mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

test/webrick/test_httpresponse.rb: Use a longer indicator for crack

"hack" was too short.  The test checks the error HTML, which includes the
hostname.  The GitHub Actions hostname seems to be randomly generated, and it
may include the indicator string.

https://github.com/ruby/ruby/runs/784896235
```
  1) Failure:
WEBrick::TestHTTPResponse#test_prevent_response_splitting_cookie_headers_cr [/home/runner/work/ruby/ruby/src/test/webrick/test_httpresponse.rb:71]:
Expected /hack/ to not match "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\n<HTML>\n  <HEAD><TITLE>Internal Server Error</TITLE></HEAD>\n  <BODY>\n    <H1>Internal Server Error</H1>\n    WEBrick::HTTPResponse::InvalidHeader\n    <HR>\n    <ADDRESS>\n     WEBrick/1.6.0 (Ruby/2.8.0/2020-06-18) at\n     fv-az89.dddawhu1s14uzpjkiz5fhackre.cx.internal.cloudapp.net:80\n    </ADDRESS>\n  </BODY>\n</HTML>\n".
```

This change uses longer indicator "cracked_indicator_for_test" instead.
Yusuke Endoh 2020-06-19 00:53:33 +09:00
parent c0591b8477
commit 26c1cf6a60


@ -30,70 +30,70 @@ module WEBrick
end
def test_prevent_response_splitting_headers_crlf
res['X-header'] = "malicious\r\nCookie: hack"
res['X-header'] = "malicious\r\nCookie: cracked_indicator_for_test"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_prevent_response_splitting_cookie_headers_crlf
user_input = "malicious\r\nCookie: hack"
user_input = "malicious\r\nCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_prevent_response_splitting_headers_cr
res['X-header'] = "malicious\rCookie: hack"
res['X-header'] = "malicious\rCookie: cracked_indicator_for_test"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_prevent_response_splitting_cookie_headers_cr
user_input = "malicious\rCookie: hack"
user_input = "malicious\rCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_prevent_response_splitting_headers_lf
res['X-header'] = "malicious\nCookie: hack"
res['X-header'] = "malicious\nCookie: cracked_indicator_for_test"
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_prevent_response_splitting_cookie_headers_lf
user_input = "malicious\nCookie: hack"
user_input = "malicious\nCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new
res.send_response io
io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code
refute_match 'hack', io.string
refute_match 'cracked_indicator_for_test', io.string
end
def test_set_redirect_response_splitting
url = "malicious\r\nCookie: hack"
url = "malicious\r\nCookie: cracked_indicator_for_test"
assert_raises(URI::InvalidURIError) do
res.set_redirect(WEBrick::HTTPStatus::MultipleChoices, url)
end
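Review bot: The `refute_match` calls in the six `test_prevent_response_splitting_*` tests still scan all of `io.string`, which includes the 500 error page and the hostname in its `<ADDRESS>` block, so the longer marker makes a collision unlikely but keeps the assertion tied to environment-dependent text. What these tests guard is that the CR/LF-bearing value never becomes a header line of its own, and that can be pinned on the parsed response as well, for example `assert_nil res['Cookie']` after the `Net::HTTPResponse.read_new` line. That check would probably be most meaningful in the `_crlf` and `_lf` variants, since how the client parser treats a bare CR is not visible here. A short comment such as `# marker must be long enough not to appear in the error page's hostname` beside the first use would record why the string looks the way it does. `test_set_redirect_response_splitting` continues past the end of the hunk, and no `refute_match` is visible in it, so the rename there looks to be for consistency only.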