aboutsummaryrefslogblamecommitdiffstats
path: root/actionpack/test/controller/redirect_test.rb
blob: 3ea03be74a3f607d48ae4c1261cc8adc99cfe805 (plain) (tree)
1
2
3
4
5
6
7
8
                       
 
                                                 

                                                                

                                                    
 


                                        
 
                          
                                                           
     


                                                             
     
 



                                                              
                              
                                                                        


                                   
                                                           
     
 
                                       
                                                   

     

                                                  



                                     

     



                                                                  



                                                                                        



                                                                                      




                                                 
                                                     

     



                                                



                                                 



                      
                                 
                               


                            
                                 

     



                     



                                                                                                         












                                                      







                                 
                                  
 




                                                                                     
 

                                               

                          
                        

                                                                         

     






                                                           
                                 



                                                           





                                                                         




                                                                         
 
                                    
                                  



                                                                         





                                                                          



                                                          
     


                                        


                                                          
 


                                            
                       


                                                                 

                                                 





                                                                       




                                       

                                                                      

     

                                        
                             

                                                                                                 


                          

                                                                                   



                                        
                             

                                                                                               
 








                                                      
                                                              

     





                                                                  





                                                          

                                                                       




                           

                                                                      
     
 
                                           
                                                       
                                        




                             


                           
 
















                                                                 
                             
                         
                 
                            
                                 



                                                                  
                                          


                                                                
                                            
       
     

                          
                                                                    

                          
                                                         
     
 
                             
                                          

                             
                                                                                                     

     














                                                      
                                 







                                                                  
   







                                                                      

                                                       
 

                            

                                                                                              
       
 

                                          
                               




                                                                                                   

                                                                           



                                          
                               
                                                                               

       
   
require 'abstract_unit'

class RedirectController < ActionController::Base
  # empty method not used anywhere to ensure methods like
  # `status` and `location` aren't called on `redirect_to` calls
  def status; render plain: 'called status'; end
  def location; render plain: 'called location'; end

  def simple_redirect
    redirect_to :action => "hello_world"
  end

  def redirect_with_status
    redirect_to({:action => "hello_world", :status => 301})
  end

  def redirect_with_status_hash
    redirect_to({:action => "hello_world"}, {:status => 301})
  end

  def redirect_with_protocol
    redirect_to :action => "hello_world", :protocol => "https"
  end

  def url_redirect_with_status
    redirect_to("http://www.example.com", :status => :moved_permanently)
  end

  def url_redirect_with_status_hash
    redirect_to("http://www.example.com", {:status => 301})
  end

  def relative_url_redirect_with_status
    redirect_to("/things/stuff", :status => :found)
  end

  def relative_url_redirect_with_status_hash
    redirect_to("/things/stuff", {:status => 301})
  end

  def redirect_to_back_with_status
    redirect_to :back, :status => 307
  end

  def redirect_back_with_status
    redirect_back(fallback_location: "/things/stuff", status: 307)
  end

  def host_redirect
    redirect_to :action => "other_host", :only_path => false, :host => 'other.test.host'
  end

  def module_redirect
    redirect_to :controller => 'module_test/module_redirect', :action => "hello_world"
  end

  def redirect_to_url
    redirect_to "http://www.rubyonrails.org/"
  end

  def redirect_to_url_with_unescaped_query_string
    redirect_to "http://example.com/query?status=new"
  end

  def redirect_to_url_with_complex_scheme
    redirect_to "x-test+scheme.complex:redirect"
  end

  def redirect_to_url_with_network_path_reference
    redirect_to "//www.rubyonrails.org/"
  end

  def redirect_to_back
    redirect_to :back
  end

  def redirect_to_existing_record
    redirect_to Workshop.new(5)
  end

  def redirect_to_new_record
    redirect_to Workshop.new(nil)
  end

  def redirect_to_nil
    redirect_to nil
  end

  def redirect_to_params
    redirect_to ActionController::Parameters.new(status: 200, protocol: 'javascript', f: '%0Aeval(name)')
  end

  def redirect_to_with_block
    redirect_to proc { "http://www.rubyonrails.org/" }
  end

  def redirect_to_with_block_and_assigns
    @url = "http://www.rubyonrails.org/"
    redirect_to proc { @url }
  end

  def redirect_to_with_block_and_options
    redirect_to proc { {:action => "hello_world"} }
  end

  def redirect_with_header_break
    redirect_to "/lol\r\nwat"
  end

  def redirect_with_null_bytes
    redirect_to "\000/lol\r\nwat"
  end

  def rescue_errors(e) raise e end

  protected
    def dashbord_url(id, message)
      url_for :action => "dashboard", :params => { "id" => id, "message" => message }
    end
end

class RedirectTest < ActionController::TestCase
  tests RedirectController

  def test_simple_redirect
    get :simple_redirect
    assert_response :redirect
    assert_equal "http://test.host/redirect/hello_world", redirect_to_url
  end

  def test_redirect_with_header_break
    get :redirect_with_header_break
    assert_response :redirect
    assert_equal "http://test.host/lolwat", redirect_to_url
  end

  def test_redirect_with_null_bytes
    get :redirect_with_null_bytes
    assert_response :redirect
    assert_equal "http://test.host/lolwat", redirect_to_url
  end

  def test_redirect_with_no_status
    get :simple_redirect
    assert_response 302
    assert_equal "http://test.host/redirect/hello_world", redirect_to_url
  end

  def test_redirect_with_status
    get :redirect_with_status
    assert_response 301
    assert_equal "http://test.host/redirect/hello_world", redirect_to_url
  end

  def test_redirect_with_status_hash
    get :redirect_with_status_hash
    assert_response 301
    assert_equal "http://test.host/redirect/hello_world", redirect_to_url
  end

  def test_redirect_with_protocol
    get :redirect_with_protocol
    assert_response 302
    assert_equal "https://test.host/redirect/hello_world", redirect_to_url
  end

  def test_url_redirect_with_status
    get :url_redirect_with_status
    assert_response 301
    assert_equal "http://www.example.com", redirect_to_url
  end

  def test_url_redirect_with_status_hash
    get :url_redirect_with_status_hash
    assert_response 301
    assert_equal "http://www.example.com", redirect_to_url
  end


  def test_relative_url_redirect_with_status
    get :relative_url_redirect_with_status
    assert_response 302
    assert_equal "http://test.host/things/stuff", redirect_to_url
  end

  def test_relative_url_redirect_with_status_hash
    get :relative_url_redirect_with_status_hash
    assert_response 301
    assert_equal "http://test.host/things/stuff", redirect_to_url
  end

  def test_redirect_to_back_with_status
    @request.env["HTTP_REFERER"] = "http://www.example.com/coming/from"

    assert_deprecated do
      get :redirect_to_back_with_status
    end

    assert_response 307
    assert_equal "http://www.example.com/coming/from", redirect_to_url
  end

  def test_simple_redirect_using_options
    get :host_redirect
    assert_response :redirect
    assert_redirected_to :action => "other_host", :only_path => false, :host => 'other.test.host'
  end

  def test_module_redirect
    get :module_redirect
    assert_response :redirect
    assert_redirected_to "http://test.host/module_test/module_redirect/hello_world"
  end

  def test_module_redirect_using_options
    get :module_redirect
    assert_response :redirect
    assert_redirected_to :controller => 'module_test/module_redirect', :action => 'hello_world'
  end

  def test_redirect_to_url
    get :redirect_to_url
    assert_response :redirect
    assert_redirected_to "http://www.rubyonrails.org/"
  end

  def test_redirect_to_url_with_unescaped_query_string
    get :redirect_to_url_with_unescaped_query_string
    assert_response :redirect
    assert_redirected_to "http://example.com/query?status=new"
  end

  def test_redirect_to_url_with_complex_scheme
    get :redirect_to_url_with_complex_scheme
    assert_response :redirect
    assert_equal "x-test+scheme.complex:redirect", redirect_to_url
  end

  def test_redirect_to_url_with_network_path_reference
    get :redirect_to_url_with_network_path_reference
    assert_response :redirect
    assert_equal "//www.rubyonrails.org/", redirect_to_url
  end

  def test_redirect_to_back
    @request.env["HTTP_REFERER"] = "http://www.example.com/coming/from"

    assert_deprecated do
      get :redirect_to_back
    end

    assert_response :redirect
    assert_equal "http://www.example.com/coming/from", redirect_to_url
  end

  def test_redirect_to_back_with_no_referer
    assert_raise(ActionController::RedirectBackError) {
      @request.env["HTTP_REFERER"] = nil

      assert_deprecated do
        get :redirect_to_back
      end

      get :redirect_to_back
    }
  end

  def test_redirect_back
    referer = "http://www.example.com/coming/from"
    @request.env["HTTP_REFERER"] = referer

    get :redirect_back_with_status

    assert_response 307
    assert_equal referer, redirect_to_url
  end

  def test_redirect_back_with_no_referer
    get :redirect_back_with_status

    assert_response 307
    assert_equal "http://test.host/things/stuff", redirect_to_url
  end

  def test_redirect_to_record
    with_routing do |set|
      set.draw do
        resources :workshops
        get ':controller/:action'
      end

      get :redirect_to_existing_record
      assert_equal "http://test.host/workshops/5", redirect_to_url
      assert_redirected_to Workshop.new(5)

      get :redirect_to_new_record
      assert_equal "http://test.host/workshops", redirect_to_url
      assert_redirected_to Workshop.new(nil)
    end
  end

  def test_redirect_to_nil
    error = assert_raise(ActionController::ActionControllerError) do
      get :redirect_to_nil
    end
    assert_equal "Cannot redirect to nil!", error.message
  end

  def test_redirect_to_params
    error = assert_raise(ArgumentError) do
      get :redirect_to_params
    end
    assert_equal "Generating a URL from non sanitized request parameters is insecure!", error.message
  end

  def test_redirect_to_with_block
    get :redirect_to_with_block
    assert_response :redirect
    assert_redirected_to "http://www.rubyonrails.org/"
  end

  def test_redirect_to_with_block_and_assigns
    get :redirect_to_with_block_and_assigns
    assert_response :redirect
    assert_redirected_to "http://www.rubyonrails.org/"
  end

  def test_redirect_to_with_block_and_accepted_options
    with_routing do |set|
      set.draw do
        get ':controller/:action'
      end

      get :redirect_to_with_block_and_options

      assert_response :redirect
      assert_redirected_to "http://test.host/redirect/hello_world"
    end
  end
end

module ModuleTest
  class ModuleRedirectController < ::RedirectController
    def module_redirect
      redirect_to :controller => '/redirect', :action => "hello_world"
    end
  end

  class ModuleRedirectTest < ActionController::TestCase
    tests ModuleRedirectController

    def test_simple_redirect
      get :simple_redirect
      assert_response :redirect
      assert_equal "http://test.host/module_test/module_redirect/hello_world", redirect_to_url
    end

    def test_simple_redirect_using_options
      get :host_redirect
      assert_response :redirect
      assert_redirected_to :action => "other_host", :only_path => false, :host => 'other.test.host'
    end

    def test_module_redirect
      get :module_redirect
      assert_response :redirect
      assert_equal "http://test.host/redirect/hello_world", redirect_to_url
    end

    def test_module_redirect_using_options
      get :module_redirect
      assert_response :redirect
      assert_redirected_to :controller => '/redirect', :action => "hello_world"
    end
  end
end