fix(#123): address all review findings from PR #129
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 34s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m25s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 2m30s
PR Ready Gate / clear-labels (pull_request) Successful in 2s
CI / test (pull_request) Successful in 17s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 34s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 1m25s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 2m30s
MAJOR fixes: - gitea/ipcheck.go: replace startup panic with init()+error list pattern Hard-coded CIDRs that fail to parse now recorded in blockedCIDRParseErrors instead of panicking. TestBlockedCIDRsValid catches programming errors in CI without violating CONVENTIONS.md 'never panic' rule. - .gitea/actions/review/action.yml: re-validate SERVER_URL at start of 'Install review-bot' step to close DNS rebinding window between 'Determine version' and install-step curl calls. MINOR fixes: - gitea/client.go: add Timeout: 10*time.Second to net.Dialer per PLAN.md spec - cmd/review-bot/validateurl.go: switch isValidateError to errors.As so wrapped *validateError values are also detected - gitea/ipcheck_test.go: clarify 198.51.100.1 (RFC5737 TEST-NET-2) comment; add TestBlockedCIDRsValid to surface CIDR parse errors as test failures NIT fixes: - .gitea/actions/review/action.yml: refactor Python list comprehension in SSRF check to for-loop (avoids side-effect-only comprehension, runner compat) - gitea/export_test.go: expand comment explaining white-box test pattern (why package gitea not gitea_test, Go stdlib precedent) Remove PLAN.md (implementation complete)
This commit is contained in:
claw
+4
-1
@@ -136,7 +136,10 @@ func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error
|
||||
}
|
||||
}
|
||||
// Dial the first resolved IP directly to avoid a second lookup.
|
||||
d := &net.Dialer{}
|
||||
// Timeout: 10s per the design (PLAN.md); the outer http.Client has a 30s
|
||||
// total timeout, but the dial itself needs an independent bound so a slow
|
||||
// TCP connect does not consume the full 30s without cancellation.
|
||||
d := &net.Dialer{Timeout: 10 * time.Second}
|
||||
return d.DialContext(ctx, network, net.JoinHostPort(addrs[0].IP.String(), port))
|
||||
}
|
||||
|
||||
|
||||
@@ -1,11 +1,18 @@
|
||||
// Package gitea — export_test.go exposes test helpers to test files in this
|
||||
// package. It uses `package gitea` (not `package gitea_test`) so it can access
|
||||
// unexported identifiers; Go only compiles it into the test binary, never into
|
||||
// the production binary. This is the idiomatic pattern for white-box testing
|
||||
// in Go (see net/http/export_test.go in the stdlib for the same approach).
|
||||
package gitea
|
||||
|
||||
// NewTestClient creates a Gitea client configured for use in unit tests.
|
||||
// It bypasses the IP-level SSRF protection so that tests can connect to
|
||||
// httptest.Server instances (which listen on 127.0.0.1).
|
||||
//
|
||||
// This function MUST only be called from _test.go files.
|
||||
// Production code must use NewClient which uses the safe dialer.
|
||||
// Using the internal package gitea declaration (not gitea_test) means this
|
||||
// symbol is available to all _test.go files in this package. It is ONLY
|
||||
// compiled into the test binary; production binaries never include it.
|
||||
// Production code must use NewClient, which enables the safe dialer.
|
||||
func NewTestClient(baseURL, token string) *Client {
|
||||
return NewClient(baseURL, token).WithUnsafeDialer()
|
||||
}
|
||||
|
||||
+57
-44
@@ -8,55 +8,63 @@ import (
|
||||
"net"
|
||||
)
|
||||
|
||||
// blockedCIDRs is the list of CIDR ranges that should never be contacted by
|
||||
// review-bot. These ranges cover private, loopback, link-local, multicast,
|
||||
// and other special-use address spaces that are not reachable from the internet
|
||||
// but may be reachable from a self-hosted runner.
|
||||
// blockedCIDRStrings is the canonical list of CIDR strings that should never
|
||||
// be contacted by review-bot. See IsBlockedIP for the full list of covered
|
||||
// address families.
|
||||
//
|
||||
// Based on:
|
||||
// - RFC1918 private ranges
|
||||
// - RFC5735 / RFC4193 special-use IPv4/IPv6 ranges
|
||||
// - RFC4291 IPv6 link-local / loopback
|
||||
var blockedCIDRs = func() []*net.IPNet {
|
||||
ranges := []string{
|
||||
// IPv4 loopback
|
||||
"127.0.0.0/8",
|
||||
// IPv4 unspecified / "this network"
|
||||
"0.0.0.0/8",
|
||||
// RFC1918 private ranges
|
||||
"10.0.0.0/8",
|
||||
"172.16.0.0/12",
|
||||
"192.168.0.0/16",
|
||||
// IPv4 link-local (APIPA, also used by AWS instance metadata 169.254.169.254)
|
||||
"169.254.0.0/16",
|
||||
// IPv4 shared address space (RFC6598, carrier-grade NAT)
|
||||
"100.64.0.0/10",
|
||||
// IPv4 multicast
|
||||
"224.0.0.0/4",
|
||||
// IPv4 reserved / broadcast
|
||||
"240.0.0.0/4",
|
||||
// IPv6 loopback
|
||||
"::1/128",
|
||||
// IPv6 unspecified
|
||||
"::/128",
|
||||
// IPv6 link-local
|
||||
"fe80::/10",
|
||||
// IPv6 unique local (ULA) — RFC4193
|
||||
"fc00::/7",
|
||||
// IPv6 multicast
|
||||
"ff00::/8",
|
||||
}
|
||||
nets := make([]*net.IPNet, 0, len(ranges))
|
||||
for _, r := range ranges {
|
||||
// These are hard-coded literals: any parse failure is a programming error.
|
||||
// Validity is verified by TestBlockedCIDRsValid in ipcheck_test.go.
|
||||
var blockedCIDRStrings = []string{
|
||||
// IPv4 loopback
|
||||
"127.0.0.0/8",
|
||||
// IPv4 unspecified / "this network"
|
||||
"0.0.0.0/8",
|
||||
// RFC1918 private ranges
|
||||
"10.0.0.0/8",
|
||||
"172.16.0.0/12",
|
||||
"192.168.0.0/16",
|
||||
// IPv4 link-local (APIPA, also used by AWS instance metadata 169.254.169.254)
|
||||
"169.254.0.0/16",
|
||||
// IPv4 shared address space (RFC6598, carrier-grade NAT)
|
||||
"100.64.0.0/10",
|
||||
// IPv4 multicast
|
||||
"224.0.0.0/4",
|
||||
// IPv4 reserved / broadcast
|
||||
"240.0.0.0/4",
|
||||
// IPv6 loopback
|
||||
"::1/128",
|
||||
// IPv6 unspecified
|
||||
"::/128",
|
||||
// IPv6 link-local
|
||||
"fe80::/10",
|
||||
// IPv6 unique local (ULA) — RFC4193
|
||||
"fc00::/7",
|
||||
// IPv6 multicast
|
||||
"ff00::/8",
|
||||
}
|
||||
|
||||
// blockedCIDRs is the parsed form of blockedCIDRStrings.
|
||||
// Any entry that fails to parse is recorded in blockedCIDRParseErrors instead
|
||||
// of panicking; tests verify this slice is always empty via TestBlockedCIDRsValid.
|
||||
var (
|
||||
blockedCIDRs []*net.IPNet
|
||||
blockedCIDRParseErrors []string
|
||||
)
|
||||
|
||||
func init() {
|
||||
blockedCIDRs = make([]*net.IPNet, 0, len(blockedCIDRStrings))
|
||||
for _, r := range blockedCIDRStrings {
|
||||
_, cidr, err := net.ParseCIDR(r)
|
||||
if err != nil {
|
||||
// This is a programming error — panic to catch it at startup/test time.
|
||||
panic(fmt.Sprintf("ipcheck: invalid built-in CIDR %q: %v", r, err))
|
||||
// Record the error rather than panicking; TestBlockedCIDRsValid
|
||||
// will catch this during tests, and the CI build will fail.
|
||||
blockedCIDRParseErrors = append(blockedCIDRParseErrors,
|
||||
fmt.Sprintf("ipcheck: invalid built-in CIDR %q: %v", r, err))
|
||||
continue
|
||||
}
|
||||
nets = append(nets, cidr)
|
||||
blockedCIDRs = append(blockedCIDRs, cidr)
|
||||
}
|
||||
return nets
|
||||
}()
|
||||
}
|
||||
|
||||
// IsBlockedIP reports whether ip is in a blocked address range.
|
||||
// It is exported for use by the validate-url subcommand and tests outside
|
||||
@@ -64,6 +72,11 @@ var blockedCIDRs = func() []*net.IPNet {
|
||||
//
|
||||
// IPv6-mapped IPv4 addresses (e.g. ::ffff:192.168.1.1) are normalized to their
|
||||
// IPv4 form before checking so that IPv4 CIDRs catch them.
|
||||
//
|
||||
// Based on:
|
||||
// - RFC1918 private ranges
|
||||
// - RFC5735 / RFC4193 special-use IPv4/IPv6 ranges
|
||||
// - RFC4291 IPv6 link-local / loopback
|
||||
func IsBlockedIP(ip net.IP) bool {
|
||||
// Normalize IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) to plain IPv4.
|
||||
if v4 := ip.To4(); v4 != nil {
|
||||
|
||||
+18
-1
@@ -68,7 +68,11 @@ func TestIsBlockedIP(t *testing.T) {
|
||||
}{
|
||||
{"public 8.8.8.8", "8.8.8.8"},
|
||||
{"public 1.1.1.1", "1.1.1.1"},
|
||||
{"public 198.51.100.1", "198.51.100.1"}, // TEST-NET-2, but not blocked — public-looking
|
||||
{"public 198.51.100.1", "198.51.100.1"}, // RFC5737 TEST-NET-2 — a documentation-only range;
|
||||
// not assigned to any real host, but intentionally left unblocked here because
|
||||
// it has no special routing treatment (unlike RFC1918/loopback/link-local) and
|
||||
// blocking it would require tracking every RFC5737 range without meaningful
|
||||
// security benefit (no server should ever listen on a TEST-NET address).
|
||||
{"public 151.101.1.1", "151.101.1.1"}, // Fastly
|
||||
{"public IPv6 2001:4860:4860::8888", "2001:4860:4860::8888"}, // Google DNS
|
||||
{"public IPv6 2606:4700:4700::1111", "2606:4700:4700::1111"}, // Cloudflare DNS
|
||||
@@ -125,3 +129,16 @@ func TestIsBlockedIPEdgeCases(t *testing.T) {
|
||||
t.Errorf("IsBlockedIP(100.128.0.0) = true, want false (outside 100.64.0.0/10)")
|
||||
}
|
||||
}
|
||||
|
||||
// TestBlockedCIDRsValid verifies that all entries in blockedCIDRStrings parse
|
||||
// successfully. This catches programming errors in the CIDR list without
|
||||
// requiring a startup panic. The init() function records parse failures in
|
||||
// blockedCIDRParseErrors rather than panicking; this test makes those failures
|
||||
// visible as test failures during CI.
|
||||
func TestBlockedCIDRsValid(t *testing.T) {
|
||||
if len(blockedCIDRParseErrors) > 0 {
|
||||
for _, msg := range blockedCIDRParseErrors {
|
||||
t.Errorf("CIDR parse error: %s", msg)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user