mirror of
https://github.com/discourse/discourse.git
synced 2024-12-18 18:06:28 +08:00
493d437e79
* Remove outdated option
04078317ba
* Use the non-globally exposed RSpec syntax
https://github.com/rspec/rspec-core/pull/2803
* Use the non-globally exposed RSpec syntax, cont
https://github.com/rspec/rspec-core/pull/2803
* Comply to strict predicate matchers
See:
- https://github.com/rspec/rspec-expectations/pull/1195
- https://github.com/rspec/rspec-expectations/pull/1196
- https://github.com/rspec/rspec-expectations/pull/1277
69 lines
2.2 KiB
Ruby
69 lines
2.2 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
RSpec.describe CspReportsController do
|
|
describe '#create' do
|
|
before do
|
|
SiteSetting.content_security_policy = true
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
@orig_logger = Rails.logger
|
|
Rails.logger = @fake_logger = FakeLogger.new
|
|
end
|
|
|
|
after do
|
|
Rails.logger = @orig_logger
|
|
end
|
|
|
|
def send_report
|
|
post '/csp_reports', params: {
|
|
"csp-report": {
|
|
"document-uri": "http://localhost:3000/",
|
|
"referrer": "",
|
|
"violated-directive": "script-src",
|
|
"effective-directive": "script-src",
|
|
"original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
|
|
"disposition": "report",
|
|
"blocked-uri": "http://suspicio.us/assets.js",
|
|
"line-number": 25,
|
|
"source-file": "http://localhost:3000/",
|
|
"status-code": 200,
|
|
"script-sample": "console.log('unsafe')"
|
|
}
|
|
}.to_json, headers: { "Content-Type": "application/csp-report" }
|
|
end
|
|
|
|
it 'returns an error for invalid reports' do
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
|
|
post '/csp_reports', params: "[ not-json", headers: { "Content-Type": "application/csp-report" }
|
|
|
|
expect(response.status).to eq(422)
|
|
|
|
post '/csp_reports', params: ["yes json"].to_json, headers: { "Content-Type": "application/csp-report" }
|
|
|
|
expect(response.status).to eq(422)
|
|
end
|
|
|
|
it 'is enabled by SiteSetting' do
|
|
SiteSetting.content_security_policy = false
|
|
SiteSetting.content_security_policy_report_only = false
|
|
SiteSetting.content_security_policy_collect_reports = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy = true
|
|
send_report
|
|
expect(response.status).to eq(200)
|
|
|
|
SiteSetting.content_security_policy_collect_reports = false
|
|
send_report
|
|
expect(response.status).to eq(404)
|
|
end
|
|
|
|
it 'logs the violation report' do
|
|
send_report
|
|
expect(@fake_logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")
|
|
end
|
|
end
|
|
end
|