authorGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 18:12:41 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-02-03 18:12:41 +0300
commit67daaf4021a180166ad063e3a75ea777e96586a6 (patch)
tree9ba7459c9c149e151fd31fa1fa7f31a186602eff /spec/lib/gitlab/rack_attack
parent584ccdaf68710dec2c717a010cbab2610c0155ed (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/lib/gitlab/rack_attack')
-rw-r--r--spec/lib/gitlab/rack_attack/request_spec.rb38
1 files changed, 38 insertions, 0 deletions
diff --git a/spec/lib/gitlab/rack_attack/request_spec.rb b/spec/lib/gitlab/rack_attack/request_spec.rb
index 37db588ce16..9b882f26480 100644
--- a/spec/lib/gitlab/rack_attack/request_spec.rb
+++ b/spec/lib/gitlab/rack_attack/request_spec.rb
@@ -192,6 +192,44 @@ RSpec.describe Gitlab::RackAttack::Request do
end
end
+ describe '#frontend_request?', :allow_forgery_protection do
+ subject { request.send(:frontend_request?) }
+
+ let(:path) { '/' }
+
+ # Define these as local variables so we can use them in the `where` block.
+ valid_token = SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH)
+ other_token = SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH)
+
+ where(:session, :env, :expected) do
+ {} | {} | false # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands
+ {} | { 'HTTP_X_CSRF_TOKEN' => valid_token } | false
+ { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => other_token } | false
+ { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => valid_token } | true
+ end
+
+ with_them do
+ it { is_expected.to eq(expected) }
+ end
+
+ context 'when the feature flag is disabled' do
+ before do
+ stub_feature_flags(rate_limit_frontend_requests: false)
+ end
+
+ where(:session, :env) do
+ {} | {} # rubocop:disable Lint/BinaryOperatorWithIdenticalOperands
+ {} | { 'HTTP_X_CSRF_TOKEN' => valid_token }
+ { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => other_token }
+ { _csrf_token: valid_token } | { 'HTTP_X_CSRF_TOKEN' => valid_token }
+ end
+
+ with_them do
+ it { is_expected.to be(false) }
+ end
+ end
+ end
+
describe '#deprecated_api_request?' do
subject { request.send(:deprecated_api_request?) }
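Review bot: The `where` table in the new `#frontend_request?` block only pins the unmasked case — the row returning true puts the raw session `_csrf_token` byte-for-byte into `HTTP_X_CSRF_TOKEN`, while a real Rails frontend sends the masked `form_authenticity_token`, which differs from the session value yet must still be accepted, and that path is never asserted. If `frontend_request?` delegates to Rails' `valid_authenticity_token?` it will handle masking, but a later rewrite that compares the two strings directly would keep this spec green while misclassifying genuine frontend traffic. Consider adding a row whose header is the masked form of `valid_token` (produced through ActionController::RequestForgeryProtection's own masking helper rather than a hand-built value) with `expected` true, and one with a header of the wrong length expecting false, so the classification is pinned to token validity rather than string equality. The enclosing `RSpec.describe` and the `request` let it relies on start before this hunk.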