POSTing raw JSON data with Rails 3.2.11 and RSpec


Question

In order to ensure that my application is not vulnerable to this exploit, I am trying to create a controller test in RSpec to cover it. In order to do so, I need to be able to post raw JSON, but I haven't seemed to find a way to do that. In doing some research, I've determined that there at least used to be a way to do so using the RAW_POST_DATA header, but this doesn't seem to work anymore:

it "should not be exploitable by using an integer token value" do
  request.env["CONTENT_TYPE"] = "application/json"
  request.env["RAW_POST_DATA"]  = { token: 0 }.to_json
  post :reset_password
end

When I look at the params hash, token is not set at all, and it just contains { "controller" => "user", "action" => "reset_password" }. I get the same results when trying to use XML, or even when trying to just use regular post data, in all cases, it seems to not set it period.

I know that with the recent Rails vulnerabilities, the way parameters are hashed was changed, but is there still a way to post raw data through RSpec? Can I somehow directly use Rack::Test::Methods?

Recommended answer

As far as I have been able to tell, sending raw POST data is no longer possible within a controller spec. However, it can be done pretty easily in a request spec:

describe "Example", :type => :request do
  it "posts raw JSON" do
    params = { token: 0 }
    # The JSON string is sent as the raw request body; the third argument carries the headers.
    post "/user/reset_password", params.to_json, { 'CONTENT_TYPE' => 'application/json', 'ACCEPT' => 'application/json' }
    #=> params contains { "controller" => "user", "action" => "reset_password", "token" => 0 }
  end
end
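
Why the test needs a raw JSON body, as an added example that is not part of the original question or answer: form-encoded parameters always arrive as strings, while a JSON body keeps `0` as an Integer, so only the JSON request exercises the integer-token case. `RESET_APP`, `parse_params`, `post_raw` and the sample token are hypothetical, and the endpoint is a bare Rack-style lambda built on the standard library, not a Rails controller.

```ruby
require "json"
require "stringio"
require "uri"

# Constructed sample data: one pending reset token (hypothetical value).
RESET_TOKENS = { "3f9c1e7a" => "alice" }.freeze

# Parse the body the way the content type dictates.
def parse_params(raw, content_type)
  if content_type.to_s.start_with?("application/json")
    parsed = JSON.parse(raw)            # keeps JSON types: 0 stays an Integer
    parsed.is_a?(Hash) ? parsed : {}
  else
    URI.decode_www_form(raw).to_h       # form encoding: every value is a String
  end
rescue JSON::ParserError, ArgumentError
  {}                                    # malformed body: treat as no parameters
end

# Hypothetical Rack-style stand-in for the reset_password action.
RESET_APP = lambda do |env|
  token = parse_params(env["rack.input"].read, env["CONTENT_TYPE"])["token"]
  # Guard: only a non-empty String may reach the token lookup.
  unless token.is_a?(String) && !token.empty?
    body = { error: "invalid token", received: token.class.name }.to_json
    return [400, { "Content-Type" => "application/json" }, [body]]
  end
  user = RESET_TOKENS[token]
  [user ? 200 : 404, { "Content-Type" => "application/json" }, [{ user: user }.to_json]]
end

# Build the minimal Rack env for a raw POST and return [status, parsed JSON body].
def post_raw(path, body, content_type)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => path,
          "CONTENT_TYPE" => content_type, "rack.input" => StringIO.new(body) }
  status, _headers, chunks = RESET_APP.call(env)
  [status, JSON.parse(chunks.join)]
end

if __FILE__ == $PROGRAM_NAME
  path = "/user/reset_password"
  p post_raw(path, { token: 0 }.to_json, "application/json")
  p post_raw(path, "token=0", "application/x-www-form-urlencoded")
  p post_raw(path, { token: "3f9c1e7a" }.to_json, "application/json")
end
```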
