module RequestForgeryProtectionTests
Common test methods.
assert_blocked() { || ... }
# File actionpack/test/controller/request_forgery_protection_test.rb, line 582
# Runs the request in the block and asserts that forgery protection rejected it.
# A marker value is stored in the session first; after the request it must be
# gone (the session was reset by the failure handler) while the response is
# still :success, i.e. the rejection is silent rather than an error page.
def assert_blocked
  marker = :something_like_user_id
  session[marker] = 1
  yield
  assert_nil(session[marker], "session values are still present")
  assert_response(:success)
end
assert_cross_origin_blocked() { || ... }
# File actionpack/test/controller/request_forgery_protection_test.rb, line 594
# Asserts that the request in the block is refused as a cross-origin
# JavaScript request, i.e. that ActionController::InvalidCrossOriginRequest
# is raised out of it.
def assert_cross_origin_blocked
  assert_raises(ActionController::InvalidCrossOriginRequest) { yield }
end
assert_cross_origin_not_blocked() { || ... }
# File actionpack/test/controller/request_forgery_protection_test.rb, line 600
# Counterpart of assert_cross_origin_blocked: the request in the block must
# neither raise nor be rejected, so it simply delegates to assert_not_blocked.
def assert_cross_origin_not_blocked
  assert_not_blocked do
    yield
  end
end
assert_not_blocked() { || ... }
# File actionpack/test/controller/request_forgery_protection_test.rb, line 589
# Asserts that the request in the block went through forgery protection
# untouched: no exception escapes the block and the response is :success.
def assert_not_blocked
  assert_nothing_raised do
    yield
  end
  assert_response(:success)
end
forgery_protection_origin_check() { || ... }
# File actionpack/test/controller/request_forgery_protection_test.rb, line 604
# Turns on ActionController::Base.forgery_protection_origin_check for the
# duration of the block and restores the previous value afterwards, even if
# the block raises. The setting is global, so restoring it keeps other tests
# isolated from this one.
def forgery_protection_origin_check
  previous = ActionController::Base.forgery_protection_origin_check
  ActionController::Base.forgery_protection_origin_check = true
  begin
    yield
  ensure
    ActionController::Base.forgery_protection_origin_check = previous
  end
end
setup()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 177
# Per-test setup: renames the global forgery-protection parameter to
# :custom_authenticity_token (remembering the previous name for teardown)
# and builds a fixed, base64-encoded token so the tests can compare
# against a known value.
def setup
  @old_request_forgery_protection_token = ActionController::Base.request_forgery_protection_token
  ActionController::Base.request_forgery_protection_token = :custom_authenticity_token
  @token = Base64.strict_encode64("quailstestquailstestquailstestquails")
end
teardown()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 183
# Per-test teardown: puts the global forgery-protection parameter name back
# to whatever it was before setup ran.
def teardown
  ActionController::Base.request_forgery_protection_token = @old_request_forgery_protection_token
end
test_should_allow_delete_with_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 394
# A DELETE carrying the session's token as the custom form parameter passes.
def test_should_allow_delete_with_token
  session[:_csrf_token] = @token
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked do
      delete :index, params: { custom_authenticity_token: @token }
    end
  end
end
test_should_allow_delete_with_token_in_header()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 407
# A DELETE is accepted when the token arrives in the X-CSRF-Token request
# header (Rack env key HTTP_X_CSRF_TOKEN) instead of a form parameter.
def test_should_allow_delete_with_token_in_header
  session[:_csrf_token] = @token
  @request.env["HTTP_X_CSRF_TOKEN"] = @token
  assert_not_blocked do
    delete :index
  end
end
test_should_allow_get()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 337
# GET never needs a token.
def test_should_allow_get
  assert_not_blocked do
    get :index
  end
end
test_should_allow_head()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 341
# HEAD never needs a token.
def test_should_allow_head
  assert_not_blocked do
    head :index
  end
end
test_should_allow_non_get_js_without_xhr_header()
Allow non-GET requests since GET is all a remote <script> tag can muster.
# File actionpack/test/controller/request_forgery_protection_test.rb, line 550
# A non-GET request for JavaScript is not treated as a cross-origin script
# fetch: with a valid token, a plain POST (no XHR header) is accepted whether
# the JS format comes from the action, the format param or content negotiation.
def test_should_allow_non_get_js_without_xhr_header
  session[:_csrf_token] = @token
  assert_cross_origin_not_blocked do
    post :same_origin_js, params: { custom_authenticity_token: @token }
  end
  assert_cross_origin_not_blocked do
    post :same_origin_js, params: { format: "js", custom_authenticity_token: @token }
  end
  assert_cross_origin_not_blocked do
    @request.accept = "text/javascript"
    post :negotiate_same_origin, params: { custom_authenticity_token: @token }
  end
end
test_should_allow_patch_with_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 380
# A PATCH carrying the session's token as the custom form parameter passes.
def test_should_allow_patch_with_token
  session[:_csrf_token] = @token
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked do
      patch :index, params: { custom_authenticity_token: @token }
    end
  end
end
test_should_allow_patch_with_token_in_header()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 413
# A PATCH is accepted when the token arrives in the X-CSRF-Token request
# header (Rack env key HTTP_X_CSRF_TOKEN) instead of a form parameter.
def test_should_allow_patch_with_token_in_header
  session[:_csrf_token] = @token
  @request.env["HTTP_X_CSRF_TOKEN"] = @token
  assert_not_blocked do
    patch :index
  end
end
test_should_allow_post_with_origin_checking_and_correct_origin()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 425
# With origin checking on, a POST whose Origin header matches the request's
# own host (http://test.host) and carries a valid token is accepted.
def test_should_allow_post_with_origin_checking_and_correct_origin
  forgery_protection_origin_check do
    session[:_csrf_token] = @token
    @controller.stub(:form_authenticity_token, @token) do
      assert_not_blocked do
        @request.set_header("HTTP_ORIGIN", "http://test.host")
        post :index, params: { custom_authenticity_token: @token }
      end
    end
  end
end
test_should_allow_post_with_origin_checking_and_no_origin()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 437
# With origin checking on, a POST that sends no Origin header at all is still
# accepted as long as the token is valid; only a mismatching Origin is rejected.
def test_should_allow_post_with_origin_checking_and_no_origin
  forgery_protection_origin_check do
    session[:_csrf_token] = @token
    @controller.stub(:form_authenticity_token, @token) do
      assert_not_blocked do
        post :index, params: { custom_authenticity_token: @token }
      end
    end
  end
end
test_should_allow_post_with_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 373
# A POST carrying the session's token as the custom form parameter passes.
def test_should_allow_post_with_token
  session[:_csrf_token] = @token
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked do
      post :index, params: { custom_authenticity_token: @token }
    end
  end
end
test_should_allow_post_with_token_in_header()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 401
# A POST is accepted when the token arrives in the X-CSRF-Token request
# header (Rack env key HTTP_X_CSRF_TOKEN) instead of a form parameter.
def test_should_allow_post_with_token_in_header
  session[:_csrf_token] = @token
  @request.env["HTTP_X_CSRF_TOKEN"] = @token
  assert_not_blocked do
    post :index
  end
end
test_should_allow_post_without_token_on_unsafe_action()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 345
# A token-less POST to the :unsafe action is accepted. NOTE(review): that
# action is presumably configured to skip forgery protection in the test
# controller, which is not visible here — confirm against its definition.
def test_should_allow_post_without_token_on_unsafe_action
  assert_not_blocked do
    post :unsafe
  end
end
test_should_allow_put_with_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 387
# A PUT carrying the session's token as the custom form parameter passes.
def test_should_allow_put_with_token
  session[:_csrf_token] = @token
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked do
      put :index, params: { custom_authenticity_token: @token }
    end
  end
end
test_should_allow_put_with_token_in_header()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 419
# A PUT is accepted when the token arrives in the X-CSRF-Token request
# header (Rack env key HTTP_X_CSRF_TOKEN) instead of a form parameter.
def test_should_allow_put_with_token_in_header
  session[:_csrf_token] = @token
  @request.env["HTTP_X_CSRF_TOKEN"] = @token
  assert_not_blocked do
    put :index
  end
end
test_should_block_post_with_origin_checking_and_wrong_origin()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 448
# With origin checking on, a POST whose Origin header (http://bad.host) does
# not match request.base_url (http://test.host) is rejected even though the
# token itself is valid, and the mismatch is logged at :warn with both URLs
# so an operator can tell an origin failure from a token failure. The
# controller logger is swapped for a MockLogger to capture that line.
def test_should_block_post_with_origin_checking_and_wrong_origin
  previous_logger = ActionController::Base.logger
  mock_logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
  ActionController::Base.logger = mock_logger
  forgery_protection_origin_check do
    session[:_csrf_token] = @token
    @controller.stub(:form_authenticity_token, @token) do
      assert_blocked do
        @request.set_header("HTTP_ORIGIN", "http://bad.host")
        post :index, params: { custom_authenticity_token: @token }
      end
    end
  end
  expected_warning = "HTTP Origin header (http://bad.host) didn't match request.base_url (http://test.host)"
  assert_match(expected_warning, mock_logger.logged(:warn).last)
ensure
  ActionController::Base.logger = previous_logger
end
test_should_not_allow_delete_without_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 365
# A DELETE with no token is rejected.
def test_should_not_allow_delete_without_token
  assert_blocked do
    delete :index
  end
end
test_should_not_allow_patch_without_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 357
# A PATCH with no token is rejected.
def test_should_not_allow_patch_without_token
  assert_blocked do
    patch :index
  end
end
test_should_not_allow_post_without_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 349
# A POST with no token is rejected.
def test_should_not_allow_post_without_token
  assert_blocked do
    post :index
  end
end
test_should_not_allow_post_without_token_irrespective_of_format()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 353
# Asking for a non-HTML format (here "xml") does not exempt a token-less
# POST from the check.
def test_should_not_allow_post_without_token_irrespective_of_format
  assert_blocked do
    post :index, format: "xml"
  end
end
test_should_not_allow_put_without_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 361
# A PUT with no token is rejected.
def test_should_not_allow_put_without_token
  assert_blocked do
    put :index
  end
end
test_should_not_allow_xhr_post_without_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 369
# The XHR header alone is not proof of same-origin intent: a token-less
# POST sent as XHR is still rejected.
def test_should_not_allow_xhr_post_without_token
  assert_blocked do
    post :index, xhr: true
  end
end
test_should_not_raise_error_if_token_is_not_a_string()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 576
# A token parameter of the wrong type (a nested Hash rather than a String)
# must be treated as an invalid token and rejected cleanly, not turned into
# an exception that would surface as a 500.
def test_should_not_raise_error_if_token_is_not_a_string
  assert_blocked do
    patch :index, params: { custom_authenticity_token: { foo: "bar" } }
  end
end
test_should_not_warn_if_csrf_logging_disabled()
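# File actionpack/test/controller/request_forgery_protection_test.rb, line 486
# With log_warning_on_csrf_failure turned off, a rejected token-less POST
# must produce no :warn line at all. Both the controller logger and the
# logging flag are global, so the previous values of each are captured and
# put back in ensure — the flag is restored to what it was, not forced to
# true, so this test cannot leak a changed setting into the rest of the run.
def test_should_not_warn_if_csrf_logging_disabled
  old_logger = ActionController::Base.logger
  old_log_warning = ActionController::Base.log_warning_on_csrf_failure
  logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
  ActionController::Base.logger = logger
  ActionController::Base.log_warning_on_csrf_failure = false
  begin
    assert_blocked { post :index }
    assert_equal 0, logger.logged(:warn).size
  ensure
    ActionController::Base.logger = old_logger
    ActionController::Base.log_warning_on_csrf_failure = old_log_warning
  end
end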
test_should_not_warn_if_csrf_logging_disabled_and_not_same_origin_js()
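# File actionpack/test/controller/request_forgery_protection_test.rb, line 533
# With log_warning_on_csrf_failure turned off, a rejected cross-origin
# JavaScript GET must produce no :warn line at all. Both the controller
# logger and the logging flag are global, so the previous values of each
# are captured and put back in ensure — the flag is restored to what it
# was, not forced to true, so this test cannot leak a changed setting into
# the rest of the run.
def test_should_not_warn_if_csrf_logging_disabled_and_not_same_origin_js
  old_logger = ActionController::Base.logger
  old_log_warning = ActionController::Base.log_warning_on_csrf_failure
  logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
  ActionController::Base.logger = logger
  ActionController::Base.log_warning_on_csrf_failure = false
  begin
    assert_cross_origin_blocked { get :same_origin_js }
    assert_equal 0, logger.logged(:warn).size
  ensure
    ActionController::Base.logger = old_logger
    ActionController::Base.log_warning_on_csrf_failure = old_log_warning
  end
end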
test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 560
# For the :cross_origin_js / :negotiate_cross_origin actions every GET is
# accepted, with or without the XHR header and however the JS format is
# selected. NOTE(review): the method name says these actions have the
# cross-origin protection disabled; that configuration lives in the test
# controller, not here — confirm against its definition.
def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
  # Plain GETs, no XHR header.
  assert_cross_origin_not_blocked do
    get :cross_origin_js
  end
  assert_cross_origin_not_blocked do
    get :cross_origin_js, format: "js"
  end
  assert_cross_origin_not_blocked do
    @request.accept = "text/javascript"
    get :negotiate_cross_origin
  end
  # The same GETs with the XHR header set.
  assert_cross_origin_not_blocked do
    get :cross_origin_js, xhr: true
  end
  assert_cross_origin_not_blocked do
    get :cross_origin_js, xhr: true, format: "js"
  end
  assert_cross_origin_not_blocked do
    @request.accept = "text/javascript"
    get :negotiate_cross_origin, xhr: true
  end
end
test_should_only_allow_same_origin_js_get_with_xhr_header()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 502
# A GET for protected JavaScript is refused unless it is an XHR request:
# without the XHR header it raises, whether the JS format comes from the
# action, the format param or content negotiation; with the header set the
# same three requests go through. This is what stops a third-party page
# from pulling the script in with a plain <script src> tag.
def test_should_only_allow_same_origin_js_get_with_xhr_header
  # Plain GETs, no XHR header: all refused.
  assert_cross_origin_blocked do
    get :same_origin_js
  end
  assert_cross_origin_blocked do
    get :same_origin_js, format: "js"
  end
  assert_cross_origin_blocked do
    @request.accept = "text/javascript"
    get :negotiate_same_origin
  end
  # The same GETs with the XHR header set: all accepted.
  assert_cross_origin_not_blocked do
    get :same_origin_js, xhr: true
  end
  assert_cross_origin_not_blocked do
    get :same_origin_js, xhr: true, format: "js"
  end
  assert_cross_origin_not_blocked do
    @request.accept = "text/javascript"
    get :negotiate_same_origin, xhr: true
  end
end
test_should_render_form_with_token_tag()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 187
# The rendered form for :index contains a hidden input named after the
# custom token parameter whose value is the (stubbed) authenticity token.
def test_should_render_form_with_token_tag
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked { get :index }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  end
end
test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 245
# A remote form_for that explicitly asks for the authenticity token renders
# the hidden token input with the (stubbed) token value.
def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked { get :form_for_remote_with_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  end
end
test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 212
# When embed_authenticity_token_in_remote_forms is switched on, a remote
# form_for embeds the authenticity token in its markup. The global setting
# is restored in ensure so the test leaves it as it found it.
def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on
  form_helper = ActionView::Helpers::FormTagHelper
  saved_setting = form_helper.embed_authenticity_token_in_remote_forms
  begin
    form_helper.embed_authenticity_token_in_remote_forms = true
    assert_not_blocked { get :form_for_remote }
    assert_match(/authenticity_token/, response.body)
  ensure
    form_helper.embed_authenticity_token_in_remote_forms = saved_setting
  end
end
test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 238
# A remote form_for given an explicit token value renders that value
# ("external_token") in the hidden token input, without consulting
# form_authenticity_token.
def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested
  assert_not_blocked { get :form_for_remote_with_external_token }
  assert_select("form>input[name=?][value=?]", "custom_authenticity_token", "external_token")
end
test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 225
# With embedding switched on, a remote form_for given an explicit token
# still renders that explicit value ("external_token") rather than the
# generated one. The global setting is restored in ensure.
def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on
  form_helper = ActionView::Helpers::FormTagHelper
  saved_setting = form_helper.embed_authenticity_token_in_remote_forms
  begin
    form_helper.embed_authenticity_token_in_remote_forms = true
    assert_not_blocked { get :form_for_remote_with_external_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", "external_token")
  ensure
    form_helper.embed_authenticity_token_in_remote_forms = saved_setting
  end
end
test_should_render_form_with_token_tag_with_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 254
# A non-remote form_for that asks for the authenticity token renders the
# hidden token input with the (stubbed) token value.
def test_should_render_form_with_token_tag_with_authenticity_token_requested
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked { get :form_for_with_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  end
end
test_should_render_form_with_with_token_tag_if_remote()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 263
# A remote form_with includes the authenticity token in its markup under
# the default settings (contrast with form_for, which omits it).
def test_should_render_form_with_with_token_tag_if_remote
  assert_not_blocked { get :form_with_remote }
  assert_match(/authenticity_token/, response.body)
end
test_should_render_form_with_with_token_tag_if_remote_and_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 303
# A remote form_with that explicitly asks for the authenticity token renders
# the hidden token input with the (stubbed) token value.
def test_should_render_form_with_with_token_tag_if_remote_and_authenticity_token_requested
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked { get :form_with_remote_with_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  end
end
test_should_render_form_with_with_token_tag_if_remote_and_embedding_token_is_on()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 321
# With embed_authenticity_token_in_remote_forms switched on, a remote
# form_with renders the hidden token input carrying the (stubbed) token.
# The global setting is restored in ensure.
def test_should_render_form_with_with_token_tag_if_remote_and_embedding_token_is_on
  form_helper = ActionView::Helpers::FormTagHelper
  saved_setting = form_helper.embed_authenticity_token_in_remote_forms
  begin
    form_helper.embed_authenticity_token_in_remote_forms = true
    @controller.stub(:form_authenticity_token, @token) do
      assert_not_blocked { get :form_with_remote }
    end
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  ensure
    form_helper.embed_authenticity_token_in_remote_forms = saved_setting
  end
end
test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 296
# A remote form_with given an explicit token value renders that value
# ("external_token") in the hidden token input.
def test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested
  assert_not_blocked { get :form_with_remote_with_external_token }
  assert_select("form>input[name=?][value=?]", "custom_authenticity_token", "external_token")
end
test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 283
# With embedding switched on, a remote form_with given an explicit token
# still renders that explicit value ("external_token"). The global setting
# is restored in ensure.
def test_should_render_form_with_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on
  form_helper = ActionView::Helpers::FormTagHelper
  saved_setting = form_helper.embed_authenticity_token_in_remote_forms
  begin
    form_helper.embed_authenticity_token_in_remote_forms = true
    assert_not_blocked { get :form_with_remote_with_external_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", "external_token")
  ensure
    form_helper.embed_authenticity_token_in_remote_forms = saved_setting
  end
end
test_should_render_form_with_with_token_tag_with_authenticity_token_requested()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 312
# A local (non-remote) form_with that asks for the authenticity token
# renders the hidden token input with the (stubbed) token value.
def test_should_render_form_with_with_token_tag_with_authenticity_token_requested
  @controller.stub(:form_authenticity_token, @token) do
    assert_not_blocked { get :form_with_local_with_token }
    assert_select("form>input[name=?][value=?]", "custom_authenticity_token", @token)
  end
end
test_should_render_form_with_without_token_tag_if_remote_and_embedding_token_is_off()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 270
# With embed_authenticity_token_in_remote_forms switched off, a remote
# form_with renders no authenticity token at all. The global setting is
# restored in ensure.
def test_should_render_form_with_without_token_tag_if_remote_and_embedding_token_is_off
  form_helper = ActionView::Helpers::FormTagHelper
  saved_setting = form_helper.embed_authenticity_token_in_remote_forms
  begin
    form_helper.embed_authenticity_token_in_remote_forms = false
    assert_not_blocked { get :form_with_remote }
    assert_no_match(/authenticity_token/, response.body)
  ensure
    form_helper.embed_authenticity_token_in_remote_forms = saved_setting
  end
end
test_should_render_form_without_token_tag_if_remote()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 205
# Under the default settings a remote form_for renders no authenticity
# token in its markup.
def test_should_render_form_without_token_tag_if_remote
  assert_not_blocked { get :form_for_remote }
  assert_no_match(/authenticity_token/, response.body)
end
test_should_warn_on_missing_csrf_token()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 471
# A rejected token-less POST writes exactly one :warn line mentioning
# "CSRF token authenticity", which is what gives operators a detectable
# signal for forgery attempts. The controller logger is swapped for a
# MockLogger to capture it and restored in ensure.
def test_should_warn_on_missing_csrf_token
  previous_logger = ActionController::Base.logger
  mock_logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
  ActionController::Base.logger = mock_logger
  begin
    assert_blocked do
      post :index
    end
    warnings = mock_logger.logged(:warn)
    assert_equal(1, warnings.size)
    assert_match(/CSRF token authenticity/, warnings.last)
  ensure
    ActionController::Base.logger = previous_logger
  end
end
test_should_warn_on_not_same_origin_js()
# File actionpack/test/controller/request_forgery_protection_test.rb, line 518
# A refused non-XHR GET for protected JavaScript writes exactly one :warn
# line describing a <script> tag on another site requesting protected
# JavaScript. The controller logger is swapped for a MockLogger to capture
# it and restored in ensure.
def test_should_warn_on_not_same_origin_js
  previous_logger = ActionController::Base.logger
  mock_logger = ActiveSupport::LogSubscriber::TestHelper::MockLogger.new
  ActionController::Base.logger = mock_logger
  begin
    assert_cross_origin_blocked do
      get :same_origin_js
    end
    warnings = mock_logger.logged(:warn)
    assert_equal(1, warnings.size)
    assert_match(/<script> tag on another site requested protected JavaScript/, warnings.last)
  ensure
    ActionController::Base.logger = previous_logger
  end
end