
test/webrick/test_httpresponse.rb: Use a longer indicator for crack

"hack" was too short. The tests check the error HTML, which includes the
hostname. The GitHub Actions hostname appears to be randomly generated, and it
may happen to contain the indicator string.

784896235
```
  1) Failure:
WEBrick::TestHTTPResponse#test_prevent_response_splitting_cookie_headers_cr [/home/runner/work/ruby/ruby/src/test/webrick/test_httpresponse.rb:71]:
Expected /hack/ to not match "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\">\n<HTML>\n  <HEAD><TITLE>Internal Server Error</TITLE></HEAD>\n  <BODY>\n    <H1>Internal Server Error</H1>\n    WEBrick::HTTPResponse::InvalidHeader\n    <HR>\n    <ADDRESS>\n     WEBrick/1.6.0 (Ruby/2.8.0/2020-06-18) at\n     fv-az89.dddawhu1s14uzpjkiz5fhackre.cx.internal.cloudapp.net:80\n    </ADDRESS>\n  </BODY>\n</HTML>\n".
```

This change uses longer indicator "cracked_indicator_for_test" instead.
Yusuke Endoh 2020-06-19 00:53:33 +09:00
parent c0591b8477
commit 26c1cf6a60


@ -30,70 +30,70 @@ module WEBrick
end end
def test_prevent_response_splitting_headers_crlf def test_prevent_response_splitting_headers_crlf
res['X-header'] = "malicious\r\nCookie: hack" res['X-header'] = "malicious\r\nCookie: cracked_indicator_for_test"
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_prevent_response_splitting_cookie_headers_crlf def test_prevent_response_splitting_cookie_headers_crlf
user_input = "malicious\r\nCookie: hack" user_input = "malicious\r\nCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input) res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_prevent_response_splitting_headers_cr def test_prevent_response_splitting_headers_cr
res['X-header'] = "malicious\rCookie: hack" res['X-header'] = "malicious\rCookie: cracked_indicator_for_test"
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_prevent_response_splitting_cookie_headers_cr def test_prevent_response_splitting_cookie_headers_cr
user_input = "malicious\rCookie: hack" user_input = "malicious\rCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input) res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_prevent_response_splitting_headers_lf def test_prevent_response_splitting_headers_lf
res['X-header'] = "malicious\nCookie: hack" res['X-header'] = "malicious\nCookie: cracked_indicator_for_test"
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_prevent_response_splitting_cookie_headers_lf def test_prevent_response_splitting_cookie_headers_lf
user_input = "malicious\nCookie: hack" user_input = "malicious\nCookie: cracked_indicator_for_test"
res.cookies << WEBrick::Cookie.new('author', user_input) res.cookies << WEBrick::Cookie.new('author', user_input)
io = StringIO.new io = StringIO.new
res.send_response io res.send_response io
io.rewind io.rewind
res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io)) res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
assert_equal '500', res.code assert_equal '500', res.code
refute_match 'hack', io.string refute_match 'cracked_indicator_for_test', io.string
end end
def test_set_redirect_response_splitting def test_set_redirect_response_splitting
url = "malicious\r\nCookie: hack" url = "malicious\r\nCookie: cracked_indicator_for_test"
assert_raises(URI::InvalidURIError) do assert_raises(URI::InvalidURIError) do
res.set_redirect(WEBrick::HTTPStatus::MultipleChoices, url) res.set_redirect(WEBrick::HTTPStatus::MultipleChoices, url)
end end
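Review bot: Each `refute_match 'cracked_indicator_for_test', io.string` line in this hunk still scans the entire serialized response, including the 500 error body, which per the failure quoted in the description embeds the server version and the machine's host name; the longer indicator makes a collision with that environment-dependent text less likely but does not remove the coupling. Since the property under test is that the injected text never reaches the header block, restricting the match to the status line and headers would make the assertion independent of what the error page contains, e.g. `refute_match 'cracked_indicator_for_test', io.string.split("\r\n\r\n", 2).first`. This presumably works for all six tests because the quoted failure shows the header block terminated by `\r\n\r\n` before the HTML body; confirm that holds for every status path before relying on it. `test_set_redirect_response_splitting` continues past the end of the hunk.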