mirror of
https://github.com/discourse/discourse.git
synced 2024-12-12 03:43:42 +08:00
9361d9a587
Certain rogue bots such as Yandex may send across invalid CSP reports when CSP report collection is enabled. This ensures that invalid reports will not cause log floods and simply returns a 422 error. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com>
69 lines
2.2 KiB
Ruby
69 lines
2.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
describe CspReportsController do
|
|
describe '#create' do
|
|
before do
|
|
SiteSetting.content_security_policy = true
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
@orig_logger = Rails.logger
|
|
Rails.logger = @fake_logger = FakeLogger.new
|
|
end
|
|
|
|
after do
|
|
Rails.logger = @orig_logger
|
|
end
|
|
|
|
def send_report
|
|
post '/csp_reports', params: {
|
|
"csp-report": {
|
|
"document-uri": "http://localhost:3000/",
|
|
"referrer": "",
|
|
"violated-directive": "script-src",
|
|
"effective-directive": "script-src",
|
|
"original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
|
|
"disposition": "report",
|
|
"blocked-uri": "http://suspicio.us/assets.js",
|
|
"line-number": 25,
|
|
"source-file": "http://localhost:3000/",
|
|
"status-code": 200,
|
|
"script-sample": "console.log('unsafe')"
|
|
}
|
|
}.to_json, headers: { "Content-Type": "application/csp-report" }
|
|
end
|
|
|
|
it 'returns an error for invalid reports' do
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
post '/csp_reports', params: "[ not-json", headers: { "Content-Type": "application/csp-report" }
|
|
|
|
expect(response.status).to eq(422)
|
|
|
|
post '/csp_reports', params: ["yes json"].to_json, headers: { "Content-Type": "application/csp-report" }
|
|
|
|
expect(response.status).to eq(422)
|
|
end
|
|
|
|
it 'is enabled by SiteSetting' do
|
|
SiteSetting.content_security_policy = false
|
|
SiteSetting.content_security_policy_report_only = false
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
|
send_report
|
|
expect(response.status).to eq(404)
|
|
end
|
|
|
|
it 'logs the violation report' do
|
|
send_report
|
|
expect(@fake_logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")
|
|
end
|
|
end
|
|
end
|