discourse/spec/requests/csp_reports_controller_spec.rb

# frozen_string_literal: true

RSpec.describe CspReportsController do
  describe "#create" do
    before do
      SiteSetting.content_security_policy = true
      SiteSetting.content_security_policy_collect_reports = true

      @orig_logger = Rails.logger
      Rails.logger = @fake_logger = FakeLogger.new
    end

    after { Rails.logger = @orig_logger }

    def send_report
      post "/csp_reports",
           params: {
             "csp-report": {
               "document-uri": "http://localhost:3000/",
               referrer: "",
               "violated-directive": "script-src",
               "effective-directive": "script-src",
               "original-policy":
                 "script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",
               disposition: "report",
               "blocked-uri": "http://suspicio.us/assets.js",
               "line-number": 25,
               "source-file": "http://localhost:3000/",
               "status-code": 200,
               "script-sample": "console.log('unsafe')",
             },
           }.to_json,
           headers: {
             "Content-Type": "application/csp-report",
           }
    end

    it "returns an error for invalid reports" do
      SiteSetting.content_security_policy_collect_reports = true

      post "/csp_reports",
           params: "[ not-json",
           headers: {
             "Content-Type": "application/csp-report",
           }

      expect(response.status).to eq(422)

      post "/csp_reports",
           params: ["yes json"].to_json,
           headers: {
             "Content-Type": "application/csp-report",
           }

      expect(response.status).to eq(422)
    end

    it "is enabled by SiteSetting" do
      SiteSetting.content_security_policy = false
      SiteSetting.content_security_policy_report_only = false
      SiteSetting.content_security_policy_collect_reports = true
      send_report
      expect(response.status).to eq(200)

      SiteSetting.content_security_policy = true
      send_report
      expect(response.status).to eq(200)

      SiteSetting.content_security_policy_collect_reports = false
      send_report
      expect(response.status).to eq(404)
    end

    it "logs the violation report" do
      send_report
      expect(@fake_logger.warnings).to include(
        "CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')",
      )
    end
  end
end
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction 2019-04-29 20:27:42 -04:00			`# frozen_string_literal: true`

Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-27 22:27:38 -04:00			`RSpec.describe CspReportsController do`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`describe "#create" do`
			`before do`
			`SiteSetting.content_security_policy = true`
			`SiteSetting.content_security_policy_collect_reports = true`

			`@orig_logger = Rails.logger`
			`Rails.logger = @fake_logger = FakeLogger.new`
			`end`

			`after { Rails.logger = @orig_logger }`

			`def send_report`
			`post "/csp_reports",`
			`params: {`
			`"csp-report": {`
			`"document-uri": "http://localhost:3000/",`
			`referrer: "",`
			`"violated-directive": "script-src",`
			`"effective-directive": "script-src",`
			`"original-policy":`
			`"script-src 'unsafe-eval' www.google-analytics.com; report-uri /csp_reports",`
			`disposition: "report",`
			`"blocked-uri": "http://suspicio.us/assets.js",`
			`"line-number": 25,`
			`"source-file": "http://localhost:3000/",`
			`"status-code": 200,`
DEV: Only include "report-sample" CSP directive when reporting is enabled (#9337) 2020-04-02 11:16:38 -04:00			`"script-sample": "console.log('unsafe')",`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`},`
			`}.to_json,`
			`headers: {`
			`"Content-Type": "application/csp-report",`
			`}`
			`end`

FIX: stop logging blank and invalid CSP reports (#17144) Certain rogue bots such as Yandex may send across invalid CSP reports when CSP report collection is enabled. This ensures that invalid reports will not cause log floods and simply returns a 422 error. Co-authored-by: Alan Guo Xiang Tan <gxtan1990@gmail.com> 2022-06-20 02:57:46 -04:00			`it "returns an error for invalid reports" do`
			`SiteSetting.content_security_policy_collect_reports = true`

			`post "/csp_reports",`
			`params: "[ not-json",`
			`headers: {`
			`"Content-Type": "application/csp-report",`
			`}`

			`expect(response.status).to eq(422)`

			`post "/csp_reports",`
			`params: ["yes json"].to_json,`
			`headers: {`
			`"Content-Type": "application/csp-report",`
			`}`

			`expect(response.status).to eq(422)`
			`end`

FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`it "is enabled by SiteSetting" do`
			`SiteSetting.content_security_policy = false`
			`SiteSetting.content_security_policy_report_only = false`
			`SiteSetting.content_security_policy_collect_reports = true`
			`send_report`
allow CSP reports to be sent when header isn't set by Discourse (#6594) 2018-11-14 16:23:29 -05:00			`expect(response.status).to eq(200)`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00
			`SiteSetting.content_security_policy = true`
			`send_report`
			`expect(response.status).to eq(200)`

			`SiteSetting.content_security_policy_collect_reports = false`
			`send_report`
			`expect(response.status).to eq(404)`
			`end`

			`it "logs the violation report" do`
			`send_report`
DEV: Use `FakeLogger` in RequestTracker specs (#16640) `TestLogger` was responsible for some flaky specs runs: ``` Error during failsafe response: undefined method `debug' for #<TestLogger:0x0000556c4b942cf0 @warnings=1> Did you mean? debugger ``` This commit also cleans up other uses of `FakeLogger` 2022-05-04 21:53:54 -04:00			`expect(@fake_logger.warnings).to include(`
			`"CSP Violation: 'http://suspicio.us/assets.js' \n\nconsole.log('unsafe')",`
			`)`
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`end`
			`end`
			`end`