Tests for CSRF

This commit is contained in:
swaggboi 2024-08-15 19:56:02 -04:00
parent e590fe26e5
commit b29a95d0cb
4 changed files with 88 additions and 5 deletions

View file

@ -10,6 +10,11 @@ my %valid_login = (
);
subtest Login => sub {
$t->get_ok('/login');
$valid_login{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok('/login', form => \%valid_login)
->status_is(302)
->header_like(Location => qr{moderator/flagged});
@ -31,9 +36,10 @@ subtest Login => sub {
$t->get_ok('/moderator/admin/create')
->status_is(200)
->text_like(h2 => qr/Create Moderator/)
->element_exists('form input[name="name"]' )
->element_exists('form input[name="email"]' )
->element_exists('form input[name="password"]')
->element_exists('form input[name="name"]' )
->element_exists('form input[name="email"]' )
->element_exists('form input[name="password"]' )
->element_exists('form input[name="csrf_token"]')
};
subtest Reset => sub {
@ -43,6 +49,7 @@ subtest Login => sub {
->element_exists('a[href*="/moderator/admin/reset"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="password"]' )
->element_exists('form input[name="csrf_token"]' )
};
subtest Lock => sub {
@ -51,6 +58,7 @@ subtest Login => sub {
->text_like(h2 => qr/Lock Account/)
->element_exists('a[href*="/moderator/admin/lock"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="csrf_token"]' )
};
subtest Unlock => sub {
@ -59,6 +67,7 @@ subtest Login => sub {
->text_like(h2 => qr/Unlock Account/)
->element_exists('a[href*="/moderator/admin/unlock"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="csrf_token"]' )
};
subtest Promote => sub {
@ -67,6 +76,7 @@ subtest Login => sub {
->text_like(h2 => qr/Promote Moderator/)
->element_exists('a[href*="/moderator/admin/promote"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="csrf_token"]' )
};
subtest Demote => sub {
@ -75,6 +85,7 @@ subtest Login => sub {
->text_like(h2 => qr/Demote Admin/)
->element_exists('a[href*="/moderator/admin/demote"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="csrf_token"]' )
};
# Admin session ends

View file

@ -25,18 +25,39 @@ subtest 'Bumping thread', sub {
$t->get_ok('/human/thread/bump/1')->status_is(302)
->header_like(Location => qr/captcha/);
$t->get_ok($bump_thread_url)
->status_is(200)
->element_exists('input[name="answer"]' )
->element_exists('input[name="number"]' )
->element_exists('input[name="csrf_token"]');
# Bad CSRF
$t->post_ok($bump_thread_url, form => \%bad_bot)
->status_is(403)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Something went wrong/);
# Bad CAPTCHA
$bad_bot{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($bump_thread_url, form => \%bad_bot)
->status_is(400)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Sounds like something a robot would say/);
$invalid_captcha{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($bump_thread_url, form => \%invalid_captcha)
->status_is(400)
->element_exists('p[class="field-with-error"]')
->text_like(p => qr/Should be a single number/);
# Solved CAPTCHA
$good_human{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($bump_thread_url, form => \%good_human)
->status_is(302)
->header_like(Location => qr{human/thread/bump/1});
@ -56,18 +77,35 @@ subtest 'Flagging thread', sub {
$t->get_ok('/human/thread/flag/1')->status_is(302)
->header_like(Location => qr/captcha/);
# Bad CSRF
$t->get_ok($flag_thread_url);
$t->post_ok($flag_thread_url, form => \%bad_bot)
->status_is(403)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Something went wrong/);
# Bad CAPTCHA
$bad_bot{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_thread_url, form => \%bad_bot)
->status_is(400)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Sounds like something a robot would say/);
$invalid_captcha{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_thread_url, form => \%invalid_captcha)
->status_is(400)
->element_exists('p[class="field-with-error"]')
->text_like(p => qr/Should be a single number/);
# Solved CAPTCHA
$good_human{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_thread_url, form => \%good_human)
->status_is(302)
->header_like(Location => qr{human/thread/flag/1});
@ -83,18 +121,35 @@ subtest 'Flagging remark', sub {
$t->get_ok('/human/remark/flag/1')->status_is(302)
->header_like(Location => qr/captcha/);
# Bad CSRF
$t->get_ok($flag_remark_url);
$t->post_ok($flag_remark_url, form => \%bad_bot)
->status_is(403)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Something went wrong/);
# Bad CAPTCHA
$bad_bot{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_remark_url, form => \%bad_bot)
->status_is(400)
->element_exists('p[class="stash-with-error"]')
->text_like(p => qr/Sounds like something a robot would say/);
$invalid_captcha{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_remark_url, form => \%invalid_captcha)
->status_is(400)
->element_exists('p[class="field-with-error"]')
->text_like(p => qr/Should be a single number/);
# Solved CAPTCHA
$good_human{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($flag_remark_url, form => \%good_human)
->status_is(302)
->header_like(Location => qr{human/remark/flag/1});

View file

@ -17,16 +17,28 @@ my %invalid_login = (
subtest Login => sub {
$t->get_ok('/login')
->status_is(200)
->element_exists('form input[name="email"]')
->element_exists('form input[name="password"]')
->element_exists('form input[name="email"]' )
->element_exists('form input[name="password"]' )
->element_exists('form input[name="csrf_token"]')
->text_like(h2 => qr/Moderator Login/);
# Bad CSRF token
$t->post_ok('/login', form => \%valid_login)
->status_is(403)
->text_like(p => qr/Something went wrong/);
$invalid_login{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok('/login', form => \%invalid_login)
->status_is(403)
->element_exists('form input[name="email"]')
->element_exists('form input[name="password"]')
->text_like(p => qr/Invalid login/);
$valid_login{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok('/login', form => \%valid_login)
->status_is(302)
->header_like(Location => qr{moderator/flagged});

View file

@ -14,6 +14,11 @@ subtest 'Search before CAPTCHA', sub {
};
subtest 'Search after CAPTCHA', sub {
$t->get_ok($search_url);
$good_human{'csrf_token'} =
$t->tx->res->dom->at('input[name="csrf_token"]')->val;
$t->post_ok($search_url, form => \%good_human)
->status_is(302)
->header_like(Location => qr{human/search});