Bypass csrf plugins (#597)

* Add bypass_csrf_protection decorator * Add beta notice * Add test_bypass_csrf_protection
2025-12-17 05:54:19 +01:00 · 2018-03-24 22:54:12 -04:00
parent c0e418d900
commit aedd753f4e
3 changed files with 44 additions and 1 deletions
--- a/tests/test_plugin_utils.py
+++ b/tests/test_plugin_utils.py
@@ -12,7 +12,8 @@ from CTFd.plugins import (
    register_admin_plugin_menu_bar,
    get_admin_plugin_menu_bar,
    register_user_page_menu_bar,
-    get_user_page_menu_bar
+    get_user_page_menu_bar,
+    bypass_csrf_protection
 )
 from freezegun import freeze_time
 from mock import patch
@@ -145,3 +146,29 @@ def test_register_user_page_menu_bar():
        assert menu_item.title == 'test_user_menu_link'
        assert menu_item.route == '/test_user_href'
    destroy_ctfd(app)
+
+
+def test_bypass_csrf_protection():
+    """
+    Test that the bypass_csrf_protection decorator functions properly
+    """
+    app = create_ctfd()
+
+    with app.app_context():
+        with app.test_client() as client:
+            r = client.post('/login')
+            output = r.get_data(as_text=True)
+            assert r.status_code == 403
+
+        def bypass_csrf_protection_test_route():
+            return "Success", 200
+
+        # Hijack an existing route to avoid any kind of hacks to create a test route
+        app.view_functions['auth.login'] = bypass_csrf_protection(bypass_csrf_protection_test_route)
+
+        with app.test_client() as client:
+            r = client.post('/login')
+            output = r.get_data(as_text=True)
+            assert r.status_code == 200
+            assert output == "Success"
+    destroy_ctfd(app)