diff options
| author | Rafael França <rafaelmfranca@gmail.com> | 2015-11-26 14:23:50 -0200 |
|---|---|---|
| committer | Rafael França <rafaelmfranca@gmail.com> | 2015-11-26 14:23:50 -0200 |
| commit | e1e6499ede1dd196c03f650b95c3a0098c7c32ff (patch) | |
| tree | 934b91cfbf3950483900976f42dd827e90edf5a0 /actionpack/test | |
| parent | d25205241b4f8d38b8ab106ffc1c465a8a697415 (diff) | |
| parent | 85783534fcf1baefa5b502a2bfee235ae6d612d7 (diff) | |
| download | rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.tar.gz rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.tar.bz2 rails-e1e6499ede1dd196c03f650b95c3a0098c7c32ff.zip | |
Merge pull request #22263 from mastahyeti/csrf-origin-check
Add option to verify Origin header in CSRF checks
[Jeremy Daer + Rafael Mendonça França]
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 94ffbe3cd0..2a3704c300 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -304,6 +304,41 @@ module RequestForgeryProtectionTests assert_not_blocked { put :index } end + def test_should_allow_post_with_origin_checking_and_correct_origin + forgery_protection_origin_check do + session[:_csrf_token] = @token + @controller.stub :form_authenticity_token, @token do + assert_not_blocked do + @request.set_header 'HTTP_ORIGIN', 'http://test.host' + post :index, params: { custom_authenticity_token: @token } + end + end + end + end + + def test_should_allow_post_with_origin_checking_and_no_origin + forgery_protection_origin_check do + session[:_csrf_token] = @token + @controller.stub :form_authenticity_token, @token do + assert_not_blocked do + post :index, params: { custom_authenticity_token: @token } + end + end + end + end + + def test_should_block_post_with_origin_checking_and_wrong_origin + forgery_protection_origin_check do + session[:_csrf_token] = @token + @controller.stub :form_authenticity_token, @token do + assert_blocked do + @request.set_header 'HTTP_ORIGIN', 'http://bad.host' + post :index, params: { custom_authenticity_token: @token } + end + end + end + end + def test_should_warn_on_missing_csrf_token old_logger = ActionController::Base.logger logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new @@ -405,6 +440,16 @@ module RequestForgeryProtectionTests def assert_cross_origin_not_blocked assert_not_blocked { yield } end + + def forgery_protection_origin_check + old_setting = ActionController::Base.forgery_protection_origin_check + ActionController::Base.forgery_protection_origin_check = true + begin + yield + ensure + ActionController::Base.forgery_protection_origin_check = old_setting + end + end end # OK let's get our test on |