require 'abstract_unit' class RequestTest < ActiveSupport::TestCase def setup ActionController::Base.relative_url_root = nil @request = ActionController::TestRequest.new end def teardown ActionController::Base.relative_url_root = nil end def test_remote_ip assert_equal '0.0.0.0', @request.remote_ip @request.remote_addr = '1.2.3.4' assert_equal '1.2.3.4', @request.remote_ip(true) @request.remote_addr = '1.2.3.4,3.4.5.6' assert_equal '1.2.3.4', @request.remote_ip(true) @request.env['HTTP_CLIENT_IP'] = '2.3.4.5' assert_equal '1.2.3.4', @request.remote_ip(true) @request.remote_addr = '192.168.0.1' assert_equal '2.3.4.5', @request.remote_ip(true) @request.env.delete 'HTTP_CLIENT_IP' @request.remote_addr = '1.2.3.4' @request.env['HTTP_X_FORWARDED_FOR'] = '3.4.5.6' assert_equal '1.2.3.4', @request.remote_ip(true) @request.remote_addr = '127.0.0.1' @request.env['HTTP_X_FORWARDED_FOR'] = '3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = 'unknown,3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '172.16.0.1,3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '192.168.0.1,3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '10.0.0.1,3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '10.0.0.1, 10.0.0.1, 3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '127.0.0.1,3.4.5.6' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = 'unknown,192.168.0.1' assert_equal 'unknown', @request.remote_ip(true) @request.env['HTTP_X_FORWARDED_FOR'] = '9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4' assert_equal '3.4.5.6', @request.remote_ip(true) @request.env['HTTP_CLIENT_IP'] = '8.8.8.8' e = assert_raises(ActionController::ActionControllerError) { @request.remote_ip(true) } assert_match /IP spoofing attack/, e.message assert_match /HTTP_X_FORWARDED_FOR="9.9.9.9, 3.4.5.6, 10.0.0.1, 172.31.4.4"/, e.message assert_match /HTTP_CLIENT_IP="8.8.8.8"/, e.message # turn IP Spoofing detection off. # This is useful for sites that are aimed at non-IP clients. The typical # example is WAP. Since the cellular network is not IP based, it's a # leap of faith to assume that their proxies are ever going to set the # HTTP_CLIENT_IP/HTTP_X_FORWARDED_FOR headers properly. ActionController::Base.ip_spoofing_check = false assert_equal('8.8.8.8', @request.remote_ip(true)) ActionController::Base.ip_spoofing_check = true @request.env['HTTP_X_FORWARDED_FOR'] = '8.8.8.8, 9.9.9.9' assert_equal '8.8.8.8', @request.remote_ip(true) @request.env.delete 'HTTP_CLIENT_IP' @request.env.delete 'HTTP_X_FORWARDED_FOR' end def test_domains @request.host = "www.rubyonrails.org" assert_equal "rubyonrails.org", @request.domain @request.host = "www.rubyonrails.co.uk" assert_equal "rubyonrails.co.uk", @request.domain(2) @request.host = "192.168.1.200" assert_nil @request.domain @request.host = "foo.192.168.1.200" assert_nil @request.domain @request.host = "192.168.1.200.com" assert_equal "200.com", @request.domain @request.host = nil assert_nil @request.domain end def test_subdomains @request.host = "www.rubyonrails.org" assert_equal %w( www ), @request.subdomains @request.host = "www.rubyonrails.co.uk" assert_equal %w( www ), @request.subdomains(2) @request.host = "dev.www.rubyonrails.co.uk" assert_equal %w( dev www ), @request.subdomains(2) @request.host = "foobar.foobar.com" assert_equal %w( foobar ), @request.subdomains @request.host = "192.168.1.200" assert_equal [], @request.subdomains @request.host = "foo.192.168.1.200" assert_equal [], @request.subdomains @request.host = "192.168.1.200.com" assert_equal %w( 192 168 1 ), @request.subdomains @request.host = nil assert_equal [], @request.subdomains end def test_port_string @request.port = 80 assert_equal "", @request.port_string @request.port = 8080 assert_equal ":8080", @request.port_string end def test_request_uri @request.env['SERVER_SOFTWARE'] = 'Apache 42.342.3432' @request.set_REQUEST_URI "http://www.rubyonrails.org/path/of/some/uri?mapped=1" assert_equal "/path/of/some/uri?mapped=1", @request.request_uri assert_equal "/path/of/some/uri", @request.path @request.set_REQUEST_URI "http://www.rubyonrails.org/path/of/some/uri" assert_equal "/path/of/some/uri", @request.request_uri assert_equal "/path/of/some/uri", @request.path @request.set_REQUEST_URI "/path/of/some/uri" assert_equal "/path/of/some/uri", @request.request_uri assert_equal "/path/of/some/uri", @request.path @request.set_REQUEST_URI "/" assert_equal "/", @request.request_uri assert_equal "/", @request.path @request.set_REQUEST_URI "/?m=b" assert_equal "/?m=b", @request.request_uri assert_equal "/", @request.path @request.set_REQUEST_URI "/" @request.env['SCRIPT_NAME'] = "/dispatch.cgi" assert_equal "/", @request.request_uri assert_equal "/", @request.path ActionController::Base.relative_url_root = "/hieraki" @request.set_REQUEST_URI "/hieraki/" @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi" assert_equal "/hieraki/", @request.request_uri assert_equal "/", @request.path ActionController::Base.relative_url_root = nil ActionController::Base.relative_url_root = "/collaboration/hieraki" @request.set_REQUEST_URI "/collaboration/hieraki/books/edit/2" @request.env['SCRIPT_NAME'] = "/collaboration/hieraki/dispatch.cgi" assert_equal "/collaboration/hieraki/books/edit/2", @request.request_uri assert_equal "/books/edit/2", @request.path ActionController::Base.relative_url_root = nil # The following tests are for when REQUEST_URI is not supplied (as in IIS) @request.env['PATH_INFO'] = "/path/of/some/uri?mapped=1" @request.env['SCRIPT_NAME'] = nil #"/path/dispatch.rb" @request.set_REQUEST_URI nil assert_equal "/path/of/some/uri?mapped=1", @request.request_uri assert_equal "/path/of/some/uri", @request.path ActionController::Base.relative_url_root = '/path' @request.env['PATH_INFO'] = "/path/of/some/uri?mapped=1" @request.env['SCRIPT_NAME'] = "/path/dispatch.rb" @request.set_REQUEST_URI nil assert_equal "/path/of/some/uri?mapped=1", @request.request_uri(true) assert_equal "/of/some/uri", @request.path(true) ActionController::Base.relative_url_root = nil @request.env['PATH_INFO'] = "/path/of/some/uri" @request.env['SCRIPT_NAME'] = nil @request.set_REQUEST_URI nil assert_equal "/path/of/some/uri", @request.request_uri assert_equal "/path/of/some/uri", @request.path @request.env['PATH_INFO'] = "/" @request.set_REQUEST_URI nil assert_equal "/", @request.request_uri assert_equal "/", @request.path @request.env['PATH_INFO'] = "/?m=b" @request.set_REQUEST_URI nil assert_equal "/?m=b", @request.request_uri assert_equal "/", @request.path @request.env['PATH_INFO'] = "/" @request.env['SCRIPT_NAME'] = "/dispatch.cgi" @request.set_REQUEST_URI nil assert_equal "/", @request.request_uri assert_equal "/", @request.path ActionController::Base.relative_url_root = '/hieraki' @request.env['PATH_INFO'] = "/hieraki/" @request.env['SCRIPT_NAME'] = "/hieraki/dispatch.cgi" @request.set_REQUEST_URI nil assert_equal "/hieraki/", @request.request_uri assert_equal "/", @request.path ActionController::Base.relative_url_root = nil @request.set_REQUEST_URI '/hieraki/dispatch.cgi' ActionController::Base.relative_url_root = '/hieraki' assert_equal "/dispatch.cgi", @request.path(true) ActionController::Base.relative_url_root = nil @request.set_REQUEST_URI '/hieraki/dispatch.cgi' ActionController::Base.relative_url_root = '/foo' assert_equal "/hieraki/dispatch.cgi", @request.path(true) ActionController::Base.relative_url_root = nil # This test ensures that Rails uses REQUEST_URI over PATH_INFO ActionController::Base.relative_url_root = nil @request.env['REQUEST_URI'] = "/some/path" @request.env['PATH_INFO'] = "/another/path" @request.env['SCRIPT_NAME'] = "/dispatch.cgi" assert_equal "/some/path", @request.request_uri(true) assert_equal "/some/path", @request.path(true) end def test_host_with_default_port @request.host = "rubyonrails.org" @request.port = 80 assert_equal "rubyonrails.org", @request.host_with_port end def test_host_with_non_default_port @request.host = "rubyonrails.org" @request.port = 81 assert_equal "rubyonrails.org:81", @request.host_with_port end def test_server_software assert_equal nil, @request.server_software(true) @request.env['SERVER_SOFTWARE'] = 'Apache3.422' assert_equal 'apache', @request.server_software(true) @request.env['SERVER_SOFTWARE'] = 'lighttpd(1.1.4)' assert_equal 'lighttpd', @request.server_software(true) end def test_xml_http_request assert !@request.xml_http_request? assert !@request.xhr? @request.env['HTTP_X_REQUESTED_WITH'] = "DefinitelyNotAjax1.0" assert !@request.xml_http_request? assert !@request.xhr? @request.env['HTTP_X_REQUESTED_WITH'] = "XMLHttpRequest" assert @request.xml_http_request? assert @request.xhr? end def test_reports_ssl assert !@request.ssl? @request.env['HTTPS'] = 'on' assert @request.ssl? end def test_reports_ssl_when_proxied_via_lighttpd assert !@request.ssl? @request.env['HTTP_X_FORWARDED_PROTO'] = 'https' assert @request.ssl? end def test_symbolized_request_methods [:get, :post, :put, :delete].each do |method| self.request_method = method assert_equal method, @request.method end end def test_invalid_http_method_raises_exception assert_raises(ActionController::UnknownHttpMethod) do self.request_method = :random_method end end def test_allow_method_hacking_on_post [:get, :head, :options, :put, :post, :delete].each do |method| self.request_method = method @request.request_method(true) assert_equal(method == :head ? :get : method, @request.method) end end def test_invalid_method_hacking_on_post_raises_exception assert_raises(ActionController::UnknownHttpMethod) do self.request_method = :_random_method @request.request_method(true) end end def test_restrict_method_hacking @request.instance_eval { @parameters = { :_method => 'put' } } [:get, :put, :delete].each do |method| self.request_method = method assert_equal method, @request.method end end def test_head_masquerading_as_get self.request_method = :head assert_equal :get, @request.method assert @request.get? assert @request.head? end def test_xml_format @request.instance_eval { @parameters = { :format => 'xml' } } assert_equal Mime::XML, @request.format end def test_xhtml_format @request.instance_eval { @parameters = { :format => 'xhtml' } } assert_equal Mime::HTML, @request.format end def test_txt_format @request.instance_eval { @parameters = { :format => 'txt' } } assert_equal Mime::TEXT, @request.format end def test_nil_format ActionController::Base.use_accept_header, old = false, ActionController::Base.use_accept_header @request.instance_eval { @parameters = {} } @request.env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" assert @request.xhr? assert_equal Mime::JS, @request.format ensure ActionController::Base.use_accept_header = old end def test_content_type @request.env["CONTENT_TYPE"] = "text/html" assert_equal Mime::HTML, @request.content_type end def test_format_assignment_should_set_format @request.instance_eval { self.format = :txt } assert !@request.format.xml? @request.instance_eval { self.format = :xml } assert @request.format.xml? end def test_content_no_type assert_equal nil, @request.content_type end def test_content_type_xml @request.env["CONTENT_TYPE"] = "application/xml" assert_equal Mime::XML, @request.content_type end def test_content_type_with_charset @request.env["CONTENT_TYPE"] = "application/xml; charset=UTF-8" assert_equal Mime::XML, @request.content_type end def test_user_agent assert_not_nil @request.user_agent end def test_parameters @request.stubs(:request_parameters).returns({ "foo" => 1 }) @request.stubs(:query_parameters).returns({ "bar" => 2 }) assert_equal({"foo" => 1, "bar" => 2}, @request.parameters) assert_equal({"foo" => 1}, @request.request_parameters) assert_equal({"bar" => 2}, @request.query_parameters) end protected def request_method=(method) @request.env['REQUEST_METHOD'] = method.to_s.upcase @request.request_method(true) end end class UrlEncodedRequestParameterParsingTest < ActiveSupport::TestCase def test_unbalanced_query_string_with_array assert_equal( {'location' => ["1", "2"], 'age_group' => ["2"]}, ActionController::RequestParser.parse_request_parameters({'location[]' => ["1", "2"], 'age_group[]' => ["2"]}) ) end def test_request_hash_parsing query = { "note[viewers][viewer][][type]" => ["User", "Group"], "note[viewers][viewer][][id]" => ["1", "2"] } expected = { "note" => { "viewers"=>{"viewer"=>[{ "id"=>"1", "type"=>"User"}, {"type"=>"Group", "id"=>"2"} ]} } } assert_equal(expected, ActionController::RequestParser.parse_request_parameters(query)) end def test_parse_params input = { "customers[boston][first][name]" => [ "David" ], "customers[boston][first][url]" => [ "http://David" ], "customers[boston][second][name]" => [ "Allan" ], "customers[boston][second][url]" => [ "http://Allan" ], "something_else" => [ "blah" ], "something_nil" => [ nil ], "something_empty" => [ "" ], "products[first]" => [ "Apple Computer" ], "products[second]" => [ "Pc" ], "" => [ 'Save' ] } expected_output = { "customers" => { "boston" => { "first" => { "name" => "David", "url" => "http://David" }, "second" => { "name" => "Allan", "url" => "http://Allan" } } }, "something_else" => "blah", "something_empty" => "", "something_nil" => "", "products" => { "first" => "Apple Computer", "second" => "Pc" } } assert_equal expected_output, ActionController::RequestParser.parse_request_parameters(input) end UploadedStringIO = ActionController::UploadedStringIO class MockUpload < UploadedStringIO def initialize(content_type, original_path, *args) self.content_type = content_type self.original_path = original_path super *args end end def test_parse_params_from_multipart_upload file = MockUpload.new('img/jpeg', 'foo.jpg') ie_file = MockUpload.new('img/jpeg', 'c:\\Documents and Settings\\foo\\Desktop\\bar.jpg') non_file_text_part = MockUpload.new('text/plain', '', 'abc') input = { "something" => [ UploadedStringIO.new("") ], "array_of_stringios" => [[ UploadedStringIO.new("One"), UploadedStringIO.new("Two") ]], "mixed_types_array" => [[ UploadedStringIO.new("Three"), "NotStringIO" ]], "mixed_types_as_checkboxes[strings][nested]" => [[ file, "String", UploadedStringIO.new("StringIO")]], "ie_mixed_types_as_checkboxes[strings][nested]" => [[ ie_file, "String", UploadedStringIO.new("StringIO")]], "products[string]" => [ UploadedStringIO.new("Apple Computer") ], "products[file]" => [ file ], "ie_products[string]" => [ UploadedStringIO.new("Microsoft") ], "ie_products[file]" => [ ie_file ], "text_part" => [non_file_text_part] } expected_output = { "something" => "", "array_of_stringios" => ["One", "Two"], "mixed_types_array" => [ "Three", "NotStringIO" ], "mixed_types_as_checkboxes" => { "strings" => { "nested" => [ file, "String", "StringIO" ] }, }, "ie_mixed_types_as_checkboxes" => { "strings" => { "nested" => [ ie_file, "String", "StringIO" ] }, }, "products" => { "string" => "Apple Computer", "file" => file }, "ie_products" => { "string" => "Microsoft", "file" => ie_file }, "text_part" => "abc" } params = ActionController::RequestParser.parse_request_parameters(input) assert_equal expected_output, params # Lone filenames are preserved. assert_equal 'foo.jpg', params['mixed_types_as_checkboxes']['strings']['nested'].first.original_filename assert_equal 'foo.jpg', params['products']['file'].original_filename # But full Windows paths are reduced to their basename. assert_equal 'bar.jpg', params['ie_mixed_types_as_checkboxes']['strings']['nested'].first.original_filename assert_equal 'bar.jpg', params['ie_products']['file'].original_filename end def test_parse_params_with_file input = { "customers[boston][first][name]" => [ "David" ], "something_else" => [ "blah" ], "logo" => [ File.new(File.dirname(__FILE__) + "/rack_test.rb").path ] } expected_output = { "customers" => { "boston" => { "first" => { "name" => "David" } } }, "something_else" => "blah", "logo" => File.new(File.dirname(__FILE__) + "/rack_test.rb").path, } assert_equal expected_output, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_array input = { "selected[]" => [ "1", "2", "3" ] } expected_output = { "selected" => [ "1", "2", "3" ] } assert_equal expected_output, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_non_alphanumeric_name input = { "a/b[c]" => %w(d) } expected = { "a/b" => { "c" => "d" }} assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_single_brackets_in_middle input = { "a/b[c]d" => %w(e) } expected = { "a/b" => {} } assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_separated_brackets input = { "a/b@[c]d[e]" => %w(f) } expected = { "a/b@" => { }} assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_separated_brackets_and_array input = { "a/b@[c]d[e][]" => %w(f) } expected = { "a/b@" => { }} assert_equal expected , ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_unmatched_brackets_and_array input = { "a/b@[c][d[e][]" => %w(f) } expected = { "a/b@" => { "c" => { }}} assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_nil_key input = { nil => nil, "test2" => %w(value1) } expected = { "test2" => "value1" } assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_array_prefix_and_hashes input = { "a[][b][c]" => %w(d) } expected = {"a" => [{"b" => {"c" => "d"}}]} assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end def test_parse_params_with_complex_nesting input = { "a[][b][c][][d][]" => %w(e) } expected = {"a" => [{"b" => {"c" => [{"d" => ["e"]}]}}]} assert_equal expected, ActionController::RequestParser.parse_request_parameters(input) end end