github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 10:41:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

test(ssrf): table-drive blocked hostname literal checks

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-21 23:33:47 +00:00
parent e84d89ab06
commit ffd9b86ca4
1 changed files with 20 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/infra/net/ssrf.pinning.test.ts
View File

@@ -7,6 +7,10 @@ import {
SsrFBlockedError, SsrFBlockedError,
} from "./ssrf.js"; } from "./ssrf.js";
function createPublicLookupMock(): LookupFn {
return vi.fn(async () => [{ address: "93.184.216.34", family: 4 }]) as unknown as LookupFn;
}
describe("ssrf pinning", () => { describe("ssrf pinning", () => {
it("pins resolved addresses for the target hostname", async () => { it("pins resolved addresses for the target hostname", async () => {
const lookup = vi.fn(async () => [ const lookup = vi.fn(async () => [
@@ -109,36 +113,23 @@ describe("ssrf pinning", () => {
).rejects.toThrow(/allowlist/i); ).rejects.toThrow(/allowlist/i);
}); });
it("blocks ISATAP embedded private IPv4 before DNS lookup", async () => { it.each([
const lookup = vi.fn(async () => [ {
{ address: "93.184.216.34", family: 4 }, name: "ISATAP embedded private IPv4",
]) as unknown as LookupFn; hostname: "2001:db8:1234::5efe:127.0.0.1",
},
{
name: "legacy loopback IPv4 literal",
hostname: "0177.0.0.1",
},
{
name: "unsupported short-form IPv4 literal",
hostname: "8.8.2056",
},
])("blocks $name before DNS lookup", async ({ hostname }) => {
const lookup = createPublicLookupMock();
await expect( await expect(resolvePinnedHostnameWithPolicy(hostname, { lookupFn: lookup })).rejects.toThrow(
resolvePinnedHostnameWithPolicy("2001:db8:1234::5efe:127.0.0.1", {
lookupFn: lookup,
}),
).rejects.toThrow(SsrFBlockedError);
expect(lookup).not.toHaveBeenCalled();
});
it("blocks legacy loopback IPv4 literals before DNS lookup", async () => {
const lookup = vi.fn(async () => [
{ address: "93.184.216.34", family: 4 },
]) as unknown as LookupFn;
await expect(
resolvePinnedHostnameWithPolicy("0177.0.0.1", { lookupFn: lookup }),
).rejects.toThrow(SsrFBlockedError);
expect(lookup).not.toHaveBeenCalled();
});
it("blocks unsupported short-form IPv4 literals before DNS lookup", async () => {
const lookup = vi.fn(async () => [
{ address: "93.184.216.34", family: 4 },
]) as unknown as LookupFn;
await expect(resolvePinnedHostnameWithPolicy("8.8.2056", { lookupFn: lookup })).rejects.toThrow(
SsrFBlockedError, SsrFBlockedError,
); );
expect(lookup).not.toHaveBeenCalled(); expect(lookup).not.toHaveBeenCalled();