From 627e1b3c7658ec8b31b89375b6e82e80e0264bb0 Mon Sep 17 00:00:00 2001
From: Christian Bundy
Date: Fri, 10 Apr 2020 12:33:22 -0700
Subject: [PATCH] Add tests for CSRF and DNS rebind

Problem: We had these problems in the past and we can't have them again.

Solution: Tests make it really easy to double-check that we remain immune.
---
 .cspell.json | 5 +++--
 test/basic.js | 28 +++++++++++++++++++++++++---
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/.cspell.json b/.cspell.json
index 353ba67..6b8c792 100644
--- a/.cspell.json
+++ b/.cspell.json
@@ -3,8 +3,9 @@
 "language": "en",
 "words": [
 "AGPL",
- "EACCESS",
 "Argyris",
+ "CSRF",
+ "EACCESS",
 "Hintjens",
 "Kata",
 "LGPL",
@@ -46,8 +47,8 @@
 "shortname",
 "socio",
 "ssbc",
- "summerfruit",
 "sulphurpool",
+ "summerfruit",
 "systemctl",
 "systemd",
 "unfollow",
diff --git a/test/basic.js b/test/basic.js
index 6f8225c..efcd09c 100644
--- a/test/basic.js
+++ b/test/basic.js
@@ -28,13 +28,35 @@ const paths = [
 tap.setTimeout(0);
 
+tap.test("DNS rebind attack fails", (t) => {
+ t.plan(1);
+ supertest(app)
+ .get("/inbox")
+ .set("Host", "example.com")
+ .expect(400)
+ .end(t.error);
+});
+
+tap.test("CSRF attack should fail with no referer", (t) => {
+ t.plan(1);
+ supertest(app).post("/conn/settings/stop").expect(400).end(t.error);
+});
+
+tap.test("CSRF attack should fail with wrong referer", (t) => {
+ t.plan(1);
+ supertest(app)
+ .post("/conn/settings/stop")
+ .set("Host", "example.com")
+ .expect(400)
+ .end(t.error);
+});
+
 paths.forEach((path) => {
 tap.test(path, (t) => {
 t.plan(1);
- supertest
- .agent(app)
- .host("localhost") // supertest workaround
+ supertest(app)
 .get(path)
+ .set("Host", "localhost")
 .expect(200)
 .end((err) => {
 console.log(path);