merge(env).merge!(
        'action_dispatch.show_exceptions' => false,
        'action_dispatch.key_generator'   => ActiveSupport::LegacyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33')
      )

      endpoint = Proc.new do |e|
        remote_ip = ActionDispatch::Request.new(e).remote_ip
        [200, {}, ["Hello"]]
      end

      Rails.application.middleware.build(endpoint).call(env)
      remote_ip
    end

    test "remote_ip works" do
      make_basic_app
      assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "1.1.1.1")
    end

    test "checks IP spoofing by default" do
      make_basic_app
      assert_raises(ActionDispatch::RemoteIp::IpSpoofAttackError) do
        remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")
      end
    end

    test "works with both headers individually" do
      make_basic_app
      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
        assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1")
      end
      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
        assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2")
      end
    end

    test "can disable IP spoofing check" do
      make_basic_app do |app|
        app.config.action_dispatch.ip_spoofing_check = false
      end

      assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
        assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")
      end
    end

    test "the user can set trusted proxies" do
      make_basic_app do |app|
        app.config.action_dispatch.trusted_proxies = /^4\.2\.42\.42$/
      end

      assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "4.2.42.42,1.1.1.1")
    end
  end
end
Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00			`require 'isolation/abstract_unit'`
Use derived keys everywhere, http_authentication was missing it 2012-11-02 18:26:11 -04:00			`require 'active_support/key_generator'`
Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00
			`module ApplicationTests`
convert railties to use AS::TestCase 2012-01-05 20:30:17 -05:00			`class RemoteIpTest < ActiveSupport::TestCase`
Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00			`include ActiveSupport::Testing::Isolation`

			`def remote_ip(env = {})`
			`remote_ip = nil`
			`env = Rack::MockRequest.env_for("/").merge(env).merge!(`
			`'action_dispatch.show_exceptions' => false,`
Rename DummyKeyGenerator -> LegacyKeyGenerator 2013-04-02 19:41:57 -04:00			`'action_dispatch.key_generator' => ActiveSupport::LegacyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33')`
Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00			`)`

			`endpoint = Proc.new do \|e\|`
			`remote_ip = ActionDispatch::Request.new(e).remote_ip`
			`[200, {}, ["Hello"]]`
			`end`

			`Rails.application.middleware.build(endpoint).call(env)`
			`remote_ip`
			`end`

			`test "remote_ip works" do`
			`make_basic_app`
			`assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "1.1.1.1")`
			`end`

			`test "checks IP spoofing by default" do`
			`make_basic_app`
			`assert_raises(ActionDispatch::RemoteIp::IpSpoofAttackError) do`
			`remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")`
			`end`
			`end`

make sure both headers are set before checking for ip spoofing 2013-06-04 18:01:08 -04:00			`test "works with both headers individually" do`
			`make_basic_app`
			`assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do`
			`assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1")`
			`end`
			`assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do`
			`assert_equal "1.1.1.2", remote_ip("HTTP_CLIENT_IP" => "1.1.1.2")`
			`end`
			`end`

Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00			`test "can disable IP spoofing check" do`
			`make_basic_app do \|app\|`
			`app.config.action_dispatch.ip_spoofing_check = false`
			`end`

			`assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do`
Restore original remote_ip algorithm. Proxy servers add X-Forwarded-For headers, resulting in a list of IPs. We remove trusted IP values, and then take the last given value, assuming that it is the most likely to be the correct, unfaked value. See [1] for a very thorough discussion of why that is the best option we have at the moment. [1]: http://blog.gingerlime.com/2012/rails-ip-spoofing-vulnerabilities-and-protection/ Fixes #7979 2013-01-02 18:21:13 -05:00			`assert_equal "1.1.1.1", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")`
Fix a routing test. Reorganize middleware tests. 2010-10-02 11:42:36 -04:00			`end`
			`end`

			`test "the user can set trusted proxies" do`
			`make_basic_app do \|app\|`
			`app.config.action_dispatch.trusted_proxies = /^4\.2\.42\.42$/`
			`end`

			`assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "4.2.42.42,1.1.1.1")`
			`end`
			`end`
			`end`