mirror of
https://github.com/discourse/discourse.git
synced 2025-01-10 16:44:32 +08:00
52ef44f43b
`FinalDestination::HTTP` is our patch of `Net::HTTP` which defend us against SSRF and DNS rebinding attacks.
61 lines
1.6 KiB
Ruby
61 lines
1.6 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
klass = defined?(WebPush) ? WebPush : Webpush
|
|
|
|
RSpec.describe klass do
|
|
before do
|
|
FinalDestination::SSRFDetector.allow_ip_lookups_in_test!
|
|
WebMock.enable!(except: [:final_destination])
|
|
end
|
|
|
|
after do
|
|
WebMock.enable!
|
|
FinalDestination::SSRFDetector.disallow_ip_lookups_in_test!
|
|
end
|
|
|
|
it "should filter endpoint hostname through our SSRF detector" do
|
|
klass::Request.any_instance.expects(:encrypt_payload)
|
|
klass::Request.any_instance.expects(:headers)
|
|
|
|
stub_ip_lookup("example.com", %W[0.0.0.0])
|
|
|
|
expect do
|
|
klass.payload_send(
|
|
endpoint: "http://example.com",
|
|
message: "test",
|
|
p256dh: "somep256dh",
|
|
auth: "someauth",
|
|
vapid: {
|
|
subject: "someurl",
|
|
public_key: "somepublickey",
|
|
private_key: "someprivatekey",
|
|
},
|
|
)
|
|
end.to raise_error(FinalDestination::SSRFDetector::DisallowedIpError)
|
|
end
|
|
|
|
it "should send the right request if endpoint hostname resolves to a public ip address" do
|
|
klass::Request.any_instance.expects(:encrypt_payload)
|
|
klass::Request.any_instance.expects(:headers)
|
|
|
|
stub_ip_lookup("example.com", %W[52.125.123.12])
|
|
|
|
success = Class.new(StandardError)
|
|
TCPSocket.stubs(:open).with { |addr| "52.125.123.12" == addr }.once.raises(success)
|
|
|
|
expect do
|
|
klass.payload_send(
|
|
endpoint: "http://example.com",
|
|
message: "test",
|
|
p256dh: "somep256dh",
|
|
auth: "someauth",
|
|
vapid: {
|
|
subject: "someurl",
|
|
public_key: "somepublickey",
|
|
private_key: "someprivatekey",
|
|
},
|
|
)
|
|
end.to raise_error(success)
|
|
end
|
|
end
|