From ba575e85646e29e028698ba6c83fb3f6698406ff Mon Sep 17 00:00:00 2001 From: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com> Date: Tue, 26 Mar 2024 12:15:58 -0500 Subject: [PATCH] Add tests for invalid/missing token Issue gh-14634 --- .../ROOT/pages/servlet/exploits/csrf.adoc | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc index 4c804112dd..2b8dffbf17 100644 --- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc +++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc @@ -1221,6 +1221,24 @@ public class CsrfTests { .andExpect(header().string(HttpHeaders.LOCATION, "/")); } + @Test + public void loginWhenInvalidCsrfTokenThenForbidden() throws Exception { + this.mockMvc.perform(post("/login").with(csrf().useInvalidToken()) + .accept(MediaType.TEXT_HTML) + .param("username", "user") + .param("password", "password")) + .andExpect(status().isForbidden()); + } + + @Test + public void loginWhenMissingCsrfTokenThenForbidden() throws Exception { + this.mockMvc.perform(post("/login") + .accept(MediaType.TEXT_HTML) + .param("username", "user") + .param("password", "password")) + .andExpect(status().isForbidden()); + } + @Test @WithMockUser public void logoutWhenValidCsrfTokenThenSuccess() throws Exception { @@ -1264,6 +1282,24 @@ class CsrfTests { .andExpect(header().string(HttpHeaders.LOCATION, "/")) } + @Test + fun loginWhenInvalidCsrfTokenThenForbidden() { + mockMvc.perform(post("/login").with(csrf().useInvalidToken()) + .accept(MediaType.TEXT_HTML) + .param("username", "user") + .param("password", "password")) + .andExpect(status().isForbidden) + } + + @Test + fun loginWhenMissingCsrfTokenThenForbidden() { + mockMvc.perform(post("/login") + .accept(MediaType.TEXT_HTML) + .param("username", "user") + .param("password", "password")) + .andExpect(status().isForbidden) + } + @Test @WithMockUser @Throws(Exception::class)