From 82c1fed89fe6dae8f44b6647dd94fc68f01eaa81 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson
Date: Tue, 25 Sep 2007 16:50:35 +0000
Subject: Protect button_to behind protect_from_forgery (closes #9675) [lifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 .../controller/request_forgery_protection_test.rb | 144 ++++++---------------
 1 file changed, 38 insertions(+), 106 deletions(-)
 (limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 98ca44c8cb..a9b674405d 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -4,42 +4,21 @@ ActionController::Routing::Routes.draw do |map| map.connect ':controller/:action/:id' end -class RequestForgeryProtectionController < ActionController::Base - protect_from_forgery :only => :index, :secret => 'abc' - - def index - render :inline => "<%= form_tag('/') {} %>" - end - - def unsafe - render :text => 'pwn' - end - - def rescue_action(e) raise e end -end - -class RequestForgeryProtectionControllerTest < Test::Unit::TestCase - def setup - @controller = RequestForgeryProtectionController.new - @request = ActionController::TestRequest.new - @response = ActionController::TestResponse.new - class << @request.session - def session_id() '123' end - end - @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123') - ActionController::Base.request_forgery_protection_token = :authenticity_token - end - +module RequestForgeryProtectionTests def teardown ActionController::Base.request_forgery_protection_token = nil end - + def test_should_render_form_with_token_tag get :index assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end + + def test_should_render_button_to_with_token_tag + get :show_button + assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token + end - # Replace this with your real tests. def test_should_allow_get get :index assert_response :success @@ -105,14 +84,15 @@ class RequestForgeryProtectionControllerTest < Test::Unit::TestCase end end -# no token is given, assume the cookie store is used -class CsrfCookieMonsterController < ActionController::Base - protect_from_forgery :only => :index - +module RequestForgeryProtectionActions def index render :inline => "<%= form_tag('/') {} %>" end + def show_button + render :inline => "<%= button_to('New', '/') {} %>" + end + def unsafe render :text => 'pwn' end 
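Review bot: `RequestForgeryProtectionTests` in the first hunk reads `@token` and drives `get`, so it depends on `@controller`, `@request` and `@response` too, yet it defines no `setup`, leaving its contract with the including test case implicit; a comment above the module such as `# Expects the including test case's setup to assign @controller, @request, @response and @token.` would make it explicit. In the second hunk, `show_button` renders `"<%= button_to('New', '/') {} %>"`, and the empty block looks copied from the `form_tag('/') {}` line above it; unless `button_to` yields, `"<%= button_to('New', '/') %>"` renders the same thing. Since both controllers protect only `:index` (see the later hunk), the new test checks that the helper emits the hidden token field rather than that a button_to submission is verified, which the existing `post :index` tests cover.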
@@ -120,6 +100,31 @@ class CsrfCookieMonsterController < ActionController::Base
 def rescue_action(e) raise e end
 end
 
+class RequestForgeryProtectionController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index, :secret => 'abc'
+end
+
+class RequestForgeryProtectionControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
+ def setup
+ @controller = RequestForgeryProtectionController.new
+ @request = ActionController::TestRequest.new
+ @response = ActionController::TestResponse.new
+ class << @request.session
+ def session_id() '123' end
+ end
+ @token = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')
+ ActionController::Base.request_forgery_protection_token = :authenticity_token
+ end
+end
+
+# no token is given, assume the cookie store is used
+class CsrfCookieMonsterController < ActionController::Base
+ include RequestForgeryProtectionActions
+ protect_from_forgery :only => :index
+end
+
 class FakeSessionDbMan
 def self.generate_digest(data)
 Digest::SHA1.hexdigest("secure")
@@ -127,6 +132,7 @@ class FakeSessionDbMan
 end
 
 class CsrfCookieMonsterControllerTest < Test::Unit::TestCase
+ include RequestForgeryProtectionTests
 def setup
 @controller = CsrfCookieMonsterController.new
 @request = ActionController::TestRequest.new
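Review bot: `RequestForgeryProtectionControllerTest#setup` in the first hunk ends by assigning the process-global `ActionController::Base.request_forgery_protection_token = :authenticity_token`, and `CsrfCookieMonsterControllerTest#setup` in the second hunk (whose body continues outside the hunk) does the same, while the matching reset to `nil` now lives in the shared `RequestForgeryProtectionTests#teardown`; the two halves of that global's lifecycle are split between the classes and the module. Adding a `setup` to `RequestForgeryProtectionTests` that performs the assignment and starting each class `setup` with `super` keeps set and reset together. The expected token `OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('SHA1'), 'abc', '123')` presumably mirrors the controller's own derivation from `:secret => 'abc'` and the stubbed `session_id` `'123'`; a comment such as `# expected token is HMAC-SHA1(secret, session_id); keep 'abc' and '123' in step with protect_from_forgery and the session stub above` would record why those three literals must agree.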
@@ -139,79 +145,5 @@ class CsrfCookieMonsterControllerTest < Test::Unit::TestCase @token = Digest::SHA1.hexdigest("secure") ActionController::Base.request_forgery_protection_token = :authenticity_token end - - def teardown - ActionController::Base.request_forgery_protection_token = nil - end - - def test_should_render_form_with_token_tag - get :index - assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token - end - - # Replace this with your real tests. - def test_should_allow_get - get :index - assert_response :success - end - - def test_should_allow_post_without_token_on_unsafe_action - post :unsafe - assert_response :success - end - - def test_should_not_allow_post_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { post :index } - end - - def test_should_not_allow_put_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { put :index } - end - - def test_should_not_allow_delete_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { delete :index } - end - - def test_should_not_allow_xhr_post_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { xhr :post, :index } - end - - def test_should_not_allow_xhr_put_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { xhr :put, :index } - end - - def test_should_not_allow_xhr_delete_without_token - assert_raises(ActionController::InvalidAuthenticityToken) { xhr :delete, :index } - end - - def test_should_allow_post_with_token - post :index, :authenticity_token => @token - assert_response :success - end - - def test_should_allow_put_with_token - put :index, :authenticity_token => @token - assert_response :success - end - - def test_should_allow_delete_with_token - delete :index, :authenticity_token => @token - assert_response :success - end - - def test_should_allow_post_with_xml - post :index, :format => 'xml' - assert_response :success - end - - def test_should_allow_put_with_xml - put 
:index, :format => 'xml' - assert_response :success - end - - def test_should_allow_delete_with_xml - delete :index, :format => 'xml' - assert_response :success - end end -- cgit v1.2.3