From 85783534fcf1baefa5b502a2bfee235ae6d612d7 Mon Sep 17 00:00:00 2001
From: Ben Toews <mastahyeti@users.noreply.github.com>
Date: Wed, 25 Nov 2015 15:06:12 -0700
Subject: Add option to verify Origin header in CSRF checks

---
 .../controller/request_forgery_protection_test.rb  | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)

(limited to 'actionpack/test/controller')

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 94ffbe3cd0..2a3704c300 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -304,6 +304,41 @@ module RequestForgeryProtectionTests
     assert_not_blocked { put :index }
   end
 
+  def test_should_allow_post_with_origin_checking_and_correct_origin
+    forgery_protection_origin_check do
+      session[:_csrf_token] = @token
+      @controller.stub :form_authenticity_token, @token do
+        assert_not_blocked do
+          @request.set_header 'HTTP_ORIGIN', 'http://test.host'
+          post :index, params: { custom_authenticity_token: @token }
+        end
+      end
+    end
+  end
+
+  def test_should_allow_post_with_origin_checking_and_no_origin
+    forgery_protection_origin_check do
+      session[:_csrf_token] = @token
+      @controller.stub :form_authenticity_token, @token do
+        assert_not_blocked do
+          post :index, params: { custom_authenticity_token: @token }
+        end
+      end
+    end
+  end
+
+  def test_should_block_post_with_origin_checking_and_wrong_origin
+    forgery_protection_origin_check do
+      session[:_csrf_token] = @token
+      @controller.stub :form_authenticity_token, @token do
+        assert_blocked do
+          @request.set_header 'HTTP_ORIGIN', 'http://bad.host'
+          post :index, params: { custom_authenticity_token: @token }
+        end
+      end
+    end
+  end
+
   def test_should_warn_on_missing_csrf_token
     old_logger = ActionController::Base.logger
     logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
@@ -405,6 +440,16 @@ module RequestForgeryProtectionTests
   def assert_cross_origin_not_blocked
     assert_not_blocked { yield }
   end
+
+  def forgery_protection_origin_check
+    old_setting = ActionController::Base.forgery_protection_origin_check
+    ActionController::Base.forgery_protection_origin_check = true
+    begin
+      yield
+    ensure
+      ActionController::Base.forgery_protection_origin_check = old_setting
+    end
+  end
 end
 
 # OK let's get our test on
-- 
cgit v1.2.3