strict-forgery-protection 0.0.7 → 0.0.8
Sign up to get free protection for your applications and to get access to all the features.
data/test/controller_test.rb
CHANGED
|
@@ -66,11 +66,16 @@ class ControllerTest < ActionController::TestCase
|
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
def test_unverified_get_write
|
|
69
|
-
|
|
69
|
+
# GET requests do not perform authenticity verification, since such requests are not intended to change server state. Still, people
|
|
70
|
+
# write applications that have GET requests change the state all the time. While we cannot offer full protection, we at least trip
|
|
71
|
+
# up the developer after the update has taken place in hopes that to draw attention to the problem and that they will fix it.
|
|
72
|
+
assert_raises(ForgeryProtection::AttemptError) { get :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'xsrf exploit' }
|
|
70
73
|
end
|
|
71
74
|
|
|
72
75
|
def test_unverified_post_write
|
|
73
|
-
assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => '
|
|
76
|
+
assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'xsrf exploit' }
|
|
77
|
+
|
|
78
|
+
assert_not_equal 'xsrf exploit', Post.last.message, 'Should prevent exploit update'
|
|
74
79
|
end
|
|
75
80
|
|
|
76
81
|
def test_unprotected_writes
|
data/test/test.sqlite3
CHANGED
|
Binary file
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
require 'test_helper'
|
|
2
|
+
|
|
3
|
+
class UnverifiedRequestHandlingTest < ControllerTest
|
|
4
|
+
class DefaultController < ActionController::Base
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
class RaisingExceptionController < ActionController::Base
|
|
8
|
+
private
|
|
9
|
+
|
|
10
|
+
def verify_unverified_request
|
|
11
|
+
raise 'Bad error!'
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def test_default_controller
|
|
16
|
+
|
|
17
|
+
end
|
|
18
|
+
end
|
metadata
CHANGED
|
@@ -2,14 +2,14 @@
|
|
|
2
2
|
name: strict-forgery-protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease:
|
|
5
|
-
version: 0.0.
|
|
5
|
+
version: 0.0.8
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- Dmitry Ratnikov
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-
|
|
12
|
+
date: 2012-06-18 00:00:00.000000000Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rails
|
|
@@ -37,8 +37,9 @@ files:
|
|
|
37
37
|
- lib/forgery_protection/version.rb
|
|
38
38
|
- test/controller_test.rb
|
|
39
39
|
- test/db_events_test.rb
|
|
40
|
-
- test/test.sqlite3
|
|
41
40
|
- test/test_helper.rb
|
|
41
|
+
- test/test.sqlite3
|
|
42
|
+
- test/unverified_request_handling_test.rb
|
|
42
43
|
homepage: http://github.com/ratnikov/strict-forgery-protection
|
|
43
44
|
licenses: []
|
|
44
45
|
post_install_message:
|
|
@@ -66,6 +67,7 @@ summary: Extends Rails to be strict CSRF token protection
|
|
|
66
67
|
test_files:
|
|
67
68
|
- test/controller_test.rb
|
|
68
69
|
- test/db_events_test.rb
|
|
69
|
-
- test/test.sqlite3
|
|
70
70
|
- test/test_helper.rb
|
|
71
|
+
- test/test.sqlite3
|
|
72
|
+
- test/unverified_request_handling_test.rb
|
|
71
73
|
...
|