diff options
| author | Sergey Nartimov <just.lest@gmail.com> | 2012-09-13 12:07:37 +0300 |
|---|---|---|
| committer | Sergey Nartimov <just.lest@gmail.com> | 2012-09-13 12:07:37 +0300 |
| commit | 95be790ece75710f2588558a6d5f40fd09543b97 (patch) | |
| tree | 5dbcfe62d1337ed87c2afdc95f025aee22587a17 /railties/test | |
| parent | 616ba15f2cb89588ae3b0a55452f4059f2c118b1 (diff) | |
| download | rails-95be790ece75710f2588558a6d5f40fd09543b97.tar.gz rails-95be790ece75710f2588558a6d5f40fd09543b97.tar.bz2 rails-95be790ece75710f2588558a6d5f40fd09543b97.zip | |
Implement :null_session CSRF protection method
It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946.
The :null_session CSRF protection method provide an empty session during
request processing but doesn't reset it completely (as :reset_session
does).
Diffstat (limited to 'railties/test')
| -rw-r--r-- | railties/test/application/middleware/session_test.rb | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb index 07134cc935..06dec81d40 100644 --- a/railties/test/application/middleware/session_test.rb +++ b/railties/test/application/middleware/session_test.rb @@ -46,5 +46,87 @@ module ApplicationTests assert last_request.env["HTTP_COOKIE"] assert !last_response.headers["Set-Cookie"] end + + test "session is empty and isn't saved on unverified request when using :null_session protect method" do + app_file 'config/routes.rb', <<-RUBY + AppTemplate::Application.routes.draw do + get ':controller(/:action)' + post ':controller(/:action)' + end + RUBY + + controller :foo, <<-RUBY + class FooController < ActionController::Base + protect_from_forgery with: :null_session + + def write_session + session[:foo] = 1 + render nothing: true + end + + def read_session + render text: session[:foo].inspect + end + end + RUBY + + add_to_config <<-RUBY + config.action_controller.allow_forgery_protection = true + RUBY + + require "#{app_path}/config/environment" + + get '/foo/write_session' + get '/foo/read_session' + assert_equal '1', last_response.body + + post '/foo/read_session' # Read session using POST request without CSRF token + assert_equal 'nil', last_response.body # Stored value shouldn't be accessible + + post '/foo/write_session' # Write session using POST request without CSRF token + get '/foo/read_session' # Session shouldn't be changed + assert_equal '1', last_response.body + end + + test "cookie jar is empty and isn't saved on unverified request when using :null_session protect method" do + app_file 'config/routes.rb', <<-RUBY + AppTemplate::Application.routes.draw do + get ':controller(/:action)' + post ':controller(/:action)' + end + RUBY + + controller :foo, <<-RUBY + class FooController < ActionController::Base + protect_from_forgery with: :null_session + + def write_cookie + cookies[:foo] = '1' + render nothing: true + end + + def read_cookie + render text: cookies[:foo].inspect + end + end + RUBY + + add_to_config <<-RUBY + config.action_controller.allow_forgery_protection = true + RUBY + + require "#{app_path}/config/environment" + + get '/foo/write_cookie' + get '/foo/read_cookie' + assert_equal '"1"', last_response.body + + post '/foo/read_cookie' # Read cookie using POST request without CSRF token + assert_equal 'nil', last_response.body # Stored value shouldn't be accessible + + post '/foo/write_cookie' # Write cookie using POST request without CSRF token + get '/foo/read_cookie' # Cookie shouldn't be changed + assert_equal '"1"', last_response.body + end end end |