2019-07-27 16:15:23 +00:00
|
|
|
#![feature(proc_macro_hygiene, async_await)]
|
2018-11-08 17:01:58 +00:00
|
|
|
|
|
|
|
#[macro_use]
|
|
|
|
#[cfg(feature = "helmet")]
|
|
|
|
extern crate rocket;
|
|
|
|
|
|
|
|
#[cfg(feature = "helmet")]
|
|
|
|
mod helmet_tests {
|
|
|
|
use rocket::http::{Status, uri::Uri};
|
|
|
|
use rocket::local::{Client, LocalResponse};
|
|
|
|
|
2019-06-13 02:17:59 +00:00
|
|
|
use rocket_contrib::helmet::*;
|
|
|
|
use time::Duration;
|
2018-11-08 17:01:58 +00:00
|
|
|
|
|
|
|
#[get("/")] fn hello() { }
|
|
|
|
|
|
|
|
macro_rules! assert_header {
|
|
|
|
($response:ident, $name:expr, $value:expr) => {
|
|
|
|
match $response.headers().get_one($name) {
|
|
|
|
Some(value) => assert_eq!(value, $value),
|
|
|
|
None => panic!("missing header '{}' with value '{}'", $name, $value)
|
|
|
|
}
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
macro_rules! assert_no_header {
|
|
|
|
($response:ident, $name:expr) => {
|
|
|
|
if let Some(value) = $response.headers().get_one($name) {
|
|
|
|
panic!("unexpected header: '{}={}", $name, value);
|
|
|
|
}
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
macro_rules! dispatch {
|
|
|
|
($helmet:expr, $closure:expr) => {{
|
|
|
|
let rocket = rocket::ignite().mount("/", routes![hello]).attach($helmet);
|
|
|
|
let client = Client::new(rocket).unwrap();
|
|
|
|
let response = client.get("/").dispatch();
|
|
|
|
assert_eq!(response.status(), Status::Ok);
|
|
|
|
$closure(response)
|
|
|
|
}}
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn default_headers_test() {
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(SpaceHelmet::default(), |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_header!(response, "X-XSS-Protection", "1");
|
|
|
|
assert_header!(response, "X-Frame-Options", "SAMEORIGIN");
|
|
|
|
assert_header!(response, "X-Content-Type-Options", "nosniff");
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn disable_headers_test() {
|
|
|
|
let helmet = SpaceHelmet::default().disable::<XssFilter>();
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_header!(response, "X-Frame-Options", "SAMEORIGIN");
|
|
|
|
assert_header!(response, "X-Content-Type-Options", "nosniff");
|
|
|
|
assert_no_header!(response, "X-XSS-Protection");
|
|
|
|
});
|
|
|
|
|
|
|
|
let helmet = SpaceHelmet::default().disable::<Frame>();
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_header!(response, "X-XSS-Protection", "1");
|
|
|
|
assert_header!(response, "X-Content-Type-Options", "nosniff");
|
|
|
|
assert_no_header!(response, "X-Frame-Options");
|
|
|
|
});
|
|
|
|
|
|
|
|
let helmet = SpaceHelmet::default()
|
|
|
|
.disable::<Frame>()
|
|
|
|
.disable::<XssFilter>()
|
|
|
|
.disable::<NoSniff>();
|
|
|
|
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_no_header!(response, "X-Frame-Options");
|
|
|
|
assert_no_header!(response, "X-XSS-Protection");
|
|
|
|
assert_no_header!(response, "X-Content-Type-Options");
|
|
|
|
});
|
|
|
|
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(SpaceHelmet::new(), |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_no_header!(response, "X-Frame-Options");
|
|
|
|
assert_no_header!(response, "X-XSS-Protection");
|
|
|
|
assert_no_header!(response, "X-Content-Type-Options");
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn additional_headers_test() {
|
|
|
|
let helmet = SpaceHelmet::default()
|
|
|
|
.enable(Hsts::default())
|
|
|
|
.enable(ExpectCt::default())
|
|
|
|
.enable(Referrer::default());
|
|
|
|
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_header!(
|
|
|
|
response,
|
|
|
|
"Strict-Transport-Security",
|
2020-03-25 21:39:55 +00:00
|
|
|
format!("max-age={}", Duration::weeks(52).whole_seconds())
|
2018-11-08 17:01:58 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
assert_header!(
|
|
|
|
response,
|
|
|
|
"Expect-CT",
|
2020-03-25 21:39:55 +00:00
|
|
|
format!("max-age={}, enforce", Duration::days(30).whole_seconds())
|
2018-11-08 17:01:58 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
assert_header!(response, "Referrer-Policy", "no-referrer");
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn uri_test() {
|
|
|
|
let allow_uri = Uri::parse("https://www.google.com").unwrap();
|
|
|
|
let report_uri = Uri::parse("https://www.google.com").unwrap();
|
|
|
|
let enforce_uri = Uri::parse("https://www.google.com").unwrap();
|
|
|
|
|
|
|
|
let helmet = SpaceHelmet::default()
|
|
|
|
.enable(Frame::AllowFrom(allow_uri))
|
|
|
|
.enable(XssFilter::EnableReport(report_uri))
|
|
|
|
.enable(ExpectCt::ReportAndEnforce(Duration::seconds(30), enforce_uri));
|
|
|
|
|
2019-06-13 02:17:59 +00:00
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
2018-11-08 17:01:58 +00:00
|
|
|
assert_header!(response, "X-Frame-Options",
|
|
|
|
"ALLOW-FROM https://www.google.com");
|
|
|
|
|
|
|
|
assert_header!(response, "X-XSS-Protection",
|
|
|
|
"1; report=https://www.google.com");
|
|
|
|
|
|
|
|
assert_header!(response, "Expect-CT",
|
|
|
|
"max-age=30, enforce, report-uri=\"https://www.google.com\"");
|
|
|
|
});
|
|
|
|
}
|
2019-08-09 20:32:38 +00:00
|
|
|
|
|
|
|
#[test]
|
|
|
|
fn prefetch_test() {
|
|
|
|
let helmet = SpaceHelmet::default().enable(Prefetch::default());
|
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
|
|
|
assert_header!(response, "X-DNS-Prefetch-Control", "off");
|
|
|
|
});
|
|
|
|
|
|
|
|
let helmet = SpaceHelmet::default().enable(Prefetch::Off);
|
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
|
|
|
assert_header!(response, "X-DNS-Prefetch-Control", "off");
|
|
|
|
});
|
|
|
|
|
|
|
|
let helmet = SpaceHelmet::default().enable(Prefetch::On);
|
|
|
|
dispatch!(helmet, |response: LocalResponse<'_>| {
|
|
|
|
assert_header!(response, "X-DNS-Prefetch-Control", "on");
|
|
|
|
});
|
|
|
|
}
|
2018-11-08 17:01:58 +00:00
|
|
|
}
|