mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 11:33:43 +08:00
4ea21fa2d0
This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
59 lines
1.7 KiB
Ruby
59 lines
1.7 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
|
|
describe CspReportsController do
|
|
describe '#create' do
|
|
before do
|
|
SiteSetting.content_security_policy = true
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
@orig_logger = Rails.logger
|
|
Rails.logger = @fake_logger = FakeLogger.new
|
|
end
|
|
|
|
after do
|
|
Rails.logger = @orig_logger
|
|
end
|
|
|
|
def send_report
|
|
post '/csp_reports', params: {
|
|
"csp-report": {
|
|
"document-uri": "http://localhost:3000/",
|
|
"referrer": "",
|
|
"violated-directive": "script-src",
|
|
"effective-directive": "script-src",
|
|
"original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
|
|
"disposition": "report",
|
|
"blocked-uri": "http://suspicio.us/assets.js",
|
|
"line-number": 25,
|
|
"source-file": "http://localhost:3000/",
|
|
"status-code": 200,
|
|
"script-sample": ""
|
|
}
|
|
}.to_json, headers: { "Content-Type": "application/csp-report" }
|
|
end
|
|
|
|
it 'is enabled by SiteSetting' do
|
|
SiteSetting.content_security_policy = false
|
|
SiteSetting.content_security_policy_report_only = false
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
|
send_report
|
|
expect(response.status).to eq(404)
|
|
end
|
|
|
|
it 'logs the violation report' do
|
|
send_report
|
|
expect(Rails.logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js'")
|
|
end
|
|
end
|
|
end
|