File: csrf-rest.t

package info (click to toggle)
request-tracker5 5.0.7%2Bdfsg-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 80,216 kB
  • sloc: javascript: 191,898; perl: 87,146; sh: 1,412; makefile: 487; python: 37; php: 15
file content (75 lines) | stat: -rw-r--r-- 2,369 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
 
use strict;
use warnings;

use RT::Test tests => undef;

my ($baseurl, $m) = RT::Test->started_ok;

# Get a non-REST session
diag "Standard web session";
ok $m->login, 'logged in';
$m->content_contains("RT at a glance", "Get full UI content");

# Requesting a REST page should be fine, as we have a Referer
$m->post("$baseurl/REST/1.0/ticket/new", [
    format  => 'l',
]);
$m->content_like(qr{^id: ticket/new}m, "REST request with referrer");

# Removing the Referer header gets us an interstitial
$m->add_header(Referer => undef);
$m->post("$baseurl/REST/1.0/ticket/new", [
    format  => 'l',
    foo     => 'bar',
]);
$m->content_contains("Possible cross-site request forgery",
                 "REST request without referrer is blocked");

# But passing username and password lets us though
$m->post("$baseurl/REST/1.0/ticket/new", [
    user    => 'root',
    pass    => 'password',
    format  => 'l',
]);
$m->content_like(qr{^id: ticket/new}m, "REST request without referrer, but username/password supplied, is OK");

# And we can still access non-REST urls
$m->get("$baseurl");
$m->content_contains("RT at a glance", "Full UI is still available");


# Now go get a REST session
diag "REST session";
$m = RT::Test::Web->new;
$m->post("$baseurl/REST/1.0/ticket/new", [
    user    => 'root',
    pass    => 'password',
    format  => 'l',
]);
$m->content_like(qr{^id: ticket/new}m, "REST request to log in");

# Requesting that page again, with a username/password but no referrer,
# is fine
$m->add_header(Referer => undef);
$m->post("$baseurl/REST/1.0/ticket/new", [
    user    => 'root',
    pass    => 'password',
    format  => 'l',
]);
$m->content_like(qr{^id: ticket/new}m, "REST request with no referrer, but username/pass");

# And it's still fine without both referer and username and password,
# because REST is special-cased
$m->post("$baseurl/REST/1.0/ticket/new", [
    format  => 'l',
]);
$m->content_like(qr{^id: ticket/new}m, "REST request with no referrer or username/pass is special-cased for REST sessions");

# But the REST page can't request normal pages
$m->get("$baseurl");
$m->content_lacks("RT at a glance", "Full UI is denied for REST sessions");
$m->content_contains("This login session belongs to a REST client", "Tells you why");
$m->warning_like(qr/This login session belongs to a REST client/, "Logs a warning");

done_testing;