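// TestRefererHttps checks that a POST over https carrying a valid CSRF token
// is still rejected (403) when the Referer is a plain-http origin, i.e. the
// filter requires an https referer for https requests.
func TestRefererHttps(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Build a form POST over https that carries the token but an http Referer.
	data := url.Values{}
	data.Set("csrftoken", token)
	encoded := data.Encode() // encode once; used for both the body and Content-Length
	formPostRequest, err := http.NewRequest("POST", "https://www.example.com/", bytes.NewBufferString(encoded))
	if err != nil {
		t.Fatalf("building form request: %v", err)
	}
	formPostRequest.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	formPostRequest.Header.Add("Content-Length", strconv.Itoa(len(encoded)))
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Replace the controller's request with the form POST and run the filter chain.
	c.Request = revel.NewRequest(formPostRequest)
	testFilters[0](c, testFilters)
	if c.Response.Status != 403 {
		t.Fatal("posts to https should have an https referer")
	}
}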
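// ServeHTTP adapts a revel controller to net/http: it builds a revel request,
// response and controller for r, runs the revel filter chain and applies the
// resulting revel.Result to the response writer.
//
// NOTE(review): revel.MainRouter is a package-level variable that is
// reassigned on every request. net/http serves requests concurrently, so this
// write races with other in-flight requests unless revel serialises access to
// it elsewhere — the original author already flagged it as a hack.
func (rc *RevelController) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Dirty hacks, do NOT copy!
	revel.MainRouter = rc.router

	// Only the two spellings the original accepted are recognised; any other
	// casing of "websocket" falls through to the plain HTTP path.
	if upgrade := r.Header.Get("Upgrade"); upgrade == "websocket" || upgrade == "Websocket" {
		panic("Not implemented")
	}

	req := revel.NewRequest(r)
	resp := revel.NewResponse(w)
	c := revel.NewController(req, resp)
	req.Websocket = nil

	revel.Filters[0](c, revel.Filters[1:])
	switch {
	case c.Result != nil:
		c.Result.Apply(req, resp)
	case c.Response.Status != 0:
		// A status was set without a Result; writing it out was never implemented.
		panic("Not implemented")
	}

	// Close the underlying writer when it supports it. Named closer rather than
	// shadowing the ResponseWriter parameter w as the original did.
	if closer, ok := resp.Out.(io.Closer); ok {
		_ = closer.Close() // best-effort; the response has already been written
	}
}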
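// TestPostWithoutToken checks that a POST with an empty session and no CSRF
// token in the request is rejected with 403 by the filter chain.
func TestPostWithoutToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	testFilters[0](c, testFilters)
	if c.Response.Status != 403 {
		t.Fatal("post without token should be forbidden")
	}
}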
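// TestTokenInSession checks that running the filter chain for a GET on a
// fresh session leaves a "csrf_token" entry in the session.
func TestTokenInSession(t *testing.T) {
	resp := httptest.NewRecorder()
	getRequest, err := http.NewRequest("GET", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	testFilters[0](c, testFilters)
	if _, ok := c.Session["csrf_token"]; !ok {
		t.Fatal("token should be present in session")
	}
}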
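// TestExemptPathCaseInsensitive checks that a path registered with MarkExempt
// in one casing exempts a tokenless POST to the same path in another casing.
// MarkExempt appears to register the path globally, so the exemption
// presumably persists for later tests in the same process — confirm if test
// ordering ever matters.
func TestExemptPathCaseInsensitive(t *testing.T) {
	MarkExempt("/Controller/Action")
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/controller/action", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	testFilters[0](c, testFilters)
	if c.Response.Status == 403 {
		t.Fatal("post to csrf exempt action should pass")
	}
}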
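// TestNoTokenInArgsWhenCORs checks that a GET whose Referer is a different
// origin from the request URL does not get the CSRF token exposed through
// RenderArgs["_csrftoken"].
func TestNoTokenInArgsWhenCORs(t *testing.T) {
	resp := httptest.NewRecorder()
	getRequest, err := http.NewRequest("GET", "http://www.example1.com/", nil)
	if err != nil {
		t.Fatalf("building request: %v", err)
	}
	// Cross-origin Referer relative to the request host.
	getRequest.Header.Add("Referer", "http://www.example2.com/")
	c := revel.NewController(revel.NewRequest(getRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	testFilters[0](c, testFilters)
	if _, ok := c.RenderArgs["_csrftoken"]; ok {
		t.Fatal("RenderArgs should not contain token when not same origin")
	}
}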
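// TestHeaderWithToken checks that a POST carrying the session's CSRF token in
// the X-CSRFToken header, with a same-origin Referer, is not rejected (403).
func TestHeaderWithToken(t *testing.T) {
	resp := httptest.NewRecorder()
	postRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building initial request: %v", err)
	}
	c := revel.NewController(revel.NewRequest(postRequest), revel.NewResponse(resp))
	c.Session = make(revel.Session)
	RefreshToken(c)
	token := c.Session["csrf_token"]

	// Second request: the token travels in a header instead of the form.
	formPostRequest, err := http.NewRequest("POST", "http://www.example.com/", nil)
	if err != nil {
		t.Fatalf("building header request: %v", err)
	}
	formPostRequest.Header.Add("X-CSRFToken", token)
	formPostRequest.Header.Add("Referer", "http://www.example.com/")

	// Swap the controller's request and run the filter chain.
	c.Request = revel.NewRequest(formPostRequest)
	testFilters[0](c, testFilters)
	if c.Response.Status == 403 {
		t.Fatal("post with http header token should be allowed")
	}
}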
// renderError renders err through revel's standard error result onto w for
// the incoming request r.
func renderError(w http.ResponseWriter, r *http.Request, err error) {
	revelReq := revel.NewRequest(r)
	revelResp := revel.NewResponse(w)
	ctrl := revel.NewController(revelReq, revelResp)
	result := ctrl.RenderError(err)
	result.Apply(revelReq, revelResp)
}
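// FilterForApiDoc is a revel filter that, when the "yaag.record" config flag
// is set, captures the request and the response produced by the remaining
// filter chain and hands them to yaag for API-documentation generation. When
// recording is off it simply calls the next filter and returns.
//
// NOTE(review): when recording is on, the full request body and every request
// header not listed in yaag.CommonHeaders (which may include Authorization or
// Cookie, depending on that list) are copied into the generated documentation.
// Confirm "yaag.record" is never enabled outside a development environment.
func FilterForApiDoc(c *revel.Controller, fc []revel.Filter) {
	if record, _ := revel.Config.Bool("yaag.record"); !record {
		fc[0](c, fc[1:])
		return
	}

	// Swap the real response for a recorder so the downstream result can be
	// captured; w.Body, w.Header() and w.Code are read after the chain runs.
	w := httptest.NewRecorder()
	c.Response = revel.NewResponse(w)

	httpVerb := c.Request.Method
	// assumes ReadBody returns a *string that may be nil — TODO confirm; the
	// original dereferenced it unconditionally.
	var bodyStr string
	if body := middleware.ReadBody(c.Request.Request); body != nil {
		bodyStr = *body
	}

	// The decoded parameters themselves are discarded (as in the original);
	// only the debug line below observes the outcome.
	hasJSON, hasXML := decodeParams(c.Request.ContentType, httpVerb, bodyStr, c.Request.URL.RawQuery)
	log.Println(hasJSON, hasXML)

	// Call the remaining filters and apply the result onto the recorder.
	fc[0](c, fc[1:])
	if c.Result != nil {
		c.Result.Apply(c.Request, c.Response)
	}

	doc := yaag.APICall{
		MethodType:           httpVerb,
		CurrentPath:          c.Request.URL.Path,
		RequestBody:          bodyStr,
		CommonRequestHeaders: make(map[string]string),
		RequestHeader:        make(map[string]string),
	}
	// Split request headers into the "common" set and everything else.
	for k, v := range c.Request.Header {
		joined := strings.Join(v, " ")
		if isCommonHeader(k) {
			doc.CommonRequestHeaders[k] = joined
		} else {
			doc.RequestHeader[k] = joined
		}
	}
	doc.PostForm = joinValues(c.Params.Form)
	doc.RequestUrlParams = joinValues(c.Request.URL.Query())
	doc.ResponseHeader = joinValues(w.Header())
	doc.ResponseBody = w.Body.String()
	doc.ResponseCode = w.Code

	// NOTE(review): BaseLink is a shared package-level value written on every
	// recorded request — racy under concurrent requests unless yaag
	// synchronises it; confirm before enabling recording under load.
	yaag.ApiCallValueInstance.BaseLink = c.Request.Host
	// Fire-and-forget; nothing waits for this goroutine to finish.
	go yaag.GenerateHtml(&doc)
}

// decodeParams tries to decode the request parameters as JSON or XML, logging
// malformed input, and reports which format (if any) decoded successfully.
// For POST/PUT/PATCH the raw body is decoded, otherwise the raw query string.
// The decoded values are not used further.
func decodeParams(contentType, verb, rawBody, rawQuery string) (hasJSON, hasXML bool) {
	src := rawQuery
	if verb == "POST" || verb == "PUT" || verb == "PATCH" {
		src = rawBody
	}
	params := make(map[string]interface{})
	switch contentType {
	case "application/json":
		if err := json.Unmarshal([]byte(src), &params); err != nil {
			log.Println("Json Error ! ", err)
			return false, false
		}
		return true, false
	case "application/xml":
		// encoding/xml does not support unmarshalling into a map, so this
		// always fails and logs; kept for parity with the original, and the
		// XML body is still recorded verbatim by the caller.
		if err := xml.Unmarshal([]byte(src), &params); err != nil {
			log.Println("Xml Error ! ", err)
			return false, false
		}
		return false, true
	}
	return false, false
}

// isCommonHeader reports whether k appears in yaag.CommonHeaders (exact match).
func isCommonHeader(k string) bool {
	for _, hk := range yaag.CommonHeaders {
		if k == hk {
			return true
		}
	}
	return false
}

// joinValues flattens a multi-valued header/form/query map into a single
// string per key, joining multiple values with a space.
func joinValues(vals map[string][]string) map[string]string {
	out := make(map[string]string, len(vals))
	for k, v := range vals {
		out[k] = strings.Join(v, " ")
	}
	return out
}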