diff options
author | Azul <azul@riseup.net> | 2016-10-20 14:39:33 +0200 |
---|---|---|
committer | Azul <azul@riseup.net> | 2016-10-20 14:39:33 +0200 |
commit | b97daaed9b513006ace7e8eb5232a2211e965e77 (patch) | |
tree | e27002e8368e92410e5d4af2a945260c2ea6e2d1 /test/integration/browser/security_test.rb | |
parent | c6c4d9fd10b8ca8e24889112727e44c9bf68dd60 (diff) | |
parent | 6eb2dae802e5453e2a4361ab28f614cce9294f4c (diff) |
Merge remote-tracking branch 'origin/develop'
We'll only use the master branch for development from now on.
Diffstat (limited to 'test/integration/browser/security_test.rb')
-rw-r--r-- | test/integration/browser/security_test.rb | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb new file mode 100644 index 0000000..825d50b --- /dev/null +++ b/test/integration/browser/security_test.rb @@ -0,0 +1,52 @@ +require 'test_helper' + +class SecurityTest < BrowserIntegrationTest + + teardown do + Identity.destroy_all_orphaned + end + + # trying to seed an invalid A for srp login + test "detects attempt to circumvent SRP" do + InviteCodeValidator.any_instance.stubs(:validate) + + user = FactoryGirl.create :user + visit '/login' + fill_in 'Username', with: user.login + fill_in 'Password', with: "password" + inject_malicious_js + click_on 'Log In' + assert page.has_content?("Invalid random key") + assert page.has_no_content?("Welcome") + user.destroy + end + + test "reports internal server errors" do + Api::UsersController.any_instance.stubs(:create).raises + submit_signup + assert page.has_content?("server failed") + end + + test "does not render signup form without js" do + Capybara.current_driver = :rack_test # no js + visit '/signup' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + + test "does not render login form without js" do + Capybara.current_driver = :rack_test # no js + visit '/login' + assert page.has_no_content?("Username") + assert page.has_no_content?("Password") + end + + def inject_malicious_js + page.execute_script <<-EOJS + var calc = new srp.Calculate(); + calc.A = function(_a) {return "00";}; + calc.S = calc.A; + srp.session = new srp.Session(null, calc); + EOJS + end +end |