test/connection/cross_site_forgery_test.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

require 'test_helper'
require 'stubs/test_server'

class ActionCable::Connection::CrossSiteForgeryTest < ActiveSupport::TestCase
  HOST = 'rubyonrails.com'

  setup do
    @server = TestServer.new
  end

  test "default cross site forgery protection only allows origin same as the server host" do
    assert_origin_allowed 'http://rubyonrails.com'
    assert_origin_not_allowed 'http://hax.com'
  end

  test "disable forgery protection" do
    @server.config.disable_request_forgery_protection = true
    assert_origin_allowed 'http://rubyonrails.com'
    assert_origin_allowed 'http://hax.com'
  end

  test "explicitly specified a single allowed origin" do
    @server.config.allowed_request_origins = 'hax.com'
    assert_origin_not_allowed 'http://rubyonrails.com'
    assert_origin_allowed 'http://hax.com'
  end

  test "explicitly specified multiple allowed origins" do
    @server.config.allowed_request_origins = %w( rubyonrails.com www.rubyonrails.com )
    assert_origin_allowed 'http://rubyonrails.com'
    assert_origin_allowed 'http://www.rubyonrails.com'
    assert_origin_allowed 'https://www.rubyonrails.com'
    assert_origin_not_allowed 'http://hax.com'
  end

  private
    def assert_origin_allowed(origin)
      response = connect_with_origin origin
      assert_equal -1, response[0]
    end

    def assert_origin_not_allowed(origin)
      response = connect_with_origin origin
      assert_equal 404, response[0]
    end

    def connect_with_origin(origin)
      ActionCable::Connection::Base.new(@server, env_for_origin(origin)).process
    end

    def env_for_origin(origin)
      Rack::MockRequest.env_for "/test", 'HTTP_CONNECTION' => 'upgrade', 'HTTP_UPGRADE' => 'websocket', 'SERVER_NAME' => HOST,
        'HTTP_ORIGIN' => origin
    end
end