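/// <summary>
/// The CSRF cookie value is URL-decoded when the after-request hook copies it into
/// <c>context.Items</c>, and no replacement cookie is written when the validator accepts it.
/// </summary>
/// <remarks>
/// The validator is a fake that accepts every token, so this test covers only the
/// decode-and-copy wiring, not the real token validation.
/// </remarks>
public void Should_http_decode_cookie_token_when_copied_to_the_context()
{
    // Given: a validator that treats every cookie token as still valid
    var fakeValidator = A.Fake<ICsrfTokenValidator>();
    A.CallTo(() => fakeValidator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

    var csrfStartup = new CsrfApplicationStartup(this.cryptographyConfiguration, fakeValidator);
    csrfStartup.Initialize(this.pipelines);

    // The cookie carries the URL-encoded form. A raw "Testing Token" would satisfy the
    // assertion below even if the hook never decoded anything, so the encoded value is
    // what makes this test actually check the decoding named in its title.
    this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "Testing%20Token");

    var context = new NancyContext { Request = this.request, Response = this.response };

    // When
    this.pipelines.AfterRequest.Invoke(context, new CancellationToken());

    // Then: no new cookie was issued, and the decoded token landed in the context
    this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
    context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
    context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual("Testing Token");
}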
/// <summary>
/// An OPTIONS request that already carries a valid token must leave that token
/// untouched: nothing is regenerated and no cookie is appended to the response.
/// </summary>
/// <remarks>
/// The validator is faked to accept every token, so only the OPTIONS handling of the
/// after-request hook is exercised here, not real token validation.
/// </remarks>
public void Should_not_generate_a_new_token_on_an_options_request_and_not_add_a_cookie()
{
    // Given
    const string existingToken = "ValidToken";

    var acceptingValidator = A.Fake<ICsrfTokenValidator>();
    A.CallTo(() => acceptingValidator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

    new CsrfApplicationStartup(this.cryptographyConfiguration, acceptingValidator).Initialize(this.pipelines);

    // Same token on the request cookie and already in the context
    this.optionsRequest.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, existingToken);
    var context = new NancyContext { Request = this.optionsRequest, Response = this.response };
    context.Items[CsrfToken.DEFAULT_CSRF_KEY] = existingToken;

    // When
    this.pipelines.AfterRequest.Invoke(context, CancellationToken.None);

    // Then
    this.response.Cookies.Any(cookie => cookie.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
    context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
    context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual(existingToken);
}
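/// <summary>
/// Harness entry point: builds a <see cref="ConditionalExpression"/>, runs it through a
/// local <c>UpdateConditional</c> that mirrors the expression-tree "update" idiom, and
/// logs which branch constructed the <see cref="CsrfApplicationStartup"/>.
/// </summary>
/// <param name="args">Command-line arguments; unused.</param>
static void Main(string[] args)
{
    // Both branches build the same startup object; only the console message differs.
    // NOTE(review): CryptographyConfiguration.NoEncryption, by its name, leaves CSRF
    // tokens unencrypted and unsigned — acceptable in a harness, never in a real application.
    CsrfApplicationStartup CreateStartup() =>
        new CsrfApplicationStartup(
            CryptographyConfiguration.NoEncryption,
            new DefaultObjectSerializer(),
            new DefaultCsrfTokenValidator(CryptographyConfiguration.NoEncryption));

    // Returns a startup, logging whether any of the three children differ from the
    // expression's own (the "changed" path the harness is probing).
    CsrfApplicationStartup UpdateConditional(ConditionalExpression c, Expression test, Expression ifTrue, Expression ifFalse)
    {
        if (test != c.Test || ifTrue != c.IfTrue || ifFalse != c.IfFalse)
        {
            Console.WriteLine("calling vul element!");
            return CreateStartup();
        }

        Console.WriteLine("this should not invoke vulnerable element");
        return CreateStartup();
    }

    var num = 100;
    ConditionalExpression conditionExpr = Expression.Condition(
        Expression.Constant(num > 10),
        Expression.Constant("num is greater than 10"),
        Expression.Constant("num is smaller than 10"));

    // Passing the whole conditional as every child guarantees a mismatch with c.Test,
    // so the first ("changed") branch is the one taken — the same outcome as before,
    // without building a second identical expression just to compare against.
    _ = UpdateConditional(conditionExpr, conditionExpr, conditionExpr, conditionExpr);
}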
/// <summary>
/// Shared setup for the CSRF startup tests: wires a <see cref="CsrfApplicationStartup"/>
/// using the default cryptography configuration and the real token validator into a
/// mock pipeline, and prepares a bare GET request and an empty response.
/// </summary>
public CsrfStartupFixture()
{
    this.cryptographyConfiguration = CryptographyConfiguration.Default;
    this.objectSerializer = new DefaultObjectSerializer();
    this.pipelines = new MockPipelines();

    // The real validator is registered here; tests that need a permissive one
    // install their own startup with a fake validator on the same pipelines.
    var validator = new DefaultCsrfTokenValidator(this.cryptographyConfiguration);
    var startup = new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, validator);
    startup.Initialize(this.pipelines);

    this.request = new FakeRequest("GET", "/");
    this.response = new Response();
}
/// <summary>
/// Shared setup for the CSRF tests: registers a <see cref="CsrfApplicationStartup"/>
/// with the default cryptography configuration and the real validator, enables CSRF on
/// the mock pipelines, and prepares a GET request, an OPTIONS request and an empty response.
/// </summary>
public CsrfFixture()
{
    this.cryptographyConfiguration = CryptographyConfiguration.Default;
    this.pipelines = new MockPipelines();

    var validator = new DefaultCsrfTokenValidator(this.cryptographyConfiguration);
    var startup = new CsrfApplicationStartup(this.cryptographyConfiguration, validator);
    startup.Initialize(this.pipelines);

    // Enable the CSRF hooks on the same pipelines the startup was initialized with
    Csrf.Enable(this.pipelines);

    this.request = new FakeRequest("GET", "/");
    this.optionsRequest = new FakeRequest("OPTIONS", "/");
    this.response = new Response();
}
/// <summary>
/// When the request already carries a token the validator accepts and the context has
/// none, the after-request hook copies the cookie value into <c>context.Items</c>
/// without writing a new cookie to the response.
/// </summary>
/// <remarks>
/// The validator is faked to accept every token; this test proves the copy wiring,
/// not that a forged token would be rejected.
/// </remarks>
public void Should_copy_request_cookie_to_context_but_not_response_if_it_exists_and_context_does_not_contain_token()
{
    // Given
    const string incomingToken = "ValidToken";

    var acceptingValidator = A.Fake<ICsrfTokenValidator>();
    A.CallTo(() => acceptingValidator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(true);

    var startup = new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, acceptingValidator);
    startup.Initialize(this.pipelines);

    this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, incomingToken);
    var context = new NancyContext { Request = this.request, Response = this.response };

    // When
    this.pipelines.AfterRequest.Invoke(context, CancellationToken.None);

    // Then
    this.response.Cookies.Any(cookie => cookie.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
    context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
    context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual(incomingToken);
}
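/// <summary>
/// When the validator rejects the incoming cookie token, the after-request hook must
/// issue a fresh token: a new cookie is written and the context no longer holds the
/// rejected value.
/// </summary>
/// <remarks>
/// The validator is faked to reject every token, so this covers the regeneration path
/// only; detecting a tampered token is the real validator's own concern.
/// </remarks>
public void Should_regenerage_token_if_invalid()
{
    // Given: a request carrying a token the validator will reject
    this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "InvalidToken");

    var fakeValidator = A.Fake<ICsrfTokenValidator>();
    A.CallTo(() => fakeValidator.CookieTokenStillValid(A<CsrfToken>.Ignored)).Returns(false);

    var csrfStartup = new CsrfApplicationStartup(this.cryptographyConfiguration, this.objectSerializer, fakeValidator);
    csrfStartup.Initialize(this.pipelines);

    var context = new NancyContext { Request = this.request, Response = this.response };

    // When: invoke with an explicit cancellation token, matching the Invoke(context, token)
    // form used by the sibling tests in this fixture
    this.pipelines.AfterRequest.Invoke(context, new CancellationToken());

    // Then: a replacement cookie was set and the context token was replaced
    this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
    context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
    context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldNotEqual("InvalidToken");
}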