Add specs for CSP violation reporter

2018-01-13 10:12:28 -06:00 · 2018-01-13 10:12:28 -06:00 · 871030cfa9
parent f21bd0568e
commit 871030cfa9
4 changed files with 16 additions and 6 deletions
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@ -35,7 +35,7 @@ class DashboardController < ApplicationController
  end

  # Endpoint reports CSP violations, indicating a possible security problem.
-  def csrf_reports
+  def csp_reports
    payload = request.body.read || ""
    begin
      report = JSON.parse(payload)
@ -43,9 +43,7 @@ class DashboardController < ApplicationController
      report = {problem: "Crashed while parsing report"}
    end
    Rollbar.error("CSP VIOLATION!!!", report)
-    puts "============"
-    puts report.to_yaml
-    puts "============"
+
    render json: report
  end
 end
--- a/config/application.rb
+++ b/config/application.rb
@ -98,7 +98,7 @@ module FarmBot
                                          # wouldn't, but I think it's too much
                                          # of an inconvinience to block that
                                          # feature. Comments welcome -RC.
-        report_uri: %w(/csrf_reports)
+        report_uri: %w(/csp_reports)
      }
    end
  end
--- a/config/routes.rb
+++ b/config/routes.rb
@ -60,7 +60,7 @@ FarmBot::Application.routes.draw do
  get  "/"             => "dashboard#front_page",   as: :front_page
  get  "/app"          => "dashboard#main_app",     as: :dashboard
  get  "/tos_update"   => "dashboard#tos_update",   as: :tos_update
-  post "/csrf_reports" => "dashboard#csrf_reports", as: :csrf_report
+  post "/csp_reports"  => "dashboard#csp_reports",  as: :csp_report

  match "/app/*path",
          to: "dashboard#main_app",
--- a/spec/controllers/dashboard_spec.rb
+++ b/spec/controllers/dashboard_spec.rb
@ -23,5 +23,17 @@ describe DashboardController do
      expect { get :main_app, params: {path: "nope.jpg"} }
        .to raise_error(ActionController::RoutingError)
    end
+
+    it "receives CSP violation reports (malformed JSON)" do
+      expect(Rollbar).to receive(:error)
+        .with("CSP VIOLATION!!!", {problem: "Crashed while parsing report"})
+      post :csp_reports, body: "NOT JSON ! ! !"
+    end
+
+    it "receives CSP violation reports (malformed JSON)" do
+      expect(Rollbar).to receive(:error)
+        .with("CSP VIOLATION!!!", {})
+      post :csp_reports, body: {}.to_json, params: {format: :json}
+    end
  end
 end