aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/request_forgery_protection_test.rb
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/test/controller/request_forgery_protection_test.rb')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb93
1 files changed, 6 insertions, 87 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 00c6bc0ab0..ef0bf5fd08 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -5,13 +5,6 @@ ActionController::Routing::Routes.draw do |map|
map.connect ':controller/:action/:id'
end
-# simulates cookie session store
-class FakeSessionDbMan
- def self.generate_digest(data)
- Digest::SHA1.hexdigest("secure")
- end
-end
-
# common controller actions
module RequestForgeryProtectionActions
def index
@@ -36,29 +29,10 @@ end
# sample controllers
class RequestForgeryProtectionController < ActionController::Base
include RequestForgeryProtectionActions
- protect_from_forgery :only => :index, :secret => 'abc'
-end
-
-class RequestForgeryProtectionWithoutSecretController < ActionController::Base
- include RequestForgeryProtectionActions
- protect_from_forgery
-end
-
-# no token is given, assume the cookie store is used
-class CsrfCookieMonsterController < ActionController::Base
- include RequestForgeryProtectionActions
protect_from_forgery :only => :index
end
-# sessions are turned off
-class SessionOffController < ActionController::Base
- protect_from_forgery :secret => 'foobar'
- session :off
- def rescue_action(e) raise e end
- include RequestForgeryProtectionActions
-end
-
-class FreeCookieController < CsrfCookieMonsterController
+class FreeCookieController < RequestForgeryProtectionController
self.allow_forgery_protection = false
def index
@@ -237,45 +211,9 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
@request = ActionController::TestRequest.new
@request.format = :html
@response = ActionController::TestResponse.new
- class << @request.session
- def session_id() '123' end
- end
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
- ActionController::Base.request_forgery_protection_token = :authenticity_token
- end
-end
+ @token = "cf50faa3fe97702ca1ae"
-class RequestForgeryProtectionWithoutSecretControllerTest < ActionController::TestCase
- def setup
- @controller = RequestForgeryProtectionWithoutSecretController.new
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- class << @request.session
- def session_id() '123' end
- end
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
- ActionController::Base.request_forgery_protection_token = :authenticity_token
- end
-
- # def test_should_raise_error_without_secret
- # assert_raises ActionController::InvalidAuthenticityToken do
- # get :index
- # end
- # end
-end
-
-class CsrfCookieMonsterControllerTest < ActionController::TestCase
- include RequestForgeryProtectionTests
- def setup
- @controller = CsrfCookieMonsterController.new
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- class << @request.session
- attr_accessor :dbman
- end
- # simulate a cookie session store
- @request.session.dbman = FakeSessionDbMan
- @token = Digest::SHA1.hexdigest("secure")
+ ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
end
@@ -285,7 +223,9 @@ class FreeCookieControllerTest < ActionController::TestCase
@controller = FreeCookieController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ @token = "cf50faa3fe97702ca1ae"
+
+ ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
end
def test_should_not_render_form_with_token_tag
@@ -304,24 +244,3 @@ class FreeCookieControllerTest < ActionController::TestCase
end
end
end
-
-class SessionOffControllerTest < ActionController::TestCase
- def setup
- @controller = SessionOffController.new
- @request = ActionController::TestRequest.new
- @response = ActionController::TestResponse.new
- @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
- end
-
- # TODO: Rewrite this test.
- # This test was passing but for the wrong reason.
- # Sessions aren't really being turned off, so an exception was raised
- # because sessions weren't on - not because the token didn't match.
- #
- # def test_should_raise_correct_exception
- # @request.session = {} # session(:off) doesn't appear to work with controller tests
- # assert_raises(ActionController::InvalidAuthenticityToken) do
- # post :index, :authenticity_token => @token, :format => :html
- # end
- # end
-end
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-25 22:57:54 +0000