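// TestRefererHttps checks that the CSRF filter chain rejects (403) a POST
// made over https whose Referer header is plain http, even though the form
// body carries a valid csrftoken taken from the session.
func TestRefererHttps(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	// Mint a token into the session first so that the Referer scheme is the
	// only thing left for the filter to reject.
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Make a new request that carries the token in the form body.
	data := url.Values{}
	data.Set("csrftoken", token)
	body := data.Encode()
	formPostRequest, err := http.NewRequest("POST", "https://www.example.com/", bytes.NewBufferString(body))
	if err != nil {
		t.Fatalf("building form request: %v", err)
	}
	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(body)))
	// The request is https but the Referer is http: this scheme downgrade is
	// what the test expects the filter to reject.
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Replace the old request on the controller, keeping its session.
	c.Request = revel.NewRequest(formPostRequest)

	testFilters[0](c, testFilters)

	if c.Response.Status != 403 {
		t.Fatalf("posts to https should have an https referer; got status %d", c.Response.Status)
	}
}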
// ServeHTTP adapts a raw net/http request to a revel controller: it wraps
// w and r in revel's request/response types, runs the revel filter chain,
// then applies the Result the chain produced. Websocket upgrades are not
// supported and panic, as does a response whose Status was set without a
// Result.
func (rc *RevelController) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Dirty hacks, do NOT copy! This overwrites a package-level global on
	// every request. NOTE(review): if several handlers with different routers
	// serve concurrently, this write races — confirm before reusing this.
	revel.MainRouter = rc.router

	switch r.Header.Get("Upgrade") {
	case "websocket", "Websocket":
		panic("Not implemented")
	}

	req := revel.NewRequest(r)
	resp := revel.NewResponse(w)
	c := revel.NewController(req, resp)
	req.Websocket = nil

	revel.Filters[0](c, revel.Filters[1:])

	switch {
	case c.Result != nil:
		c.Result.Apply(req, resp)
	case c.Response.Status != 0:
		panic("Not implemented")
	}

	// Close the writer if it supports it.
	if closer, ok := resp.Out.(io.Closer); ok {
		closer.Close()
	}
}
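// TestPostWithoutToken checks that a POST carrying no CSRF token at all is
// rejected by the filter chain with a 403.
func TestPostWithoutToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	// An empty session: no token has been issued to this client yet.
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if c.Response.Status != 403 {
		t.Fatalf("post without token should be forbidden; got status %d", c.Response.Status)
	}
}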
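// TestTokenInSession checks that running the filter chain on a plain GET
// stores a "csrf_token" entry in the session, so later POSTs have
// something to present.
func TestTokenInSession(t *testing.T) {
	resp := httptest.NewRecorder()
	getRequest, err := http.NewRequest("GET", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if _, ok := c.Session["csrf_token"]; !ok {
		t.Fatal("token should be present in session")
	}
}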
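// TestExemptPathCaseInsensitive checks that a path marked exempt with one
// letter case is still treated as exempt when requested in another case,
// i.e. a token-less POST to it is not rejected with 403.
//
// Note that MarkExempt mutates shared package state, so the exemption
// persists for any test that runs after this one.
func TestExemptPathCaseInsensitive(t *testing.T) {
	MarkExempt("/Controller/Action")

	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/controller/action", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if c.Response.Status == 403 {
		t.Fatal("post to csrf exempt action should pass")
	}
}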
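// TestNoTokenInArgsWhenCORs checks that when the Referer names a different
// host than the request, the filter chain does not expose the CSRF token
// through RenderArgs["_csrftoken"] (which would leak it into a
// cross-origin rendered page).
func TestNoTokenInArgsWhenCORs(t *testing.T) {
	resp := httptest.NewRecorder()

	getRequest, err := http.NewRequest("GET", "http://www.example1.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	// Referer host differs from the request host: not same-origin.
	getRequest.Header.Add("Referer", "http://www.example2.com/")

	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	testFilters[0](c, testFilters)

	if _, ok := c.RenderArgs["_csrftoken"]; ok {
		t.Fatal("RenderArgs should not contain token when not same origin")
	}
}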
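// TestHeaderWithToken checks that a POST presenting the session's CSRF token
// in the X-CSRFToken header (rather than the form body), with a same-origin
// Referer, is not rejected with 403.
func TestHeaderWithToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)

	// Issue a token into the session so the header can carry a valid value.
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Make a new request that presents the token via the header.
	formPostRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building header request: %v", err)
	}
	formPostRequest.Header.Add("X-CSRFToken", token)
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Replace the old request on the controller, keeping its session.
	c.Request = revel.NewRequest(formPostRequest)

	testFilters[0](c, testFilters)

	if c.Response.Status == 403 {
		t.Fatal("post with http header token should be allowed")
	}
}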
// renderError wraps the raw writer and request in revel's request/response
// types, builds a controller over them, and renders err through the
// controller's RenderError, applying the result to the wrapped response.
func renderError(w http.ResponseWriter, r *http.Request, err error) {
	request := revel.NewRequest(r)
	response := revel.NewResponse(w)
	ctrl := revel.NewController(request, response)
	result := ctrl.RenderError(err)
	result.Apply(request, response)
}