2019-04-30 08:27:42 +08:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2018-10-23 01:22:23 +08:00
|
|
|
describe CspReportsController do
|
|
|
|
describe '#create' do
|
|
|
|
before do
|
|
|
|
SiteSetting.content_security_policy = true
|
|
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
|
|
|
|
@orig_logger = Rails.logger
|
|
|
|
Rails.logger = @fake_logger = FakeLogger.new
|
|
|
|
end
|
|
|
|
|
|
|
|
after do
|
|
|
|
Rails.logger = @orig_logger
|
|
|
|
end
|
|
|
|
|
|
|
|
def send_report
|
|
|
|
post '/csp_reports', params: {
|
|
|
|
"csp-report": {
|
|
|
|
"document-uri": "http://localhost:3000/",
|
|
|
|
"referrer": "",
|
|
|
|
"violated-directive": "script-src",
|
|
|
|
"effective-directive": "script-src",
|
|
|
|
"original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
|
|
|
|
"disposition": "report",
|
|
|
|
"blocked-uri": "http://suspicio.us/assets.js",
|
|
|
|
"line-number": 25,
|
|
|
|
"source-file": "http://localhost:3000/",
|
|
|
|
"status-code": 200,
|
2020-04-02 23:16:38 +08:00
|
|
|
"script-sample": "console.log('unsafe')"
|
2018-10-23 01:22:23 +08:00
|
|
|
}
|
|
|
|
}.to_json, headers: { "Content-Type": "application/csp-report" }
|
|
|
|
end
|
|
|
|
|
2022-06-20 14:57:46 +08:00
|
|
|
it 'returns an error for invalid reports' do
|
|
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
|
|
|
|
post '/csp_reports', params: "[ not-json", headers: { "Content-Type": "application/csp-report" }
|
|
|
|
|
|
|
|
expect(response.status).to eq(422)
|
|
|
|
|
|
|
|
post '/csp_reports', params: ["yes json"].to_json, headers: { "Content-Type": "application/csp-report" }
|
|
|
|
|
|
|
|
expect(response.status).to eq(422)
|
|
|
|
end
|
|
|
|
|
2018-10-23 01:22:23 +08:00
|
|
|
it 'is enabled by SiteSetting' do
|
|
|
|
SiteSetting.content_security_policy = false
|
|
|
|
SiteSetting.content_security_policy_report_only = false
|
|
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
send_report
|
2018-11-15 05:23:29 +08:00
|
|
|
expect(response.status).to eq(200)
|
2018-10-23 01:22:23 +08:00
|
|
|
|
|
|
|
SiteSetting.content_security_policy = true
|
|
|
|
send_report
|
|
|
|
expect(response.status).to eq(200)
|
|
|
|
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
|
|
|
send_report
|
|
|
|
expect(response.status).to eq(404)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'logs the violation report' do
|
|
|
|
send_report
|
2022-05-05 09:53:54 +08:00
|
|
|
expect(@fake_logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")
|
2018-10-23 01:22:23 +08:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|