Accueil Explorer Aide
Connexion
yunoadmin
/
bambuddy
miroir de https://github.com/maziggy/bambuddy
1
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: 6b87cdefd7
Branches Tags
bambuddy
/
backend
/
tests
/
unit
/
test_url_safety.py

test_url_safety.py 2.2 KB
Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374 
  1. """Unit tests for the shared SSRF-data primitives (#1333).
    2. 

  2. 

  3. These primitives are imported by both ``_spoolman_helpers.assert_safe_spoolman_url``
    4. 

  4. and ``_oidc_helpers.assert_safe_public_https_url``. Test them in isolation
    5. 

  5. so a future change to one consumer doesn't accidentally drift the data.
    6. 

  6. """
    7. 

  7. 

  8. import ipaddress
    9. 

  9. 

  10. import pytest
    11. 

  11. 

  12. from backend.app.api.routes._url_safety import (
    13. 

  13.     CLOUD_METADATA_IPS,
    14. 

  14.     NUMERIC_IP_RE,
    15. 

  15.     unwrap_ipv4_mapped,
    16. 

  16. )
    17. 

  17. 

  18. 

  19. def test_cloud_metadata_set_contains_known_endpoints():
    20. 

  20.     # Both v4 and v6 IMDS endpoints, plus Alibaba's variant.
    21. 

  21.     assert ipaddress.ip_address("169.254.169.254") in CLOUD_METADATA_IPS
    22. 

  22.     assert ipaddress.ip_address("100.100.100.200") in CLOUD_METADATA_IPS
    23. 

  23.     assert ipaddress.ip_address("fd00:ec2::254") in CLOUD_METADATA_IPS
    24. 

  24. 

  25. 

  26. def test_cloud_metadata_set_is_frozen():
    27. 

  27.     # frozenset is the right immutable container — protects against
    28. 

  28.     # accidental mutation in tests/imports.
    29. 

  29.     assert isinstance(CLOUD_METADATA_IPS, frozenset)
    30. 

  30. 

  31. 

  32. @pytest.mark.parametrize(
    33. 

  33.     "candidate",
    34. 

  34.     [
    35. 

  35.         "2130706433",  # decimal-encoded 127.0.0.1
    36. 

  36.         "0x7f000001",  # hex-encoded 127.0.0.1
    37. 

  37.         "0xFFFFFFFF",  # uppercase hex
    38. 

  38.         "0",
    39. 

  39.         "4294967295",  # max uint32
    40. 

  40.     ],
    41. 

  41. )
    42. 

  42. def test_numeric_ip_re_matches_encoded_forms(candidate):
    43. 

  43.     assert NUMERIC_IP_RE.match(candidate) is not None
    44. 

  44. 

  45. 

  46. @pytest.mark.parametrize(
    47. 

  47.     "candidate",
    48. 

  48.     [
    49. 

  49.         "127.0.0.1",  # dotted-decimal — not "numeric-encoded"
    50. 

  50.         "example.com",
    51. 

  51.         "spoolman.lan",
    52. 

  52.         "::1",
    53. 

  53.         "localhost",
    54. 

  54.     ],
    55. 

  55. )
    56. 

  56. def test_numeric_ip_re_rejects_normal_forms(candidate):
    57. 

  57.     assert NUMERIC_IP_RE.match(candidate) is None
    58. 

  58. 

  59. 

  60. def test_unwrap_ipv4_mapped_unwraps_mapped_address():
    61. 

  61.     mapped = ipaddress.ip_address("::ffff:127.0.0.1")
    62. 

  62.     result = unwrap_ipv4_mapped(mapped)
    63. 

  63.     assert result == ipaddress.ip_address("127.0.0.1")
    64. 

  64.     assert isinstance(result, ipaddress.IPv4Address)
    65. 

  65. 

  66. 

  67. def test_unwrap_ipv4_mapped_passes_through_pure_ipv4():
    68. 

  68.     addr = ipaddress.ip_address("8.8.8.8")
    69. 

  69.     assert unwrap_ipv4_mapped(addr) is addr
    70. 

  70. 

  71. 

  72. def test_unwrap_ipv4_mapped_passes_through_pure_ipv6():
    73. 

  73.     addr = ipaddress.ip_address("2001:db8::1")
    74. 

  74.     assert unwrap_ipv4_mapped(addr) is addr
    75.