aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/host_authorization_test.rb
blob: dae7b08ec1bd39e93e194987b0ca7900ad5b5526 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# frozen_string_literal: true

require "abstract_unit"
require "ipaddr"

class HostAuthorizationTest < ActionDispatch::IntegrationTest
  App = -> env { [200, {}, %w(Success)] }

  test "blocks requests to unallowed host" do
    @app = ActionDispatch::HostAuthorization.new(App, %w(only.com))

    get "/"

    assert_response :forbidden
    assert_match "Blocked host: www.example.com", response.body
  end

  test "passes all requests to if the whitelist is empty" do
    @app = ActionDispatch::HostAuthorization.new(App, nil)

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "passes requests to allowed host" do
    @app = ActionDispatch::HostAuthorization.new(App, %w(www.example.com))

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "the whitelist could be a single element" do
    @app = ActionDispatch::HostAuthorization.new(App, "www.example.com")

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "passes requests to allowed hosts with domain name notation" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "does not allow domain name notation in the HOST header itself" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/", env: {
      "HOST" => ".example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: .example.com", response.body
  end

  test "checks for requests with #=== to support wider range of host checks" do
    @app = ActionDispatch::HostAuthorization.new(App, [-> input { input == "www.example.com" }])

    get "/"

    assert_response :ok
    assert_equal "Success", body
  end

  test "mark the host when authorized" do
    @app = ActionDispatch::HostAuthorization.new(App, ".example.com")

    get "/"

    assert_equal "www.example.com", request.get_header("action_dispatch.authorized_host")
  end

  test "sanitizes regular expressions to prevent accidental matches" do
    @app = ActionDispatch::HostAuthorization.new(App, [/w.example.co/])

    get "/"

    assert_response :forbidden
    assert_match "Blocked host: www.example.com", response.body
  end

  test "blocks requests to unallowed host supporting custom responses" do
    @app = ActionDispatch::HostAuthorization.new(App, ["w.example.co"], -> env do
      [401, {}, %w(Custom)]
    end)

    get "/"

    assert_response :unauthorized
    assert_equal "Custom", body
  end

  test "blocks requests with spoofed X-FORWARDED-HOST" do
    @app = ActionDispatch::HostAuthorization.new(App, [IPAddr.new("127.0.0.1")])

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "127.0.0.1",
      "HOST" => "www.example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: 127.0.0.1", response.body
  end

  test "does not consider IP addresses in X-FORWARDED-HOST spoofed when disabled" do
    @app = ActionDispatch::HostAuthorization.new(App, nil)

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "127.0.0.1",
      "HOST" => "www.example.com",
    }

    assert_response :ok
    assert_equal "Success", body
  end

  test "detects localhost domain spoofing" do
    @app = ActionDispatch::HostAuthorization.new(App, "localhost")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "localhost",
      "HOST" => "www.example.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: localhost", response.body
  end

  test "forwarded hosts should be permitted" do
    @app = ActionDispatch::HostAuthorization.new(App, "domain.com")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "sub.domain.com",
      "HOST" => "domain.com",
    }

    assert_response :forbidden
    assert_match "Blocked host: sub.domain.com", response.body
  end

  test "forwarded hosts are allowed when permitted" do
    @app = ActionDispatch::HostAuthorization.new(App, ".domain.com")

    get "/", env: {
      "HTTP_X_FORWARDED_HOST" => "sub.domain.com",
      "HOST" => "domain.com",
    }

    assert_response :ok
    assert_equal "Success", body
  end
end