[rspec-users] Sending raw JSON data with Rails 3.2.11 and RSpec


Daniel

Feb 8, 2013, 10:29:46 AM
to rspec...@rubyforge.org
I apologize if this message was sent more than once, I tried to post through the Google Groups page but it didn't seem to work.

In order to ensure that my application is not vulnerable to this exploit, I am trying to create a controller test in RSpec to cover it. In order to do so, I need to be able to post raw JSON, but I haven't been able to find a way to do that. In doing some research, I've determined that there at least used to be a way to do so using the RAW_POST_DATA header, but this doesn't seem to work anymore:

it "should not be exploitable by using an integer token value" do
  request.env["CONTENT_TYPE"] = "application/json"
  request.env["RAW_POST_DATA"] = { token: 0 }.to_json
  post :reset_password
end

When I look at the params hash, token is not set at all, and it just contains { "controller" => "user", "action" => "reset_password" }. I get the same results when trying to use XML, or even when trying to just use regular post data, in all cases, it seems to not set it period.

I know that with the recent Rails vulnerabilities, the way parameters are hashed was changed, but is there still a way to post raw data through RSpec? Can I somehow directly use Rack::Test::Methods?

Any help would be appreciated.

Lawrence Pit

Feb 8, 2013, 4:01:43 PM
to rspec-users
Hi Daniel,


describe "Example", :type => :request do

  # curl -k -i -X POST -d '{"api_token":0}' https://api.example.local/reset_password
  # See https://groups.google.com/d/topic/rubyonrails-security/ZOdH5GH5jCU/discussion
  it "should not be exploitable by using an integer token value" do
    post "/reset_password", '{"api_token":0}',
         'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json'
    response.status.should == 401
  end

end


Cheers,
Lawrence
_______________________________________________
rspec-users mailing list
rspec...@rubyforge.org
http://rubyforge.org/mailman/listinfo/rspec-users

Daniel Vandersluis

Feb 8, 2013, 4:44:44 PM
to rs...@googlegroups.com, rspec-users
Hi Lawrence, thanks for the response. Unfortunately, when I try that, I get:

NoMethodError: undefined method `symbolize_keys' for "{\"api_token\":0}":String
/Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:150:in `assign_parameters'
/Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:463:in `process'
/Users/daniel/.rvm/gems/ruby-1.9.3-327/gems/actionpack-3.2.11/lib/action_controller/test_case.rb:49:in `process'
/Users/daniel/rails/spec/controllers/user_controller_spec.rb:10:in `block (2 levels) in <top (required)>'

Daniel Vandersluis

Feb 8, 2013, 4:50:06 PM
to rs...@googlegroups.com, rspec-users
Sorry, I just realized you did this as a request spec, not as a controller spec! That's what I was missing here, thanks!

So is it not possible to do a controller spec with raw data?


Lawrence Pit

Feb 9, 2013, 1:51:05 AM
to rspec-users

> So is it not possible to do a controller spec with raw data?

Not that I know of. In the controller the raw data is assumed to have
been parsed already.

You could also simply set the parameter value to an integer in your test
and then call your controller action:

params["token"] = 0

That should give you the same query manipulation if you have this in
your controller action:

User.find_by_token(params["token"])


Cheers,
Lawrence
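Added example, not code from this thread or from Rails: a stdlib-only stand-in that exercises both testing styles discussed above, the request-spec style (raw JSON body plus CONTENT_TYPE header, as in Lawrence's first reply) and the controller-spec style (an already-parsed params value, as in his second reply), against a handler that carries the type check the integer-token test is looking for. `ResetPasswordApp`, `rack_env_for_json`, `status_for_raw_json`, `found_for_param` and the `USERS_BY_TOKEN` table are all hypothetical names and constructed data; the param is called `token` to match Daniel's `find_by_token(params["token"])`, where Lawrence's curl used `api_token`. The body parser is modelled on what the Rails 3.2 params parser does with a JSON body (non-object documents wrapped under `_json`), but it is this example's own code, not the framework's.

```ruby
require 'json'
require 'stringio'

# Constructed sample data: the token strings a real app would keep in its users table.
USERS_BY_TOKEN = {
  "2b8f1c0e4d7a" => "alice@example.com",
}.freeze

# Hypothetical Rack-style app. It parses the raw JSON body itself, so a test can
# hand it a string body exactly as a request spec's `post path, body, headers` would.
class ResetPasswordApp
  JSON_HEADERS = { "Content-Type" => "application/json" }.freeze

  def call(env)
    params = parse_json_body(env)
    token  = params.is_a?(Hash) ? params["token"] : nil
    email  = find_by_token(token)
    return [401, JSON_HEADERS, ['{"error":"unauthorized"}']] unless email
    [200, JSON_HEADERS, [{ "reset_for" => email }.to_json]]
  end

  # Modelled on a Rails-style JSON params parser: a non-JSON content type yields no
  # params, malformed JSON yields no params, and a document whose top level is not
  # an object is wrapped under "_json" rather than trusted as the params hash.
  def parse_json_body(env)
    return {} unless env["CONTENT_TYPE"].to_s.start_with?("application/json")
    data = JSON.parse(env["rack.input"].read)
    data.is_a?(Hash) ? data : { "_json" => data }
  rescue JSON::ParserError
    {}
  end

  # The finder the thread's controller calls, with the guard the test is checking
  # for: only a non-empty String is ever compared against the token column. An
  # Integer, nil, Array or Hash is rejected before any lookup is built, so the
  # `WHERE token = 0` and `WHERE token IS NULL` query shapes cannot be produced.
  def find_by_token(token)
    return nil unless token.is_a?(String) && !token.empty?
    USERS_BY_TOKEN[token]
  end
end

# Build the Rack env that a request spec's
# `post "/reset_password", body, 'CONTENT_TYPE' => 'application/json'` produces.
def rack_env_for_json(path, body, content_type = "application/json")
  {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO"      => path,
    "CONTENT_TYPE"   => content_type,
    "CONTENT_LENGTH" => body.bytesize.to_s,
    "rack.input"     => StringIO.new(body),
  }
end

# Request-spec style: raw body in, HTTP status out.
def status_for_raw_json(body)
  ResetPasswordApp.new.call(rack_env_for_json("/reset_password", body)).first
end

# Controller-spec style (Lawrence's second suggestion): bypass the body parser and
# hand the action an already-parsed params value such as `params["token"] = 0`.
def found_for_param(token)
  ResetPasswordApp.new.find_by_token(token)
end

if __FILE__ == $0
  ['{"token":0}', '{"token":null}', '{"token":[null]}', '{"token":"2b8f1c0e4d7a"}',
   '[0]', 'not json'].each do |body|
    puts "#{body.ljust(28)} -> #{status_for_raw_json(body)}"
  end
end
```

The two entry points map onto the two spec styles in the thread: `status_for_raw_json` is what a request spec sees (the body goes through content-type detection and parsing before the action runs), while `found_for_param` is what a controller spec can reach (the action's input is already a parsed value, which is why `RAW_POST_DATA` is ignored there). Whichever style you use, the property under test is the same: a token that is not a non-empty string never reaches the finder.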