rack-protection 1.5.3 → 2.0.0

data/spec/remote_referrer_spec.rb

@@ -1,31 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::RemoteReferrer do
-  it_behaves_like "any rack application"
-
-  it "accepts post requests with no referrer" do
-    post('/').should be_ok
-  end
-
-  it "does not accept post requests with no referrer if allow_empty_referrer is false" do
-    mock_app do
-      use Rack::Protection::RemoteReferrer, :allow_empty_referrer => false
-      run DummyApp
-    end
-    post('/').should_not be_ok
-  end
-
-  it "should allow post request with a relative referrer" do
-    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
-  end
-
-  it "accepts post requests with the same host in the referrer" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.com')
-    last_response.should be_ok
-  end
-
-  it "denies post requests with a remote referrer" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
-    last_response.should_not be_ok
-  end
-end

data/spec/remote_token_spec.rb

@@ -1,42 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::RemoteToken do
-  it_behaves_like "any rack application"
-
-  it "accepts post requests with no referrer" do
-    post('/').should be_ok
-  end
-
-  it "accepts post requests with a local referrer" do
-    post('/', {}, 'HTTP_REFERER' => '/').should be_ok
-  end
-
-  it "denies post requests with a remote referrer and no token" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org')
-    last_response.should_not be_ok
-  end
-
-  it "accepts post requests with a remote referrer and correct X-CSRF-Token header" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
-      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "a")
-    last_response.should be_ok
-  end
-
-  it "denies post requests with a remote referrer and wrong X-CSRF-Token header" do
-    post('/', {}, 'HTTP_REFERER' => 'http://example.com/foo', 'HTTP_HOST' => 'example.org',
-      'rack.session' => {:csrf => "a"}, 'HTTP_X_CSRF_TOKEN' => "b")
-    last_response.should_not be_ok
-  end
-
-  it "accepts post form requests with a remote referrer and correct authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
-      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "a"})
-    last_response.should be_ok
-  end
-
-  it "denies post form requests with a remote referrer and wrong authenticity_token field" do
-    post('/', {"authenticity_token" => "a"}, 'HTTP_REFERER' => 'http://example.com/foo',
-      'HTTP_HOST' => 'example.org', 'rack.session' => {:csrf => "b"})
-    last_response.should_not be_ok
-  end
-end

data/spec/session_hijacking_spec.rb

@@ -1,55 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::SessionHijacking do
-  it_behaves_like "any rack application"
-
-  it "accepts a session without changes to tracked parameters" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session
-    get '/', {}, 'rack.session' => session
-    session[:foo].should == :bar
-  end
-
-  it "denies requests with a changing User-Agent header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_USER_AGENT' => 'b'
-    session.should be_empty
-  end
-
-  it "accepts requests with a changing Accept-Encoding header" do
-    # this is tested because previously it led to clearing the session
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_ENCODING' => 'b'
-    session.should_not be_empty
-  end
-
-  it "denies requests with a changing Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'b'
-    session.should be_empty
-  end
-
-  it "accepts requests with the same Accept-Language header" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    session.should_not be_empty
-  end
-
-  it "comparison of Accept-Language header is not case sensitive" do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'a'
-    get '/', {}, 'rack.session' => session, 'HTTP_ACCEPT_LANGUAGE' => 'A'
-    session.should_not be_empty
-  end
-
-  it "accepts requests with a changing Version header"do
-    session = {:foo => :bar}
-    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.0'
-    get '/', {}, 'rack.session' => session, 'HTTP_VERSION' => '1.1'
-    session[:foo].should == :bar
-  end
-end

data/spec/spec_helper.rb

@@ -1,163 +0,0 @@
-require 'rack/protection'
-require 'rack/test'
-require 'rack'
-require 'forwardable'
-require 'stringio'
-
-if defined? Gem.loaded_specs and Gem.loaded_specs.include? 'rack'
-  version = Gem.loaded_specs['rack'].version.to_s
-else
-  version = Rack.release + '.0'
-end
-
-if version == "1.3"
-  Rack::Session::Abstract::ID.class_eval do
-    private
-    def prepare_session(env)
-      session_was                  = env[ENV_SESSION_KEY]
-      env[ENV_SESSION_KEY]         = SessionHash.new(self, env)
-      env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
-      env[ENV_SESSION_KEY].merge! session_was if session_was
-    end
-  end
-end
-
-unless Rack::MockResponse.method_defined? :header
-  Rack::MockResponse.send(:alias_method, :header, :headers)
-end
-
-module DummyApp
-  def self.call(env)
-    Thread.current[:last_env] = env
-    body = (env['REQUEST_METHOD'] == 'HEAD' ? '' : 'ok')
-    [200, {'Content-Type' => env['wants'] || 'text/plain'}, [body]]
-  end
-end
-
-module TestHelpers
-  extend Forwardable
-  def_delegators :last_response, :body, :headers, :status, :errors
-  def_delegators :current_session, :env_for
-  attr_writer :app
-
-  def app
-    @app || mock_app(DummyApp)
-  end
-
-  def mock_app(app = nil, &block)
-    app = block if app.nil? and block.arity == 1
-    if app
-      klass = described_class
-      mock_app do
-        use Rack::Head
-        use(Rack::Config) { |e| e['rack.session'] ||= {}}
-        use klass
-        run app
-      end
-    else
-      @app = Rack::Lint.new Rack::Builder.new(&block).to_app
-    end
-  end
-
-  def with_headers(headers)
-    proc { [200, {'Content-Type' => 'text/plain'}.merge(headers), ['ok']] }
-  end
-
-  def env
-    Thread.current[:last_env]
-  end
-end
-
-# see http://blog.101ideas.cz/posts/pending-examples-via-not-implemented-error-in-rspec.html
-module NotImplementedAsPending
-  def self.included(base)
-    base.class_eval do
-      alias_method :__finish__, :finish
-      remove_method :finish
-    end
-  end
-
-  def finish(reporter)
-    if @exception.is_a?(NotImplementedError)
-      from = @exception.backtrace[0]
-      message = "#{@exception.message} (from #{from})"
-      @pending_declared_in_example = message
-      metadata[:pending] = true
-      @exception = nil
-    end
-
-    __finish__(reporter)
-  end
-
-  RSpec::Core::Example.send :include, self
-end
-
-RSpec.configure do |config|
-  config.expect_with :rspec, :stdlib
-  config.include Rack::Test::Methods
-  config.include TestHelpers
-end
-
-shared_examples_for 'any rack application' do
-  it "should not interfere with normal get requests" do
-    get('/').should be_ok
-    body.should == 'ok'
-  end
-
-  it "should not interfere with normal head requests" do
-    head('/').should be_ok
-  end
-
-  it 'should not leak changes to env' do
-    klass    = described_class
-    detector = Struct.new(:app)
-
-    detector.send(:define_method, :call) do |env|
-      was = env.dup
-      res = app.call(env)
-      was.each do |k,v|
-        next if env[k] == v
-        fail "env[#{k.inspect}] changed from #{v.inspect} to #{env[k].inspect}"
-      end
-      res
-    end
-
-    mock_app do
-      use Rack::Head
-      use(Rack::Config) { |e| e['rack.session'] ||= {}}
-      use detector
-      use klass
-      run DummyApp
-    end
-
-    get('/..', :foo => '<bar>').should be_ok
-  end
-
-  it 'allows passing on values in env' do
-    klass    = described_class
-    detector = Struct.new(:app)
-    changer  = Struct.new(:app)
-
-    detector.send(:define_method, :call) do |env|
-      res = app.call(env)
-      env['foo.bar'].should == 42
-      res
-    end
-
-    changer.send(:define_method, :call) do |env|
-      env['foo.bar'] = 42
-      app.call(env)
-    end
-
-    mock_app do
-      use Rack::Head
-      use(Rack::Config) { |e| e['rack.session'] ||= {}}
-      use detector
-      use klass
-      use changer
-      run DummyApp
-    end
-
-    get('/').should be_ok
-  end
-end

data/spec/xss_header_spec.rb

@@ -1,56 +0,0 @@
-require File.expand_path('../spec_helper.rb', __FILE__)
-
-describe Rack::Protection::XSSHeader do
-  it_behaves_like "any rack application"
-
-  it 'should set the X-XSS-Protection' do
-    get('/', {}, 'wants' => 'text/html;charset=utf-8').headers["X-XSS-Protection"].should == "1; mode=block"
-  end
-
-  it 'should set the X-XSS-Protection for XHTML' do
-    get('/', {}, 'wants' => 'application/xhtml+xml').headers["X-XSS-Protection"].should == "1; mode=block"
-  end
-
-  it 'should not set the X-XSS-Protection for other content types' do
-    get('/', {}, 'wants' => 'application/foo').headers["X-XSS-Protection"].should be_nil
-  end
-
-  it 'should allow changing the protection mode' do
-    # I have no clue what other modes are available
-    mock_app do
-      use Rack::Protection::XSSHeader, :xss_mode => :foo
-      run DummyApp
-    end
-
-    get('/', {}, 'wants' => 'application/xhtml').headers["X-XSS-Protection"].should == "1; mode=foo"
-  end
-
-  it 'should not override the header if already set' do
-    mock_app with_headers("X-XSS-Protection" => "0")
-    get('/', {}, 'wants' => 'text/html').headers["X-XSS-Protection"].should == "0"
-  end
-
-  it 'should set the X-Content-Type-Options' do
-    get('/', {}, 'wants' => 'text/html').header["X-Content-Type-Options"].should == "nosniff"
-  end
-
-
-  it 'should set the X-Content-Type-Options for other content types' do
-    get('/', {}, 'wants' => 'application/foo').header["X-Content-Type-Options"].should == "nosniff"
-  end
-
-
-  it 'should allow changing the nosniff-mode off' do
-    mock_app do
-      use Rack::Protection::XSSHeader, :nosniff => false
-      run DummyApp
-    end
-
-    get('/').headers["X-Content-Type-Options"].should be_nil
-  end
-
-  it 'should not override the header if already set X-Content-Type-Options' do
-    mock_app with_headers("X-Content-Type-Options" => "sniff")
-    get('/', {}, 'wants' => 'text/html').headers["X-Content-Type-Options"].should == "sniff"
-  end
-end