authorRobert Newson <rnewson@apache.org>2015-08-10 20:11:47 +0100
committerRobert Newson <rnewson@apache.org>2015-08-10 20:11:47 +0100
commit68e83c23b0ac24f7f3245894a3765a5649718880 (patch)
tree8f3d588a4b712b20cfa13b47103614966663bcba
parentb3c53672d1a8543b480dd46e6e6211ead1ed8619 (diff)
downloadcouchdb-68e83c23b0ac24f7f3245894a3765a5649718880.tar.gz
Use POST requests to verify CSRF
-rw-r--r--test/javascript/tests/csrf.js21
1 files changed, 15 insertions, 6 deletions
diff --git a/test/javascript/tests/csrf.js b/test/javascript/tests/csrf.js
index 9baef82fd..9799d6f56 100644
--- a/test/javascript/tests/csrf.js
+++ b/test/javascript/tests/csrf.js
@@ -11,12 +11,17 @@
// the License.
couchTests.csrf = function(debug) {
+ var db = new CouchDB("test_suite_db", {"X-Couch-Full-Commit":"false"});
+ db.deleteDb();
+ db.createDb();
+
if (debug) debugger;
// Handy function to cause CouchDB to delete the CSRF cookie
var deleteCsrf = function() {
- var xhr = CouchDB.request("GET", "/",
- {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ var xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+ body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
};
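Review bot: The new lines 31-33 spell out the database name and the `{"keys": []}` body by hand, and the same POST is then copied verbatim into the second hunk (lines 40-42) and, with varying headers, four more times in the third hunk, even though the database is already bound to `db` three lines up; a small local helper built on `db.name` (the harness's CouchDB object exposes the name it was constructed with, as far as I can tell from couch.js) would give the path and body one source of truth and make the POST shape, which is the part a CSRF check keys on, explicit. The helper should only attach `headers` when given, so the call that sends no headers (line 49 in the third hunk) keeps its current argument shape. While touching `deleteCsrf`, it asserts only the status, whereas every other 403 probe in this file also checks that `X-CouchDB-CSRF-Valid` is absent; adding that assertion keeps the helper consistent with the rest of the test. A one-line comment recording why the probes are POSTs rather than the previous `GET /` would also help, since the commit title explains it but the file does not. The enclosing function continues past this hunk, so I could not check whether the database is deleted again at the end.
```javascript
couchTests.csrf = function(debug) {
  // … unchanged: db setup …
  var allDocsUrl = "/" + db.name + "/_all_docs";
  // All CSRF probes are body-bearing POSTs; build them in one place.
  var csrfRequest = function(headers) {
    var options = {body: '{"keys": []}'};
    if (headers) options.headers = headers;
    return CouchDB.request("POST", allDocsUrl, options);
  };
  // … unchanged: debugger hook and comment …
  var deleteCsrf = function() {
    var xhr = csrfRequest({'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'});
    TEquals(403, xhr.status);
    TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Cookie/header pair must not validate");
  };
```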
@@ -26,7 +31,9 @@ couchTests.csrf = function(debug) {
TEquals(200, xhr.status);
// Matching but invalid cookie/header should 403
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {
+ body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo', 'Cookie': 'CouchDB-CSRF=foo'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent invalid cookie and header");
@@ -36,17 +43,19 @@ couchTests.csrf = function(debug) {
T(cookie, "Should receive cookie");
// If I have a cookie, do I get a 403 if I don't send the header?
- xhr = CouchDB.request("GET", "/");
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}'});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We didn't send the header");
// If I have a cookie, do I get a 200 if I send a matching header?
- xhr = CouchDB.request("GET", "/", {headers: {"X-CouchDB-CSRF": cookie[1]}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+ headers: {"X-CouchDB-CSRF": cookie[1]}});
TEquals(200, xhr.status);
TEquals("true", xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "Server should have sent this");
// How about the wrong header?
- xhr = CouchDB.request("GET", "/", {headers: {'X-CouchDB-CSRF': 'foo'}});
+ xhr = CouchDB.request("POST", "/test_suite_db/_all_docs", {body: '{"keys": []}',
+ headers: {'X-CouchDB-CSRF': 'foo'}});
TEquals(403, xhr.status);
TEquals(null, xhr.getResponseHeader("X-CouchDB-CSRF-Valid"), "We sent a mismatched header");