Add tests for CSRF and DNS rebind
Problem: We had these problems in the past and we can't have them again. Solution: Tests make it really easy to double-check that we remain immune.
This commit is contained in:
parent
2968f7d80a
commit
627e1b3c76
|
@ -3,8 +3,9 @@
|
|||
"language": "en",
|
||||
"words": [
|
||||
"AGPL",
|
||||
"EACCESS",
|
||||
"Argyris",
|
||||
"CSRF",
|
||||
"EACCESS",
|
||||
"Hintjens",
|
||||
"Kata",
|
||||
"LGPL",
|
||||
|
@ -46,8 +47,8 @@
|
|||
"shortname",
|
||||
"socio",
|
||||
"ssbc",
|
||||
"summerfruit",
|
||||
"sulphurpool",
|
||||
"summerfruit",
|
||||
"systemctl",
|
||||
"systemd",
|
||||
"unfollow",
|
||||
|
|
|
@ -28,13 +28,35 @@ const paths = [
|
|||
|
||||
tap.setTimeout(0);
|
||||
|
||||
tap.test("DNS rebind attack fails", (t) => {
|
||||
t.plan(1);
|
||||
supertest(app)
|
||||
.get("/inbox")
|
||||
.set("Host", "example.com")
|
||||
.expect(400)
|
||||
.end(t.error);
|
||||
});
|
||||
|
||||
tap.test("CSRF attack should fail with no referer", (t) => {
|
||||
t.plan(1);
|
||||
supertest(app).post("/conn/settings/stop").expect(400).end(t.error);
|
||||
});
|
||||
|
||||
tap.test("CSRF attack should fail with wrong referer", (t) => {
|
||||
t.plan(1);
|
||||
supertest(app)
|
||||
.post("/conn/settings/stop")
|
||||
.set("Host", "example.com")
|
||||
.expect(400)
|
||||
.end(t.error);
|
||||
});
|
||||
|
||||
paths.forEach((path) => {
|
||||
tap.test(path, (t) => {
|
||||
t.plan(1);
|
||||
supertest
|
||||
.agent(app)
|
||||
.host("localhost") // supertest workaround
|
||||
supertest(app)
|
||||
.get(path)
|
||||
.set("Host", "localhost")
|
||||
.expect(200)
|
||||
.end((err) => {
|
||||
console.log(path);
|
||||
|
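Review bot: The "CSRF attack should fail with wrong referer" test never sends a Referer header — it sets `Host` to example.com, which is the same condition the "DNS rebind attack fails" test already covers, so a 400 here is most likely produced by the Host check rather than by any Referer validation, and the test would keep passing even if referer checking were removed. To exercise the CSRF path on its own, keep the Host on the allowed value and make the Referer the foreign one: `.set("Host", "localhost")` followed by `.set("Referer", "http://example.com/")` (a constructed sample origin; the exact rejected value depends on the app's check, which is outside this hunk). The "no referer" test similarly relies on whatever default Host supertest sends; pinning `.set("Host", "localhost")` there too would make it independent of the rebind check. The arrow function passed to `.end` at the bottom of the hunk continues outside the hunk.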
|