diff options
Diffstat (limited to 'actionpack/test')
6 files changed, 239 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb new file mode 100644 index 0000000000..5c4dc1ee5f --- /dev/null +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -0,0 +1,217 @@ +require File.dirname(__FILE__) + '/../abstract_unit' + +ActionController::Routing::Routes.draw do |map| + map.connect ':controller/:action/:id' +end + +class RequestForgeryProtectionController < ActionController::Base + verify_token :only => :index, :secret => 'abc' + + def index + render :inline => "<%= form_tag('/') {} %>" + end + + def unsafe + render :text => 'pwn' + end + + def rescue_action(e) raise e end +end + +class RequestForgeryProtectionControllerTest < Test::Unit::TestCase + def setup + @controller = RequestForgeryProtectionController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + class << @request.session + def session_id() '123' end + end + @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') + ActionController::Base.request_forgery_protection_token = :_token + end + + def teardown + ActionController::Base.request_forgery_protection_token = nil + end + + def test_should_render_form_with_token_tag + get :index + assert_select 'form>div>input[name=?][value=?]', '_token', @token + end + + # Replace this with your real tests. + def test_should_allow_get + get :index + assert_response :success + end + + def test_should_allow_post_without_token_on_unsafe_action + post :unsafe + assert_response :success + end + + def test_should_not_allow_post_without_token + assert_raises(ActionController::InvalidToken) { post :index } + end + + def test_should_not_allow_put_without_token + assert_raises(ActionController::InvalidToken) { put :index } + end + + def test_should_not_allow_delete_without_token + assert_raises(ActionController::InvalidToken) { delete :index } + end + + def test_should_not_allow_xhr_post_without_token + assert_raises(ActionController::InvalidToken) { xhr :post, :index } + end + + def test_should_not_allow_xhr_put_without_token + assert_raises(ActionController::InvalidToken) { xhr :put, :index } + end + + def test_should_not_allow_xhr_delete_without_token + assert_raises(ActionController::InvalidToken) { xhr :delete, :index } + end + + def test_should_allow_post_with_token + post :index, :_token => @token + assert_response :success + end + + def test_should_allow_put_with_token + put :index, :_token => @token + assert_response :success + end + + def test_should_allow_delete_with_token + delete :index, :_token => @token + assert_response :success + end + + def test_should_allow_post_with_xml + post :index, :format => 'xml' + assert_response :success + end + + def test_should_allow_put_with_xml + put :index, :format => 'xml' + assert_response :success + end + + def test_should_allow_delete_with_xml + delete :index, :format => 'xml' + assert_response :success + end +end + +# no token is given, assume the cookie store is used +class CsrfCookieMonsterController < ActionController::Base + verify_token :only => :index + + def index + render :inline => "<%= form_tag('/') {} %>" + end + + def unsafe + render :text => 'pwn' + end + + def rescue_action(e) raise e end +end + +class FakeSessionDbMan + def self.generate_digest(data) + Digest::SHA1.hexdigest("secure") + end +end + +class CsrfCookieMonsterControllerTest < Test::Unit::TestCase + def setup + @controller = CsrfCookieMonsterController.new + @request = ActionController::TestRequest.new + @response = ActionController::TestResponse.new + # simulate a cookie session store + @request.session.instance_variable_set(:@dbman, FakeSessionDbMan) + class << @request.session + attr_reader :dbman + end + @token = Digest::SHA1.hexdigest("secure") + ActionController::Base.request_forgery_protection_token = :_token + end + + def teardown + ActionController::Base.request_forgery_protection_token = nil + end + + def test_should_render_form_with_token_tag + get :index + assert_select 'form>div>input[name=?][value=?]', '_token', @token + end + + # Replace this with your real tests. + def test_should_allow_get + get :index + assert_response :success + end + + def test_should_allow_post_without_token_on_unsafe_action + post :unsafe + assert_response :success + end + + def test_should_not_allow_post_without_token + assert_raises(ActionController::InvalidToken) { post :index } + end + + def test_should_not_allow_put_without_token + assert_raises(ActionController::InvalidToken) { put :index } + end + + def test_should_not_allow_delete_without_token + assert_raises(ActionController::InvalidToken) { delete :index } + end + + def test_should_not_allow_xhr_post_without_token + assert_raises(ActionController::InvalidToken) { xhr :post, :index } + end + + def test_should_not_allow_xhr_put_without_token + assert_raises(ActionController::InvalidToken) { xhr :put, :index } + end + + def test_should_not_allow_xhr_delete_without_token + assert_raises(ActionController::InvalidToken) { xhr :delete, :index } + end + + def test_should_allow_post_with_token + post :index, :_token => @token + assert_response :success + end + + def test_should_allow_put_with_token + put :index, :_token => @token + assert_response :success + end + + def test_should_allow_delete_with_token + delete :index, :_token => @token + assert_response :success + end + + def test_should_allow_post_with_xml + post :index, :format => 'xml' + assert_response :success + end + + def test_should_allow_put_with_xml + put :index, :format => 'xml' + assert_response :success + end + + def test_should_allow_delete_with_xml + delete :index, :format => 'xml' + assert_response :success + end +end + diff --git a/actionpack/test/template/form_helper_test.rb b/actionpack/test/template/form_helper_test.rb index af63a056f8..9b22d4cef3 100644 --- a/actionpack/test/template/form_helper_test.rb +++ b/actionpack/test/template/form_helper_test.rb @@ -711,4 +711,8 @@ class FormHelperTest < Test::Unit::TestCase def post_path(post) "/posts/#{post.id}" end + + def request_forgery_protection_token + nil + end end diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb index c582c26c68..f2c6678ddd 100644 --- a/actionpack/test/template/form_tag_helper_test.rb +++ b/actionpack/test/template/form_tag_helper_test.rb @@ -177,4 +177,9 @@ class FormTagHelperTest < Test::Unit::TestCase expected = %(<fieldset>Hello world!</fieldset>) assert_dom_equal expected, _erbout end + + def request_forgery_protection_token + nil + + end end diff --git a/actionpack/test/template/prototype_helper_test.rb b/actionpack/test/template/prototype_helper_test.rb index 4adfc90180..7bb4245c58 100644 --- a/actionpack/test/template/prototype_helper_test.rb +++ b/actionpack/test/template/prototype_helper_test.rb @@ -60,6 +60,11 @@ module BaseTest end protected + + def request_forgery_protection_token + nil + end + def create_generator block = Proc.new { |*args| yield *args if block_given? } JavaScriptGenerator.new self, &block diff --git a/actionpack/test/template/scriptaculous_helper_test.rb b/actionpack/test/template/scriptaculous_helper_test.rb index 514ba9107e..722839f15e 100644 --- a/actionpack/test/template/scriptaculous_helper_test.rb +++ b/actionpack/test/template/scriptaculous_helper_test.rb @@ -89,4 +89,8 @@ class ScriptaculousHelperTest < Test::Unit::TestCase assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nDroppables.add(\"droptarget1\", {accept:['tshirts','mugs'], onDrop:function(element){new Ajax.Updater('infobox', 'http://www.example.com/', {asynchronous:true, evalScripts:true, parameters:'id=' + encodeURIComponent(element.id)})}})\n//]]>\n</script>), drop_receiving_element("droptarget1", :accept => ['tshirts','mugs'], :update => 'infobox') end + + def request_forgery_protection_token + nil + end end diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb index db1e226a7e..5707beeab1 100644 --- a/actionpack/test/template/url_helper_test.rb +++ b/actionpack/test/template/url_helper_test.rb @@ -267,6 +267,10 @@ class UrlHelperTest < Test::Unit::TestCase assert_dom_equal "<a href=\"mailto:%6d%65@%64%6f%6d%61%69%6e.%63%6f%6d\">me(at)domain(dot)com</a>", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)") assert_dom_equal "<script type=\"text/javascript\">eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%61%20%68%72%65%66%3d%22%6d%61%69%6c%74%6f%3a%6d%65%40%64%6f%6d%61%69%6e%2e%63%6f%6d%22%3e%4d%79%20%65%6d%61%69%6c%3c%2f%61%3e%27%29%3b'))</script>", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)") end + + def request_forgery_protection_token + nil + end end class UrlHelperWithControllerTest < Test::Unit::TestCase |