diff options
| author | Bradley Buda <bradleybuda@gmail.com> | 2014-08-19 14:29:26 -0700 |
|---|---|---|
| committer | Bradley Buda <bradleybuda@gmail.com> | 2014-08-19 15:28:07 -0700 |
| commit | 69fc0e1b5e6a3227576d67587c386142ef65854e (patch) | |
| tree | 252a9f1cf5badc0945eaed8abbbb94c5c0a44700 /actionpack/test | |
| parent | 4751a8c51ff4b9766dcf8324347477095b7f940d (diff) | |
| download | rails-69fc0e1b5e6a3227576d67587c386142ef65854e.tar.gz rails-69fc0e1b5e6a3227576d67587c386142ef65854e.tar.bz2 rails-69fc0e1b5e6a3227576d67587c386142ef65854e.zip | |
Auth token mask from breach-mitigation-rails gem
This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.
The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 2a5aad9c0e..5e2510fb2e 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -125,8 +125,9 @@ end module RequestForgeryProtectionTests def setup @token = "cf50faa3fe97702ca1ae" - - SecureRandom.stubs(:base64).returns(@token) + @controller.stubs(:form_authenticity_token).returns(@token) + @controller.stubs(:valid_authenticity_token?).with{ |_, t| t == @token }.returns(true) + @controller.stubs(:valid_authenticity_token?).with{ |_, t| t != @token }.returns(false) @old_request_forgery_protection_token = ActionController::Base.request_forgery_protection_token ActionController::Base.request_forgery_protection_token = :custom_authenticity_token end @@ -386,7 +387,7 @@ class RequestForgeryProtectionControllerUsingResetSessionTest < ActionController end test 'should emit a csrf-param meta tag and a csrf-token meta tag' do - SecureRandom.stubs(:base64).returns(@token + '<=?') + @controller.stubs(:form_authenticity_token).returns(@token + '<=?') get :meta assert_select 'meta[name=?][content=?]', 'csrf-param', 'custom_authenticity_token' assert_select 'meta[name=?][content=?]', 'csrf-token', 'cf50faa3fe97702ca1ae<=?' @@ -466,7 +467,7 @@ class CustomAuthenticityParamControllerTest < ActionController::TestCase super @old_logger = ActionController::Base.logger @logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new - @token = "foobar" + @token = Base64.strict_encode64(SecureRandom.random_bytes(32)) @old_request_forgery_protection_token = ActionController::Base.request_forgery_protection_token ActionController::Base.request_forgery_protection_token = @token end @@ -478,7 +479,7 @@ class CustomAuthenticityParamControllerTest < ActionController::TestCase def test_should_not_warn_if_form_authenticity_param_matches_form_authenticity_token ActionController::Base.logger = @logger - SecureRandom.stubs(:base64).returns(@token) + @controller.stubs(:valid_authenticity_token?).returns(:true) begin post :index, :custom_token_name => 'foobar' |