Posted to commits@couchdb.apache.org by kx...@apache.org on 2015/09/28 16:49:32 UTC
[03/39] couchdb commit: updated refs/heads/developer-preview-2.0 to
3ac3db6
CSRF tests
COUCHDB-2762
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/09b9a722
Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/09b9a722
Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/09b9a722
Branch: refs/heads/developer-preview-2.0
Commit: 09b9a722fe4c297eff7041b3426f8e067b921b25
Parents: 0c579b9
Author: Robert Newson <rn...@apache.org>
Authored: Tue Aug 4 11:53:25 2015 +0100
Committer: Robert Newson <rn...@apache.org>
Committed: Wed Aug 5 14:15:01 2015 +0100
----------------------------------------------------------------------
test/javascript/tests/csrf.js | 54 ++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/couchdb/blob/09b9a722/test/javascript/tests/csrf.js
----------------------------------------------------------------------
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
new file mode 100644
index 0000000..9baef82
--- /dev/null
+++ b/test/javascript/tests/csrf.js
@@ -0,0 +1,54 @@
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+couchTests.csrf = function(debug) {
+ if (debug) debugger;
+
+ // Handy function to cause CouchDB to delete the CSRF cookie
+ var deleteCsrf = function() {
+ var xhr = CouchDB.request("GET", "/",
+ {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ TEquals(403, xhr.status);
+ };
+
+ // Shouldn't receive header if we didn't ask for it
+ var xhr = CouchDB.request("GET", "/");
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
+ TEquals(200, xhr.status);
+
+ // Matching but invalid cookie/header should 403
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
+
+ // Can I acquire a CouchDB-CSRF cookie?
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
+ var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
+ T(cookie, "Should receive cookie");
+
+ // If I have a cookie, do I get a 403 if I don't send the header?
+ xhr = CouchDB.request("GET", "/");
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
+
+ // If I have a cookie, do I get a 200 if I send a matching header?
+ xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+ TEquals(200, xhr.status);
+ TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
+
+ // How about the wrong header?
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
+
+ deleteCsrf();
+};
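Review bot: The `deleteCsrf` helper (L46–L50) asserts only the 403, so the cookie deletion its comment promises is never verified, and the closing `deleteCsrf();` call cannot distinguish a cleared cookie from one that merely failed validation. A follow-up request without the header should succeed again once the cookie is gone, mirroring the opening check: `xhr = CouchDB.request("GET", "/"); TEquals(200, xhr.status, "CSRF cookie should be gone");`, placed after `deleteCsrf();`. The same helper body is repeated inline at L58–L59; calling `deleteCsrf()` there would keep the two in step. Separately, a missing `Set-Cookie` header on L64 surfaces as a TypeError from `.match` rather than the intended `T(cookie, ...)` failure; guarding it first, `var setCookie = xhr.getResponseHeader("Set-Cookie"); T(setCookie, "Should receive Set-Cookie");`, gives a clearer failure.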