test: simplify ssrf hostname coverage

Peter Steinberger 2026-03-13 18:20:08 +00:00
parent 3e8d9bc6ea
commit f3d4bb4103
1 changed files with 25 additions and 16 deletions


@ -111,19 +111,23 @@ describe("normalizeFingerprint", () => {
});
describe("isBlockedHostnameOrIp", () => {
it("blocks localhost.localdomain and metadata hostname aliases", () => {
expect(isBlockedHostnameOrIp("localhost.localdomain")).toBe(true);
expect(isBlockedHostnameOrIp("metadata.google.internal")).toBe(true);
it.each([
"localhost.localdomain",
"metadata.google.internal",
"api.localhost",
"svc.local",
"db.internal",
])("blocks reserved hostname %s", (hostname) => {
expect(isBlockedHostnameOrIp(hostname)).toBe(true);
});
it("blocks private transition addresses via shared IP classifier", () => {
expect(isBlockedHostnameOrIp("2001:db8:1234::5efe:127.0.0.1")).toBe(true);
expect(isBlockedHostnameOrIp("2001:db8::1")).toBe(false);
});
it("blocks IPv4 special-use ranges but allows adjacent public ranges", () => {
expect(isBlockedHostnameOrIp("198.18.0.1")).toBe(true);
expect(isBlockedHostnameOrIp("198.20.0.1")).toBe(false);
it.each([
["2001:db8:1234::5efe:127.0.0.1", true],
["2001:db8::1", false],
["198.18.0.1", true],
["198.20.0.1", false],
])("returns %s => %s", (value, expected) => {
expect(isBlockedHostnameOrIp(value)).toBe(expected);
});
it("supports opt-in policy to allow RFC2544 benchmark range", () => {
@ -134,10 +138,15 @@ describe("isBlockedHostnameOrIp", () => {
expect(isBlockedHostnameOrIp("198.51.100.1", policy)).toBe(true);
});
it("blocks legacy IPv4 literal representations", () => {
expect(isBlockedHostnameOrIp("0177.0.0.1")).toBe(true);
expect(isBlockedHostnameOrIp("8.8.2056")).toBe(true);
expect(isBlockedHostnameOrIp("127.1")).toBe(true);
expect(isBlockedHostnameOrIp("2130706433")).toBe(true);
it.each(["0177.0.0.1", "8.8.2056", "127.1", "2130706433"])(
"blocks legacy IPv4 literal %s",
(address) => {
expect(isBlockedHostnameOrIp(address)).toBe(true);
},
);
it("does not block ordinary hostnames", () => {
expect(isBlockedHostnameOrIp("example.com")).toBe(false);
expect(isBlockedHostnameOrIp("api.example.net")).toBe(false);
});
});
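Review bot: The merged table titled `"returns %s => %s"` no longer says which rule each row guards, so a failure reported as `returns 198.18.0.1 => true` does not tell the reader whether the embedded-IPv4 transition check or the special-use range check regressed. As far as the page shows, the two tests it appears to replace carried that intent in their names (private transition addresses via the shared IP classifier; IPv4 special-use ranges versus adjacent public ranges). I would keep the table but add a label column and print it in the title, e.g. `["198.18.0.1", true, "RFC 2544 benchmark range"],` with `])("%s => blocked=%s (%s)", (value, expected) => {`. In the legacy-literal table a short comment would also help, such as `// 8.8.2056 decodes to a public address; the legacy form itself is rejected`, assuming that is the intended policy; confirm it against the classifier.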