我正在尝试测试一些Rack::Attack代码以阻止入侵尝试。在此特定测试中,我需要检查带有包含无效UTF-8字符的参数的查询是否获取HTTP 403,并且可以由fail2ban接受,而不是继续进入主应用程序并生成HTTP 500。
当我运行以下测试时,get命令通过验证失败,并且不会将无效的URI传递给中间件。毫不奇怪,攻击者不会通过此验证,因此我需要能够将其关闭。
require 'rails_helper'
describe Rack::Attack do
include Rack::Test::Methods
let(:blocked) { Rack::Utils::SYMBOL_TO_STATUS_CODE[:forbidden] }
def app
Rails.application
end
describe 'vulnerability probes' do
it 'blocks URLs with invalid UTF-8 characters' do
get "/?q=a\xff"
expect(last_response.status).to eq(blocked)
end
end
end
这是我收到的失败消息:
URI::InvalidURIError: URI must be ascii only "/?q=a\xFF"
0) Rack::Attack vulnerability probes blocks URLs with invalid UTF-8 characters
Failure/Error: get "/?q=a\xff"
URI::InvalidURIError:
URI must be ascii only "/?q=a\xFF"
# ./spec/initializers/rack_attack_spec.rb:60:in `block (3 levels) in <top (required)>'
即使URI无效,如何强制它实际执行GET,以便我可以测试Rack::Attack的配置?