rubygem-actionpack/CVE-2024-28103-test.patch
starlet-dx 57fc328fa7 Fix CVE-2024-28103
(cherry picked from commit b0e03059a0a8f3caed107c4efe7d770bfa9b533a)
2024-06-06 10:27:52 +08:00


diff --git a/actionpack/test/dispatch/permissions_policy_test.rb b/actionpack/test/dispatch/permissions_policy_test.rb
index 030e37942bd0e..533b59a55094d 100644
--- a/actionpack/test/dispatch/permissions_policy_test.rb
+++ b/actionpack/test/dispatch/permissions_policy_test.rb
@@ -41,6 +41,57 @@ def test_invalid_directive_source
end
end
+class PermissionsPolicyMiddlewareTest < ActionDispatch::IntegrationTest
+ APP = ->(env) { [200, {}, []] }
+
+ POLICY = ActionDispatch::PermissionsPolicy.new do |p|
+ p.gyroscope :self
+ end
+
+ class PolicyConfigMiddleware
+ def initialize(app)
+ @app = app
+ end
+
+ def call(env)
+ env["action_dispatch.permissions_policy"] = POLICY
+ env["action_dispatch.show_exceptions"] = :none
+
+ @app.call(env)
+ end
+ end
+
+ test "html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "text/html" }, []] })
+ # Dummy CONTENT_TYPE to avoid including backport of the following commit in
+ # a security-related patch:
+ # https://github.com/rails/rails/commit/060887d4c55a8b4038dd4662712007d07e74e625
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "text/html", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ test "non-html requests will set a policy" do
+ @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] })
+ get "/index", headers: { Rack::CONTENT_TYPE => 'cant/be-nil' }
+
+ assert_equal "application/json", response.headers['Content-Type']
+ assert_equal "gyroscope 'self'", response.headers['Feature-Policy']
+ end
+
+ private
+ def build_app(app)
+ PolicyConfigMiddleware.new(
+ Rack::Lint.new(
+ ActionDispatch::PermissionsPolicy::Middleware.new(
+ Rack::Lint.new(app),
+ ),
+ ),
+ )
+ end
+end
+
class PermissionsPolicyIntegrationTest < ActionDispatch::IntegrationTest
class PolicyController < ActionController::Base
permissions_policy only: :index do |f|