author | Christopher Speller <crspeller@gmail.com> | 2017-01-31 09:48:06 -0500 |
---|---|---|
committer | Christopher Speller <crspeller@gmail.com> | 2017-01-31 12:23:05 -0500 |
commit | 6054dee806f45b7813438bfd4758af0407099865 (patch) | |
tree | ea07727ffba628443dd697fda2ab779c2742440d /api/websocket_test.go | |
parent | 6806df6f9390b0435f8eae21ddaaaefdb42f15a2 (diff) | |
Fixing websocket origin policy
Diffstat (limited to 'api/websocket_test.go')
-rw-r--r-- | api/websocket_test.go | 25 |
1 files changed, 24 insertions, 1 deletions
diff --git a/api/websocket_test.go b/api/websocket_test.go
index 39a55f8f4..6b8937d81 100644
--- a/api/websocket_test.go
+++ b/api/websocket_test.go
@@ -6,12 +6,14 @@ package api
 import (
 	//"encoding/json"
 	//"net/http"
+	"net/http"
 	"testing"
 	"time"
 
-	//"github.com/gorilla/websocket"
+	"github.com/gorilla/websocket"
 	"github.com/mattermost/platform/app"
 	"github.com/mattermost/platform/model"
+	"github.com/mattermost/platform/utils"
 )
 
 /*func TestWebSocketAuthentication(t *testing.T) {
@@ -249,6 +251,27 @@ func TestWebSocketEvent(t *testing.T) {
 	}
 }
 
+func TestWebsocketOriginSecurity(t *testing.T) {
+	Setup().InitBasic()
+	url := "ws://localhost" + utils.Cfg.ServiceSettings.ListenAddress
+
+	// Should fail because origin doesn't match
+	_, _, err := websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+		"Origin": []string{"http://www.evil.com"},
+	})
+	if err == nil {
+		t.Fatal("Should have errored because Origin does not match host! SECURITY ISSUE!")
+	}
+
+	// We are not a browser so we can spoof this just fine
+	_, _, err = websocket.DefaultDialer.Dial(url+model.API_URL_SUFFIX_V3+"/users/websocket", http.Header{
+		"Origin": []string{"http://localhost" + utils.Cfg.ServiceSettings.ListenAddress},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestZZWebSocketTearDown(t *testing.T) {
 	// *IMPORTANT* - Kind of hacky
 	// This should be the last function in any test file
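Review bot: The negative case in TestWebsocketOriginSecurity passes on any dial error, so a server that is not listening or a wrong path would satisfy `if err == nil` and the origin-policy regression the test is meant to catch would go unnoticed; it should assert that the handshake was specifically rejected, e.g. `if err != websocket.ErrBadHandshake { t.Fatalf(...) }`, and can additionally inspect the returned `*http.Response` status (presumably 403 if the server uses gorilla's Upgrader origin check — confirm against the handler). Both `Dial` calls discard the `*websocket.Conn`, so the successful second connection is never closed and a connection obtained unexpectedly in the first case leaks past the `t.Fatal`; capture it and close it. The URL expression is also built twice and the local named `url` shadows the conventional package name; hoisting it into one variable keeps the two dials in sync.
```go
func TestWebsocketOriginSecurity(t *testing.T) {
	Setup().InitBasic()
	wsURL := "ws://localhost" + utils.Cfg.ServiceSettings.ListenAddress + model.API_URL_SUFFIX_V3 + "/users/websocket"

	// Should fail because origin doesn't match
	conn, resp, err := websocket.DefaultDialer.Dial(wsURL, http.Header{
		"Origin": []string{"http://www.evil.com"},
	})
	if err == nil {
		conn.Close()
		t.Fatal("Should have errored because Origin does not match host! SECURITY ISSUE!")
	}
	// Distinguish an origin rejection from the server being unreachable or misrouted.
	if err != websocket.ErrBadHandshake {
		t.Fatalf("expected rejected handshake, got %v (resp=%v)", err, resp)
	}

	// We are not a browser so we can spoof this just fine
	conn, _, err = websocket.DefaultDialer.Dial(wsURL, http.Header{
		"Origin": []string{"http://localhost" + utils.Cfg.ServiceSettings.ListenAddress},
	})
	if err != nil {
		t.Fatal(err)
	}
	defer conn.Close()
}
```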