From 26c1cf6a6066f90c0c2be7e84e68f75fb920b0d9 Mon Sep 17 00:00:00 2001 From: Yusuke Endoh Date: Fri, 19 Jun 2020 00:53:33 +0900 Subject: [PATCH] test/webrick/test_httpresponse.rb: Use a longer indicator for crack "hack" was too short. The tests check the error html, which includes the hostname. The GitHub Actions hostname seems to be randomly generated, and it may include the indicator string. https://github.com/ruby/ruby/runs/784896235 ``` 1) Failure: WEBrick::TestHTTPResponse#test_prevent_response_splitting_cookie_headers_cr [/home/runner/work/ruby/ruby/src/test/webrick/test_httpresponse.rb:71]: Expected /hack/ to not match "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=ISO-8859-1\r\n\r\n\n\n Internal Server Error\n \n

Internal Server Error

\n WEBrick::HTTPResponse::InvalidHeader\n
\n
\n WEBrick/1.6.0 (Ruby/2.8.0/2020-06-18) at\n fv-az89.dddawhu1s14uzpjkiz5fhackre.cx.internal.cloudapp.net:80\n
\n \n\n". ``` This change uses longer indicator "cracked_indicator_for_test" instead.
---
 test/webrick/test_httpresponse.rb | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/test/webrick/test_httpresponse.rb b/test/webrick/test_httpresponse.rb
index e8c69a1212..89a0f7036e 100644
--- a/test/webrick/test_httpresponse.rb
+++ b/test/webrick/test_httpresponse.rb
@@ -30,70 +30,70 @@ module WEBrick
     end
 
     def test_prevent_response_splitting_headers_crlf
-      res['X-header'] = "malicious\r\nCookie: hack"
+      res['X-header'] = "malicious\r\nCookie: cracked_indicator_for_test"
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_prevent_response_splitting_cookie_headers_crlf
-      user_input = "malicious\r\nCookie: hack"
+      user_input = "malicious\r\nCookie: cracked_indicator_for_test"
       res.cookies << WEBrick::Cookie.new('author', user_input)
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_prevent_response_splitting_headers_cr
-      res['X-header'] = "malicious\rCookie: hack"
+      res['X-header'] = "malicious\rCookie: cracked_indicator_for_test"
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_prevent_response_splitting_cookie_headers_cr
-      user_input = "malicious\rCookie: hack"
+      user_input = "malicious\rCookie: cracked_indicator_for_test"
       res.cookies << WEBrick::Cookie.new('author', user_input)
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_prevent_response_splitting_headers_lf
-      res['X-header'] = "malicious\nCookie: hack"
+      res['X-header'] = "malicious\nCookie: cracked_indicator_for_test"
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_prevent_response_splitting_cookie_headers_lf
-      user_input = "malicious\nCookie: hack"
+      user_input = "malicious\nCookie: cracked_indicator_for_test"
       res.cookies << WEBrick::Cookie.new('author', user_input)
       io = StringIO.new
       res.send_response io
       io.rewind
       res = Net::HTTPResponse.read_new(Net::BufferedIO.new(io))
       assert_equal '500', res.code
-      refute_match 'hack', io.string
+      refute_match 'cracked_indicator_for_test', io.string
     end
 
     def test_set_redirect_response_splitting
-      url = "malicious\r\nCookie: hack"
+      url = "malicious\r\nCookie: cracked_indicator_for_test"
       assert_raises(URI::InvalidURIError) do
         res.set_redirect(WEBrick::HTTPStatus::MultipleChoices, url)
       end
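Review bot: Each `refute_match 'cracked_indicator_for_test', io.string` still passes or fails depending on what WEBrick happens to echo into the 500 error page (the hostname, as the commit message shows), so a longer marker only makes the flake less likely rather than checking the property directly. Asserting on the parsed response instead, `assert_nil res['Cookie']` after `read_new`, would fail exactly when a split-off Cookie header reaches the client and does not depend on the hostname; the marker check can stay alongside it. The literal is now repeated thirteen times across the seven tests; a frozen constant such as `MARKER = 'cracked_indicator_for_test'.freeze` would keep it in one place, and the six `test_prevent_response_splitting_*` bodies differ only in the separator and whether the value goes through `res['X-header']` or `WEBrick::Cookie`, which a small helper could absorb. `test_set_redirect_response_splitting` ends outside the hunk.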