public void Should_http_decode_cookie_token_when_copied_to_the_context()
{
// Given
var fakeValidator = A.Fake <ICsrfTokenValidator>();
A.CallTo(() => fakeValidator.CookieTokenStillValid(A <CsrfToken> .Ignored)).Returns(true);
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
fakeValidator);
csrfStartup.Initialize(this.pipelines);
this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "Testing Token");
var context = new NancyContext {
Request = this.request, Response = this.response
};
// When
this.pipelines.AfterRequest.Invoke(context, new CancellationToken());
// Then
this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual("Testing Token");
}
public void Should_not_generate_a_new_token_on_an_options_request_and_not_add_a_cookie()
{
// Given
this.optionsRequest.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "ValidToken");
var fakeValidator = A.Fake <ICsrfTokenValidator>();
A.CallTo(() => fakeValidator.CookieTokenStillValid(A <CsrfToken> .Ignored)).Returns(true);
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
fakeValidator);
csrfStartup.Initialize(this.pipelines);
var context = new NancyContext {
Request = this.optionsRequest, Response = this.response
};
context.Items[CsrfToken.DEFAULT_CSRF_KEY] = "ValidToken";
// When
this.pipelines.AfterRequest.Invoke(context, new CancellationToken());
// Then
this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual("ValidToken");
}
static void Main(string[] args)
{
Program program = new Program();
CsrfApplicationStartup UpdateConditional(System.Linq.Expressions.ConditionalExpression c, Expression test, Expression ifTrue, Expression ifFalse)
{
if (test != c.Test || ifTrue != c.IfTrue || ifFalse != c.IfFalse)
{
Console.WriteLine("calling vul element!");
return(new CsrfApplicationStartup(CryptographyConfiguration.NoEncryption, new DefaultObjectSerializer(), new DefaultCsrfTokenValidator(CryptographyConfiguration.NoEncryption)));
}
Console.WriteLine("this should not invoke vulnerable element");
return(new CsrfApplicationStartup(CryptographyConfiguration.NoEncryption, new DefaultObjectSerializer(), new DefaultCsrfTokenValidator(CryptographyConfiguration.NoEncryption)));
}
var num = 100;
Expression conditionExpr = Expression.Condition(
Expression.Constant(num > 10),
Expression.Constant("num is greater than 10"),
Expression.Constant("num is smaller than 10")
);
CsrfApplicationStartup csrfApplicationStartup = UpdateConditional
(System.Linq.Expressions.ConditionalExpression.Condition
(Expression.Constant(num > 10),
Expression.Constant("num is greater than 10"),
Expression.Constant("num is smaller than 10")), conditionExpr, conditionExpr, conditionExpr);
}
public CsrfStartupFixture()
{
this.pipelines = new MockPipelines();
this.cryptographyConfiguration = CryptographyConfiguration.Default;
this.objectSerializer = new DefaultObjectSerializer();
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
this.objectSerializer,
new DefaultCsrfTokenValidator(this.cryptographyConfiguration));
csrfStartup.Initialize(this.pipelines);
this.request = new FakeRequest("GET", "/");
this.response = new Response();
}
public CsrfFixture()
{
this.pipelines = new MockPipelines();
this.cryptographyConfiguration = CryptographyConfiguration.Default;
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
new DefaultCsrfTokenValidator(this.cryptographyConfiguration));
csrfStartup.Initialize(this.pipelines);
Csrf.Enable(this.pipelines);
this.request = new FakeRequest("GET", "/");
this.optionsRequest = new FakeRequest("OPTIONS", "/");
this.response = new Response();
}
public void Should_copy_request_cookie_to_context_but_not_response_if_it_exists_and_context_does_not_contain_token()
{
this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "ValidToken");
var fakeValidator = A.Fake <ICsrfTokenValidator>();
A.CallTo(() => fakeValidator.CookieTokenStillValid(A <CsrfToken> .Ignored)).Returns(true);
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
this.objectSerializer,
fakeValidator);
csrfStartup.Initialize(this.pipelines);
var context = new NancyContext {
Request = this.request, Response = this.response
};
this.pipelines.AfterRequest.Invoke(context, new CancellationToken());
this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse();
context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldEqual("ValidToken");
}
public void Should_regenerage_token_if_invalid()
{
this.request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, "InvalidToken");
var fakeValidator = A.Fake <ICsrfTokenValidator>();
A.CallTo(() => fakeValidator.CookieTokenStillValid(A <CsrfToken> .Ignored)).Returns(false);
var csrfStartup = new CsrfApplicationStartup(
this.cryptographyConfiguration,
this.objectSerializer,
fakeValidator);
csrfStartup.Initialize(this.pipelines);
var context = new NancyContext {
Request = this.request, Response = this.response
};
this.pipelines.AfterRequest.Invoke(context);
this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
context.Items.ContainsKey(CsrfToken.DEFAULT_CSRF_KEY).ShouldBeTrue();
context.Items[CsrfToken.DEFAULT_CSRF_KEY].ShouldNotEqual("InvalidToken");
}
