Repository: couchdb Updated Branches: refs/heads/master 0c579b983 -> 09b9a722f
CSRF tests COUCHDB-2762 Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/09b9a722 Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/09b9a722 Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/09b9a722 Branch: refs/heads/master Commit: 09b9a722fe4c297eff7041b3426f8e067b921b25 Parents: 0c579b9 Author: Robert Newson <[email protected]> Authored: Tue Aug 4 11:53:25 2015 +0100 Committer: Robert Newson <[email protected]> Committed: Wed Aug 5 14:15:01 2015 +0100 ---------------------------------------------------------------------- test/javascript/tests/csrf.js | 54 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/09b9a722/test/javascript/tests/csrf.js ---------------------------------------------------------------------- diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js new file mode 100644 index 0000000..9baef82 --- /dev/null +++ b/test/javascript/tests/csrf.js 
@@ -0,0 +1,54 @@
+// Licensed under the Apache License, Version 2.0 (the "License"); you may not
+// use this file except in compliance with the License. You may obtain a copy of
+// the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+// License for the specific language governing permissions and limitations under
+// the License.
+
+couchTests.csrf = function(debug) {
+ if (debug) debugger;
+
+ // Handy function to cause CouchDB to delete the CSRF cookie
+ var deleteCsrf = function() {
+ var xhr = CouchDB.request("GET", "/",
+ {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ TEquals(403, xhr.status);
+ };
+
+ // Shouldn't receive header if we didn't ask for it
+ var xhr = CouchDB.request("GET", "/");
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Didn't ask for CSRF");
+ TEquals(200, xhr.status);
+
+ // Matching but invalid cookie/header should 403
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
+
+ // Can I acquire a CouchDB-CSRF cookie?
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'true'}});
+ var cookie = xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)');
+ T(cookie, "Should receive cookie");
+
+ // If I have a cookie, do I get a 403 if I don't send the header?
+ xhr = CouchDB.request("GET", "/");
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
+
+ // If I have a cookie, do I get a 200 if I send a matching header?
+ xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+ TEquals(200, xhr.status);
+ TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
+
+ // How about the wrong header?
+ xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+ TEquals(403, xhr.status);
+ TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");
+
+ deleteCsrf();
+};
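Review bot: The `deleteCsrf();` call at the end of the hunk only runs if every preceding assertion passes, so a TEquals failure after the "Can I acquire a CouchDB-CSRF cookie?" step leaves the CouchDB-CSRF cookie in the session that the later "If I have a cookie" steps show is shared across requests, and any test run after this one would then see 403s unrelated to what it checks. Wrapping everything from the acquire request onward in `try { … } finally { deleteCsrf(); }` makes the cleanup unconditional. Separately, `xhr.getResponseHeader("Set-Cookie").match('^CouchDB-CSRF=([^;]+)')` throws a TypeError instead of a readable assertion when no cookie comes back; bind the header first and assert it, `var setCookie = xhr.getResponseHeader("Set-Cookie"); T(setCookie, "Should receive Set-Cookie cookie");`, before matching, and that acquire request is also the only one in the file whose status is never asserted (`TEquals(200, xhr.status);`).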
