jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
c836c93b818ee6a56d3a8ece36eb380f42ba5bf3
danbooru/test/functional/autocomplete_controller_test.rb
evazion c836c93b81 autocomplete: don't send cookies in publicly cached responses. 
Fix session cookies being sent in publicly cached /autocomplete.json
responses. We can't set any cookies in a response that is being publicly
cached, otherwise they'll be visible to other users. If a user's session
cookies were to be cached, then it would allow their account to be stolen.

In reality, well-behaved caches like Cloudflare will simply refuse to
cache responses that contain cookies to avoid this scenario.

https://support.cloudflare.com/hc/en-us/articles/200172516-Understanding-Cloudflare-s-CDN:

    BYPASS is returned when enabling Origin Cache-Control. Cloudflare also
    sets BYPASS when your origin web server sends cookies in the response
    header.
2020-12-15 03:48:59 -06:00

48 lines
1.6 KiB
Ruby
Raw Blame History

require "test_helper"
class AutocompleteControllerTest < ActionDispatch::IntegrationTest
def autocomplete(query, type)
get autocomplete_index_path(search: { query: query, type: type }), as: :json
assert_response :success
response.parsed_body.map { |result| result["value"] }
end
def assert_autocomplete_equals(expected_value, query, type)
assert_equal(expected_value, autocomplete(query, type))
end
context "Autocomplete controller" do
context "index action" do
setup do
create(:tag, name: "azur_lane")
end
should "work for opensearch queries" do
get autocomplete_index_path(search: { query: "azur", type: "opensearch" }), as: :json
assert_response :success
assert_equal(["azur", ["azur_lane"]], response.parsed_body)
end
should "work for tag queries" do
assert_autocomplete_equals(["azur_lane"], "azur", "tag_query")
assert_autocomplete_equals(["azur_lane"], "-azur", "tag_query")
assert_autocomplete_equals(["azur_lane"], "~azur", "tag_query")
assert_autocomplete_equals(["azur_lane"], "AZUR", "tag_query")
assert_autocomplete_equals(["rating:safe"], "rating:s", "tag_query")
assert_autocomplete_equals(["rating:safe"], "-rating:s", "tag_query")
end
should "not set session cookies when the response is publicly cached" do
get autocomplete_index_path(search: { query: "azur", type: "tag_query" }), as: :json
assert_response :success
assert_equal(true, response.cache_control[:public])
assert_equal({}, response.cookies)
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink