
Function Test_CSRF_UnsafeHeaderValue

middleware/csrf/csrf_test.go:1872–1937  ·  view source on GitHub ↗

Test_CSRF_UnsafeHeaderValue ensures that unsafe header values, such as those described in https://github.com/gofiber/fiber/issues/2045, are rejected and that the bug remains fixed. Run it with `go test -race -run Test_CSRF_UnsafeHeaderValue`.



1870// Test_CSRF_UnsafeHeaderValue ensures that unsafe header values, such as those described in https://github.com/gofiber/fiber/issues/2045, are rejected and the bug remains fixed.
1871// go test -race -run Test_CSRF_UnsafeHeaderValue
1872func Test_CSRF_UnsafeHeaderValue(t *testing.T) {
1873 t.Parallel()
1874 app := fiber.New()
1875
1876 app.Use(New())
1877 app.Get("/", func(c fiber.Ctx) error {
1878 return c.SendStatus(fiber.StatusOK)
1879 })
1880 app.Get("/test", func(c fiber.Ctx) error {
1881 return c.SendStatus(fiber.StatusOK)
1882 })
1883 app.Post("/", func(c fiber.Ctx) error {
1884 return c.SendStatus(fiber.StatusOK)
1885 })
1886
1887 resp, err := app.Test(httptest.NewRequest(fiber.MethodGet, "/", http.NoBody))
1888 require.NoError(t, err)
1889 require.Equal(t, fiber.StatusOK, resp.StatusCode)
1890
1891 var token string
1892 for _, c := range resp.Cookies() {
1893 if c.Name != ConfigDefault.CookieName {
1894 continue
1895 }
1896 token = c.Value
1897 break
1898 }
1899
1900 t.Log("token", token)
1901
1902 getReq := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
1903 getReq.Header.Set(HeaderName, token)
1904 resp, err = app.Test(getReq)
1905 require.NoError(t, err)
1906 require.Equal(t, fiber.StatusOK, resp.StatusCode)
1907
1908 getReq = httptest.NewRequest(fiber.MethodGet, "/test", http.NoBody)
1909 getReq.Header.Set("X-Requested-With", "XMLHttpRequest")
1910 getReq.Header.Set(fiber.HeaderCacheControl, "no")
1911 getReq.Header.Set(HeaderName, token)
1912 getReq.AddCookie(&http.Cookie{
1913 Name: ConfigDefault.CookieName,
1914 Value: token,
1915 })
1916
1917 resp, err = app.Test(getReq)
1918 require.NoError(t, err)
1919 require.Equal(t, fiber.StatusOK, resp.StatusCode)
1920
1921 getReq.Header.Set(fiber.HeaderAccept, "*/*")
1922 getReq.Header.Del(HeaderName)
1923 resp, err = app.Test(getReq)
1924 require.NoError(t, err)
1925 require.Equal(t, fiber.StatusOK, resp.StatusCode)
1926
1927 postReq := httptest.NewRequest(fiber.MethodPost, "/", http.NoBody)
1928 postReq.Header.Set("X-Requested-With", "XMLHttpRequest")
1929 postReq.Header.Set(HeaderName, token)
