mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
Add :without_session
option to skip session based protection
This includes: * Rack::Protection::SessionHijacking * Rack::Protection::RemoteToken Closes #47
This commit is contained in:
parent
3286be8418
commit
46b1d85aee
2 changed files with 29 additions and 0 deletions
|
@ -23,6 +23,11 @@ module Rack
|
||||||
# does not include: RemoteReferrer, AuthenticityToken and FormToken
|
# does not include: RemoteReferrer, AuthenticityToken and FormToken
|
||||||
except = Array options[:except]
|
except = Array options[:except]
|
||||||
use_these = Array options[:use]
|
use_these = Array options[:use]
|
||||||
|
|
||||||
|
if options.fetch(:without_session, false)
|
||||||
|
except += [:session_hijacking, :remote_token]
|
||||||
|
end
|
||||||
|
|
||||||
Rack::Builder.new do
|
Rack::Builder.new do
|
||||||
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
use ::Rack::Protection::RemoteReferrer, options if use_these.include? :remote_referrer
|
||||||
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
use ::Rack::Protection::AuthenticityToken, options if use_these.include? :authenticity_token
|
||||||
|
|
|
@ -100,4 +100,28 @@ describe Rack::Protection do
|
||||||
it { expect(instrumenter).not_to receive(:instrument) }
|
it { expect(instrumenter).not_to receive(:instrument) }
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe "new" do
|
||||||
|
it 'should allow disable session protection' do
|
||||||
|
mock_app do
|
||||||
|
use Rack::Protection, :without_session => true
|
||||||
|
run DummyApp
|
||||||
|
end
|
||||||
|
|
||||||
|
session = {:foo => :bar}
|
||||||
|
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
|
||||||
|
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
|
||||||
|
expect(session[:foo]).to eq :bar
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'should allow disable CSRF protection' do
|
||||||
|
mock_app do
|
||||||
|
use Rack::Protection, :without_session => true
|
||||||
|
run DummyApp
|
||||||
|
end
|
||||||
|
|
||||||
|
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
|
||||||
|
expect(last_response).to be_ok
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue