1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
|
# frozen_string_literal: true
require "test_helper"
require "stubs/test_server"
class ActionCable::Connection::CrossSiteForgeryTest < ActionCable::TestCase
HOST = "rubyonrails.com"
class Connection < ActionCable::Connection::Base
def send_async(method, *args)
send method, *args
end
end
setup do
@server = TestServer.new
@server.config.allowed_request_origins = %w( http://rubyonrails.com )
@server.config.allow_same_origin_as_host = false
end
teardown do
@server.config.disable_request_forgery_protection = false
@server.config.allowed_request_origins = []
@server.config.allow_same_origin_as_host = true
end
test "disable forgery protection" do
@server.config.disable_request_forgery_protection = true
assert_origin_allowed "http://rubyonrails.com"
assert_origin_allowed "http://hax.com"
end
test "explicitly specified a single allowed origin" do
@server.config.allowed_request_origins = "http://hax.com"
assert_origin_not_allowed "http://rubyonrails.com"
assert_origin_allowed "http://hax.com"
end
test "explicitly specified multiple allowed origins" do
@server.config.allowed_request_origins = %w( http://rubyonrails.com http://www.rubyonrails.com )
assert_origin_allowed "http://rubyonrails.com"
assert_origin_allowed "http://www.rubyonrails.com"
assert_origin_not_allowed "http://hax.com"
end
test "explicitly specified a single regexp allowed origin" do
@server.config.allowed_request_origins = /.*ha.*/
assert_origin_not_allowed "http://rubyonrails.com"
assert_origin_allowed "http://hax.com"
end
test "explicitly specified multiple regexp allowed origins" do
@server.config.allowed_request_origins = [/http:\/\/ruby.*/, /.*rai.s.*com/, "string" ]
assert_origin_allowed "http://rubyonrails.com"
assert_origin_allowed "http://www.rubyonrails.com"
assert_origin_not_allowed "http://hax.com"
assert_origin_not_allowed "http://rails.co.uk"
end
test "allow same origin as host" do
@server.config.allow_same_origin_as_host = true
assert_origin_allowed "http://#{HOST}"
assert_origin_not_allowed "http://hax.com"
assert_origin_not_allowed "http://rails.co.uk"
end
private
def assert_origin_allowed(origin)
response = connect_with_origin origin
assert_equal(-1, response[0])
end
def assert_origin_not_allowed(origin)
response = connect_with_origin origin
assert_equal 404, response[0]
end
def connect_with_origin(origin)
response = nil
run_in_eventmachine do
response = Connection.new(@server, env_for_origin(origin)).process
end
response
end
def env_for_origin(origin)
Rack::MockRequest.env_for "/test", "HTTP_CONNECTION" => "upgrade", "HTTP_UPGRADE" => "websocket", "SERVER_NAME" => HOST,
"HTTP_HOST" => HOST, "HTTP_ORIGIN" => origin
end
end
|