authorRick Olson <technoweenie@gmail.com>2007-09-28 16:50:48 +0000
committerRick Olson <technoweenie@gmail.com>2007-09-28 16:50:48 +0000
commit82ff27766d3edc3fb1d0d043841e9c3cd277744f (patch)
tree7854659c7ec3f0ae5b87a8d1068f92a8fb40775c /actionpack/test
parentc1bdf027d8d54127e41427e21fabe7ff3e26c6bc (diff)
Better error messages if you leave out the :secret option for request forgery protection. Closes #9670 [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb119
1 files changed, 74 insertions, 45 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 2166b24aa6..0990d1b0c5 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -5,6 +5,61 @@ ActionController::Routing::Routes.draw do |map|
map.connect ':controller/:action/:id'
end
+# simulates cookie session store
+class FakeSessionDbMan
+ def self.generate_digest(data)
+ Digest::SHA1.hexdigest("secure")
+ end
+end
+
+# common controller actions
+module RequestForgeryProtectionActions
+ def index
+ render :inline => "<%= form_tag('/') {} %>"
+ end
+
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+
+ def unsafe
+ render :text => 'pwn'
+ end
+
+ def rescue_action(e) raise e end
+end
+
+# sample controllers
+class RequestForgeryProtectionController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionWithoutSecretController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index
+end
+
+class FreeCookieController < CsrfCookieMonsterController
+ self.allow_forgery_protection = false
+
+ def index
+ render :inline => "<%= form_tag('/') {} %>"
+ end
+
+ def show_button
+ render :inline => "<%= button_to('New', '/') {} %>"
+ end
+end
+
+# common test methods
+
module RequestForgeryProtectionTests
def teardown
ActionController::Base.request_forgery_protection_token = nil
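Review bot: FreeCookieController re-defines `index` and `show_button` byte-for-byte although it already inherits both from CsrfCookieMonsterController through RequestForgeryProtectionActions, so the two overrides can be dropped and the class reduced to the `self.allow_forgery_protection = false` line. FakeSessionDbMan.generate_digest also ignores its `data` argument and returns a constant, and the cookie-store test later compares the rendered token against that same literal; making the coupling explicit with `# fixed digest regardless of input: the cookie-store test expects the CSRF token to equal this value` would stop the two from drifting apart. The `:secret => 'abc'` on RequestForgeryProtectionController is fine as a fixture, but it is worth a one-word comment (`# test-only secret`) so it is never copied into an application's configuration.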
@@ -85,26 +140,7 @@ module RequestForgeryProtectionTests
end
end
-module RequestForgeryProtectionActions
- def index
- render :inline => "<%= form_tag('/') {} %>"
- end
-
- def show_button
- render :inline => "<%= button_to('New', '/') {} %>"
- end
-
- def unsafe
- render :text => 'pwn'
- end
-
- def rescue_action(e) raise e end
-end
-
-class RequestForgeryProtectionController < ActionController::Base
- include RequestForgeryProtectionActions
- protect_from_forgery :only => :index, :secret => 'abc'
-end
+# OK let's get our test on
class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
include RequestForgeryProtectionTests
@@ -120,27 +156,22 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
end
end
-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
- include RequestForgeryProtectionActions
- protect_from_forgery :only => :index
-end
-
-class FreeCookieController < CsrfCookieMonsterController
- self.allow_forgery_protection = false
-
- def index
- render :inline => "<%= form_tag('/') {} %>"
+class RequestForgeryProtectionWithoutSecretControllerTest < Test::Unit::TestCase
+ def setup
+ @controller = RequestForgeryProtectionWithoutSecretController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ class << @request.session
+ def session_id() '123' end
+ end
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ ActionController::Base.request_forgery_protection_token = :authenticity_token
end
- def show_button
- render :inline => "<%= button_to('New', '/') {} %>"
- end
-end
-
-class FakeSessionDbMan
- def self.generate_digest(data)
- Digest::SHA1.hexdigest("secure")
+ def test_should_raise_error_without_secret
+ assert_raises ActionController::InvalidAuthenticityToken do
+ get :index
+ end
end
end
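Review bot: test_should_raise_error_without_secret pins only the exception class, while the commit's stated purpose is a better error message when :secret is omitted, so the message itself is never verified; capture the exception and match on it, `e = assert_raises(ActionController::InvalidAuthenticityToken) { get :index }` followed by `assert_match(/secret/i, e.message)` (the pattern should follow the wording of the library change, which is not in this diff). The `@token` built in setup from secret 'abc' is never used by this test case and can be removed. This class also sets `ActionController::Base.request_forgery_protection_token` in setup but, unlike the other test classes in this file, does not include RequestForgeryProtectionTests and so has no teardown resetting it to nil, leaving the value in place for whatever test runs next; add `def teardown; ActionController::Base.request_forgery_protection_token = nil; end` or include the shared module.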
@@ -150,18 +181,17 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
@controller = CsrfCookieMonsterController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
- # simulate a cookie session store
- @request.session.instance_variable_set(:@dbman, FakeSessionDbMan)
class << @request.session
- attr_reader :dbman
+ attr_accessor :dbman
end
+ # simulate a cookie session store
+ @request.session.dbman = FakeSessionDbMan
@token = Digest::SHA1.hexdigest("secure")
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
end
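Review bot: `@token = Digest::SHA1.hexdigest("secure")` restates the literal that FakeSessionDbMan.generate_digest returns, so editing either one silently breaks the other; derive it from the fake instead, `@token = FakeSessionDbMan.generate_digest(nil)`. The switch from instance_variable_set to `attr_accessor :dbman` on the session's singleton class still relies on the session object keeping its store in an `@dbman` instance variable, which looks like an internal detail of the session implementation rather than its public interface; a comment such as `# relies on the session storing its backend in @dbman (internal detail) — revisit if the session class changes` would warn the next maintainer. The `def setup` line of this method lies above the hunk.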
class FreeCookieControllerTest < Test::Unit::TestCase
-
def setup
@controller = FreeCookieController.new
@request = ActionController::TestRequest.new
@@ -184,5 +214,4 @@ class FreeCookieControllerTest < Test::Unit::TestCase
assert_nothing_raised { send(method, :index)}
end
end
-
-end
+end \ No newline at end of file