From 690dbeffaad8bbd20b62464b976c0fbde880d76b Mon Sep 17 00:00:00 2001
From: Igor Bochkariov
Date: Thu, 13 Mar 2014 11:55:59 +0400
Subject: [PATCH] clarify reaction warning, test it
---
 rack-protection/lib/rack/protection/base.rb | 3 +-
 rack-protection/spec/protection_spec.rb | 35 +++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/rack-protection/lib/rack/protection/base.rb b/rack-protection/lib/rack/protection/base.rb
index 09d3ff9f..fe6ab37d 100755
--- a/rack-protection/lib/rack/protection/base.rb
+++ b/rack-protection/lib/rack/protection/base.rb
@@ -43,7 +43,6 @@ module Rack
 
       def call(env)
         unless accepts? env
-          warn env, "attack prevented by #{self.class}"
           instrument env
           result = react env
         end
@@ -68,10 +67,12 @@ module Rack
       end
 
       def deny(env)
+        warn env, "attack prevented by #{self.class}"
         [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
       end
 
       def report(env)
+        warn env, "attack reported by #{self.class}"
         env[options[:report_key]] = true
       end
 
diff --git a/rack-protection/spec/protection_spec.rb b/rack-protection/spec/protection_spec.rb
index 69d87584..083670c9 100755
--- a/rack-protection/spec/protection_spec.rb
+++ b/rack-protection/spec/protection_spec.rb
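Review bot: With the log call moved into `deny` and `report`, a rejected request handled by any other `:reaction` is no longer logged at all, whereas the line removed from `call` covered every reaction; the new spec's `:special` case even asserts `should_not match /reported|prevented/`, so a custom handler silently loses the audit entry that operators may be alerting on. If that is the intended contract, state it where the reaction methods live, e.g. above `deny`: `# Each reaction is responsible for logging the attempt; a custom :reaction that does not call warn leaves it unlogged.` Otherwise `call` could keep a generic warning for reactions other than the two that now log themselves. The body of `call` and the enclosing class continue outside the hunks.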
@@ -30,6 +30,41 @@ describe Rack::Protection do
       body.should == "true"
     end
 
+  describe "#react" do
+    it 'prevents attacks and warns about it' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /prevented.*Origin/
+    end
+
+    it 'reports attacks if reaction is to report' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /reported.*Origin/
+      io.string.should_not match /prevented.*Origin/
+    end
+
+    it 'passes errors to reaction method if specified' do
+      io = StringIO.new
+      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
+      mock_app do
+        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /HTTP_ORIGIN.*malicious.com/
+      io.string.should_not match /reported|prevented/
+    end
+  end
+
   describe "#html?" do
     context "given an appropriate content-type header" do
       subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }
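Review bot: The third example defines `special` on `Rack::Protection::Base` with `define_method` and never removes it, so the method stays on the class for every later example in the suite and, because `io` is captured in the block, keeps that StringIO alive; an `after` hook with `Rack::Protection::Base.send(:remove_method, :special)` would restore the class. The unparenthesised regex arguments such as `should match /prevented.*Origin/` trigger Ruby's ambiguous-first-argument warning; `should match(/prevented.*Origin/)` avoids it. All three examples rely on the default `Rack::Protection` stack rejecting a request whose `HTTP_ORIGIN` does not match the host, which the hunk itself does not show. The enclosing `describe Rack::Protection do` block continues outside the hunk.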