Add tests for CSRF and DNS rebind

Problem: We had these problems in the past and we can't have them again. Solution: Tests make it really easy to double-check that we remain immune.
2020-04-10 12:33:22 -07:00 · 2020-04-10 12:33:22 -07:00 · 627e1b3c76
parent 2968f7d80a
commit 627e1b3c76
2 changed files with 28 additions and 5 deletions
--- a/.cspell.json
+++ b/.cspell.json
@ -3,8 +3,9 @@
  "language": "en",
  "words": [
    "AGPL",
-    "EACCESS",
    "Argyris",
+    "CSRF",
+    "EACCESS",
    "Hintjens",
    "Kata",
    "LGPL",
@ -46,8 +47,8 @@
    "shortname",
    "socio",
    "ssbc",
-    "summerfruit",
    "sulphurpool",
+    "summerfruit",
    "systemctl",
    "systemd",
    "unfollow",
--- a/test/basic.js
+++ b/test/basic.js
@ -28,13 +28,35 @@ const paths = [

 tap.setTimeout(0);

+tap.test("DNS rebind attack fails", (t) => {
+  t.plan(1);
+  supertest(app)
+    .get("/inbox")
+    .set("Host", "example.com")
+    .expect(400)
+    .end(t.error);
+});
+
+tap.test("CSRF attack should fail with no referer", (t) => {
+  t.plan(1);
+  supertest(app).post("/conn/settings/stop").expect(400).end(t.error);
+});
+
+tap.test("CSRF attack should fail with wrong referer", (t) => {
+  t.plan(1);
+  supertest(app)
+    .post("/conn/settings/stop")
+    .set("Host", "example.com")
+    .expect(400)
+    .end(t.error);
+});
+
 paths.forEach((path) => {
  tap.test(path, (t) => {
    t.plan(1);
-    supertest
-      .agent(app)
-      .host("localhost") // supertest workaround
+    supertest(app)
      .get(path)
+      .set("Host", "localhost")
      .expect(200)
      .end((err) => {
        console.log(path);