diff options
| author | Pratik Naik <pratiknaik@gmail.com> | 2015-10-07 11:24:20 -0500 |
|---|---|---|
| committer | Pratik Naik <pratiknaik@gmail.com> | 2015-10-07 11:24:20 -0500 |
| commit | 04317173a02eb67c103364b5c8b5756ac61fac98 (patch) | |
| tree | f7d7a6af91eac536cf420a57e03b5c3493741e8e /test/connection | |
| parent | 91d6db34357634eaa0903b5c05a5db8b10066366 (diff) | |
| download | rails-04317173a02eb67c103364b5c8b5756ac61fac98.tar.gz rails-04317173a02eb67c103364b5c8b5756ac61fac98.tar.bz2 rails-04317173a02eb67c103364b5c8b5756ac61fac98.zip | |
First take at cross site forgery protection
Diffstat (limited to 'test/connection')
| -rw-r--r-- | test/connection/base_test.rb | 1 | ||||
| -rw-r--r-- | test/connection/cross_site_forgery_test.rb | 55 |
2 files changed, 56 insertions, 0 deletions
diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb index 2f008652ee..a4bd7f4a03 100644 --- a/test/connection/base_test.rb +++ b/test/connection/base_test.rb @@ -16,6 +16,7 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase setup do @server = TestServer.new + @server.config.disable_request_forgery_protection = true env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket' @connection = Connection.new(@server, env) diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb new file mode 100644 index 0000000000..b904dbd8b6 --- /dev/null +++ b/test/connection/cross_site_forgery_test.rb @@ -0,0 +1,55 @@ +require 'test_helper' +require 'stubs/test_server' + +class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase + HOST = 'rubyonrails.com' + + setup do + @server = TestServer.new + end + + test "default cross site forgery protection only allows origin same as the server host" do + assert_origin_allowed 'http://rubyonrails.com' + assert_origin_not_allowed 'http://hax.com' + end + + test "disable forgery protection" do + @server.config.disable_request_forgery_protection = true + assert_origin_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://hax.com' + end + + test "explicitly specified a single allowed origin" do + @server.config.allowed_request_origins = 'hax.com' + assert_origin_not_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://hax.com' + end + + test "explicitly specified multiple allowed origins" do + @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com ) + assert_origin_allowed 'http://rubyonrails.com' + assert_origin_allowed 'http://www.rubyonrails.com' + assert_origin_allowed 'https://www.rubyonrails.com' + assert_origin_not_allowed 'http://hax.com' + end + + private + def assert_origin_allowed(origin) + response = connect_with_origin origin + assert_equal -1, response[0] + end + + def assert_origin_not_allowed(origin) + response = connect_with_origin origin + assert_equal 404, response[0] + end + + def connect_with_origin(origin) + ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process + end + + def env_for_origin(origin) + Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST, + 'HTTP_ORIGIN' => origin + end +end |