kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity
rails--rails/actionpack/test/controller/request_forgery_protection_test.rb

244 lines
6.2 KiB
Ruby
Raw Normal View History

require abstract_unit directly since test is in load path git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 08:32:06 -05:00
require 'abstract_unit'
Add missing require git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:48:59 -04:00
require 'digest/sha1'
revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty
2010-09-11 05:04:19 -04:00
require 'active_support/core_ext/string/strip'
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
# common controller actions
module RequestForgeryProtectionActions
def index
render :inline => "<%= form_tag('/') {} %>"
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
def show_button
render :inline => "<%= button_to('New', '/') {} %>"
end
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-08 16:17:08 -05:00
authenticity_token option for form_tag [#2988 state:resolved]
2010-12-27 17:31:14 -05:00
def external_form
render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => 'external_token') {} %>"
end
def external_form_without_protection
render :inline => "<%= form_tag('http://farfar.away/form', :authenticity_token => false) {} %>"
end
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
def unsafe
render :text => 'pwn'
end
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
def meta
revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty
2010-09-11 05:04:19 -04:00
render :inline => "<%= csrf_meta_tags %>"
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
end
Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 10:37:53 -05:00
def external_form_for
put authenticity_token option in parity w/ remote [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 11:19:02 -05:00
render :inline => "<%= form_for(:some_resource, :authenticity_token => 'external_token') {} %>"
Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 10:37:53 -05:00
end
def form_for_without_protection
put authenticity_token option in parity w/ remote [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-06 11:19:02 -05:00
render :inline => "<%= form_for(:some_resource, :authenticity_token => false ) {} %>"
Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 10:37:53 -05:00
end
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
def rescue_action(e) raise e end
end
# sample controllers
class RequestForgeryProtectionController < ActionController::Base
include RequestForgeryProtectionActions
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
protect_from_forgery :only => %w(index meta)
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
end
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
class RequestForgeryProtectionControllerUsingOldBehaviour < ActionController::Base
include RequestForgeryProtectionActions
protect_from_forgery :only => %w(index meta)
def handle_unverified_request
raise(ActionController::InvalidAuthenticityToken)
end
end
Change the forgery token implementation to just be a simple random string. This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
2008-11-20 17:06:19 -05:00
class FreeCookieController < RequestForgeryProtectionController
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
self.allow_forgery_protection = false
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
def index
render :inline => "<%= form_tag('/') {} %>"
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
def show_button
render :inline => "<%= button_to('New', '/') {} %>"
end
end
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
class CustomAuthenticityParamController < RequestForgeryProtectionController
def form_authenticity_param
'foobar'
end
end
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
# common test methods
Protect button_to behind protect_from_forgery (closes #9675) [lifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-25 12:50:35 -04:00
module RequestForgeryProtectionTests
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def setup
@token = "cf50faa3fe97702ca1ae"
Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly
2009-08-16 22:14:26 -04:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
ActionController::Base.request_forgery_protection_token = :authenticity_token
Fix indentation.
2010-09-22 15:04:42 -04:00
end
Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 10:37:53 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_render_form_with_token_tag
assert_not_blocked do
get :index
end
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
2011-02-05 10:37:53 -05:00
end
Fix indentation.
2010-09-22 15:04:42 -04:00
def test_should_render_button_to_with_token_tag
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
assert_not_blocked do
get :show_button
end
Fix indentation.
2010-09-22 15:04:42 -04:00
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
def test_should_allow_get
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
assert_not_blocked { get :index }
Fix indentation.
2010-09-22 15:04:42 -04:00
end
def test_should_allow_post_without_token_on_unsafe_action
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
assert_not_blocked { post :unsafe }
change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73]
2008-05-06 05:58:32 -04:00
end
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_not_allow_post_without_token
assert_blocked { post :index }
change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73]
2008-05-06 05:58:32 -04:00
end
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_not_allow_post_without_token_irrespective_of_format
assert_blocked { post :index, :format=>'xml' }
change ActionController::RequestForgeryProtection to use Mime::Type#verify_request? [#73]
2008-05-06 05:58:32 -04:00
end
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_not_allow_put_without_token
assert_blocked { put :index }
Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]
2008-05-06 03:42:24 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_not_allow_delete_without_token
assert_blocked { delete :index }
Changed request forgery protection to only worry about HTML-formatted content requests. Signed-off-by: Michael Koziarski <michael@koziarski.com>
2008-11-01 00:10:44 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_not_allow_xhr_post_without_token
assert_blocked { xhr :post, :index }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_post_with_token
assert_not_blocked { post :index, :authenticity_token => @token }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_put_with_token
assert_not_blocked { put :index, :authenticity_token => @token }
Don't check authenticity tokens for any AJAX requests
2009-03-04 16:05:15 -05:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_delete_with_token
assert_not_blocked { delete :index, :authenticity_token => @token }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_post_with_token_in_header
@request.env['HTTP_X_CSRF_TOKEN'] = @token
assert_not_blocked { post :index }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_delete_with_token_in_header
@request.env['HTTP_X_CSRF_TOKEN'] = @token
assert_not_blocked { delete :index }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def test_should_allow_put_with_token_in_header
@request.env['HTTP_X_CSRF_TOKEN'] = @token
assert_not_blocked { put :index }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def assert_blocked
session[:something_like_user_id] = 1
yield
assert_nil session[:something_like_user_id], "session values are still present"
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
assert_response :success
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
def assert_not_blocked
assert_nothing_raised { yield }
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
assert_response :success
end
end
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 12:50:48 -04:00
# OK let's get our test on
Protect button_to behind protect_from_forgery (closes #9675) [lifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-25 12:50:35 -04:00
Move controller assertions from base TestCase to AC:: and AV::TestCase
2008-11-07 15:42:34 -05:00
class RequestForgeryProtectionControllerTest < ActionController::TestCase
Protect button_to behind protect_from_forgery (closes #9675) [lifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-25 12:50:35 -04:00
include RequestForgeryProtectionTests
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
Make csrf_meta_tags use the tag helper Improved formatting of csrf_helper and improved test coverage
2011-04-07 20:18:33 -04:00
test 'should emit a csrf-param meta tag and a csrf-token meta tag' do
Test that csrf meta content is html-escaped, too
2010-02-04 21:03:06 -05:00
ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
get :meta
Make csrf_meta_tags use the tag helper Improved formatting of csrf_helper and improved test coverage
2011-04-07 20:18:33 -04:00
assert_select 'meta[name=?][content=?]', 'csrf-param', 'authenticity_token'
assert_select 'meta[name=?][content=?]', 'csrf-token', 'cf50faa3fe97702ca1ae&lt;=?'
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
end
Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-22 22:32:55 -04:00
end
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
class RequestForgeryProtectionControllerUsingOldBehaviourTest < ActionController::TestCase
include RequestForgeryProtectionTests
def assert_blocked
assert_raises(ActionController::InvalidAuthenticityToken) do
yield
end
end
end
Move controller assertions from base TestCase to AC:: and AV::TestCase
2008-11-07 15:42:34 -05:00
class FreeCookieControllerTest < ActionController::TestCase
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 11:55:45 -04:00
def setup
@controller = FreeCookieController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
Revert dumb test
2010-02-04 20:49:23 -05:00
@token = "cf50faa3fe97702ca1ae"
Change the forgery token implementation to just be a simple random string. This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.
2008-11-20 17:06:19 -05:00
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 11:55:45 -04:00
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 11:55:45 -04:00
def test_should_not_render_form_with_token_tag
get :index
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 11:55:45 -04:00
def test_should_not_render_button_to_with_token_tag
get :show_button
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token, false
end
Move form_remote_tag and remote_form_for into prototype_legacy_helper
2010-01-30 16:42:30 -05:00
Allow ability to disable request forgery protection, disable it in test mode by default. Closes #9693 [lifofifo] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-09-28 11:55:45 -04:00
def test_should_allow_all_methods_without_token
[:post, :put, :delete].each do |method|
assert_nothing_raised { send(method, :index)}
end
end
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
test 'should not emit a csrf-token meta tag' do
get :meta
code gardening: we have assert_(nil|blank|present), more concise, with better default failure messages - let's use them
2010-08-16 21:29:57 -04:00
assert_blank @response.body
Expose CSRF tag for UJS adapters
2010-02-04 17:15:16 -05:00
end
Ruby 1.9 compat, consistent load paths git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-10-02 01:32:14 -04:00
end
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
class CustomAuthenticityParamControllerTest < ActionController::TestCase
def setup
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
ActionController::Base.request_forgery_protection_token = :custom_token_name
super
end
def teardown
Fix test bleed
2009-11-18 20:54:27 -05:00
ActionController::Base.request_forgery_protection_token = :authenticity_token
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
super
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
end
def test_should_allow_custom_token
Change the CSRF whitelisting to only apply to get requests Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
2011-01-04 19:36:07 -05:00
post :index, :custom_token_name => 'foobar'
Extract form_authenticity_param instance method so it's overridable in subclasses
2009-11-18 02:36:48 -05:00
assert_response :ok
end
end
Copy permalink