Files
wehub-resource-sync 7a0da7932b
OSV-Scanner (Scheduled) / scan-scheduled (push) Failing after 0s
Create Release / test-gate (push) Has been cancelled
Create Release / release-gate (push) Has been cancelled
Create Release / ci-gate (push) Has been cancelled
Create Release / version-check (push) Has been cancelled
Create Release / e2e-test-gate (push) Has been cancelled
Create Release / responsive-test-gate (push) Has been cancelled
Create Release / compat-test-gate (push) Has been cancelled
Create Release / compose-integration-gate (push) Has been cancelled
Create Release / vulture-gate (push) Has been cancelled
Create Release / build (push) Has been cancelled
Create Release / provenance (push) Has been cancelled
Create Release / prerelease-docker (push) Has been cancelled
Create Release / publish-docker (push) Has been cancelled
Create Release / create-release (push) Has been cancelled
Create Release / cleanup-changelog (push) Has been cancelled
Create Release / trigger-pypi (push) Has been cancelled
Create Release / monitor-pypi (push) Has been cancelled
Create Release / Clean up orphan prerelease tags and signatures (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-form] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-metrics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [research-workflow] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-core] (push) Has been cancelled
CodeQL Advanced / Analyze (javascript-typescript) (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [history-news] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [library] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [link-analytics] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-core] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [chat-lifecycle] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [error-benchmark] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [settings-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) (push) Has been cancelled
Docker Tests (Consolidated) / Accessibility Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Unit Tests (push) Has been cancelled
Docker Tests (Consolidated) / LLM Example Tests (push) Has been cancelled
Docker Tests (Consolidated) / Production Image Smoke Test (push) Has been cancelled
Docker Tests (Consolidated) / Infrastructure Tests (push) Has been cancelled
OSSF Scorecard / OSSF Security Scorecard Analysis (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [mobile] (push) Has been cancelled
Backwards Compatibility / Verify Encryption Constants (push) Has been cancelled
Backwards Compatibility / PyPI Version Compatibility (push) Has been cancelled
Backwards Compatibility / Database Migration Tests (push) Has been cancelled
CodeQL Advanced / Analyze (python) (push) Has been cancelled
Docker Tests (Consolidated) / detect-changes (push) Has been cancelled
Docker Tests (Consolidated) / Build Test Image (push) Has been cancelled
Docker Tests (Consolidated) / All Pytest Tests + Coverage (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [accessibility] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [api-crud] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-login] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-pages] (push) Has been cancelled
Docker Tests (Consolidated) / UI Tests (Puppeteer) [auth-register] (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:08:55 +08:00

296 lines
10 KiB
Python

"""High-value tests for security/ssrf_validator.py - SSRF Prevention."""
import socket
from unittest.mock import patch
import pytest
from local_deep_research.security.ssrf_validator import (
is_ip_blocked,
validate_url,
get_safe_url,
ALLOWED_SCHEMES,
ALWAYS_BLOCKED_METADATA_IPS,
)
# ---------------------------------------------------------------------------
# is_ip_blocked - loopback / RFC1918 / CGNAT / link-local / IPv6
# ---------------------------------------------------------------------------
class TestIsIpBlockedLoopback:
"""Loopback address blocking."""
def test_ipv4_loopback_blocked_by_default(self):
assert is_ip_blocked("127.0.0.1") is True
def test_ipv4_loopback_127_0_0_2_blocked(self):
assert is_ip_blocked("127.0.0.2") is True
def test_ipv6_loopback_blocked_by_default(self):
assert is_ip_blocked("::1") is True
def test_ipv4_loopback_allowed_with_flag(self):
assert is_ip_blocked("127.0.0.1", allow_localhost=True) is False
def test_ipv6_loopback_allowed_with_flag(self):
assert is_ip_blocked("::1", allow_localhost=True) is False
class TestIsIpBlockedRFC1918:
"""RFC 1918 private ranges."""
def test_10_network_blocked(self):
assert is_ip_blocked("10.0.0.1") is True
def test_172_16_blocked(self):
assert is_ip_blocked("172.16.0.1") is True
def test_192_168_blocked(self):
assert is_ip_blocked("192.168.1.1") is True
def test_10_network_allowed_with_private_flag(self):
assert is_ip_blocked("10.0.0.1", allow_private_ips=True) is False
def test_172_16_allowed_with_private_flag(self):
assert is_ip_blocked("172.16.0.1", allow_private_ips=True) is False
def test_192_168_allowed_with_private_flag(self):
assert is_ip_blocked("192.168.1.1", allow_private_ips=True) is False
class TestIsIpBlockedSpecialRanges:
"""CGNAT, link-local, IPv6 private ranges."""
def test_cgnat_blocked(self):
assert is_ip_blocked("100.64.0.1") is True
def test_link_local_blocked(self):
assert is_ip_blocked("169.254.1.1") is True
def test_ipv6_unique_local_blocked(self):
assert is_ip_blocked("fc00::1") is True
def test_ipv6_link_local_blocked(self):
assert is_ip_blocked("fe80::1") is True
def test_cgnat_allowed_with_private_flag(self):
assert is_ip_blocked("100.64.0.1", allow_private_ips=True) is False
def test_link_local_allowed_with_private_flag(self):
assert is_ip_blocked("169.254.1.1", allow_private_ips=True) is False
def test_loopback_also_allowed_with_private_flag(self):
assert is_ip_blocked("127.0.0.1", allow_private_ips=True) is False
class TestIsIpBlockedCloudMetadata:
"""Cloud-provider metadata endpoints always blocked under all flags."""
@pytest.mark.parametrize("ip", sorted(ALWAYS_BLOCKED_METADATA_IPS))
def test_metadata_ip_blocked_default(self, ip):
assert is_ip_blocked(ip) is True
@pytest.mark.parametrize("ip", sorted(ALWAYS_BLOCKED_METADATA_IPS))
def test_metadata_ip_blocked_with_allow_localhost(self, ip):
assert is_ip_blocked(ip, allow_localhost=True) is True
@pytest.mark.parametrize("ip", sorted(ALWAYS_BLOCKED_METADATA_IPS))
def test_metadata_ip_blocked_with_allow_private_ips(self, ip):
assert is_ip_blocked(ip, allow_private_ips=True) is True
class TestIsIpBlockedIPv4Mapped:
"""IPv4-mapped IPv6 address unwrapping."""
def test_ipv4_mapped_loopback_blocked(self):
assert is_ip_blocked("::ffff:127.0.0.1") is True
def test_ipv4_mapped_private_blocked(self):
assert is_ip_blocked("::ffff:10.0.0.1") is True
def test_ipv4_mapped_aws_metadata_blocked(self):
assert is_ip_blocked("::ffff:169.254.169.254") is True
def test_ipv4_mapped_public_not_blocked(self):
assert is_ip_blocked("::ffff:8.8.8.8") is False
class TestIsIpBlockedPublicAndInvalid:
"""Public IPs and invalid input."""
def test_public_ip_not_blocked(self):
assert is_ip_blocked("8.8.8.8") is False
def test_another_public_ip(self):
assert is_ip_blocked("1.1.1.1") is False
def test_invalid_ip_returns_false(self):
assert is_ip_blocked("not-an-ip") is False
def test_empty_string_returns_false(self):
assert is_ip_blocked("") is False
# ---------------------------------------------------------------------------
# validate_url
# ---------------------------------------------------------------------------
class TestValidateUrlScheme:
"""Scheme validation."""
def test_ftp_scheme_rejected(self):
assert validate_url("ftp://example.com/file") is False
def test_file_scheme_rejected(self):
assert validate_url("file:///etc/passwd") is False
def test_javascript_scheme_rejected(self):
assert validate_url("javascript:alert(1)") is False
class TestValidateUrlHostname:
"""Hostname and IP-based URL validation."""
def test_missing_hostname_rejected(self):
assert validate_url("http://") is False
def test_ip_loopback_url_blocked(self):
assert validate_url("http://127.0.0.1/admin") is False
def test_ip_private_url_blocked(self):
assert validate_url("http://192.168.1.1/") is False
def test_aws_metadata_url_blocked(self):
assert validate_url("http://169.254.169.254/latest/meta-data/") is False
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_hostname_resolving_to_public_ip_allowed(self, mock_dns):
mock_dns.return_value = [
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("93.184.216.34", 0))
]
assert validate_url("http://example.com") is True
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_hostname_resolving_to_private_ip_blocked(self, mock_dns):
mock_dns.return_value = [
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("10.0.0.1", 0))
]
assert validate_url("http://internal.corp") is False
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_dns_failure_blocks_url(self, mock_dns):
mock_dns.side_effect = socket.gaierror("Name resolution failed")
assert validate_url("http://nonexistent.test") is False
class TestValidateUrlFlagPassthrough:
"""Flag pass-through to is_ip_blocked."""
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_allow_localhost_passes_loopback(self, mock_dns):
mock_dns.return_value = [
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("127.0.0.1", 0))
]
assert validate_url("http://127.0.0.1/", allow_localhost=True) is True
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_allow_private_ips_passes_private(self, mock_dns):
mock_dns.return_value = [
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("10.0.0.1", 0))
]
assert validate_url("http://10.0.0.1/", allow_private_ips=True) is True
@patch("local_deep_research.security.ssrf_validator.socket.getaddrinfo")
def test_multi_address_dns_one_private_blocked(self, mock_dns):
mock_dns.return_value = [
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("93.184.216.34", 0)),
(socket.AF_INET, socket.SOCK_STREAM, 0, "", ("10.0.0.1", 0)),
]
assert validate_url("http://dual.example.com") is False
class TestIsIpBlockedZeroNetwork:
"""0.0.0.0/8 range blocking."""
def test_0001_blocked(self):
assert is_ip_blocked("0.0.0.1") is True
def test_0001_blocked_even_with_allow_private(self):
"""0.0.0.0/8 is NOT in PRIVATE_RANGES, so it stays blocked."""
assert is_ip_blocked("0.0.0.1", allow_private_ips=True) is True
class TestValidateUrlNoBypass:
"""Verify validate_url performs real validation (no test bypass)."""
def test_ftp_scheme_blocked(self):
assert validate_url("ftp://evil.com") is False
def test_https_public_url_allowed(self):
with patch("socket.getaddrinfo") as mock_dns:
mock_dns.return_value = [(2, 1, 6, "", ("93.184.216.34", 0))]
assert validate_url("https://example.com") is True
# ---------------------------------------------------------------------------
# get_safe_url
# ---------------------------------------------------------------------------
class TestGetSafeUrl:
"""get_safe_url() wrapper."""
def test_none_returns_default(self):
assert get_safe_url(None, "fallback") == "fallback"
def test_empty_returns_default(self):
assert get_safe_url("", "fallback") == "fallback"
def test_safe_url_passes_through(self):
"""Exercises real validate_url end-to-end. Mocking only DNS means
a regression in scheme/IP/host-extraction logic would surface
here, not just whichever code path the mock previously covered.
"""
with patch(
"local_deep_research.security.ssrf_validator.socket.getaddrinfo",
return_value=[(2, 1, 6, "", ("93.184.216.34", 0))],
):
assert get_safe_url("http://example.com") == "http://example.com"
def test_unsafe_url_returns_default(self):
"""Real-validator pass-through: the IP literal 10.0.0.5 is
rejected without DNS, so removing the RFC1918 entry from
PRIVATE_IP_RANGES would cause this test to fail.
"""
assert get_safe_url("http://10.0.0.5/", "safe") == "safe"
def test_none_url_none_default(self):
assert get_safe_url(None) is None
# ---------------------------------------------------------------------------
# Constants
# ---------------------------------------------------------------------------
class TestConstants:
def test_allowed_schemes_http_https(self):
assert ALLOWED_SCHEMES == {"http", "https"}
def test_always_blocked_metadata_ips_membership(self):
"""Lock in the exact membership of the always-blocked set so a
future contributor accidentally removing an IP fails loudly."""
assert ALWAYS_BLOCKED_METADATA_IPS == frozenset(
{
"169.254.169.254",
"169.254.170.2",
"169.254.170.23",
"169.254.0.23",
"100.100.100.200",
}
)