strict-forgery-protection 0.0.7 → 0.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
data/test/controller_test.rb
CHANGED
|
@@ -66,11 +66,16 @@ class ControllerTest < ActionController::TestCase
|
|
|
66
66
|
end
|
|
67
67
|
|
|
68
68
|
def test_unverified_get_write
|
|
69
|
-
|
|
69
|
+
# GET requests do not perform authenticity verification, since such requests are not intended to change server state. Still, people
|
|
70
|
+
# write applications that have GET requests change the state all the time. While we cannot offer full protection, we at least trip
|
|
71
|
+
# up the developer after the update has taken place in hopes that to draw attention to the problem and that they will fix it.
|
|
72
|
+
assert_raises(ForgeryProtection::AttemptError) { get :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'xsrf exploit' }
|
|
70
73
|
end
|
|
71
74
|
|
|
72
75
|
def test_unverified_post_write
|
|
73
|
-
assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => '
|
|
76
|
+
assert_raises(ForgeryProtection::AttemptError) { post :write, :id => Post.last, :authenticity_token => 'bad token', :message => 'xsrf exploit' }
|
|
77
|
+
|
|
78
|
+
assert_not_equal 'xsrf exploit', Post.last.message, 'Should prevent exploit update'
|
|
74
79
|
end
|
|
75
80
|
|
|
76
81
|
def test_unprotected_writes
|
data/test/test.sqlite3
CHANGED
|
Binary file
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
require 'test_helper'
|
|
2
|
+
|
|
3
|
+
class UnverifiedRequestHandlingTest < ControllerTest
|
|
4
|
+
class DefaultController < ActionController::Base
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
class RaisingExceptionController < ActionController::Base
|
|
8
|
+
private
|
|
9
|
+
|
|
10
|
+
def verify_unverified_request
|
|
11
|
+
raise 'Bad error!'
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def test_default_controller
|
|
16
|
+
|
|
17
|
+
end
|
|
18
|
+
end
|
metadata
CHANGED
|
@@ -2,14 +2,14 @@
|
|
|
2
2
|
name: strict-forgery-protection
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
4
|
prerelease:
|
|
5
|
-
version: 0.0.
|
|
5
|
+
version: 0.0.8
|
|
6
6
|
platform: ruby
|
|
7
7
|
authors:
|
|
8
8
|
- Dmitry Ratnikov
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2012-
|
|
12
|
+
date: 2012-06-18 00:00:00.000000000Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: rails
|
|
@@ -37,8 +37,9 @@ files:
|
|
|
37
37
|
- lib/forgery_protection/version.rb
|
|
38
38
|
- test/controller_test.rb
|
|
39
39
|
- test/db_events_test.rb
|
|
40
|
-
- test/test.sqlite3
|
|
41
40
|
- test/test_helper.rb
|
|
41
|
+
- test/test.sqlite3
|
|
42
|
+
- test/unverified_request_handling_test.rb
|
|
42
43
|
homepage: http://github.com/ratnikov/strict-forgery-protection
|
|
43
44
|
licenses: []
|
|
44
45
|
post_install_message:
|
|
@@ -66,6 +67,7 @@ summary: Extends Rails to be strict CSRF token protection
|
|
|
66
67
|
test_files:
|
|
67
68
|
- test/controller_test.rb
|
|
68
69
|
- test/db_events_test.rb
|
|
69
|
-
- test/test.sqlite3
|
|
70
70
|
- test/test_helper.rb
|
|
71
|
+
- test/test.sqlite3
|
|
72
|
+
- test/unverified_request_handling_test.rb
|
|
71
73
|
...
|