Disable insecure HTTP-methods #29
Description
Test nginx-14 checks if the string if ( $request_method !~ ^(GET|HEAD|POST)$ ) { exists in the in the nginx.conf. So far, so good. However there should also be a check that the correct error-code is returned, if the wrong request method is used.
Therefore I propose the following regex that checks if the output of nginx -T contains the following:
if ( $request_method !~ ^(GET|HEAD|POST)$ ) {
return 405;
}
the regex:
describe parse_config(nginx_parsed_config, options) do
its('content') { should match(/^\s*if\s+\(\s*\$request_method\s+\!\~\s+\^\(#{HTTP_METHODS}\)\$\s*\)\s*\{?$\s*return\s+405;\s+}$/) }
end
Regexr:
https://regexr.com/3u94m
What do you think?