railties/test/application/middleware_stack_defaults_test.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

require 'isolation/abstract_unit'

class MiddlewareStackDefaultsTest < Test::Unit::TestCase
  include ActiveSupport::Testing::Isolation

  def setup
    boot_rails
    require "rails"
    require "action_controller/railtie"

    Object.const_set(:MyApplication, Class.new(Rails::Application))
    MyApplication.class_eval do
      config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
      config.session_store :cookie_store, :key => "_myapp_session"
    end
  end

  def remote_ip(env = {})
    remote_ip = nil
    env = Rack::MockRequest.env_for("/").merge(env).merge('action_dispatch.show_exceptions' => false)

    endpoint = Proc.new do |e|
      remote_ip = ActionDispatch::Request.new(e).remote_ip
      [200, {}, ["Hello"]]
    end

    out = MyApplication.middleware.build(endpoint).call(env)
    remote_ip
  end

  test "remote_ip works" do
    assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "1.1.1.1")
  end

  test "checks IP spoofing by default" do
    assert_raises(ActionDispatch::RemoteIp::IpSpoofAttackError) do
      remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")
    end
  end

  test "can disable IP spoofing check" do
    MyApplication.config.action_dispatch.ip_spoofing_check = false

    assert_nothing_raised(ActionDispatch::RemoteIp::IpSpoofAttackError) do
      assert_equal "1.1.1.2", remote_ip("HTTP_X_FORWARDED_FOR" => "1.1.1.1", "HTTP_CLIENT_IP" => "1.1.1.2")
    end
  end

  test "the user can set trusted proxies" do
    MyApplication.config.action_dispatch.trusted_proxies = /^4\.2\.42\.42$/

    assert_equal "1.1.1.1", remote_ip("REMOTE_ADDR" => "4.2.42.42,1.1.1.1")
  end
end