public void SaltProperty() {
// Arrange
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute();
// Act & Assert
MemberHelper.TestStringProperty(attribute, "Salt", String.Empty, false /* testDefaultValue */, true /* allowNullAndEmpty */);
}
public void ValidateThunk_DefaultsToAntiForgeryMethod() {
// Arrange
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute();
// Act & Assert
Assert.AreEqual(AntiForgery.Validate, attribute.ValidateAction);
}
public void SaltProperty() {
// Arrange
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute();
// Act & Assert
MemberHelper.TestStringProperty(attribute, "Salt", String.Empty);
}
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
throw new ArgumentNullException("filterContext");
if (_ignore)
return;
//don't apply filter to child methods
if (filterContext.IsChildAction)
return;
//only POST requests
if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
return;
if (!DataSettingsHelper.DatabaseIsInstalled())
return;
var securitySettings = EngineContext.Current.Resolve<SecuritySettings>();
if (!securitySettings.EnableXsrfProtectionForPublicStore)
return;
var validator = new ValidateAntiForgeryTokenAttribute();
validator.OnAuthorization(filterContext);
}
public void SerializerProperty() {
// Arrange
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute();
AntiForgeryDataSerializer newSerializer = new AntiForgeryDataSerializer();
// Act & Assert
MemberHelper.TestPropertyWithDefaultInstance(attribute, "Serializer", newSerializer);
}
public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs, string salt)
{
this._verbs = new AcceptVerbsAttribute(verbs);
this._validator = new ValidateAntiForgeryTokenAttribute()
{
Salt = salt
};
}
public ValidateAntiForgeryTokenWrapperAttribute(HttpVerbs verbs)
{
this._verbs = new AcceptVerbsAttribute(verbs);
this._validator = new ValidateAntiForgeryTokenAttribute()
{
Salt = Consts.AntiForgeryToken
};
}
public void OnAuthorizationThrowsIfFilterContextIsNull() {
// Arrange
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute();
// Act & Assert
ExceptionHelper.ExpectArgumentNullException(
delegate {
attribute.OnAuthorization(null);
}, "filterContext");
}
/// <summary>
/// Initializes a new instance of the <see cref="CustomValidateAntiForgeryTokenAttribute"/> class.
/// </summary>
/// <param name="verbs">The verbs.</param>
/// <param name="salt">The salt.</param>
public CustomValidateAntiForgeryTokenAttribute(HttpVerbs verbs, string salt)
{
Verbs = verbs;
Salt = salt;
AcceptVerbsAttribute = new AcceptVerbsAttribute(Verbs);
Validator = new ValidateAntiForgeryTokenAttribute
{
Salt = Salt
};
}
public void OnAuthorization(AuthorizationContext filterContext)
{
if (!(filterContext.RouteData.Values["validateAntiForgeryToken"] is bool
&& (bool)filterContext.RouteData.Values["validateAntiForgeryToken"]
&& filterContext.HttpContext.Request.HttpMethod == "POST"
&& filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
{
return;
}
string host = filterContext.HttpContext.Request.Url.DnsSafeHost;
ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute();
validator.OnAuthorization(filterContext);
}
public void OnAuthorization(AuthorizationContext filterContext) {
if ((filterContext.HttpContext.Request.HttpMethod != "POST" ||
_authenticationService.GetAuthenticatedUser() == null) && !ShouldValidateGet(filterContext)) {
return;
}
if (!IsAntiForgeryProtectionEnabled(filterContext)) {
return;
}
var validator = new ValidateAntiForgeryTokenAttribute();
validator.OnAuthorization(filterContext);
if (filterContext.HttpContext is HackHttpContext)
filterContext.HttpContext = ((HackHttpContext)filterContext.HttpContext).OriginalHttpContextBase;
}
/// <summary>
/// 校验CSRF Token
/// </summary>
/// <param name="filterContext"></param>
public void OnAuthorization(AuthorizationContext filterContext)
{
//根据Area分区Name将移动端的请求直接返回
var routeDataDictionary = filterContext.RequestContext.RouteData.DataTokens;
if (routeDataDictionary.ContainsKey("area"))
{
string areaName = routeDataDictionary["area"].ToString();
if (areaName.ToLower().Contains("mobileclient"))
return;
}
if (!filterContext.HttpContext.Request.IsAjaxRequest() && string.Equals("post", filterContext.HttpContext.Request.HttpMethod, StringComparison.OrdinalIgnoreCase))
{
string token = string.Empty;
token = filterContext.HttpContext.Request.Form.Get<string>("CurrentUserIdToken", string.Empty);
if (string.IsNullOrEmpty(token))
token = filterContext.HttpContext.Request.QueryString.Get<string>("CurrentUserIdToken", string.Empty);
if (!string.IsNullOrEmpty(token))
{
token = Tunynet.Utilities.WebUtility.UrlDecode(token);
bool isTimeOut = false;
long userId = Utility.DecryptTokenForUploadfile(token.ToString(), out isTimeOut);
if (userId > 0)
return;
}
ValidateAntiForgeryTokenAttribute _validator = new ValidateAntiForgeryTokenAttribute();
try
{
_validator.OnAuthorization(filterContext);
}
catch (Exception ex)
{
LoggerFactory.GetLogger().Error(ex, "安全校验过滤器,校验CSRF Token时失败。");
filterContext.HttpContext.Response.Redirect(SiteUrls.Instance().SystemMessage(filterContext.Controller.TempData, new SystemMessageViewModel
{
StatusMessageType = StatusMessageType.Error,
Title = "安全校验失败",
Body = "安全校验失败!"
}));
}
}
}
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null) throw new ArgumentNullException("filterContext");
if (!_ignore ||
filterContext.IsChildAction ||
!"POST".Equals(filterContext.HttpContext.Request.HttpMethod, StringComparison.InvariantCultureIgnoreCase) ||
!DataSettingsHelper.DatabaseIsInstalled())
return;
// quan trọng nhất là ở đây, cho phép cấu hình kích hoạt/tắt AdminAntiForgeryAttribute trên toàn thể website
var securitySettings = EngineContext.Current.Resolve<SecuritySettings>();
if (!CheckEnableXsrfProtection(securitySettings)) return;
// ok, check complete, assign to ValidateAntiForgeryTokenAttribute to do another job
var validator = new ValidateAntiForgeryTokenAttribute();
validator.OnAuthorization(filterContext);
}
public void OnAuthorization_ForwardsAttributes() {
// Arrange
HttpContextBase context = new Mock<HttpContextBase>().Object;
Mock<AuthorizationContext> authorizationContextMock = new Mock<AuthorizationContext>();
authorizationContextMock.SetupGet(ac => ac.HttpContext).Returns(context);
bool validateCalled = false;
Action<HttpContextBase, string> validateMethod = (c, s) => {
Assert.AreSame(context, c);
Assert.AreEqual("some salt", s);
validateCalled = true;
};
ValidateAntiForgeryTokenAttribute attribute = new ValidateAntiForgeryTokenAttribute(validateMethod) {
Salt = "some salt"
};
// Act
attribute.OnAuthorization(authorizationContextMock.Object);
// Assert
Assert.IsTrue(validateCalled);
}
public ValidateRequestAttribute()
{
// This is what happens when Microsoft make classes sealed/internal
this.mvcAntiForgeryValidator = new ValidateAntiForgeryTokenAttribute();
}
public BaseController()
{
_antiForgeryValidator = new ValidateAntiForgeryTokenAttribute();
}
public ValidateAntiForgeryTokenOnVerbsAttribute(HttpVerbs verbs)
{
_validator = new ValidateAntiForgeryTokenAttribute();
_verbs = new AcceptVerbsAttribute(verbs);
}
