From 04317173a02eb67c103364b5c8b5756ac61fac98 Mon Sep 17 00:00:00 2001
From: Pratik Naik <pratiknaik@gmail.com>
Date: Wed, 7 Oct 2015 11:24:20 -0500
Subject: First take at cross site forgery protection

---
 test/connection/base_test.rb               |  1 +
 test/connection/cross_site_forgery_test.rb | 55 ++++++++++++++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 test/connection/cross_site_forgery_test.rb

(limited to 'test')

diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 2f008652ee..a4bd7f4a03 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,6 +16,7 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.disable_request_forgery_protection = true
 
     env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket'
     @connection = Connection.new(@server, env)
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
new file mode 100644
index 0000000000..b904dbd8b6
--- /dev/null
+++ b/test/connection/cross_site_forgery_test.rb
@@ -0,0 +1,55 @@
+require 'test_helper'
+require 'stubs/test_server'
+
+class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
+  HOST = 'rubyonrails.com'
+
+  setup do
+    @server = TestServer.new
+  end
+
+  test "default cross site forgery protection only allows origin same as the server host" do
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_not_allowed 'http://hax.com'
+  end
+
+  test "disable forgery protection" do
+    @server.config.disable_request_forgery_protection = true
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://hax.com'
+  end
+
+  test "explicitly specified a single allowed origin" do
+    @server.config.allowed_request_origins = 'hax.com'
+    assert_origin_not_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://hax.com'
+  end
+
+  test "explicitly specified multiple allowed origins" do
+    @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
+    assert_origin_allowed 'http://rubyonrails.com'
+    assert_origin_allowed 'http://www.rubyonrails.com'
+    assert_origin_allowed 'https://www.rubyonrails.com'
+    assert_origin_not_allowed 'http://hax.com'
+  end
+
+  private
+    def assert_origin_allowed(origin)
+      response = connect_with_origin origin
+      assert_equal -1, response[0]
+    end
+
+    def assert_origin_not_allowed(origin)
+      response = connect_with_origin origin
+      assert_equal 404, response[0]
+    end
+
+    def connect_with_origin(origin)
+      ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process
+    end
+
+    def env_for_origin(origin)
+      Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST,
+        'HTTP_ORIGIN' => origin
+    end
+end
-- 
cgit v1.2.3


From d621ae41c11398992647c600b484446ecc76a11b Mon Sep 17 00:00:00 2001
From: Pratik Naik <pratiknaik@gmail.com>
Date: Mon, 12 Oct 2015 17:33:07 -0500
Subject: Set appropriate origin and host in the tests

---
 test/connection/base_test.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'test')

diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index a4bd7f4a03..6c8bacde9a 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
-    @server.config.disable_request_forgery_protection = true
 
-    env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket'
+    env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
+      'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com'
+
     @connection = Connection.new(@server, env)
     @response = @connection.process
   end
-- 
cgit v1.2.3


From ecab8314eba8519bd593cbc097ef60ee0c285cf2 Mon Sep 17 00:00:00 2001
From: Pratik Naik <pratiknaik@gmail.com>
Date: Mon, 12 Oct 2015 18:14:14 -0500
Subject: Treat ORIGIN as an opaque identifier and do equality comparison with
 the specified whitelist

---
 test/connection/base_test.rb               |  3 ++-
 test/connection/cross_site_forgery_test.rb | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

(limited to 'test')

diff --git a/test/connection/base_test.rb b/test/connection/base_test.rb
index 6c8bacde9a..bc8b5ba568 100644
--- a/test/connection/base_test.rb
+++ b/test/connection/base_test.rb
@@ -16,9 +16,10 @@ class ActionCable::Connection::BaseTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
 
     env = Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket',
-      'SERVER_NAME' => 'rubyonrails.com', 'HTTP_ORIGIN' => 'http://rubyonrails.com'
+      'HTTP_ORIGIN' => 'http://rubyonrails.com'
 
     @connection = Connection.new(@server, env)
     @response = @connection.process
diff --git a/test/connection/cross_site_forgery_test.rb b/test/connection/cross_site_forgery_test.rb
index b904dbd8b6..6073f89287 100644
--- a/test/connection/cross_site_forgery_test.rb
+++ b/test/connection/cross_site_forgery_test.rb
@@ -6,11 +6,12 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
 
   setup do
     @server = TestServer.new
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com )
   end
 
-  test "default cross site forgery protection only allows origin same as the server host" do
-    assert_origin_allowed 'http://rubyonrails.com'
-    assert_origin_not_allowed 'http://hax.com'
+  teardown do
+    @server.config.disable_request_forgery_protection = false
+    @server.config.allowed_request_origins = []
   end
 
   test "disable forgery protection" do
@@ -20,16 +21,15 @@ class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
   end
 
   test "explicitly specified a single allowed origin" do
-    @server.config.allowed_request_origins = 'hax.com'
+    @server.config.allowed_request_origins = 'http://hax.com'
     assert_origin_not_allowed 'http://rubyonrails.com'
     assert_origin_allowed 'http://hax.com'
   end
 
   test "explicitly specified multiple allowed origins" do
-    @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
+    @server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
     assert_origin_allowed 'http://rubyonrails.com'
     assert_origin_allowed 'http://www.rubyonrails.com'
-    assert_origin_allowed 'https://www.rubyonrails.com'
     assert_origin_not_allowed 'http://hax.com'
   end
 
-- 
cgit v1.2.3