Daniel
2013-Feb-08 15:29 UTC
[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec
I apologize if this message was sent more than once, I tried to post through the Google Groups page but it didn't seem to work.

In order to ensure that my application is not vulnerable to this exploit, I am trying to create a controller test in RSpec to cover it. In order to do so, I need to be able to post raw JSON, but I haven't seemed to find a way to do that. In doing some research, I've determined that there at least used to be a way to do so using the RAW_POST_DATA header, but this doesn't seem to work anymore:

    it "should not be exploitable by using an integer token value" do
      request.env["CONTENT_TYPE"] = "application/json"
      request.env["RAW_POST_DATA"] = { token: 0 }.to_json
      post :reset_password
    end

When I look at the params hash, token is not set at all, and it just contains { "controller" => "user", "action" => "reset_password" }. I get the same results when trying to use XML, or even when trying to just use regular post data, in all cases, it seems to not set it period.

I know that with the recent Rails vulnerabilities, the way parameters are hashed was changed, but is there still a way to post raw data through RSpec? Can I somehow directly use Rack::Test::Methods?

Any help would be appreciated.
Lawrence Pit
2013-Feb-08 21:01 UTC
[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec
Hi Daniel,

    describe "Example", :type => :request do
      # curl -k -i -X POST -d '{"api_token":0}' https://api.example.local/reset_password
      # See https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion
      it "should not be exploitable by using an integer token value" do
        post "/reset_password", '{"api_token":0}', 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json'
        response.status.should == 401
      end
    end

Cheers,
Lawrence
Daniel Vandersluis
2013-Feb-08 21:44 UTC
[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec
Hi Lawrence, thanks for the response. Unfortunately, when I try that, I get:

    NoMethodError: undefined method `symbolize_keys' for "{\"api_token\":0}":String
      /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:150:in `assign_parameters'
      /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:463:in `process'
      /Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:49:in `process'
      /Users/daniel/rails/spec/controllers/user_controller_spec.rb:10:in `block (2 levels) in <top (required)>'
Daniel Vandersluis
2013-Feb-08 21:50 UTC
[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec
Sorry, I just realized you did this as a request spec, not as a controller spec! That's what I was missing here, thanks!

So is it not possible to do a controller spec with raw data?
Lawrence Pit
2013-Feb-09 06:51 UTC
[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec
> So is it not possible to do a controller spec with raw data?

Not that I know of. In the controller the raw data is assumed to have been parsed already.

You could also simply set the parameter value to an integer in your test and then call your controller action:

    params["token"] = 0

That should give you the same query manipulation if you have this in your controller action:

    User.find_by_token(params["token"])

Cheers,
Lawrence
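An added example, not code from this thread: a plain-Ruby stand-in for the parameter handling Lawrence describes, showing why a JSON body (which keeps JSON types such as 0 or null) needs a type check that a form body never needed, and the guard a reset_password action can apply before the token reaches a finder. parse_params, safe_token, reset_password_status and KNOWN_TOKENS are constructed names; it runs without Rails.

```ruby
require "json"
require "uri"

# Constructed stand-in for the parameter parsing a controller action sees.
# A JSON body keeps JSON types (0, nil, [], {}), whereas a form-encoded body
# only ever yields Strings: that type difference is what the thread's test targets.
def parse_params(content_type, raw_body)
  case content_type
  when "application/json"
    JSON.parse(raw_body)
  when "application/x-www-form-urlencoded"
    URI.decode_www_form(raw_body).to_h
  else
    {}
  end
end

# Guard a token taken from params before it reaches a finder such as
# User.find_by_token: only a non-blank String may be used as a lookup key.
# Returns the token, or nil when the value must be rejected.
def safe_token(params)
  value = params["token"]
  return nil unless value.is_a?(String)
  return nil if value.strip.empty?
  value
end

# Constructed stand-in for the token column: in-memory instead of a database.
KNOWN_TOKENS = ["a3f9c1"].freeze

# Simulates the reset_password action's status code: 401 when the token is
# not a usable String or does not match, 200 when it matches a known token.
def reset_password_status(content_type, raw_body)
  token = safe_token(parse_params(content_type, raw_body))
  return 401 if token.nil?
  KNOWN_TOKENS.include?(token) ? 200 : 401
end

if __FILE__ == $0
  puts reset_password_status("application/json", '{"token":0}')        # 401
  puts reset_password_status("application/json", '{"token":[null]}')   # 401
  puts reset_password_status("application/json", '{"token":"a3f9c1"}') # 200
end
```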