1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
/*
* SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
* SPDX-License-Identifier: AGPL-3.0-only
*/
import { describe, jest } from '@jest/globals';
import type { Mock } from 'jest-mock';
import type { PrivateNetwork } from '@/config.js';
import type { Socket } from 'net';
import { HttpRequestService, isAllowedPrivateIp, isPrivateUrl, resolveIp, validateSocketConnect } from '@/core/HttpRequestService.js';
import { parsePrivateNetworks } from '@/config.js';
describe(HttpRequestService, () => {
let allowedPrivateNetworks: PrivateNetwork[] | undefined;
beforeEach(() => {
allowedPrivateNetworks = parsePrivateNetworks([
'10.0.0.1/32',
{ network: '127.0.0.1/32', ports: [1] },
{ network: '127.0.0.1/32', ports: [3, 4, 5] },
]);
});
describe(isAllowedPrivateIp, () => {
it('should return false when ip public', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '74.125.127.100', 80);
expect(result).toBeFalsy();
});
it('should return false when ip private and port matches', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '127.0.0.1', 1);
expect(result).toBeFalsy();
});
it('should return false when ip private and all ports undefined', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '10.0.0.1', undefined);
expect(result).toBeFalsy();
});
it('should return true when ip private and no ports specified', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '10.0.0.2', 80);
expect(result).toBeTruthy();
});
it('should return true when ip private and port does not match', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '127.0.0.1', 80);
expect(result).toBeTruthy();
});
it('should return true when ip private and port is null but ports are specified', () => {
const result = isAllowedPrivateIp(allowedPrivateNetworks, '127.0.0.1', undefined);
expect(result).toBeTruthy();
});
});
const fakeLookup = (host: string, _: unknown, callback: (err: Error | null, ip: string) => void) => {
if (host === 'localhost') {
callback(null, '127.0.0.1');
} else {
callback(null, '23.192.228.80');
}
};
describe(resolveIp, () => {
it('should parse inline IPs', async () => {
const result = await resolveIp(new URL('https://10.0.0.1'), fakeLookup);
expect(result.toString()).toEqual('10.0.0.1');
});
it('should resolve domain names', async () => {
const result = await resolveIp(new URL('https://localhost'), fakeLookup);
expect(result.toString()).toEqual('127.0.0.1');
});
});
describe(isPrivateUrl, () => {
it('should return false when URL is public host', async () => {
const result = await isPrivateUrl(new URL('https://example.com'), fakeLookup);
expect(result).toBe(false);
});
it('should return true when URL is private host', async () => {
const result = await isPrivateUrl(new URL('https://localhost'), fakeLookup);
expect(result).toBe(true);
});
it('should return false when IP is public', async () => {
const result = await isPrivateUrl(new URL('https://23.192.228.80'), fakeLookup);
expect(result).toBe(false);
});
it('should return true when IP is private', async () => {
const result = await isPrivateUrl(new URL('https://127.0.0.1'), fakeLookup);
expect(result).toBe(true);
});
it('should return true when IP is private with port and path', async () => {
const result = await isPrivateUrl(new URL('https://127.0.0.1:443/some/path'), fakeLookup);
expect(result).toBe(true);
});
});
describe('validateSocketConnect', () => {
let fakeSocket: Socket;
let fakeSocketMutable: {
remoteAddress: string | undefined;
remotePort: number | undefined;
destroy: Mock<(error?: Error) => void>;
};
beforeEach(() => {
fakeSocketMutable = {
remoteAddress: '74.125.127.100',
remotePort: 80,
destroy: jest.fn<(error?: Error) => void>(),
};
fakeSocket = fakeSocketMutable as unknown as Socket;
});
it('should accept when IP is empty', () => {
fakeSocketMutable.remoteAddress = undefined;
validateSocketConnect(allowedPrivateNetworks, fakeSocket);
expect(fakeSocket.destroy).not.toHaveBeenCalled();
});
it('should accept when IP is invalid', () => {
fakeSocketMutable.remoteAddress = 'AB939ajd9jdajsdja8jj';
validateSocketConnect(allowedPrivateNetworks, fakeSocket);
expect(fakeSocket.destroy).not.toHaveBeenCalled();
});
it('should accept when IP is valid', () => {
validateSocketConnect(allowedPrivateNetworks, fakeSocket);
expect(fakeSocket.destroy).not.toHaveBeenCalled();
});
it('should accept when IP is private and port match', () => {
fakeSocketMutable.remoteAddress = '127.0.0.1';
fakeSocketMutable.remotePort = 1;
validateSocketConnect(allowedPrivateNetworks, fakeSocket);
expect(fakeSocket.destroy).not.toHaveBeenCalled();
});
it('should reject when IP is private and port no match', () => {
fakeSocketMutable.remoteAddress = '127.0.0.1';
fakeSocketMutable.remotePort = 2;
validateSocketConnect(allowedPrivateNetworks, fakeSocket);
expect(fakeSocket.destroy).toHaveBeenCalled();
});
});
});
|
