aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/request_forgery_protection_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* add option for per-form CSRF tokensBen Toews2016-01-041-0/+172
|
* Change the `protect_from_forgery` prepend default to `false`eileencodes2015-12-071-2/+2
| | | | | | | | | | | | | | | | | | | | | Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be insterted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of position they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example: ```ruby protect_from_forgery prepend: true ```
* Add option to verify Origin header in CSRF checksBen Toews2015-11-251-0/+45
|
* Remove mocha from ActionPack testsMarcin Olichwirowicz2015-09-051-1/+0
|
* Get rid of mocha tests - part 2Marcin Olichwirowicz2015-08-251-8/+24
|
* Get rid of mocha tests - part 1Marcin Olichwirowicz2015-08-241-33/+46
|
* Stop using deprecated `render :text` in testPrem Sichanugrist2015-07-171-1/+1
| | | | | | | | | This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
* let the superclass build the request and responseAaron Patterson2015-07-081-2/+1
| | | | | We should leverage the request / response objects that the superclass has already allocated for us.
* Deprecate `:nothing` option for render methodMehmet Emin İNAÇ2015-05-281-3/+3
| | | | `head` method works similar to `render` method with `:nothing` option
* Removed unused code from request_forgery_protection testsPrathamesh Sonpatki2015-04-261-17/+0
|
* Handle non-string authenticity tokensVille Lautanala2015-02-121-0/+7
| | | | Non-string authenticity tokens raised NoMethodError when decoding the masked token.
* Migrating xhr methods to keyword arguments syntaxKir Shatrov2015-02-011-7/+7
| | | | | | | | | | | | in `ActionController::TestCase` and `ActionDispatch::Integration` Old syntax: `xhr :get, :create, params: { id: 1 }` New syntax example: `get :create, params: { id: 1 }, xhr: true`
* Switch to kwargs in ActionController::TestCase and ActionDispatch::IntegrationKir Shatrov2015-01-291-10/+10
| | | | | | | | Non-kwargs requests are deprecated now. Guides are updated as well. `post url, nil, nil, { a: 'b' }` doesn't make sense. `post url, params: { y: x }, session: { a: 'b' }` would be an explicit way to do the same
* Add prepend option to protect_from_forgery.Josef Šimánek2015-01-081-0/+60
|
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-tokenJeremy Kemper2014-08-191-5/+6
|\ | | | | CSRF token mask from breach-mitigation-rails gem
| * Auth token mask from breach-mitigation-rails gemBradley Buda2014-08-191-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* | Remove unneeded comment in test.Timm2014-06-161-1/+1
| |
* | Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will ↵Timm2014-06-161-2/+3
| | | | | | | | never work. Switched to assert_matching the reponse body.
* | Fixed Nokogiri::CSS::SyntaxErrors.Timm2014-06-151-2/+2
|/ | | | Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.
* Avoid hardcoded value in teardown.Zuhao Wan2014-05-281-3/+6
|
* Moved 'params[request_forgery_protection_token]' into its own method and ↵Tom Kadwill2014-05-061-5/+26
| | | | improved tests.
* Remove wrapper div for inputs in button_toRafael Mendonça França2014-04-171-1/+1
| | | | Related with cbb917455f306cf5818644b162f22be09f77d4b2
* Update Request forgery tests to remove input wrappign divRafael Mendonça França2014-04-171-5/+5
| | | | This was changed at cbb917455f306cf5818644b162f22be09f77d4b2
* Make CSRF failure logging optional/configurable.John Barton (joho)2014-03-051-0/+16
| | | | | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* Clearly limit new CSRF protection to GET requestsJeremy Kemper2013-12-171-0/+10
|
* CSRF protection from cross-origin <script> tagsJeremy Kemper2013-12-171-9/+69
| | | | Thanks to @homakov for sounding the alarm about JSONP-style data leaking
* NullSessionHash#destroy should be a no-opJonathan Baudanza2013-09-181-0/+10
| | | | Previously it was raising a NilException
* Fix #9168 Initialize NullCookieJar with all options needed for KeyGeneratorAndrey Chernih2013-02-081-0/+35
|
* Added a test that shows that a HEAD request does not normally pass CSRF ↵Michiel Sikkes2013-01-221-0/+4
| | | | protection
* deprecate `assert_blank` and `assert_present`.Yves Senn2013-01-051-1/+1
| | | | | They don't add any benefits over `assert object.blank?` and `assert object.present?`
* Implement :null_session CSRF protection methodSergey Nartimov2012-09-131-10/+6
| | | | | | | | It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provide an empty session during request processing but doesn't reset it completely (as :reset_session does).
* no need to pass an empty block to button_to helperSergey Nartimov2012-05-301-2/+2
|
* Cover one more case in auth_token and remote formsPiotr Sarnacki2012-03-281-0/+7
| | | | | If embedding auth_token in remote forms is off and we pass a value for auth_token it should respect it.
* config.action_view.embed_authenticity_token_in_remote_forms is true by defaultPiotr Sarnacki2012-03-281-19/+14
| | | | | | | Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms` to `false`. This change breaks remote forms that need to work also without javascript, so if you need such behavior, you can either set it to `true` or explicitly pass `:authenticity_token => true` in form options
* Added config.action_view.embed_authenticity_token_in_remote_formsPiotr Sarnacki2012-03-281-2/+48
| | | | | | | | | | | | There is a regression introduced in 16ee611fa, which breaks remote forms that should also work without javascript. This commit introduces config option that allows to configure this behavior defaulting to the old behavior (ie. include authenticity token in remote forms by default) Conflicts: actionpack/CHANGELOG.md
* fixed - warning: ambiguous first argument; put parentheses or even spacesSandeep2012-03-161-1/+1
|
* Allow you to force the authenticity_token to be rendered even on remote ↵David Heinemeier Hansson2012-03-141-0/+11
| | | | forms if you pass true
* Do not include the authenticity token in forms where remote: true as ajax ↵David Heinemeier Hansson2012-03-141-0/+13
| | | | forms use the meta-tag value
* configure how unverified request will be handledSergey Nartimov2012-03-091-2/+2
| | | | | | | | | | | | | can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option possible values: - :reset_session (default) - :exception new applications are generated with: protect_from_forgery :with => :exception
* Add config.default_method_for_update to support PATCHDavid Lee2012-02-221-1/+14
| | | | | | | | | | | | | | | | PATCH is the correct HTML verb to map to the #update action. The semantics for PATCH allows for partial updates, whereas PUT requires a complete replacement. Changes: * adds config.default_method_for_update you can set to :patch * optionally use PATCH instead of PUT in resource routes and forms * adds the #patch verb to routes to detect PATCH requests * adds #patch? to Request * changes documentation and comments to indicate support for PATCH This change maintains complete backwards compatibility by keeping :put as the default for config.default_method_for_update.
* Remove not used requires from csrf helper file and testCarlos Antonio da Silva2012-01-211-7/+0
| | | | | These requires were added in a87b92d and the implementation changed in 2cdc1f0, removing the need for them.
* Remove rescue_action from compatibility module and testsCarlos Antonio da Silva2012-01-171-2/+0
|
* Use ensure instead of rescueMike Dillon2011-09-101-1/+1
|
* Add test for warning and CHANGELOG entryMike Dillon2011-09-101-0/+16
|
* Replace references to ActiveSupport::SecureRandom with just SecureRandom, ↵Jon Leighton2011-05-231-3/+3
| | | | and require 'securerandom' from the stdlib when active support is required.
* Test csrf token param name customizationDavid Lee2011-05-101-7/+18
|
* Make csrf_meta_tags use the tag helperJames Robinson2011-04-081-5/+3
| | | | Improved formatting of csrf_helper and improved test coverage
* Change the CSRF whitelisting to only apply to get requestsMichael Koziarski2011-02-081-136/+75
| | | | | | | | Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
* put authenticity_token option in parity w/ remoteDan Pickett2011-02-061-2/+2
| | | | | | [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
* Added tests for form_for and an authenticity_token option. Added docs for ↵Timothy N. Tsvetkov2011-02-051-0/+18
| | | | | | | | for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>