In order to make sure that my application is not vulnerable to this exploit, I am trying to create a controller test in RSpec to cover it. To do so, I need to be able to post raw JSON, but I haven't been able to find a way to do that. After doing some research, I found that there at least used to be a way to do this using the RAW_POST_DATA header, but it doesn't seem to work anymore:
  it "should not be exploitable by using an integer token value" do
    # Set the request content type and the raw JSON body via the request env
    request.env["CONTENT_TYPE"] = "application/json"
    request.env["RAW_POST_DATA"] = { token: 0 }.to_json
    post :reset_password
  end
When I look at the params hash, token is not set at all; it just contains { "controller" => "user", "action" => "reset_password" }. I get the same results when trying to use XML, or even when trying to just use regular post data; in all cases, it seems not to set it, period.
I know that with the recent Rails vulnerabilities, the way parameters are hashed was changed, but is there still a way to post raw data through RSpec? Can I somehow directly use Rack::Test::Methods?
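As an added illustration (not code from the question or from Rails), the following stand-alone Ruby shows the mechanism the test above is reaching for: a raw JSON body is delivered to the app through the Rack env as `CONTENT_TYPE` plus `rack.input`, and a JSON params parser hands the handler the token with its JSON type (Integer, nil) rather than as a string. The `reset_password` handler and the `json_post_env`/`json_params` helpers are hypothetical, written to show the check a defender wants such a test to exercise: a token that is not a non-empty String is rejected before any lookup happens.

```ruby
require "json"
require "stringio"

# Build a minimal Rack env carrying a raw JSON body, the same shape a
# request spec hands to the app: CONTENT_TYPE plus the body in rack.input.
# (Constructed helper; not part of Rails or rack-test.)
def json_post_env(path, body_hash)
  raw = JSON.generate(body_hash)
  {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO"      => path,
    "CONTENT_TYPE"   => "application/json",
    "CONTENT_LENGTH" => raw.bytesize.to_s,
    "rack.input"     => StringIO.new(raw),
  }
end

# Parse the body the way a JSON params parser does, so the handler sees
# the token with its JSON type (0 stays an Integer, null becomes nil).
def json_params(env)
  return {} unless env["CONTENT_TYPE"].to_s.start_with?("application/json")
  env["rack.input"].rewind
  JSON.parse(env["rack.input"].read)
end

# Hypothetical reset_password handler: only a non-empty String token is
# accepted; any other JSON type (Integer, nil, Hash, Array) is rejected
# with 400 before the token reaches a database lookup.
def reset_password(env)
  token = json_params(env)["token"]
  unless token.is_a?(String) && !token.empty?
    return [400, { "Content-Type" => "text/plain" }, ["token must be a non-empty string"]]
  end
  [200, { "Content-Type" => "text/plain" }, ["token accepted"]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: the integer token the question tests for,
  # a JSON null, and a well-formed string token.
  [{ token: 0 }, { token: nil }, { token: "abc123" }].each do |body|
    status, _headers, chunks = reset_password(json_post_env("/reset_password", body))
    puts "#{body.inspect} -> #{status} #{chunks.join}"
  end
end
```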