Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

6 files changed, 239 insertions, 0 deletions

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
new file mode 100644
index 0000000000..5c4dc1ee5f
--- /dev/null
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -0,0 +1,217 @@
+require File.dirname(__FILE__) + '/../abstract_unit'
+
+ActionController::Routing::Routes.draw do |map|
+  map.connect ':controller/:action/:id'
+end
+
+class RequestForgeryProtectionController < ActionController::Base
+  verify_token :only => :index, :secret => 'abc'
+
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  
+  def unsafe
+    render :text => 'pwn'
+  end
+  
+  def rescue_action(e) raise e end
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = RequestForgeryProtectionController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    class << @request.session
+      def session_id() '123' end
+    end
+    @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+    ActionController::Base.request_forgery_protection_token = :_token
+  end
+  
+  def teardown
+    ActionController::Base.request_forgery_protection_token = nil
+  end
+
+  def test_should_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', '_token', @token
+  end
+
+  # Replace this with your real tests.
+  def test_should_allow_get
+    get :index
+    assert_response :success
+  end
+  
+  def test_should_allow_post_without_token_on_unsafe_action
+    post :unsafe
+    assert_response :success
+  end
+  
+  def test_should_not_allow_post_without_token
+    assert_raises(ActionController::InvalidToken) { post :index }
+  end
+  
+  def test_should_not_allow_put_without_token
+    assert_raises(ActionController::InvalidToken) { put :index }
+  end
+  
+  def test_should_not_allow_delete_without_token
+    assert_raises(ActionController::InvalidToken) { delete :index }
+  end
+  
+  def test_should_not_allow_xhr_post_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+  end
+  
+  def test_should_not_allow_xhr_put_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+  end
+  
+  def test_should_not_allow_xhr_delete_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+  end
+  
+  def test_should_allow_post_with_token
+    post :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_token
+    put :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_token
+    delete :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_post_with_xml
+    post :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_xml
+    put :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_xml
+    delete :index, :format => 'xml'
+    assert_response :success
+  end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+  verify_token :only => :index
+
+  def index
+    render :inline => "<%= form_tag('/') {} %>"
+  end
+  
+  def unsafe
+    render :text => 'pwn'
+  end
+  
+  def rescue_action(e) raise e end
+end
+
+class FakeSessionDbMan
+  def self.generate_digest(data)
+    Digest::SHA1.hexdigest("secure")
+  end
+end
+
+class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = CsrfCookieMonsterController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+    # simulate a cookie session store
+    @request.session.instance_variable_set(:@dbman, FakeSessionDbMan)
+    class << @request.session
+      attr_reader :dbman
+    end
+    @token = Digest::SHA1.hexdigest("secure")
+    ActionController::Base.request_forgery_protection_token = :_token
+  end
+  
+  def teardown
+    ActionController::Base.request_forgery_protection_token = nil
+  end
+
+  def test_should_render_form_with_token_tag
+    get :index
+    assert_select 'form>div>input[name=?][value=?]', '_token', @token
+  end
+
+  # Replace this with your real tests.
+  def test_should_allow_get
+    get :index
+    assert_response :success
+  end
+  
+  def test_should_allow_post_without_token_on_unsafe_action
+    post :unsafe
+    assert_response :success
+  end
+  
+  def test_should_not_allow_post_without_token
+    assert_raises(ActionController::InvalidToken) { post :index }
+  end
+  
+  def test_should_not_allow_put_without_token
+    assert_raises(ActionController::InvalidToken) { put :index }
+  end
+  
+  def test_should_not_allow_delete_without_token
+    assert_raises(ActionController::InvalidToken) { delete :index }
+  end
+  
+  def test_should_not_allow_xhr_post_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :post, :index }
+  end
+  
+  def test_should_not_allow_xhr_put_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :put, :index }
+  end
+  
+  def test_should_not_allow_xhr_delete_without_token
+    assert_raises(ActionController::InvalidToken) { xhr :delete, :index }
+  end
+  
+  def test_should_allow_post_with_token
+    post :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_token
+    put :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_token
+    delete :index, :_token => @token
+    assert_response :success
+  end
+  
+  def test_should_allow_post_with_xml
+    post :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_put_with_xml
+    put :index, :format => 'xml'
+    assert_response :success
+  end
+  
+  def test_should_allow_delete_with_xml
+    delete :index, :format => 'xml'
+    assert_response :success
+  end
+end
+
diff --git a/actionpack/test/template/form_helper_test.rb b/actionpack/test/template/form_helper_test.rb
index af63a056f8..9b22d4cef3 100644
--- a/actionpack/test/template/form_helper_test.rb
+++ b/actionpack/test/template/form_helper_test.rb
@@ -711,4 +711,8 @@ class FormHelperTest < Test::Unit::TestCase
     def post_path(post)
       "/posts/#{post.id}"
     end
+    
+    def request_forgery_protection_token
+      nil
+    end
 end
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index c582c26c68..f2c6678ddd 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -177,4 +177,9 @@ class FormTagHelperTest < Test::Unit::TestCase
     expected = %(<fieldset>Hello world!</fieldset>)
     assert_dom_equal expected, _erbout
   end
+  
+  def request_forgery_protection_token
+    nil
+    
+  end
 end
diff --git a/actionpack/test/template/prototype_helper_test.rb b/actionpack/test/template/prototype_helper_test.rb
index 4adfc90180..7bb4245c58 100644
--- a/actionpack/test/template/prototype_helper_test.rb
+++ b/actionpack/test/template/prototype_helper_test.rb
@@ -60,6 +60,11 @@ module BaseTest
   end
 
 protected
+  
+  def request_forgery_protection_token
+    nil
+  end
+  
   def create_generator
     block = Proc.new { |*args| yield *args if block_given? } 
     JavaScriptGenerator.new self, &block
diff --git a/actionpack/test/template/scriptaculous_helper_test.rb b/actionpack/test/template/scriptaculous_helper_test.rb
index 514ba9107e..722839f15e 100644
--- a/actionpack/test/template/scriptaculous_helper_test.rb
+++ b/actionpack/test/template/scriptaculous_helper_test.rb
@@ -89,4 +89,8 @@ class ScriptaculousHelperTest < Test::Unit::TestCase
     assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nDroppables.add(\"droptarget1\", {accept:['tshirts','mugs'], onDrop:function(element){new Ajax.Updater('infobox', 'http://www.example.com/', {asynchronous:true, evalScripts:true, parameters:'id=' + encodeURIComponent(element.id)})}})\n//]]>\n</script>),
       drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox')
   end
+  
+  def request_forgery_protection_token
+    nil
+  end
 end
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index db1e226a7e..5707beeab1 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -267,6 +267,10 @@ class UrlHelperTest < Test::Unit::TestCase
     assert_dom_equal "<a href=\"&#109;&#97;&#105;&#108;&#116;&#111;&#58;%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">&#109;&#101;&#40;&#97;&#116;&#41;&#100;&#111;&#109;&#97;&#105;&#110;&#40;&#100;&#111;&#116;&#41;&#99;&#111;&#109;</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
     assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
   end
+  
+  def request_forgery_protection_token
+    nil
+  end
 end
 
 class UrlHelperWithControllerTest < Test::Unit::TestCase