diff options
| author | Rick Olson <technoweenie@gmail.com> | 2007-09-28 16:50:48 +0000 |
|---|---|---|
| committer | Rick Olson <technoweenie@gmail.com> | 2007-09-28 16:50:48 +0000 |
| commit | 82ff27766d3edc3fb1d0d043841e9c3cd277744f (patch) | |
| tree | 7854659c7ec3f0ae5b87a8d1068f92a8fb40775c /actionpack/test/controller | |
| parent | c1bdf027d8d54127e41427e21fabe7ff3e26c6bc (diff) | |
| download | rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.tar.gz rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.tar.bz2 rails-82ff27766d3edc3fb1d0d043841e9c3cd277744f.zip | |
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 119 |
1 files changed, 74 insertions, 45 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 2166b24aa6..0990d1b0c5 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -5,6 +5,61 @@ ActionController::Routing::Routes.draw do |map| map.connect ':controller/:action/:id' end +# simulates cookie session store +class FakeSessionDbMan + def self.generate_digest(data) + Digest::SHA1.hexdigest("secure") + end +end + +# common controller actions +module RequestForgeryProtectionActions + def index + render :inline => "<%= form_tag('/') {} %>" + end + + def show_button + render :inline => "<%= button_to('New', '/') {} %>" + end + + def unsafe + render :text => 'pwn' + end + + def rescue_action(e) raise e end +end + +# sample controllers +class RequestForgeryProtectionController < ActionController::Base + include RequestForgeryProtectionActions + protect_from_forgery :only => :index, :secret => 'abc' +end + +class RequestForgeryProtectionWithoutSecretController < ActionController::Base + include RequestForgeryProtectionActions + protect_from_forgery +end + +# no token is given, assume the cookie store is used +class CsrfCookieMonsterController < ActionController::Base + include RequestForgeryProtectionActions + protect_from_forgery :only => :index +end + +class FreeCookieController < CsrfCookieMonsterController + self.allow_forgery_protection = false + + def index + render :inline => "<%= form_tag('/') {} %>" + end + + def show_button + render :inline => "<%= button_to('New', '/') {} %>" + end +end + +# common test methods + module RequestForgeryProtectionTests def teardown ActionController::Base.request_forgery_protection_token = nil @@ -85,26 +140,7 @@ module RequestForgeryProtectionTests end end -module RequestForgeryProtectionActions - def index - render :inline => "<%= form_tag('/') {} %>" - end - - def show_button - render :inline => "<%= button_to('New', '/') {} %>" - end - - def unsafe - render :text => 'pwn' - end - - def rescue_action(e) raise e end -end - -class RequestForgeryProtectionController < ActionController::Base - include RequestForgeryProtectionActions - protect_from_forgery :only => :index, :secret => 'abc' -end +# OK let's get our test on class RequestForgeryProtectionControllerTest < Test::Unit::TestCase include RequestForgeryProtectionTests @@ -120,27 +156,22 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase end end -# no token is given, assume the cookie store is used -class CsrfCookieMonsterController < ActionController::Base - include RequestForgeryProtectionActions - protect_from_forgery :only => :index -end - -class FreeCookieController < CsrfCookieMonsterController - self.allow_forgery_protection = false - - def index - render :inline => "<%= form_tag('/') {} %>" +class RequestForgeryProtectionWithoutSecretControllerTest < Test::Unit::TestCase + def setup + @controller = RequestForgeryProtectionWithoutSecretController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + class << @request.session + def session_id() '123' end + end + @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') + ActionController::Base.request_forgery_protection_token = :authenticity_token end - def show_button - render :inline => "<%= button_to('New', '/') {} %>" - end -end - -class FakeSessionDbMan - def self.generate_digest(data) - Digest::SHA1.hexdigest("secure") + def test_should_raise_error_without_secret + assert_raises ActionController::InvalidAuthenticityToken do + get :index + end end end @@ -150,18 +181,17 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase @controller = CsrfCookieMonsterController.new @request = ActionController::TestRequest.new @response = ActionController::TestResponse.new - # simulate a cookie session store - @request.session.instance_variable_set(:@dbman, FakeSessionDbMan) class << @request.session - attr_reader :dbman + attr_accessor :dbman end + # simulate a cookie session store + @request.session.dbman = FakeSessionDbMan @token = Digest::SHA1.hexdigest("secure") ActionController::Base.request_forgery_protection_token = :authenticity_token end end class FreeCookieControllerTest < Test::Unit::TestCase - def setup @controller = FreeCookieController.new @request = ActionController::TestRequest.new @@ -184,5 +214,4 @@ class FreeCookieControllerTest < Test::Unit::TestCase assert_nothing_raised { send(method, :index)} end end - -end +end
\ No newline at end of file |