[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec

Daniel reality.tv.addict at gmail.com
Fri Feb 8 15:29:46 UTC 2013

I apologize if this message was sent more than once, I tried to post
through the Google Groups page but it didn't seem to work.

In order to ensure that my application is not vulnerable to this exploit, I
am trying to create a controller test in RSpec to cover it. In order to do
so, I need to be able to post raw JSON, but I haven't seemed to find a way
to do that. In doing some research, I've determined that there at least
used to be a way to do so using the RAW_POST_DATA header, but this doesn't
seem to work anymore:

it "should not be exploitable by using an integer token value" do
>   request.env["CONTENT_TYPE"] = "application/json"
>   request.env["RAW_POST_DATA"]  = { token: 0 }.to_json
>   post :reset_password
> end

When I look at the params hash, token is not set at all, and it just
contains { "controller" => "user", "action" => "reset_password" }. I get
the same results when trying to use XML, or even when trying to just use
regular post data, in all cases, it seems to not set it period.

I know that with the recent Rails vulnerabilities, the way parameters are
hashed was changed, but is there still a way to post raw data through
RSpec? Can I somehow directly use Rack::Test::Methods?

Any help would be appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rubyforge.org/pipermail/rspec-users/attachments/20130208/7769a006/attachment.html>

More information about the rspec-users mailing list