Merge pull request #76 from ujifgc/clarify-warning

clarify reaction warning, test it
2023-03-27 23:18:01 -04:00 · 2014-03-13 09:43:02 +01:00 · 2014-03-13 09:43:02 +01:00 · 52ebb35f82
commit 52ebb35f82
parent 3eec7838ec 690dbeffaa
2 changed files with 37 additions and 1 deletions
--- a/rack-protection/lib/rack/protection/base.rb
+++ b/rack-protection/lib/rack/protection/base.rb
@ -43,7 +43,6 @@ module Rack

      def call(env)
        unless accepts? env
-          warn env, "attack prevented by #{self.class}"
          instrument env
          result = react env
        end
@ -68,10 +67,12 @@ module Rack
      end

      def deny(env)
+        warn env, "attack prevented by #{self.class}"
        [options[:status], {'Content-Type' => 'text/plain'}, [options[:message]]]
      end

      def report(env)
+        warn env, "attack reported by #{self.class}"
        env[options[:report_key]] = true
      end

--- a/rack-protection/spec/protection_spec.rb
+++ b/rack-protection/spec/protection_spec.rb
@ -30,6 +30,41 @@ describe Rack::Protection do
    body.should == "true"
  end

+  describe "#react" do
+    it 'prevents attacks and warns about it' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /prevented.*Origin/
+    end
+
+    it 'reports attacks if reaction is to report' do
+      io = StringIO.new
+      mock_app do
+        use Rack::Protection, :reaction => :report, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /reported.*Origin/
+      io.string.should_not match /prevented.*Origin/
+    end
+
+    it 'passes errors to reaction method if specified' do
+      io = StringIO.new
+      Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
+      mock_app do
+        use Rack::Protection, :reaction => :special, :logger => Logger.new(io)
+        run DummyApp
+      end
+      post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
+      io.string.should match /HTTP_ORIGIN.*malicious.com/
+      io.string.should_not match /reported|prevented/
+    end
+  end
+
  describe "#html?" do
    context "given an appropriate content-type header" do
      subject { Rack::Protection::Base.new(nil).html? 'content-type' => "text/html" }