feat(#123): add IP-level SSRF defense to Gitea client and action
CI / test (pull_request) Successful in 18s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m57s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m21s
CI / test (pull_request) Successful in 18s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m57s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m21s
## Changes ### Go: IP-level SSRF protection in gitea.Client (primary defense) - Add gitea/ipcheck.go with IsBlockedIP() covering all blocked CIDR ranges: loopback (127.0.0.0/8, ::1), RFC1918 (10/8, 172.16/12, 192.168/16), link-local (169.254/16, fe80::/10), ULA (fc00::/7), CGN (100.64/10), multicast, reserved, and unspecified ranges. - IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) are normalized before checking. - Add safeDialContext to gitea.Client: resolves DNS, rejects any IP in a blocked CIDR, then dials the resolved IP directly to narrow the DNS rebinding window. NewClient now uses this safe transport by default. - Add WithUnsafeDialer() for test code using httptest.Server (127.0.0.1). - Update NewTestClient helper in export_test.go for all gitea unit tests. - Update SetHTTPClient(nil) to restore the safe transport (not the plain one). ### Go: validate-url subcommand (defense-in-depth for future bash callers) - Add 'review-bot validate-url <url>' subcommand: validates https scheme, no user-info, resolves hostname, rejects any blocked IP. - Exit 0=safe, 1=blocked, 2=validation error/dns failure. - Add outWriter/errWriter vars to main.go for testable output capture. ### action.yml: Python3 IP check in 'Determine version' step - After the https scheme validation, resolve SERVER_URL hostname with socket.getaddrinfo and reject any result where ipaddress.ip_address(ip).is_private/is_loopback/is_link_local/etc. is true. - python3 is required on ubuntu-* runners (noted in existing comments). - Covers the version-check curl that sends ACTION_TOKEN to SERVER_URL. - SERVER_URL for install-step curls is covered by the same pre-check. ### Tests - gitea/ipcheck_test.go: 30+ cases covering all blocked families + public IPs - gitea/client_test.go: safe transport presence, WithUnsafeDialer, SSRF blocking - cmd/review-bot/validateurl_test.go: scheme validation, user-info, exit codes Closes #123
This commit is contained in:
@@ -0,0 +1,127 @@
|
||||
package gitea
|
||||
|
||||
import (
|
||||
"net"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestIsBlockedIP(t *testing.T) {
|
||||
blocked := []struct {
|
||||
name string
|
||||
ip string
|
||||
}{
|
||||
// IPv4 loopback
|
||||
{"loopback 127.0.0.1", "127.0.0.1"},
|
||||
{"loopback 127.0.0.2", "127.0.0.2"},
|
||||
{"loopback 127.255.255.255", "127.255.255.255"},
|
||||
// IPv4 unspecified
|
||||
{"unspecified 0.0.0.0", "0.0.0.0"},
|
||||
{"unspecified 0.1.2.3", "0.1.2.3"},
|
||||
// RFC1918
|
||||
{"RFC1918 10.0.0.1", "10.0.0.1"},
|
||||
{"RFC1918 10.255.255.255", "10.255.255.255"},
|
||||
{"RFC1918 172.16.0.1", "172.16.0.1"},
|
||||
{"RFC1918 172.31.255.255", "172.31.255.255"},
|
||||
{"RFC1918 192.168.0.1", "192.168.0.1"},
|
||||
{"RFC1918 192.168.255.255", "192.168.255.255"},
|
||||
// Link-local (APIPA / AWS metadata)
|
||||
{"link-local 169.254.0.1", "169.254.0.1"},
|
||||
{"link-local 169.254.169.254", "169.254.169.254"},
|
||||
// Shared address space (carrier-grade NAT)
|
||||
{"CGN 100.64.0.1", "100.64.0.1"},
|
||||
{"CGN 100.127.255.255", "100.127.255.255"},
|
||||
// Multicast
|
||||
{"multicast 224.0.0.1", "224.0.0.1"},
|
||||
{"multicast 239.255.255.255", "239.255.255.255"},
|
||||
// Reserved
|
||||
{"reserved 240.0.0.1", "240.0.0.1"},
|
||||
{"broadcast 255.255.255.255", "255.255.255.255"},
|
||||
// IPv6 loopback
|
||||
{"IPv6 loopback ::1", "::1"},
|
||||
// IPv6 unspecified
|
||||
{"IPv6 unspecified ::", "::"},
|
||||
// IPv6 link-local
|
||||
{"IPv6 link-local fe80::1", "fe80::1"},
|
||||
{"IPv6 link-local fe80::dead:beef", "fe80::dead:beef"},
|
||||
// IPv6 ULA
|
||||
{"IPv6 ULA fc00::1", "fc00::1"},
|
||||
{"IPv6 ULA fd00::1", "fd00::1"},
|
||||
// IPv6 multicast
|
||||
{"IPv6 multicast ff02::1", "ff02::1"},
|
||||
}
|
||||
|
||||
for _, tc := range blocked {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
ip := net.ParseIP(tc.ip)
|
||||
if ip == nil {
|
||||
t.Fatalf("failed to parse IP %q", tc.ip)
|
||||
}
|
||||
if !IsBlockedIP(ip) {
|
||||
t.Errorf("IsBlockedIP(%q) = false, want true", tc.ip)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
allowed := []struct {
|
||||
name string
|
||||
ip string
|
||||
}{
|
||||
{"public 8.8.8.8", "8.8.8.8"},
|
||||
{"public 1.1.1.1", "1.1.1.1"},
|
||||
{"public 198.51.100.1", "198.51.100.1"}, // TEST-NET-2, but not blocked — public-looking
|
||||
{"public 151.101.1.1", "151.101.1.1"}, // Fastly
|
||||
{"public IPv6 2001:4860:4860::8888", "2001:4860:4860::8888"}, // Google DNS
|
||||
{"public IPv6 2606:4700:4700::1111", "2606:4700:4700::1111"}, // Cloudflare DNS
|
||||
}
|
||||
|
||||
for _, tc := range allowed {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
ip := net.ParseIP(tc.ip)
|
||||
if ip == nil {
|
||||
t.Fatalf("failed to parse IP %q", tc.ip)
|
||||
}
|
||||
if IsBlockedIP(ip) {
|
||||
t.Errorf("IsBlockedIP(%q) = true, want false", tc.ip)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsBlockedIPv6MappedIPv4(t *testing.T) {
|
||||
// ::ffff:192.168.1.1 is an IPv6-mapped IPv4 address — should be blocked as RFC1918.
|
||||
// Construct it manually as a 16-byte IP.
|
||||
mapped := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 168, 1, 1}
|
||||
if !IsBlockedIP(mapped) {
|
||||
t.Errorf("IsBlockedIP(::ffff:192.168.1.1) = false, want true (IPv6-mapped IPv4 must be normalized)")
|
||||
}
|
||||
|
||||
// ::ffff:8.8.8.8 — IPv6-mapped public IP — should be allowed.
|
||||
mappedPublic := net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 8, 8, 8, 8}
|
||||
if IsBlockedIP(mappedPublic) {
|
||||
t.Errorf("IsBlockedIP(::ffff:8.8.8.8) = true, want false")
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsBlockedIPEdgeCases(t *testing.T) {
|
||||
// The boundary between RFC1918 and public ranges.
|
||||
// 172.15.255.255 is NOT private (just below 172.16.0.0/12).
|
||||
notPrivate := net.ParseIP("172.15.255.255")
|
||||
if IsBlockedIP(notPrivate) {
|
||||
t.Errorf("IsBlockedIP(172.15.255.255) = true, want false (outside 172.16.0.0/12)")
|
||||
}
|
||||
// 172.32.0.0 is NOT private (just above 172.31.255.255).
|
||||
notPrivate2 := net.ParseIP("172.32.0.0")
|
||||
if IsBlockedIP(notPrivate2) {
|
||||
t.Errorf("IsBlockedIP(172.32.0.0) = true, want false (outside 172.16.0.0/12)")
|
||||
}
|
||||
// CGN: 100.63.255.255 is NOT in 100.64.0.0/10.
|
||||
notCGN := net.ParseIP("100.63.255.255")
|
||||
if IsBlockedIP(notCGN) {
|
||||
t.Errorf("IsBlockedIP(100.63.255.255) = true, want false (outside 100.64.0.0/10)")
|
||||
}
|
||||
// CGN: 100.128.0.0 is NOT in 100.64.0.0/10.
|
||||
notCGN2 := net.ParseIP("100.128.0.0")
|
||||
if IsBlockedIP(notCGN2) {
|
||||
t.Errorf("IsBlockedIP(100.128.0.0) = true, want false (outside 100.64.0.0/10)")
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user