Welcome to mirror list, hosted at ThFree Co, Russian Federation.

request_forgery_protection_spec.rb « gitlab « lib « spec - gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/spec/lib/gitlab/request_forgery_protection_spec.rb
blob: dbf9f2957060ca24b11d7f8c063dfb976c358078 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Gitlab::RequestForgeryProtection, :allow_forgery_protection do
  let(:csrf_token) { SecureRandom.base64(ActionController::RequestForgeryProtection::AUTHENTICITY_TOKEN_LENGTH) }
  let(:env) do
    {
      'rack.input' => '',
      'rack.session' => {
        _csrf_token: csrf_token
      }
    }
  end

  before do
    allow(env['rack.session']).to receive(:enabled?).and_return(true)
    allow(env['rack.session']).to receive(:loaded?).and_return(true)
  end

  it 'logs to /dev/null' do
    expect(ActiveSupport::Logger).to receive(:new).with(File::NULL)

    described_class::Controller.new.logger
  end

  describe '.call' do
    context 'when the request method is GET' do
      before do
        env['REQUEST_METHOD'] = 'GET'
      end

      it 'does not raise an exception' do
        expect { described_class.call(env) }.not_to raise_exception
      end
    end

    context 'when the request method is POST' do
      before do
        env['REQUEST_METHOD'] = 'POST'
      end

      context 'when the CSRF token is valid' do
        before do
          env['HTTP_X_CSRF_TOKEN'] = csrf_token
        end

        it 'does not raise an exception' do
          expect { described_class.call(env) }.not_to raise_exception
        end
      end

      context 'when the CSRF token is invalid' do
        before do
          env['HTTP_X_CSRF_TOKEN'] = 'foo'
        end

        it 'raises an ActionController::InvalidAuthenticityToken exception' do
          expect { described_class.call(env) }.to raise_exception(ActionController::InvalidAuthenticityToken)
        end
      end
    end
  end

  describe '.verified?' do
    it 'does not modify the env' do
      env['REQUEST_METHOD'] = "GET"
      expect { described_class.verified?(env) }.not_to change { env }
    end

    context 'when the request method is GET' do
      before do
        env['REQUEST_METHOD'] = 'GET'
      end

      it 'returns true' do
        expect(described_class.verified?(env)).to be_truthy
      end
    end

    context 'when the request method is POST' do
      before do
        env['REQUEST_METHOD'] = 'POST'
      end

      context 'when the CSRF token is valid' do
        before do
          env['HTTP_X_CSRF_TOKEN'] = csrf_token
        end

        it 'returns true' do
          expect(described_class.verified?(env)).to be_truthy
        end
      end

      context 'when the CSRF token is invalid' do
        before do
          env['HTTP_X_CSRF_TOKEN'] = 'foo'
        end

        it 'returns false' do
          expect(described_class.verified?(env)).to be_falsey
        end
      end
    end
  end
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 15:07:53 +0300