[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec

Lawrence Pit lawrence.pit at gmail.com
Fri Feb 8 21:01:43 UTC 2013


Hi Daniel,


   require 'spec_helper'

   describe "Example", :type => :request do

     # Equivalent request from the command line:
     #   curl -k -i -X POST -d '{"api_token":0}' https://api.example.local/reset_password
     # See https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion
     it "should not be exploitable by using an integer token value" do
       # In a request spec the second argument is the raw body and the third
       # is the Rack env, so the JSON string is sent untouched.
       post "/reset_password", '{"api_token":0}', 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json'
       response.status.should == 401
     end

   end


Cheers,
Lawrence

> I apologize if this message was sent more than once, I tried to post
> through the Google Groups page but it didn't seem to work.
>
> In order to ensure that my application is not vulnerable to this
> exploit, I am trying to create a controller test in RSpec to cover it.
> In order to do so, I need to be able to post raw JSON, but I haven't
> seemed to find a way to do that. In doing some research, I've determined
> that there at least used to be a way to do so using the RAW_POST_DATA
> header, but this doesn't seem to work anymore:
>
>   it "should not be exploitable by using an integer token value" do
>     request.env["CONTENT_TYPE"] = "application/json"
>     request.env["RAW_POST_DATA"] = { token: 0 }.to_json
>     post :reset_password
>   end
>
> When I look at the params hash, token is not set at all, and it just
> contains { "controller" => "user", "action" => "reset_password" }. I get
> the same results when trying to use XML, or even when trying to just use
> regular post data; in all cases, it seems to not set it, period.
>
> I know that with the recent Rails vulnerabilities, the way parameters
> are hashed was changed, but is there still a way to post raw data through
> RSpec? Can I somehow directly use Rack::Test::Methods?
>
> Any help would be appreciated.
> _______________________________________________
> rspec-users mailing list
> rspec-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/rspec-users
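Lawrence's request-spec approach, worked through below as an added example that is not part of this thread and needs no Rails, RSpec or gems: it hand-builds the Rack env that a request spec's `post path, body, headers` call produces (raw body in `rack.input`, content type in `CONTENT_TYPE`), parses the body by content type, and runs it against a minimal reset_password endpoint whose token lookup accepts only a non-empty String. The endpoint, the USERS sample data and every helper name are assumptions made for illustration. It also shows why the body has to be raw JSON for this test: a form-encoded `api_token=0` always arrives as the String "0", while a JSON body delivers the Integer 0 (or nil, or an Array) that the check must reject.

```ruby
require 'json'
require 'stringio'
require 'uri'

# Constructed sample data (not from the thread): one user with a known API token.
USERS = [
  { id: 1, email: 'alice@example.local', api_token: 'c0ffee-secret-token' },
].freeze

# Build a Rack-style env the way a request spec's
#   post "/reset_password", body, 'CONTENT_TYPE' => type, 'ACCEPT' => accept
# does: the raw body goes into rack.input untouched and the headers into the env.
def build_env(method, path, raw_body, headers = {})
  {
    'REQUEST_METHOD' => method,
    'PATH_INFO'      => path,
    'CONTENT_TYPE'   => headers.fetch('CONTENT_TYPE', 'application/x-www-form-urlencoded'),
    'HTTP_ACCEPT'    => headers.fetch('ACCEPT', 'application/json'),
    'CONTENT_LENGTH' => raw_body.bytesize.to_s,
    'rack.input'     => StringIO.new(raw_body),
  }
end

# Decode the body according to its content type.  JSON keeps the client's
# types (0 stays an Integer, null becomes nil, [] becomes an Array), whereas a
# form-encoded body can only ever yield Strings.
def parse_params(env)
  raw = env['rack.input'].read
  case env['CONTENT_TYPE']
  when %r{\Aapplication/json}
    JSON.parse(raw)
  else
    URI.decode_www_form(raw).to_h
  end
end

# Hardened lookup: only a non-empty String may reach the query, so an Integer,
# nil or Array supplied through JSON is rejected before any comparison happens.
def find_user_by_token(token)
  return nil unless token.is_a?(String) && !token.empty?
  USERS.find { |u| u[:api_token] == token }
end

# The hypothetical endpoint under test, written as a Rack app:
# env in, [status, headers, body] out.
def reset_password_app(env)
  params = parse_params(env)
  params = {} unless params.is_a?(Hash)   # a JSON body may be a bare array or scalar
  user = find_user_by_token(params['api_token'])
  if user
    [200, { 'Content-Type' => 'application/json' }, [{ reset: user[:id] }.to_json]]
  else
    [401, { 'Content-Type' => 'application/json' }, [{ error: 'unauthorized' }.to_json]]
  end
rescue JSON::ParserError
  [400, { 'Content-Type' => 'application/json' }, [{ error: 'bad request' }.to_json]]
end

# What the request spec's post + response.status amount to: send a raw body
# with the given content type and return the status code.
def post_reset_password(raw_body, content_type = 'application/json')
  env = build_env('POST', '/reset_password', raw_body, 'CONTENT_TYPE' => content_type)
  reset_password_app(env).first
end

# The api_token value as the application sees it after parsing, to show the
# type difference between a JSON and a form-encoded body.
def parsed_token(raw_body, content_type = 'application/json')
  env = build_env('POST', '/reset_password', raw_body, 'CONTENT_TYPE' => content_type)
  parse_params(env)['api_token']
end

if __FILE__ == $PROGRAM_NAME
  puts post_reset_password('{"api_token":0}')                       # 401: Integer rejected
  puts post_reset_password('{"api_token":null}')                    # 401: nil rejected
  puts post_reset_password('{"api_token":[]}')                      # 401: Array rejected
  puts post_reset_password('{"api_token":"c0ffee-secret-token"}')   # 200: valid String
  puts parsed_token('api_token=0', 'application/x-www-form-urlencoded').inspect  # "0", a String
end
```

The form-encoded case is the reason Daniel's `post :reset_password, token: 0` style of test cannot exercise this bug: the value is stringified on the way in, so the test passes regardless of whether the lookup is hardened. Only a raw JSON body, sent as Lawrence shows, reproduces the Integer the attacker can send with curl.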

