In order to ensure that my application is not vulnerable to this 
exploit <http://www.phenoelit.org/blog/archives/2013/02/05/mysql_madness_and_rails/>, 
I am trying to create a controller test in RSpec to cover it. In order to 
do so, I need to be able to post raw JSON, but I haven't seemed to find a 
way to do that. In doing some research, I've determined that there at least 
used to be a way to do so using the RAW_POST_DATA header, but this doesn't 
seem to work anymore:

    it "should not be exploitable by using an integer token value" do
      request.env["CONTENT_TYPE"] = "application/json"
      request.env["RAW_POST_DATA"] = { token: 0 }.to_json
      post :reset_password
    end

When I look at the params hash, token is not set at all, and it just 
contains { "controller" => "user", "action" => "reset_password" }. I get 
the same results when trying to use XML, or even when trying to just use 
regular post data; in all cases, it seems to not set it, period.

I know that with the recent Rails vulnerabilities, the way parameters are 
hashed was changed, but is there still a way to post raw data through 
RSpec? Can I somehow directly use Rack::Test::Methods?

Any help would be appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
"rspec" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/rspec/-/eGpHZpW1MhgJ.
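Added example, not from the post above or from RSpec or Rails: it mimics what a JSON body parser and a form parser each hand to the controller, showing why only a raw JSON body can deliver the integer token the test needs, and a guard a reset-password action can apply before the value reaches a database query. The request bodies and the `safe_token` helper are constructed for illustration.

```ruby
require 'json'
require 'uri'

# Constructed request bodies standing in for what a client would POST.
# A form-encoded body can only ever carry a String token; the JSON body
# built with { token: 0 }.to_json is the case the original test targets.
BODIES = {
  'form'         => 'token=abc123',
  'json_string'  => { token: 'abc123' }.to_json,
  'json_integer' => { token: 0 }.to_json
}.freeze

# Mimic the two parsers a framework selects by content type.
# Returns the params hash the controller would see.
def parse_params(content_type, raw_body)
  case content_type
  when 'application/json'
    JSON.parse(raw_body)
  when 'application/x-www-form-urlencoded'
    URI.decode_www_form(raw_body).to_h
  else
    raise ArgumentError, "unsupported content type: #{content_type}"
  end
end

# Defensive check (hypothetical helper): a reset token must be a non-empty
# String before it is used in a lookup. Returns the token, or nil when the
# request should be rejected instead of queried.
def safe_token(params)
  token = params['token']
  return nil unless token.is_a?(String) && !token.empty?
  token
end

# Convenience for a spec: parse then validate in one step.
def token_from_request(content_type, raw_body)
  safe_token(parse_params(content_type, raw_body))
end
```

With the JSON body the parsed token is the Integer 0, and `safe_token` rejects it, which is the behaviour a controller test for this case should assert on.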