Diffstat (limited to 'rt/t')
-rw-r--r-- | rt/t/api/password-types.t | 3 | ||||
-rw-r--r-- | rt/t/mail/html-outgoing.t | 3 | ||||
-rw-r--r-- | rt/t/shredder/03plugin_users.t | 2 | ||||
-rw-r--r-- | rt/t/web/csrf.t | 49 |
4 files changed, 55 insertions, 2 deletions
diff --git a/rt/t/api/password-types.t b/rt/t/api/password-types.t
index 9eeded499..3278b488d 100644
--- a/rt/t/api/password-types.t
+++ b/rt/t/api/password-types.t
@@ -16,11 +16,12 @@ ok($root->IsPassword("password"));
 is($root->__Value("Password"), $old, "Unchanged after password check");
 # bcrypt (smaller number of rounds)
+my $rounds = RT->Config->Get("BcryptCost");
 my $salt = Crypt::Eksblowfish::Bcrypt::en_base64("a"x16);
 $root->_Set( Field => "Password", Value => RT::User->_GeneratePassword_bcrypt("smaller", 6, $salt) );
 like($root->__Value("Password"), qr/^\!$default\!06\!/, "Stored with a smaller number of rounds");
 ok($root->IsPassword("smaller"), "Smaller number of bcrypt rounds works");
-like($root->__Value("Password"), qr/^\!$default\!10\!/, "And is now upgraded to salted $default");
+like($root->__Value("Password"), qr/^\!$default\!$rounds\!/, "And is now upgraded to $rounds rounds");
 # Salted SHA-512, one round
 $root->_Set( Field => "Password", Value => RT::User->_GeneratePassword_sha512("other", "salt") );
diff --git a/rt/t/mail/html-outgoing.t b/rt/t/mail/html-outgoing.t
index a37f52cdd..caad10f7a 100644
--- a/rt/t/mail/html-outgoing.t
+++ b/rt/t/mail/html-outgoing.t
@@ -84,6 +84,9 @@ mail_ok {
 SKIP: {
 skip "Only fails on core HTMLFormatter", 9 unless RT->Config->Get("HTMLFormatter") eq "core";
+ require HTML::FormatText::WithLinks::AndTables;
+ skip "Only fails with older verions of HTML::FormatText::WithLinks::AndTables", 9
+ unless $HTML::FormatText::WithLinks::AndTables::VERSION < 0.03;
 diag "Failing HTML -> Text conversion";
 warnings_like {
 my $body = '<table><tr><td><table><tr><td>Foo</td></tr></table></td></tr></table>';
diff --git a/rt/t/shredder/03plugin_users.t b/rt/t/shredder/03plugin_users.t
index 477f1474f..8f0fc2c85 100644
--- a/rt/t/shredder/03plugin_users.t
+++ b/rt/t/shredder/03plugin_users.t
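Review bot: The new pattern `qr/^\!$default\!$rounds\!/` will not match when BcryptCost is configured below 10, because the earlier assertion in this hunk expects the stored cost zero-padded to two digits (`\!06\!` for 6 rounds) while `RT->Config->Get("BcryptCost")` presumably returns an unpadded integer. Formatting it once, `my $rounds = sprintf "%02d", RT->Config->Get("BcryptCost");`, keeps the regex correct for any configured value. The "upgraded" assertion is also vacuous when BcryptCost is configured as 6, the reduced cost the test itself sets two lines earlier, so a guard such as `cmp_ok($rounds, '>', 6, "Configured BcryptCost exceeds the test's reduced cost");` would make that precondition explicit.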
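Review bot: The skip message on the second added line misspells "versions" as "verions"; it is a runtime string that ends up in TAP output, so it should read `skip "Only fails with older versions of HTML::FormatText::WithLinks::AndTables", 9`. The `< 0.03` comparison treats `$VERSION` as a plain number, which is fine for simple releases but mis-handles a version string carrying an underscore or more than one dot; `version->parse($HTML::FormatText::WithLinks::AndTables::VERSION) < version->parse('0.03')` with the core `version` module compares them correctly. The enclosing SKIP block continues past the end of the hunk.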
@@ -6,7 +6,7 @@ use Test::Deep;
 use RT::Test::Shredder tests => 21;
 my $test = "RT::Test::Shredder";
-my @ARGS = sort qw(limit status name member_of not_member_of email replace_relations no_tickets);
+my @ARGS = sort qw(limit status name member_of not_member_of email replace_relations no_tickets no_ticket_transactions);
 use_ok('RT::Shredder::Plugin::Users');
 {
diff --git a/rt/t/web/csrf.t b/rt/t/web/csrf.t
index 9d95d0685..3fea28788 100644
--- a/rt/t/web/csrf.t
+++ b/rt/t/web/csrf.t
@@ -34,6 +34,55 @@ $m->get_ok("$test_page&user=root&pass=password");
 $m->content_lacks("Possible cross-site request forgery");
 $m->title_is('Create a new ticket');
+# CSRF parameter whitelist tests
+my $searchBuildPath = '/Search/Build.html';
+
+# CSRF whitelist for /Search/Build.html param SavedSearchLoad
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF pass for /Search/Build.html no param
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF fail for /Search/Build.html arbitrary param only
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF fail for /Search/Build.html arbitrary param with SavedSearchLoad
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?SavedSearchLoad=foo&foo=bar");
+$m->content_contains('Possible cross-site request forgery');
+$m->title_is('Possible cross-site request forgery');
+
+# CSRF pass for /Search/Build.html param NewQuery
+$m->add_header(Referer => undef);
+$m->get_ok("$searchBuildPath?NewQuery=1");
+$m->content_lacks('Possible cross-site request forgery');
+$m->title_is('Query Builder');
+
+# CSRF pass for /Ticket/Update.html items in ticket action menu
+$m->add_header(Referer => undef);
+$m->get_ok('/Ticket/Update.html?id=1&Action=foo');
+$m->content_lacks('Possible cross-site request forgery');
+
+# CSRF pass for /Ticket/Update.html reply to message in ticket history
+$m->add_header(Referer => undef);
+$m->get_ok('/Ticket/Update.html?id=1&QuoteTransaction=1&Action=Reply');
+$m->content_lacks('Possible cross-site request forgery');
+
+# CSRF pass for /Articles/Article/ExtractIntoClass.html
+# Action->Extract Article on ticket menu
+$m->add_header(Referer => undef);
+$m->get_ok('/Articles/Article/ExtractIntoClass.html?Ticket=1');
+$m->content_lacks('Possible cross-site request forgery');
+
 # now send a referer from an attacker
 $m->add_header(Referer => 'http://example.net');
 $m->get_ok($test_page);
|
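Review bot: The /Ticket/Update.html and /Articles/Article/ExtractIntoClass.html cases near the end of the hunk only assert that the allowed request passes; unlike the /Search/Build.html block earlier in the hunk, nothing checks that the whitelist is scoped to the named parameters, so a regression that exempted the whole page from the CSRF check would go unnoticed. Reusing the negative form the hunk already has, `$m->get_ok('/Ticket/Update.html?id=1&Action=foo&foo=bar'); $m->content_contains('Possible cross-site request forgery');`, pins that an extra unlisted parameter is still rejected, and the same pair fits `ExtractIntoClass.html?Ticket=1&foo=bar`. Those three cases also have no `title_is` on the rendered page, so a response that failed for an unrelated reason would still satisfy `content_lacks`.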