discourse/spec/requests/csp_reports_controller_spec.rb

# frozen_string_literal: true

require 'rails_helper'

describe CspReportsController do
  describe '#create' do
    before do
      SiteSetting.content_security_policy = true
      SiteSetting.content_security_policy_collect_reports = true

      @orig_logger = Rails.logger
      Rails.logger = @fake_logger = FakeLogger.new
    end

    after do
      Rails.logger = @orig_logger
    end

    def send_report
      post '/csp_reports', params: {
        "csp-report": {
          "document-uri": "http://localhost:3000/",
          "referrer": "",
          "violated-directive": "script-src",
          "effective-directive": "script-src",
          "original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
          "disposition": "report",
          "blocked-uri": "http://suspicio.us/assets.js",
          "line-number": 25,
          "source-file": "http://localhost:3000/",
          "status-code": 200,
          "script-sample": "console.log('unsafe')"
        }
      }.to_json, headers: { "Content-Type": "application/csp-report" }
    end

    it 'is enabled by SiteSetting' do
      SiteSetting.content_security_policy = false
      SiteSetting.content_security_policy_report_only = false
      SiteSetting.content_security_policy_collect_reports = true
      send_report
      expect(response.status).to eq(200)

      SiteSetting.content_security_policy = true
      send_report
      expect(response.status).to eq(200)

      SiteSetting.content_security_policy_collect_reports = false
      send_report
      expect(response.status).to eq(404)
    end

    it 'logs the violation report' do
      send_report
      expect(Rails.logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")
    end
  end
end
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction 2019-04-29 20:27:42 -04:00			`# frozen_string_literal: true`

FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`require 'rails_helper'`

			`describe CspReportsController do`
			`describe '#create' do`
			`before do`
			`SiteSetting.content_security_policy = true`
			`SiteSetting.content_security_policy_collect_reports = true`

			`@orig_logger = Rails.logger`
			`Rails.logger = @fake_logger = FakeLogger.new`
			`end`

			`after do`
			`Rails.logger = @orig_logger`
			`end`

			`def send_report`
			`post '/csp_reports', params: {`
			`"csp-report": {`
			`"document-uri": "http://localhost:3000/",`
			`"referrer": "",`
			`"violated-directive": "script-src",`
			`"effective-directive": "script-src",`
			`"original-policy": "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",`
			`"disposition": "report",`
			`"blocked-uri": "http://suspicio.us/assets.js",`
			`"line-number": 25,`
			`"source-file": "http://localhost:3000/",`
			`"status-code": 200,`
DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337) 2020-04-02 11:16:38 -04:00			`"script-sample": "console.log('unsafe')"`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`}`
			`}.to_json, headers: { "Content-Type": "application/csp-report" }`
			`end`

			`it 'is enabled by SiteSetting' do`
			`SiteSetting.content_security_policy = false`
			`SiteSetting.content_security_policy_report_only = false`
			`SiteSetting.content_security_policy_collect_reports = true`
			`send_report`
allow CSP reports to be sent when header isn't set by Discourse (#6594) 2018-11-14 16:23:29 -05:00			`expect(response.status).to eq(200)`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00
			`SiteSetting.content_security_policy = true`
			`send_report`
			`expect(response.status).to eq(200)`

			`SiteSetting.content_security_policy_collect_reports = false`
			`send_report`
			`expect(response.status).to eq(404)`
			`end`

			`it 'logs the violation report' do`
			`send_report`
DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337) 2020-04-02 11:16:38 -04:00			`expect(Rails.logger.warnings).to include("CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')")`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`end`
			`end`
			`end`