
Function Test_CSRF_ExtractorSecurity_Validation

middleware/csrf/config_test.go:15–147  ·  view source on GitHub ↗

Test security validation functions

(t *testing.T)


14// Test security validation functions
15func Test_CSRF_ExtractorSecurity_Validation(t *testing.T) {
16 t.Parallel()
17
18 // Test secure configurations - should not panic
19 t.Run("SecureConfigurations", func(t *testing.T) {
20 t.Parallel()
21 secureConfigs := []Config{
22 {Extractor: extractors.FromHeader("X-Csrf-Token")},
23 {Extractor: extractors.FromForm("_csrf")},
24 {Extractor: extractors.FromQuery("csrf_token")},
25 {Extractor: extractors.FromParam("csrf")},
26 {Extractor: extractors.Chain(extractors.FromHeader("X-Csrf-Token"), extractors.FromForm("_csrf"))},
27 }
28
29 for i, cfg := range secureConfigs {
30 t.Run(fmt.Sprintf("Config%d", i), func(t *testing.T) {
31 require.NotPanics(t, func() {
32 configDefault(cfg)
33 })
34 })
35 }
36 })
37
38 // Test insecure configurations - should panic
39 t.Run("InsecureCookieExtractor", func(t *testing.T) {
40 t.Parallel()
41 // Create a custom extractor that reads from cookie (simulating dangerous behavior)
42 insecureCookieExtractor := extractors.Extractor{
43 Extract: func(c fiber.Ctx) (string, error) {
44 return c.Cookies("csrf_"), nil
45 },
46 Source: extractors.SourceCookie,
47 Key: "csrf_",
48 }
49
50 cfg := Config{
51 CookieName: "csrf_",
52 Extractor: insecureCookieExtractor,
53 }
54
55 require.Panics(t, func() {
56 configDefault(cfg)
57 }, "Should panic when extractor reads from same cookie")
58 })
59
60 // Test insecure chained extractors
61 t.Run("InsecureChainedExtractor", func(t *testing.T) {
62 t.Parallel()
63 insecureCookieExtractor := extractors.Extractor{
64 Extract: func(c fiber.Ctx) (string, error) {
65 return c.Cookies("csrf_"), nil
66 },
67 Source: extractors.SourceCookie,
68 Key: "csrf_",
69 }
70
71 chainedExtractor := extractors.Chain(
72 extractors.FromHeader("X-Csrf-Token"),
