Test protection introduced in e98635a
vjt authored and tagliala committed Nov 12, 2023
1 parent 9ff671e commit 623d0bd
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions spec/omniauth/strategies/cas_spec.rb
Expand Up @@ -91,6 +91,14 @@
describe 'GET /auth/cas' do
let(:return_url) { 'http://example.org/admin/foo' }

context 'with a return url on a different host than the service url' do
before { get '/auth/cas?url=http://attack.example.org/' }

subject { last_response }

it { should be_bad_request }
end

context 'with a referer' do
let(:url) { '/auth/cas' }

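Review bot: The new context pins only one off-host form, the plain absolute URL in `before { get '/auth/cas?url=http://attack.example.org/' }`, so a host comparison that regresses for other spellings of the return URL would still pass this spec. Consider sibling contexts for a scheme-relative value (`//attack.example.org/`) and for a host that merely shares a prefix or suffix with the service host, plus a positive case asserting that a same-host value such as the existing `return_url` (`http://example.org/admin/foo`) is still accepted, so the check is constrained from both sides. It would also help to assert that the 400 response carries no `Location` header, and to note in the context description that this spec guards the validation added in e98635a.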