Refactor #23875

Remove login doesn't escalate privileges test

Added by Lukas Zapletal about 1 month ago. Updated 7 days ago.

Status: Closed
Priority: Normal
Assignee: Lukas Zapletal
Category: Tests
Target version: 1.19.0
Difficulty: easy
Team Backlog:
Triaged:
Fixed in Releases:
Bugzilla link:
Found in Releases:
Pull request: https://github.com/theforeman/foreman/pull/5679

Description

In #4457 we introduced a change and two tests to verify that the session does not leak the session ID via an old session hash reference. Starting with Rails 4.0, the session implementation used in tests (TestSession) gained a destroy method (https://github.com/rails/rails/commit/7d624e0e8cfa3adffd8f475e3588d83f3b367c24#diff-600d5368b55e46ed961abb4295977ac3R254), which lets the session stack call it instead of creating a new hash instance (https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/request.rb#L349-L355). This should have caused the tests to regress, but due to an oversight in the test assertion they never failed:

refute old_session.keys.include?(:user)

The keys method always returns its entries as strings, so this line never fired. The purpose of this ticket is to refactor this, simply by removing the two tests, because we already test the presence of the user session key in the "sets the session user" test and the call to reset_session (which calls the destroy method) in the "changes the session ID to prevent fixation" test.
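An added example, not Foreman's or Rails' code, that reproduces the assertion bug described above with a small stand-in for a Rack-style session hash (the StringKeyedSession class and its helpers are assumptions written for this illustration): keys are stringified on every access, so looking for the Symbol :user in keys can never succeed, while checking through the same normalisation, or checking that the session ID changes across reset, does catch the conditions the two remaining tests cover.

```ruby
require 'securerandom'

# Constructed stand-in for a Rack session hash: every key is stored as a
# String, which is why `keys` never contains a Symbol.
class StringKeyedSession
  attr_reader :id

  def initialize
    @id = SecureRandom.hex(16)
    @data = {}
  end

  def []=(key, value); @data[key.to_s] = value; end   # key stringified
  def [](key); @data[key.to_s]; end
  def keys; @data.keys; end                           # always Strings
  def key?(key); @data.key?(key.to_s); end

  # What reset_session amounts to: drop the data and issue a fresh ID.
  def destroy
    @data.clear
    @id = SecureRandom.hex(16)
  end
end

# The assertion from the removed test: it compares a Symbol against a list
# of Strings, so it is false even right after :user has been set.
def user_symbol_in_keys?(session)
  session.keys.include?(:user)
end

# A meaningful presence check normalises the key the same way the session does.
def user_present?(session)
  session.key?(:user)
end

# Models the login flow: reset the session first, then store the user.
# Returns [old_id, new_id] so a test can assert the ID actually changed.
def login(session, user_id)
  old_id = session.id
  session.destroy
  session[:user] = user_id
  [old_id, session.id]
end
```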


Related issues

Related to Foreman - Bug #4457: CVE-2014-0090 - Session fixation, new session IDs are not... Closed 02/26/2014 03/20/2014

Associated revisions

Revision b71907ec
Added by Lukas Zapletal about 1 month ago

Fixes #23875 - removed old session tests

History

#1 Updated by Lukas Zapletal about 1 month ago

  • Related to Bug #4457: CVE-2014-0090 - Session fixation, new session IDs are not generated on login added

#2 Updated by Lukas Zapletal about 1 month ago

  • Description updated (diff)

#3 Updated by The Foreman Bot about 1 month ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5679 added

#4 Updated by Tomer Brisker about 1 month ago

  • Legacy Backlogs Release (now unused) set to 353

#5 Updated by Lukas Zapletal about 1 month ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed
