52 lines
1.6 KiB
Go
52 lines
1.6 KiB
Go
package server
|
|
|
|
import (
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// TestSameOriginGuard checks the admin console's CSRF defence: safe methods pass,
|
|
// a state-changing request needs an Origin/Referer host matching the request Host.
|
|
func TestSameOriginGuard(t *testing.T) {
|
|
gin.SetMode(gin.TestMode)
|
|
e := gin.New()
|
|
g := e.Group("/_gm")
|
|
g.Use(requireSameOrigin())
|
|
g.POST("/act", func(c *gin.Context) { c.Status(http.StatusOK) })
|
|
g.GET("/page", func(c *gin.Context) { c.Status(http.StatusOK) })
|
|
|
|
cases := []struct {
|
|
name string
|
|
method string
|
|
path string
|
|
origin string
|
|
referer string
|
|
want int
|
|
}{
|
|
{"get is safe", http.MethodGet, "/_gm/page", "", "", http.StatusOK},
|
|
{"post without origin rejected", http.MethodPost, "/_gm/act", "", "", http.StatusForbidden},
|
|
{"post matching origin ok", http.MethodPost, "/_gm/act", "http://example.com", "", http.StatusOK},
|
|
{"post foreign origin rejected", http.MethodPost, "/_gm/act", "http://evil.test", "", http.StatusForbidden},
|
|
{"post matching referer ok", http.MethodPost, "/_gm/act", "", "http://example.com/_gm/x", http.StatusOK},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
req := httptest.NewRequest(tc.method, "http://example.com"+tc.path, nil)
|
|
if tc.origin != "" {
|
|
req.Header.Set("Origin", tc.origin)
|
|
}
|
|
if tc.referer != "" {
|
|
req.Header.Set("Referer", tc.referer)
|
|
}
|
|
rec := httptest.NewRecorder()
|
|
e.ServeHTTP(rec, req)
|
|
if rec.Code != tc.want {
|
|
t.Errorf("status = %d, want %d", rec.Code, tc.want)
|
|
}
|
|
})
|
|
}
|
|
}
|