Posted to commits@allura.apache.org by he...@apache.org on 2015/07/27 22:20:11 UTC
[03/22] allura git commit: [#7927] strengthen / document tests a bit
[#7927] strengthen / document tests a bit
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/bbeebdbb
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/bbeebdbb
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/bbeebdbb
Branch: refs/heads/hs/7925
Commit: bbeebdbb9a3059f1c4595203967e2dbb6bd3a7a6
Parents: 82a3642
Author: Dave Brondsema <db...@slashdotmedia.com>
Authored: Tue Jul 21 17:43:23 2015 +0000
Committer: Dave Brondsema <db...@slashdotmedia.com>
Committed: Tue Jul 21 17:44:31 2015 +0000
----------------------------------------------------------------------
Allura/allura/tests/functional/test_rest.py | 18 ++++++++++++++++++
Allura/allura/tests/test_middlewares.py | 1 +
2 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/bbeebdbb/Allura/allura/tests/functional/test_rest.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_rest.py b/Allura/allura/tests/functional/test_rest.py
index 3fed49c..903cda7 100644
--- a/Allura/allura/tests/functional/test_rest.py
+++ b/Allura/allura/tests/functional/test_rest.py
@@ -353,6 +353,24 @@ class TestRestHome(TestRestApiBase):
r = self.api_get('/rest/p/test/')
assert r.status_int == 404
+ @td.with_wiki
+ def test_cors_POST_req_blocked_by_csrf(self):
+ # so test-admin isn't automatically logged in for all requests
+ self.app.extra_environ = {'disable_auth_magic': 'True'}
+
+ # regular login to get a session cookie set up
+ r = self.app.get('/auth/')
+ r.form['username'] = 'test-admin'
+ r.form['password'] = 'foo'
+ r.form.submit()
+
+ # simulate CORS ajax request withCredentials (cookie headers)
+ # make sure we don't allow the cookies to authorize the request (else could be a CSRF attack vector)
+ assert self.app.cookies['allura']
+ self.app.post('/rest/p/test/wiki/NewPage', headers={'Origin': 'http://bad.com/'},
+ status=401)
+
+
class TestDoap(TestRestApiBase):
validate_skip = True
ns = '{http://usefulinc.com/ns/doap#}'
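Review bot: test_cors_POST_req_blocked_by_csrf pins only the negative outcome, the 401 on `self.app.post('/rest/p/test/wiki/NewPage', headers={'Origin': 'http://bad.com/'}, status=401)`, which would also pass if the endpoint had simply broken and started rejecting every POST. A positive control in the same test — the same POST without the Origin header (or with the CSRF token the cookie-authenticated path expects), asserted against whatever status that path returns today — would show that the 401 is specifically the cross-origin request being denied cookie-based auth rather than a generally failing endpoint. The login step's `r.form.submit()` result is also unchecked; the later `assert self.app.cookies['allura']` proves a cookie exists but not that the login succeeded, so binding the response and asserting the expected post-login status would make a failed login fail at that line instead of surfacing as a misleading 401. Minor: a browser-sent Origin header carries no path, so `'http://bad.com'` is the more faithful value than `'http://bad.com/'`.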
http://git-wip-us.apache.org/repos/asf/allura/blob/bbeebdbb/Allura/allura/tests/test_middlewares.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/test_middlewares.py b/Allura/allura/tests/test_middlewares.py
index 4b45097..58dc515 100644
--- a/Allura/allura/tests/test_middlewares.py
+++ b/Allura/allura/tests/test_middlewares.py
@@ -77,6 +77,7 @@ class TestCORSMiddleware(object):
exc.HTTPOk.return_value.assert_called_once_with(env, callback)
def test_get_response_headers_simple(self):
+ # Allow-Origin: * is crucial for security, since that prevents browsers from exposing results fetched withCredentials: true (aka cookies)
assert_equal(self.cors.get_response_headers(),
[('Access-Control-Allow-Origin', '*')])
assert_equal(self.cors.get_response_headers(preflight=False),