author | jessib <jessib@riseup.net> | 2013-08-27 12:18:35 -0700 |
committer | jessib <jessib@riseup.net> | 2013-08-27 12:18:35 -0700 |
commit | dc41ae0a3fb0a137e716d8ec63084b0ec3a7299b (patch) | |
tree | c09fef161f105e7c03c35d1edcb2d257144cb97d /users/test/integration/browser | |
parent | a87c750d1f12f15272beb117f8ee12ab711cc6d1 (diff) | |
parent | e481b8cbc05a858674a59ef36d695973622f6b3a (diff) |
Merge branch 'master' into billing_with_tests
Diffstat (limited to 'users/test/integration/browser')
-rw-r--r-- | users/test/integration/browser/account_test.rb | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb
index ce63baf..b412980 100644
--- a/users/test/integration/browser/account_test.rb
+++ b/users/test/integration/browser/account_test.rb
@@ -20,4 +20,24 @@ class AccountTest < BrowserIntegrationTest
 assert_equal '/', current_path
 end
+ # trying to seed an invalid A for srp login
+ test "detects attempt to circumvent SRP" do
+ user = FactoryGirl.create :user
+ visit '/sessions/new'
+ fill_in 'Username', with: user.login
+ fill_in 'Password', with: "password"
+ inject_malicious_js
+ click_on 'Log In'
+ assert page.has_content?("Invalid random key")
+ assert page.has_no_content?("Welcome")
+ end
+
+ def inject_malicious_js
+ page.execute_script <<-EOJS
+ var calc = new srp.Calculate();
+ calc.A = function(_a) {return "00";};
+ calc.S = calc.A;
+ srp.session = new srp.Session(null, calc);
+ EOJS
+ end
 end |
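Review bot: The new test only pins rejection of the literal client value A = "00" (the `calc.A = function(_a) {return "00";}` line in `inject_malicious_js`), whereas the SRP rule the server has to enforce is A mod N == 0, so values such as A = N or 2N in hex must be refused as well and this test cannot tell a modular check apart from a plain zero check. I would let the helper take the injected value, `def inject_malicious_js(fake_a = "00")` with `calc.A = function(_a) {return "#{fake_a}";};`, and add a second test that passes the group modulus used by the srp library (value not visible on this page) and expects the same "Invalid random key" response. The comment `# trying to seed an invalid A for srp login` would read better as `# SRP: the server must abort when the client's A is 0 mod N; seed A = 0 and expect rejection`. The enclosing class `AccountTest` starts before this hunk.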