summaryrefslogtreecommitdiff
path: root/test/integration/browser/security_test.rb
diff options
context:
space:
mode:
authorAzul <azul@riseup.net>2016-10-20 14:39:33 +0200
committerAzul <azul@riseup.net>2016-10-20 14:39:33 +0200
commitb97daaed9b513006ace7e8eb5232a2211e965e77 (patch)
treee27002e8368e92410e5d4af2a945260c2ea6e2d1 /test/integration/browser/security_test.rb
parentc6c4d9fd10b8ca8e24889112727e44c9bf68dd60 (diff)
parent6eb2dae802e5453e2a4361ab28f614cce9294f4c (diff)
Merge remote-tracking branch 'origin/develop'
We'll only use the master branch for development from now on.
Diffstat (limited to 'test/integration/browser/security_test.rb')
-rw-r--r--test/integration/browser/security_test.rb52
1 files changed, 52 insertions, 0 deletions
diff --git a/test/integration/browser/security_test.rb b/test/integration/browser/security_test.rb
new file mode 100644
index 0000000..825d50b
--- /dev/null
+++ b/test/integration/browser/security_test.rb
@@ -0,0 +1,52 @@
+require 'test_helper'
+
+class SecurityTest < BrowserIntegrationTest
+
+ teardown do
+ Identity.destroy_all_orphaned
+ end
+
+ # trying to seed an invalid A for srp login
+ test "detects attempt to circumvent SRP" do
+ InviteCodeValidator.any_instance.stubs(:validate)
+
+ user = FactoryGirl.create :user
+ visit '/login'
+ fill_in 'Username', with: user.login
+ fill_in 'Password', with: "password"
+ inject_malicious_js
+ click_on 'Log In'
+ assert page.has_content?("Invalid random key")
+ assert page.has_no_content?("Welcome")
+ user.destroy
+ end
+
+ test "reports internal server errors" do
+ Api::UsersController.any_instance.stubs(:create).raises
+ submit_signup
+ assert page.has_content?("server failed")
+ end
+
+ test "does not render signup form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/signup'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ test "does not render login form without js" do
+ Capybara.current_driver = :rack_test # no js
+ visit '/login'
+ assert page.has_no_content?("Username")
+ assert page.has_no_content?("Password")
+ end
+
+ def inject_malicious_js
+ page.execute_script <<-EOJS
+ var calc = new srp.Calculate();
+ calc.A = function(_a) {return "00";};
+ calc.S = calc.A;
+ srp.session = new srp.Session(null, calc);
+ EOJS
+ end
+end