# frozen_string_literal: true
RSpec.describe Rack::Protection::CookieTossing do
  # "Cookie tossing": a sibling subdomain or a narrower path plants a second
  # cookie carrying the session's name (or a percent-encoded spelling of it)
  # so the browser presents two candidates and the app may pick the attacker's.
  # These examples check that the middleware refuses such requests (or
  # redirects, when configured to) and asks the browser to drop the offending
  # cookies on every path prefix of the request.
  it_behaves_like 'any rack application'

  # Wraps DummyApp in the middleware, forwarding +options+ verbatim
  # (e.g. reaction: :redirect, session_key: '_session').
  def protect_with(**options)
    mock_app do
      use Rack::Protection::CookieTossing, **options
      run DummyApp
    end
  end

  # Issues GET +path+ with a raw Cookie request header and returns the response.
  def get_with_cookies(path, cookie_header)
    get path, {}, 'HTTP_COOKIE' => cookie_header
    last_response
  end

  context 'with default reaction' do
    before(:each) { protect_with }

    it 'accepts requests with a single session cookie' do
      response = get_with_cookies('/', 'rack.session=SESSION_TOKEN')
      expect(response).to be_ok
    end

    it 'denies requests with duplicate session cookies' do
      # Two cookies with the same name: which one the app would read is a
      # parser detail the attacker can typically influence (browsers order
      # cookies by path length), so the request is refused outright.
      response = get_with_cookies('/', 'rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN')
      # NOTE(review): `not_to be_ok` also passes for a 3xx or 5xx; pin the deny
      # status (e.g. `be_forbidden`) once confirmed against the default reaction.
      expect(response).not_to be_ok
    end

    it 'denies requests with sneaky encoded session cookies' do
      # %73 is a percent-encoded 's': `rack.%73ession` unescapes to the session
      # name, so a layer that decodes cookie names would see a second `rack.session`.
      response = get_with_cookies('/', 'rack.session=EVIL_SESSION_TOKEN; rack.%73ession=SESSION_TOKEN')
      expect(response).not_to be_ok
    end

    it 'adds the correct Set-Cookie header' do
      response = get_with_cookies(
        '/some/path',
        'rack.%73ession=EVIL_SESSION_TOKEN; rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN'
      )

      # A tossed cookie may have been scoped to any prefix of the request path,
      # so each offending name is expired once per prefix ('/', '/some',
      # '/some/path'). Only domain-scoped clears appear here; a host-only
      # duplicate would need a Set-Cookie without `domain=` — TODO confirm
      # whether the middleware covers that case.
      # NOTE(review): the encoded name comes back as `rack.%2573ession` (escaped
      # again on output) while the browser holds it under the literal name
      # `rack.%73ession`; cookie names are opaque to browsers, so this clear
      # may not actually remove the tossed cookie — verify against a real client.
      expired = 'expires=Thu, 01 Jan 1970 00:00:00 GMT'
      expected_header = [
        "rack.%2573ession=; domain=example.org; path=/; #{expired}",
        "rack.%2573ession=; domain=example.org; path=/some; #{expired}",
        "rack.%2573ession=; domain=example.org; path=/some/path; #{expired}",
        "rack.session=; domain=example.org; path=/; #{expired}",
        "rack.session=; domain=example.org; path=/some; #{expired}",
        "rack.session=; domain=example.org; path=/some/path; #{expired}"
      ].join("\n")

      # Assumes the newline-joined Set-Cookie header shape — confirm against
      # the Rack version in use if this starts failing.
      expect(response.headers['Set-Cookie']).to eq(expected_header)
    end
  end

  context 'with redirect reaction' do
    before(:each) { protect_with(reaction: :redirect) }

    it 'redirects requests with duplicate session cookies' do
      response = get_with_cookies('/', 'rack.session=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN')
      expect(response).to be_redirect
      # As far as these examples show, the target is the request's own path,
      # not an attacker-supplied value, so the reaction is not an open redirect.
      expect(response.location).to eq('/')
    end

    it 'redirects requests with sneaky encoded session cookies' do
      response = get_with_cookies('/path', 'rack.%73ession=EVIL_SESSION_TOKEN; rack.session=SESSION_TOKEN')
      expect(response).to be_redirect
      expect(response.location).to eq('/path')
      # TODO(review): also assert that the clearing Set-Cookie headers ride
      # along on the redirect; without them a client that keeps the cookie
      # would loop on the same path.
    end
  end

  context 'with custom session key' do
    before(:each) { protect_with(session_key: '_session') }

    it 'denies requests with duplicate session cookies' do
      # The duplicate check must follow the configured name, not `rack.session`.
      response = get_with_cookies('/', '_session=EVIL_SESSION_TOKEN; _session=SESSION_TOKEN')
      expect(response).not_to be_ok
    end
  end
end