        public void Should_http_decode_cookie_token_when_copied_to_the_context()
        {
            // Given: a validator that accepts every cookie token, so the startup's
            // AfterRequest hook is expected to carry the incoming cookie value into
            // the context rather than minting a replacement.
            var validator = A.Fake<ICsrfTokenValidator>();
            A.CallTo(() => validator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

            new CsrfApplicationStartup(this.cryptographyConfiguration, validator)
                .Initialize(this.pipelines);

            this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "Testing Token");
            var ctx = new NancyContext
            {
                Request = this.request,
                Response = this.response,
            };

            // When
            this.pipelines.AfterRequest.Invoke(ctx, CancellationToken.None);

            // Then: no token cookie is written to the response, and the context
            // holds the cookie value (with the space intact, i.e. http-decoded).
            var tokenCookieIssued = this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY);
            tokenCookieIssued.ShouldBeFalse();
            ctx.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
            ctx.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual("Testing Token");
        }
        public void Should_not_generate_a_new_token_on_an_options_request_and_not_add_a_cookie()
        {
            // Given: an OPTIONS request that already carries a token both as a cookie
            // and in the context; the validator treats it as still valid.
            const string existingToken = "ValidToken";
            this.optionsRequest.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, existingToken);

            var validator = A.Fake<ICsrfTokenValidator>();
            A.CallTo(() => validator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

            new CsrfApplicationStartup(this.cryptographyConfiguration, validator)
                .Initialize(this.pipelines);

            var ctx = new NancyContext
            {
                Request = this.optionsRequest,
                Response = this.response,
            };
            ctx.Items[CsrfToken.DEFAULT_CSRF_KEY] = existingToken;

            // When
            this.pipelines.AfterRequest.Invoke(ctx, CancellationToken.None);

            // Then: the OPTIONS path neither sets a token cookie nor replaces the
            // token already present in the context.
            var tokenCookieIssued = this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY);
            tokenCookieIssued.ShouldBeFalse();
            ctx.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
            ctx.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual(existingToken);
        }
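        /// <summary>
        /// Builds two structurally identical conditional expressions and hands them to a
        /// local helper that decides, by reference comparison, whether to report that the
        /// "vulnerable element" was reached. Both paths construct the same
        /// <see cref="CsrfApplicationStartup"/>, so only the console message differs.
        /// </summary>
        /// <param name="args">Command-line arguments; not used.</param>
        static void Main(string[] args)
        {
            // Builds the startup that the original code duplicated in both branches.
            // CryptographyConfiguration.NoEncryption, by its name, leaves the CSRF token
            // unprotected in transit, so this wiring is a demonstration only; whether it
            // also disables HMAC protection is not visible here — confirm before reuse.
            CsrfApplicationStartup CreateUnencryptedStartup() =>
                new CsrfApplicationStartup(
                    CryptographyConfiguration.NoEncryption,
                    new DefaultObjectSerializer(),
                    new DefaultCsrfTokenValidator(CryptographyConfiguration.NoEncryption));

            // Compares the three parts with c's parts by reference (Expression does not
            // overload ==), so any freshly built part counts as "changed".
            CsrfApplicationStartup UpdateConditional(ConditionalExpression c, Expression test, Expression ifTrue, Expression ifFalse)
            {
                if (test != c.Test || ifTrue != c.IfTrue || ifFalse != c.IfFalse)
                {
                    Console.WriteLine("calling vul element!");
                    return CreateUnencryptedStartup();
                }

                Console.WriteLine("this should not invoke vulnerable element");
                return CreateUnencryptedStartup();
            }

            const int num = 100;

            // One builder for the expression the original code spelled out twice.
            ConditionalExpression BuildCondition() => Expression.Condition(
                Expression.Constant(num > 10),
                Expression.Constant("num is greater than 10"),
                Expression.Constant("num is smaller than 10"));

            // Two distinct instances: the reference comparison in UpdateConditional
            // therefore takes the "changed" branch, as in the original program.
            Expression conditionExpr = BuildCondition();
            UpdateConditional(BuildCondition(), conditionExpr, conditionExpr, conditionExpr);

            // The unused `Program program = new Program();` local was dropped; nothing
            // here read it. If the Program constructor has side effects elsewhere in
            // the file, reinstate it — TODO confirm.
        }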
        public CsrfStartupFixture()
        {
            // Shared setup: hook the CSRF startup into a mock pipeline using the
            // default cryptography configuration, default serializer and default
            // token validator; tests drive this.pipelines.AfterRequest directly.
            this.pipelines = new MockPipelines();
            this.cryptographyConfiguration = CryptographyConfiguration.Default;
            this.objectSerializer = new DefaultObjectSerializer();

            var validator = new DefaultCsrfTokenValidator(this.cryptographyConfiguration);
            var startup = new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, validator);
            startup.Initialize(this.pipelines);

            this.response = new Response();
            this.request = new FakeRequest("GET", "/");
        }
        public CsrfFixture()
        {
            // Shared setup: a mock pipeline with the CSRF startup initialised and the
            // CSRF hooks enabled, plus one GET and one OPTIONS request so tests can
            // exercise both the regular and the OPTIONS path.
            this.pipelines = new MockPipelines();
            this.cryptographyConfiguration = CryptographyConfiguration.Default;

            var validator = new DefaultCsrfTokenValidator(this.cryptographyConfiguration);
            var startup = new CsrfApplicationStartup(this.cryptographyConfiguration, validator);
            startup.Initialize(this.pipelines);
            Csrf.Enable(this.pipelines);

            this.response = new Response();
            this.request = new FakeRequest("GET", "/");
            this.optionsRequest = new FakeRequest("OPTIONS", "/");
        }
        public void Should_copy_request_cookie_to_context_but_not_response_if_it_exists_and_context_does_not_contain_token()
        {
            // Given: a request cookie the validator accepts, and a context with no token yet.
            const string cookieToken = "ValidToken";
            this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, cookieToken);

            var validator = A.Fake<ICsrfTokenValidator>();
            A.CallTo(() => validator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

            new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, validator)
                .Initialize(this.pipelines);

            var ctx = new NancyContext
            {
                Request = this.request,
                Response = this.response,
            };

            // When
            this.pipelines.AfterRequest.Invoke(ctx, CancellationToken.None);

            // Then: the cookie value lands in the context, and no token cookie is re-sent.
            var tokenCookieIssued = this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY);
            tokenCookieIssued.ShouldBeFalse();
            ctx.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
            ctx.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual(cookieToken);
        }
        public void Should_regenerage_token_if_invalid()
        {
            // Given: the request carries a token the validator rejects.
            const string rejectedToken = "InvalidToken";
            this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, rejectedToken);

            var validator = A.Fake<ICsrfTokenValidator>();
            A.CallTo(() => validator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(false);

            new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, validator)
                .Initialize(this.pipelines);

            var ctx = new NancyContext
            {
                Request = this.request,
                Response = this.response,
            };

            // When
            this.pipelines.AfterRequest.Invoke(ctx);

            // Then: a replacement token is issued as a cookie and stored in the
            // context, and the rejected value is not carried over.
            var tokenCookieIssued = this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY);
            tokenCookieIssued.ShouldBeTrue();
            ctx.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
            ctx.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldNotEqual(rejectedToken);
        }