@CHTJonas
Created July 24, 2019 15:31
Rails tests to verify that CVE-2015-9284 is mitigated.
require 'test_helper'

# Make sure that https://nvd.nist.gov/vuln/detail/CVE-2015-9284 is mitigated
class OmniauthCsrfTest < ActionDispatch::IntegrationTest
  setup do
    ActionController::Base.allow_forgery_protection = true
    OmniAuth.config.test_mode = false
  end

  test "should not accept GET requests to OmniAuth endpoint" do
    get '/auth/google_oauth2'
    assert_response :missing
  end

  test "should not accept POST requests with invalid CSRF tokens to OmniAuth endpoint" do
    assert_raises ActionController::InvalidAuthenticityToken do
      post '/auth/google_oauth2'
    end
  end

  teardown do
    ActionController::Base.allow_forgery_protection = false
    OmniAuth.config.test_mode = true
  end
end
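The two tests above pin down what a mitigated request phase must do: refuse GET outright and refuse a POST whose authenticity token does not match the session. The standalone model below is an added example, not the gist author's code and not OmniAuth's or Rails' implementation; the module name, the session key and the return symbols are assumptions, and it compares raw tokens rather than Rails' masked form tokens.

```ruby
require 'securerandom'

# Hypothetical stand-in for the request-phase validation that the tests expect
# the application to enforce before /auth/:provider redirects to the provider.
module OmniauthRequestGuard
  ALLOWED_METHODS = ['POST'].freeze
  SESSION_KEY = '_csrf_token'.freeze # assumed session key, not Rails' real one

  # Issue one token per session; the same value is embedded in the login form.
  def self.issue_token(session)
    session[SESSION_KEY] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so response timing does not leak token bytes.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Decide whether a request may start the OAuth flow.
  # :not_found mirrors the first test (GET behaves like an unknown route),
  # :invalid_authenticity_token mirrors the second, :ok means proceed.
  def self.check(method:, params:, session:)
    return :not_found unless ALLOWED_METHODS.include?(method.to_s.upcase)
    expected = session[SESSION_KEY]
    given = params['authenticity_token']
    return :invalid_authenticity_token unless expected && secure_compare(given, expected)
    :ok
  end
end

# Constructed sample requests, not captured traffic.
if __FILE__ == $PROGRAM_NAME
  session = {}
  token = OmniauthRequestGuard.issue_token(session)
  p OmniauthRequestGuard.check(method: 'GET', params: {}, session: session)
  p OmniauthRequestGuard.check(method: 'POST', params: {}, session: session)
  p OmniauthRequestGuard.check(method: 'POST',
                               params: { 'authenticity_token' => token },
                               session: session)
end
```

A POST carrying the session's own token is the only path to :ok; a token from another session, a truncated token or no token at all is rejected before any redirect to the provider is issued.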