[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec

Daniel Vandersluis reality.tv.addict at gmail.com
Fri Feb 8 21:50:06 UTC 2013


Sorry, I just realized you did this as a request spec, not as a controller 
spec! That's what I was missing here, thanks!

So is it not possible to do a controller spec with raw data?

On Friday, February 8, 2013 4:01:43 PM UTC-5, lawrence.pit wrote:
>
> Hi Daniel, 
>
>
>    describe "Example", :type => :request do 
>
>      # curl -k -i -X POST -d '{"api_token":0}' 
> https://api.example.local/reset_password 
>      # See 
>
> https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion 
>      it "should not be exploitable by using an integer token value" do 
>        post "/reset_password", '{"api_token":0}', 'CONTENT_TYPE' => 
> 'application/json', 'ACCEPT' => 'application/json' 
>        response.status.should == 401 
>      end 
>
>    end 
>
>
> Cheers, 
> Lawrence 
>
> > I apologize if this message was sent more than once, I tried to post 
> > through the Google Groups page but it didn't seem to work. 
> > 
> > In order to ensure that my application is not vulnerable to this 
> > exploit, I 
> > am trying to create a controller test in RSpec to cover it. In order 
> > to do 
> > so, I need to be able to post raw JSON, but I haven't seemed to find a 
> > way 
> > to do that. In doing some research, I've determined that there at 
> > least 
> > used to be a way to do so using the RAW_POST_DATA header, but this 
> > doesn't 
> > seem to work anymore: 
> > 
> > it "should not be exploitable by using an integer token value" do 
> >> request.env["CONTENT_TYPE"] = "application/json" 
> >> request.env["RAW_POST_DATA"]  = { token: 0 }.to_json 
> >> post :reset_password 
> >> end 
> >> 
> > 
> > When I look at the params hash, token is not set at all, and it just 
> > contains { "controller" => "user", "action" => "reset_password" }. I 
> > get 
> > the same results when trying to use XML, or even when trying to just 
> > use 
> > regular post data, in all cases, it seems to not set it period. 
> > 
> > I know that with the recent Rails vulnerabilities, the way parameters 
> > are 
> > hashed was changed, but is there still a way to post raw data through 
> > RSpec? Can I somehow directly use Rack::Test::Methods? 
> > 
> > Any help would be appreciated. 
> > _______________________________________________ 
> > rspec-users mailing list 
> > rspec... at rubyforge.org <javascript:> 
> > http://rubyforge.org/mailman/listinfo/rspec-users 
> _______________________________________________ 
> rspec-users mailing list 
> rspec... at rubyforge.org <javascript:> 
> http://rubyforge.org/mailman/listinfo/rspec-users 
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://rubyforge.org/pipermail/rspec-users/attachments/20130208/d8fa74ee/attachment.html>


More information about the rspec-users mailing list