Hi Daniel,
  describe "Example", :type => :request do
    # Equivalent to:
    #   curl -k -i -X POST -d '{"api_token":0}' https://api.example.local/reset_password
    # See https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion
    it "should not be exploitable by using an integer token value" do
      # The body is passed as a raw JSON string (not a params hash) so the
      # JSON parser, not the test helper, decides how the value is typed.
      post "/reset_password", '{"api_token":0}',
           'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json'
      response.status.should == 401
    end
  end
Cheers,
Lawrence
I apologize if this message was sent more than once, I tried to post through the Google Groups page but it didn't seem to work.

In order to ensure that my application is not vulnerable to this exploit, I am trying to create a controller test in RSpec to cover it. In order to do so, I need to be able to post raw JSON, but I haven't been able to find a way to do that. In doing some research, I've determined that there at least used to be a way to do so using the RAW_POST_DATA header, but this doesn't seem to work anymore:
  it "should not be exploitable by using an integer token value" do
    # Attempt to hand the controller a raw JSON body via the request env
    request.env["CONTENT_TYPE"] = "application/json"
    request.env["RAW_POST_DATA"] = { token: 0 }.to_json
    post :reset_password
  end
When I look at the params hash, token is not set at all, and it just contains { "controller" => "user", "action" => "reset_password" }. I get the same results when trying to use XML, or even when trying to just use regular post data; in all cases it seems not to set it at all.

I know that with the recent Rails vulnerabilities, the way parameters are hashed was changed, but is there still a way to post raw data through RSpec? Can I somehow directly use Rack::Test::Methods?

Any help would be appreciated.
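The two messages above both turn on the same point: a token arriving in a raw JSON body may be an Integer, null or an array rather than a String, and the test has to deliver the body raw so the JSON parser, not the test helper, types the value. The following is an added, stand-alone example (not code from Lawrence, Daniel, RSpec or Rails). It builds the minimal Rack env that a request spec or Rack::Test would build for a raw-JSON POST, and pairs it with a stand-in reset_password handler that refuses any api_token that is not a non-empty String of the expected shape before it reaches the lookup. The token store, token format and the 401/400 split are constructed assumptions for the example.

```ruby
# Added example, not code from the original thread. Stdlib only.
# Demonstrates (1) posting a raw JSON body the way a request spec does,
# (2) rejecting non-String api_token values before any lookup.
require 'json'
require 'stringio'

# Constructed in-memory token store standing in for the users table.
VALID_TOKENS = { 'a1b2c3d4e5f6' => 'alice@example.local' }.freeze

# Assumed token format: 12 lowercase hex digits (constructed for the example).
TOKEN_FORMAT = /\A[0-9a-f]{12}\z/

# Build a minimal Rack env for a raw-body POST, the way a request spec
# (or Rack::Test) would: the body lives in rack.input, not in a params hash.
def json_post_env(path, raw_body, content_type = 'application/json')
  {
    'REQUEST_METHOD' => 'POST',
    'PATH_INFO' => path,
    'CONTENT_TYPE' => content_type,
    'HTTP_ACCEPT' => 'application/json',
    'rack.input' => StringIO.new(raw_body),
  }
end

# Parse the body as JSON. Returns nil unless the content type is JSON and
# the document is a JSON object (a bare scalar or array is not a params hash).
def parse_json_body(env)
  raw = env['rack.input'].read
  return nil unless env['CONTENT_TYPE'].to_s.start_with?('application/json')
  parsed = JSON.parse(raw)
  parsed.is_a?(Hash) ? parsed : nil
rescue JSON::ParserError
  nil
end

# The security-relevant check: JSON can deliver 0, null, [] or {} where the
# code expects a string. Only a non-empty String matching TOKEN_FORMAT may
# reach the lookup; everything else is treated as an unauthenticated request.
def valid_token_param?(value)
  value.is_a?(String) && TOKEN_FORMAT.match?(value)
end

# Stand-in for the reset_password action; returns a Rack triple.
def reset_password(env)
  params = parse_json_body(env)
  return [400, {}, ['bad request']] if params.nil?

  token = params['api_token']
  return [401, {}, ['unauthorized']] unless valid_token_param?(token)

  email = VALID_TOKENS[token]
  return [401, {}, ['unauthorized']] if email.nil?

  [200, { 'Content-Type' => 'application/json' }, [{ 'reset_for' => email }.to_json]]
end

# Mirrors what the spec asserts on: just the status code.
def reset_password_status(raw_body, content_type = 'application/json')
  reset_password(json_post_env('/reset_password', raw_body, content_type))[0]
end

if __FILE__ == $PROGRAM_NAME
  puts reset_password_status('{"api_token":0}')                # 401
  puts reset_password_status('{"api_token":null}')             # 401
  puts reset_password_status('{"api_token":["a1b2c3d4e5f6"]}') # 401
  puts reset_password_status('{"api_token":"a1b2c3d4e5f6"}')   # 200
end
```

In a real request spec the env construction is what `post path, raw_body, headers` does for you; the part worth copying is the type check in valid_token_param?, which makes the handler's answer to `{"api_token":0}` independent of how the database layer would have compared an Integer against a token column.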
_______________________________________________
rspec-users mailing list
rspec-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users