| 1870 | // Test_CSRF_UnsafeHeaderValue ensures that unsafe header values, such as those described in https://github.com/gofiber/fiber/issues/2045, are rejected and the bug remains fixed. |
| 1871 | // go test -race -run Test_CSRF_UnsafeHeaderValue |
| 1872 | func Test_CSRF_UnsafeHeaderValue(t *testing.T) { |
| 1873 | t.Parallel() |
| 1874 | app := fiber.New() |
| 1875 | |
| 1876 | app.Use(New()) |
| 1877 | app.Get("/", func(c fiber.Ctx) error { |
| 1878 | return c.SendStatus(fiber.StatusOK) |
| 1879 | }) |
| 1880 | app.Get("/test", func(c fiber.Ctx) error { |
| 1881 | return c.SendStatus(fiber.StatusOK) |
| 1882 | }) |
| 1883 | app.Post("/", func(c fiber.Ctx) error { |
| 1884 | return c.SendStatus(fiber.StatusOK) |
| 1885 | }) |
| 1886 | |
| 1887 | resp, err := app.Test(httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)) |
| 1888 | require.NoError(t, err) |
| 1889 | require.Equal(t, fiber.StatusOK, resp.StatusCode) |
| 1890 | |
| 1891 | var token string |
| 1892 | for _, c := range resp.Cookies() { |
| 1893 | if c.Name != ConfigDefault.CookieName { |
| 1894 | continue |
| 1895 | } |
| 1896 | token = c.Value |
| 1897 | break |
| 1898 | } |
| 1899 | |
| 1900 | t.Log("token", token) |
| 1901 | |
| 1902 | getReq := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody) |
| 1903 | getReq.Header.Set(HeaderName, token) |
| 1904 | resp, err = app.Test(getReq) |
| 1905 | require.NoError(t, err) |
| 1906 | require.Equal(t, fiber.StatusOK, resp.StatusCode) |
| 1907 | |
| 1908 | getReq = httptest.NewRequest(fiber.MethodGet, "/test", http.NoBody) |
| 1909 | getReq.Header.Set("X-Requested-With", "XMLHttpRequest") |
| 1910 | getReq.Header.Set(fiber.HeaderCacheControl, "no") |
| 1911 | getReq.Header.Set(HeaderName, token) |
| 1912 | getReq.AddCookie(&http.Cookie{ |
| 1913 | Name: ConfigDefault.CookieName, |
| 1914 | Value: token, |
| 1915 | }) |
| 1916 | |
| 1917 | resp, err = app.Test(getReq) |
| 1918 | require.NoError(t, err) |
| 1919 | require.Equal(t, fiber.StatusOK, resp.StatusCode) |
| 1920 | |
| 1921 | getReq.Header.Set(fiber.HeaderAccept, "*/*") |
| 1922 | getReq.Header.Del(HeaderName) |
| 1923 | resp, err = app.Test(getReq) |
| 1924 | require.NoError(t, err) |
| 1925 | require.Equal(t, fiber.StatusOK, resp.StatusCode) |
| 1926 | |
| 1927 | postReq := httptest.NewRequest(fiber.MethodPost, "/", http.NoBody) |
| 1928 | postReq.Header.Set("X-Requested-With", "XMLHttpRequest") |
| 1929 | postReq.Header.Set(HeaderName, token) |