github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 03:31:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d51929ecb52fe65e90bf36795f4247feb29eb8aa
openclaw/src/infra/net/ssrf.test.ts
Peter Steinberger d51929ecb5 fix: block ISATAP SSRF bypass via shared host/ip guard
2026-02-19 09:59:47 +01:00

78 lines
2.3 KiB
TypeScript
Raw Blame History

import { describe, expect, it } from "vitest";
import { normalizeFingerprint } from "../tls/fingerprint.js";
import { isBlockedHostnameOrIp, isPrivateIpAddress } from "./ssrf.js";
const privateIpCases = [
"::ffff:127.0.0.1",
"0:0:0:0:0:ffff:7f00:1",
"0000:0000:0000:0000:0000:ffff:7f00:0001",
"::127.0.0.1",
"0:0:0:0:0:0:7f00:1",
"[0:0:0:0:0:ffff:7f00:1]",
"::ffff:169.254.169.254",
"0:0:0:0:0:ffff:a9fe:a9fe",
"64:ff9b::127.0.0.1",
"64:ff9b::169.254.169.254",
"64:ff9b:1::192.168.1.1",
"64:ff9b:1::10.0.0.1",
"2002:7f00:0001::",
"2002:a9fe:a9fe::",
"2001:0000:0:0:0:0:80ff:fefe",
"2001:0000:0:0:0:0:3f57:fefe",
"::",
"::1",
"fe80::1%lo0",
"fd00::1",
"fec0::1",
"2001:db8:1234::5efe:127.0.0.1",
"2001:db8:1234:1:200:5efe:7f00:1",
];
const publicIpCases = [
"93.184.216.34",
"2606:4700:4700::1111",
"2001:db8::1",
"64:ff9b::8.8.8.8",
"64:ff9b:1::8.8.8.8",
"2002:0808:0808::",
"2001:0000:0:0:0:0:f7f7:f7f7",
"2001:db8:1234::5efe:8.8.8.8",
"2001:db8:1234:1:1111:5efe:7f00:1",
];
const malformedIpv6Cases = ["::::", "2001:db8::gggg"];
describe("ssrf ip classification", () => {
it.each(privateIpCases)("classifies %s as private", (address) => {
expect(isPrivateIpAddress(address)).toBe(true);
});
it.each(publicIpCases)("classifies %s as public", (address) => {
expect(isPrivateIpAddress(address)).toBe(false);
});
it.each(malformedIpv6Cases)("fails closed for malformed IPv6 %s", (address) => {
expect(isPrivateIpAddress(address)).toBe(true);
});
});
describe("normalizeFingerprint", () => {
it("strips sha256 prefixes and separators", () => {
expect(normalizeFingerprint("sha256:AA:BB:cc")).toBe("aabbcc");
expect(normalizeFingerprint("SHA-256 11-22-33")).toBe("112233");
expect(normalizeFingerprint("aa:bb:cc")).toBe("aabbcc");
});
});
describe("isBlockedHostnameOrIp", () => {
it("blocks localhost.localdomain and metadata hostname aliases", () => {
expect(isBlockedHostnameOrIp("localhost.localdomain")).toBe(true);
expect(isBlockedHostnameOrIp("metadata.google.internal")).toBe(true);
});
it("blocks private transition addresses via shared IP classifier", () => {
expect(isBlockedHostnameOrIp("2001:db8:1234::5efe:127.0.0.1")).toBe(true);
expect(isBlockedHostnameOrIp("2001:db8::1")).toBe(false);
});
});
Reference in New Issue View Git Blame Copy Permalink