|
@@ 29-41 (lines=13) @@
|
| 26 |
|
$this->assertSame('foobar', (string) $response->getBody()); |
| 27 |
|
} |
| 28 |
|
|
| 29 |
|
public function testFailingPostRequestNoHost() |
| 30 |
|
{ |
| 31 |
|
$request = new ServerRequest([], [], "http://alice.com/hello", "Post"); |
| 32 |
|
$request = $request->withHeader('Origin', "http://alice.com"); |
| 33 |
|
$request = $request->withoutHeader('Host'); |
| 34 |
|
|
| 35 |
|
$middleware = CsrfHeaderCheckMiddlewareFactory::createDefault(); |
| 36 |
|
|
| 37 |
|
$this->expectException(CsrfHeaderCheckMiddlewareException::class); |
| 38 |
|
$this->expectExceptionMessage('Could not find the HOST header in the HTTP request.'); |
| 39 |
|
|
| 40 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 41 |
|
} |
| 42 |
|
|
| 43 |
|
public function testSuccessfullPostWithOriginAndHost() |
| 44 |
|
{ |
|
@@ 43-53 (lines=11) @@
|
| 40 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 41 |
|
} |
| 42 |
|
|
| 43 |
|
public function testSuccessfullPostWithOriginAndHost() |
| 44 |
|
{ |
| 45 |
|
$request = new ServerRequest([], [], "http://alice.com/hello", "Post"); |
| 46 |
|
$request = $request->withHeader('Origin', "http://alice.com"); |
| 47 |
|
|
| 48 |
|
$middleware = CsrfHeaderCheckMiddlewareFactory::createDefault(); |
| 49 |
|
|
| 50 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 51 |
|
|
| 52 |
|
$this->assertSame('foobar', (string) $response->getBody()); |
| 53 |
|
} |
| 54 |
|
|
| 55 |
|
public function testSuccessfullPostWithOriginAndHostAndPort() |
| 56 |
|
{ |
|
@@ 55-65 (lines=11) @@
|
| 52 |
|
$this->assertSame('foobar', (string) $response->getBody()); |
| 53 |
|
} |
| 54 |
|
|
| 55 |
|
public function testSuccessfullPostWithOriginAndHostAndPort() |
| 56 |
|
{ |
| 57 |
|
$request = new ServerRequest([], [], "http://alice.com:8080/hello", "Post"); |
| 58 |
|
$request = $request->withHeader('Origin', "http://alice.com:8080"); |
| 59 |
|
|
| 60 |
|
$middleware = CsrfHeaderCheckMiddlewareFactory::createDefault(); |
| 61 |
|
|
| 62 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 63 |
|
|
| 64 |
|
$this->assertSame('foobar', (string) $response->getBody()); |
| 65 |
|
} |
| 66 |
|
|
| 67 |
|
public function testAttackPostWithOriginAndHost() |
| 68 |
|
{ |
|
@@ 67-77 (lines=11) @@
|
| 64 |
|
$this->assertSame('foobar', (string) $response->getBody()); |
| 65 |
|
} |
| 66 |
|
|
| 67 |
|
public function testAttackPostWithOriginAndHost() |
| 68 |
|
{ |
| 69 |
|
$request = new ServerRequest([], [], "http://alice.com/hello", "Post"); |
| 70 |
|
$request = $request->withHeader('Origin', "http://eve.com"); |
| 71 |
|
|
| 72 |
|
$middleware = CsrfHeaderCheckMiddlewareFactory::createDefault(); |
| 73 |
|
|
| 74 |
|
$this->expectException(CsrfHeaderCheckMiddlewareException::class); |
| 75 |
|
$this->expectExceptionMessage('Potential CSRF attack stopped. Source origin and target origin do not match.'); |
| 76 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 77 |
|
} |
| 78 |
|
|
| 79 |
|
public function testExceptionOnWeirdRequests() |
| 80 |
|
{ |
|
@@ 79-90 (lines=12) @@
|
| 76 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 77 |
|
} |
| 78 |
|
|
| 79 |
|
public function testExceptionOnWeirdRequests() |
| 80 |
|
{ |
| 81 |
|
$request = new ServerRequest([], [], "http://alice.com/hello", "Post"); |
| 82 |
|
$request = $request->withHeader('Origin', "http://eve.com"); |
| 83 |
|
$request = $request->withAddedHeader('Origin', "http://alice.com"); |
| 84 |
|
|
| 85 |
|
$middleware = CsrfHeaderCheckMiddlewareFactory::createDefault(); |
| 86 |
|
|
| 87 |
|
$this->expectException(CsrfHeaderCheckMiddlewareException::class); |
| 88 |
|
$this->expectExceptionMessage('Unexpected request: more than one ORIGIN header sent.'); |
| 89 |
|
$response = $middleware->process($request, $this->getDelegate()); |
| 90 |
|
} |
| 91 |
|
} |
| 92 |
|
|
thecodingmachine /
csrf-header-check-middleware
