mirror of
https://github.com/sinatra/sinatra
synced 2023-03-27 23:18:01 -04:00
8ae87a87f3
* Initialize rubocop * Style/StringLiterals: prefer single quotes * Style/AndOr: use `&&` and `||`, instead of `and` and `or` * Style/HashSyntax: use new hash syntax * Layout/EmptyLineAfterGuardClause: add empty lines after guard clause * Style/SingleLineMethods: temporary disable It breaks layout of the code, it is better to fix it manually * Style/Proc: prefer `proc` vs `Proc.new` * Disable Lint/AmbiguousBlockAssociation It affects proc definitions for sinatra DSL * Disable Style/CaseEquality * Lint/UnusedBlockArgument: put underscore in front of it * Style/Alias: prefer alias vs alias_method in a class body * Layout/EmptyLineBetweenDefs: add empty lines between defs * Style/ParallelAssignment: don't use parallel assigment * Style/RegexpLiteral: prefer %r for regular expressions * Naming/UncommunicativeMethodParamName: fix abbrevs * Style/PerlBackrefs: disable cop * Layout/SpaceAfterComma: add missing spaces * Style/Documentation: disable cop * Style/FrozenStringLiteralComment: add frozen_string_literal * Layout/AlignHash: align hash * Layout/ExtraSpacing: allow for alignment * Layout/SpaceAroundOperators: add missing spaces * Style/Not: prefer `!` instead of `not` * Style/GuardClause: add guard conditions * Style/MutableConstant: freeze contants * Lint/IneffectiveAccessModifier: disable cop * Lint/RescueException: disable cop * Style/SpecialGlobalVars: disable cop * Layout/DotPosition: fix position of dot for multiline method chains * Layout/SpaceInsideArrayLiteralBrackets: don't use spaces inside arrays * Layout/SpaceInsideBlockBraces: add space for blocks * Layout/SpaceInsideHashLiteralBraces: add spaces for hashes * Style/FormatString: use format string syntax * Style/StderrPuts: `warn` is preferable to `$stderr.puts` * Bundler/DuplicatedGem: disable cop * Layout/AlignArray: fix warning * Lint/AssignmentInCondition: remove assignments from conditions * Layout/IndentHeredoc: disable cop * Layout/SpaceInsideParens: remove extra spaces * Lint/UnusedMethodArgument: put underscore in front of unused arg * Naming/RescuedExceptionsVariableName: use `e` for exceptions * Style/CommentedKeyword: put comments before the method * Style/FormatStringToken: disable cop * Style/MultilineIfModifier: move condition before the method * Style/SignalException: prefer `raise` to `fail` * Style/SymbolArray: prefer %i for array of symbols * Gemspec/OrderedDependencies: Use alphabetical order for dependencies * Lint/UselessAccessModifier: disable cop * Naming/HeredocDelimiterNaming: change delimiter's name * Style/ClassCheck: prefer `is_a?` to `kind_of?` * Style/ClassVars: disable cop * Style/Encoding: remove coding comment * Style/RedundantParentheses: remove extra parentheses * Style/StringLiteralsInInterpolation: prefer singl quotes * Layout/AlignArguments: fix alignment * Layout/ClosingHeredocIndentation: align heredoc * Layout/EmptyLineAfterMagicComment: add empty line * Set RubyVersion for rubocop * Lint/UselessAssignment: disable cop * Style/EmptyLiteral: disable cop Causes test failures * Minor code-style fixes with --safe-auto-correct option * Disable the rest of the cops that cause warnings It would be easier to re-enable them in separate PRs * Add rubocop check to the default Rake task * Update to rubocop 1.32.0 * Rubocop updates for rack-protection and sinatra-contrib * Disable Style/SlicingWithRange cop * Make suggested updates Co-authored-by: Jordan Owens <jkowens@gmail.com>
139 lines
4.4 KiB
Ruby
139 lines
4.4 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe Rack::Protection do
|
|
it_behaves_like 'any rack application'
|
|
|
|
it 'passes on options' do
|
|
mock_app do
|
|
use Rack::Protection, track: ['HTTP_FOO']
|
|
run proc { |_e| [200, { 'Content-Type' => 'text/plain' }, ['hi']] }
|
|
end
|
|
|
|
session = { foo: :bar }
|
|
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
|
|
get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
|
|
expect(session[:foo]).to eq(:bar)
|
|
|
|
get '/', {}, 'rack.session' => session, 'HTTP_FOO' => 'BAR'
|
|
expect(session).to be_empty
|
|
end
|
|
|
|
it 'passes errors through if :reaction => :report is used' do
|
|
mock_app do
|
|
use Rack::Protection, reaction: :report
|
|
run proc { |e| [200, { 'Content-Type' => 'text/plain' }, [e['protection.failed'].to_s]] }
|
|
end
|
|
|
|
session = { foo: :bar }
|
|
post('/', {}, 'rack.session' => session, 'HTTP_ORIGIN' => 'http://malicious.com')
|
|
expect(last_response).to be_ok
|
|
expect(body).to eq('true')
|
|
end
|
|
|
|
describe '#react' do
|
|
it 'prevents attacks and warns about it' do
|
|
io = StringIO.new
|
|
mock_app do
|
|
use Rack::Protection, logger: Logger.new(io)
|
|
run DummyApp
|
|
end
|
|
post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
|
|
expect(io.string).to match(/prevented.*Origin/)
|
|
end
|
|
|
|
it 'reports attacks if reaction is to report' do
|
|
io = StringIO.new
|
|
mock_app do
|
|
use Rack::Protection, reaction: :report, logger: Logger.new(io)
|
|
run DummyApp
|
|
end
|
|
post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
|
|
expect(io.string).to match(/reported.*Origin/)
|
|
expect(io.string).not_to match(/prevented.*Origin/)
|
|
end
|
|
|
|
it 'passes errors to reaction method if specified' do
|
|
io = StringIO.new
|
|
Rack::Protection::Base.send(:define_method, :special) { |*args| io << args.inspect }
|
|
mock_app do
|
|
use Rack::Protection, reaction: :special, logger: Logger.new(io)
|
|
run DummyApp
|
|
end
|
|
post('/', {}, 'rack.session' => {}, 'HTTP_ORIGIN' => 'http://malicious.com')
|
|
expect(io.string).to match(/HTTP_ORIGIN.*malicious.com/)
|
|
expect(io.string).not_to match(/reported|prevented/)
|
|
end
|
|
end
|
|
|
|
describe '#html?' do
|
|
context 'given an appropriate content-type header' do
|
|
subject { Rack::Protection::Base.new(nil).html? 'content-type' => 'text/html' }
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'given an appropriate content-type header of text/xml' do
|
|
subject { Rack::Protection::Base.new(nil).html? 'content-type' => 'text/xml' }
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'given an appropriate content-type header of application/xml' do
|
|
subject { Rack::Protection::Base.new(nil).html? 'content-type' => 'application/xml' }
|
|
it { is_expected.to be_truthy }
|
|
end
|
|
|
|
context 'given an inappropriate content-type header' do
|
|
subject { Rack::Protection::Base.new(nil).html? 'content-type' => 'image/gif' }
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
|
|
context 'given no content-type header' do
|
|
subject { Rack::Protection::Base.new(nil).html?({}) }
|
|
it { is_expected.to be_falsey }
|
|
end
|
|
end
|
|
|
|
describe '#instrument' do
|
|
let(:env) { { 'rack.protection.attack' => 'base' } }
|
|
let(:instrumenter) { double('Instrumenter') }
|
|
|
|
after do
|
|
app.instrument(env)
|
|
end
|
|
|
|
context 'with an instrumenter specified' do
|
|
let(:app) { Rack::Protection::Base.new(nil, instrumenter: instrumenter) }
|
|
|
|
it { expect(instrumenter).to receive(:instrument).with('rack.protection', env) }
|
|
end
|
|
|
|
context 'with no instrumenter specified' do
|
|
let(:app) { Rack::Protection::Base.new(nil) }
|
|
|
|
it { expect(instrumenter).not_to receive(:instrument) }
|
|
end
|
|
end
|
|
|
|
describe 'new' do
|
|
it 'should allow disable session protection' do
|
|
mock_app do
|
|
use Rack::Protection, without_session: true
|
|
run DummyApp
|
|
end
|
|
|
|
session = { foo: :bar }
|
|
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
|
|
get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
|
|
expect(session[:foo]).to eq :bar
|
|
end
|
|
|
|
it 'should allow disable CSRF protection' do
|
|
mock_app do
|
|
use Rack::Protection, without_session: true
|
|
run DummyApp
|
|
end
|
|
|
|
post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
|
|
expect(last_response).to be_ok
|
|
end
|
|
end
|
|
end
|