Hi Lawrence, thanks for the response. Unfortunately, when I try that, I get:
NoMethodError: undefined method `symbolize_keys' for "{\"api_token\":0}":String
    /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:150:in `assign_parameters'
    /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:463:in `process'
    /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:49:in `process'
    /Users/daniel/rails/spec/controllers/user_controller_spec.rb:10:in `block (2 levels) in <top (required)>'

On Friday, February 8, 2013 4:01:43 PM UTC-5, lawrence.pit wrote:

> Hi Daniel,
>
> describe "Example", :type => :request do
>   # curl -k -i -X POST -d '{"api_token":0}' https://api.example.local/reset_password
>   # See https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion
>   it "should not be exploitable by using an integer token value" do
>     post "/reset_password", '{"api_token":0}', 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json'
>     response.status.should == 401
>   end
> end
>
> Cheers,
> Lawrence
>
> > I apologize if this message was sent more than once, I tried to post
> > through the Google Groups page but it didn't seem to work.
> >
> > In order to ensure that my application is not vulnerable to this
> > exploit, I am trying to create a controller test in RSpec to cover it.
> > In order to do so, I need to be able to post raw JSON, but I haven't
> > seemed to find a way to do that. In doing some research, I've
> > determined that there at least used to be a way to do so using the
> > RAW_POST_DATA header, but this doesn't seem to work anymore:
> >
> >   it "should not be exploitable by using an integer token value" do
> >     request.env["CONTENT_TYPE"] = "application/json"
> >     request.env["RAW_POST_DATA"] = { token: 0 }.to_json
> >     post :reset_password
> >   end
> >
> > When I look at the params hash, token is not set at all, and it just
> > contains { "controller" => "user", "action" => "reset_password" }. I
> > get the same results when trying to use XML, or even when trying to
> > just use regular post data; in all cases, it seems to not set it
> > period.
> >
> > I know that with the recent Rails vulnerabilities, the way parameters
> > are hashed was changed, but is there still a way to post raw data
> > through RSpec? Can I somehow directly use Rack::Test::Methods?
> >
> > Any help would be appreciated.
_______________________________________________ rspec-users mailing list rspec-users@rubyforge.org http://rubyforge.org/mailman/listinfo/rspec-users
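The check Lawrence's request spec is meant to exercise, as an added stand-alone example that is not code from either poster: a minimal Rack-style endpoint that refuses any api_token that is not a String, driven through its call interface with the same raw JSON body a request spec would send, using only the Ruby standard library. The /reset_password path, the VALID_TOKENS table and the token values are constructed assumptions; note that a request spec runs the full middleware stack (including the JSON params parser), while a controller spec calls the controller directly with a params Hash, which is why handing `post` a raw String in spec/controllers raises the NoMethodError quoted above.

```ruby
require 'json'
require 'stringio'

# Constructed sample data standing in for the application's token store (assumption).
VALID_TOKENS = { 'abc123' => 'daniel' }.freeze

# Minimal Rack-compatible app standing in for a reset_password endpoint.
# The defensive point: the token must be a non-empty String before it is
# used in any lookup, so JSON values such as the integer 0 are rejected
# with 401 instead of being handed to the database.
class ResetPasswordApp
  def call(env)
    return [404, {}, ['not found']] unless env['PATH_INFO'] == '/reset_password'
    return [415, {}, ['unsupported media type']] unless env['CONTENT_TYPE'] == 'application/json'

    params = JSON.parse(env['rack.input'].read)
    params = {} unless params.is_a?(Hash) # a bare JSON array or scalar is not a params hash

    token = params['api_token']
    return [401, {}, ['unauthorized']] unless token.is_a?(String) && !token.empty?
    return [401, {}, ['unauthorized']] unless VALID_TOKENS.key?(token)

    [200, { 'Content-Type' => 'application/json' }, [{ 'reset' => VALID_TOKENS[token] }.to_json]]
  rescue JSON::ParserError
    [400, {}, ['bad request']]
  end
end

# Build the Rack env the way a request spec's post(path, body, headers) does
# and return the status the app answers with.
def post_json(app, path, raw_body)
  env = {
    'REQUEST_METHOD' => 'POST',
    'PATH_INFO'      => path,
    'CONTENT_TYPE'   => 'application/json',
    'rack.input'     => StringIO.new(raw_body)
  }
  status, _headers, _body = app.call(env)
  status
end

APP = ResetPasswordApp.new

if __FILE__ == $PROGRAM_NAME
  puts post_json(APP, '/reset_password', '{"api_token":0}')        # 401: integer token refused
  puts post_json(APP, '/reset_password', '{"api_token":"nope"}')   # 401: unknown string token
  puts post_json(APP, '/reset_password', '{"api_token":"abc123"}') # 200: known string token
end
```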