Fixed: Security Vulnerabilities allowing authentication to be bypass

2026-04-18 21:34:28 -04:00 · 2017-12-13 21:46:44 -05:00
parent 4525f99370
commit 2ccc5af8d0
6 changed files with 116 additions and 37 deletions
--- a/src/NzbDrone.Integration.Test/CorsFixture.cs
+++ b/src/NzbDrone.Integration.Test/CorsFixture.cs
@@ -8,19 +8,26 @@ namespace NzbDrone.Integration.Test
    [TestFixture]
    public class CorsFixture : IntegrationTest
    {
-        private RestRequest BuildRequest()
+        private RestRequest BuildGet(string route = "artist")
        {
-            var request = new RestRequest("artist");
+            var request = new RestRequest(route, Method.GET);
            request.AddHeader(AccessControlHeaders.RequestMethod, "POST");

            return request;
        }

-        [Test]
+        private RestRequest BuildOptions(string route = "artist")
+        {
+            var request = new RestRequest(route, Method.OPTIONS);
+
+            return request;
+        }
+
+    [Test]
        public void should_not_have_allow_headers_in_response_when_not_included_in_the_request()
        {
-            var request = BuildRequest();
-            var response = RestClient.Get(request);
+            var request = BuildOptions();
+            var response = RestClient.Execute(request);
            
            response.Headers.Should().NotContain(h => h.Name == AccessControlHeaders.AllowHeaders);
        }
@@ -28,10 +35,10 @@ namespace NzbDrone.Integration.Test
        [Test]
        public void should_have_allow_headers_in_response_when_included_in_the_request()
        {
-            var request = BuildRequest();
+            var request = BuildOptions();
            request.AddHeader(AccessControlHeaders.RequestHeaders, "X-Test");

-            var response = RestClient.Get(request);
+            var response = RestClient.Execute(request);

            response.Headers.Should().Contain(h => h.Name == AccessControlHeaders.AllowHeaders);
        }
@@ -39,8 +46,8 @@ namespace NzbDrone.Integration.Test
        [Test]
        public void should_have_allow_origin_in_response()
        {
-            var request = BuildRequest();
-            var response = RestClient.Get(request);
+            var request = BuildOptions();
+            var response = RestClient.Execute(request);

            response.Headers.Should().Contain(h => h.Name == AccessControlHeaders.AllowOrigin);
        }
@@ -48,10 +55,37 @@ namespace NzbDrone.Integration.Test
        [Test]
        public void should_have_allow_methods_in_response()
        {
-            var request = BuildRequest();
-            var response = RestClient.Get(request);
+            var request = BuildOptions();
+            var response = RestClient.Execute(request);

            response.Headers.Should().Contain(h => h.Name == AccessControlHeaders.AllowMethods);
        }
+
+        [Test]
+        public void should_not_have_allow_methods_in_non_options_request()
+        {
+            var request = BuildGet();
+            var response = RestClient.Execute(request);
+
+            response.Headers.Should().NotContain(h => h.Name == AccessControlHeaders.AllowMethods);
+        }
+
+        [Test]
+        public void should_have_allow_origin_in_non_options_request()
+        {
+            var request = BuildGet();
+            var response = RestClient.Execute(request);
+
+            response.Headers.Should().Contain(h => h.Name == AccessControlHeaders.AllowOrigin);
+        }
+
+        [Test]
+        public void should_not_have_allow_origin_in_non_api_request()
+        {
+            var request = BuildGet("../abc");
+            var response = RestClient.Execute(request);
+
+            response.Headers.Should().NotContain(h => h.Name == AccessControlHeaders.AllowOrigin);
+        }
    }
 }