aweiker
8c8f3ab4b3
CI / test (pull_request) Successful in 18s
CI / review (anthropic--claude-4.6-sonnet, sonnet, SONNET_REVIEW_TOKEN) (pull_request) Successful in 44s
CI / review (gpt-5, security, ., rodin/security-patterns, SECURITY_REVIEW.md, SECURITY_REVIEW_TOKEN) (pull_request) Successful in 1m57s
CI / review (gpt-5, gpt, GPT_REVIEW_TOKEN) (pull_request) Successful in 2m21s
## Changes ### Go: IP-level SSRF protection in gitea.Client (primary defense) - Add gitea/ipcheck.go with IsBlockedIP() covering all blocked CIDR ranges: loopback (127.0.0.0/8, ::1), RFC1918 (10/8, 172.16/12, 192.168/16), link-local (169.254/16, fe80::/10), ULA (fc00::/7), CGN (100.64/10), multicast, reserved, and unspecified ranges. - IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) are normalized before checking. - Add safeDialContext to gitea.Client: resolves DNS, rejects any IP in a blocked CIDR, then dials the resolved IP directly to narrow the DNS rebinding window. NewClient now uses this safe transport by default. - Add WithUnsafeDialer() for test code using httptest.Server (127.0.0.1). - Update NewTestClient helper in export_test.go for all gitea unit tests. - Update SetHTTPClient(nil) to restore the safe transport (not the plain one). ### Go: validate-url subcommand (defense-in-depth for future bash callers) - Add 'review-bot validate-url <url>' subcommand: validates https scheme, no user-info, resolves hostname, rejects any blocked IP. - Exit 0=safe, 1=blocked, 2=validation error/dns failure. - Add outWriter/errWriter vars to main.go for testable output capture. ### action.yml: Python3 IP check in 'Determine version' step - After the https scheme validation, resolve SERVER_URL hostname with socket.getaddrinfo and reject any result where ipaddress.ip_address(ip).is_private/is_loopback/is_link_local/etc. is true. - python3 is required on ubuntu-* runners (noted in existing comments). - Covers the version-check curl that sends ACTION_TOKEN to SERVER_URL. - SERVER_URL for install-step curls is covered by the same pre-check. ### Tests - gitea/ipcheck_test.go: 30+ cases covering all blocked families + public IPs - gitea/client_test.go: safe transport presence, WithUnsafeDialer, SSRF blocking - cmd/review-bot/validateurl_test.go: scheme validation, user-info, exit codes Closes #123
128 lines
3.4 KiB
Go
128 lines
3.4 KiB
Go
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"strings"
|
|
"testing"
|
|
)
|
|
|
|
func TestRunValidateURL_Usage(t *testing.T) {
|
|
var errBuf bytes.Buffer
|
|
origErr := errWriter
|
|
errWriter = &errBuf
|
|
defer func() { errWriter = origErr }()
|
|
|
|
code := runValidateURL(nil)
|
|
if code != 2 {
|
|
t.Errorf("expected exit code 2 for no args, got %d", code)
|
|
}
|
|
if !strings.Contains(errBuf.String(), "usage") {
|
|
t.Errorf("expected usage in stderr, got %q", errBuf.String())
|
|
}
|
|
|
|
errBuf.Reset()
|
|
code = runValidateURL([]string{"arg1", "arg2"})
|
|
if code != 2 {
|
|
t.Errorf("expected exit code 2 for too many args, got %d", code)
|
|
}
|
|
}
|
|
|
|
func TestValidateURL_MalformedURL(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
url string
|
|
wantMsg string
|
|
}{
|
|
{"empty", "", "must be https"},
|
|
{"http scheme", "http://example.com/", "must be https"},
|
|
{"ftp scheme", "ftp://example.com/", "must be https"},
|
|
{"no scheme", "example.com", "must be https"},
|
|
{"user info", "https://user:pass@example.com/", "user-info"},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
err := validateURL(tc.url)
|
|
if err == nil {
|
|
t.Errorf("expected error for URL %q, got nil", tc.url)
|
|
return
|
|
}
|
|
if !strings.Contains(err.Error(), tc.wantMsg) {
|
|
t.Errorf("error %q does not contain %q", err.Error(), tc.wantMsg)
|
|
}
|
|
var ve *validateError
|
|
if !isValidateError(err, &ve) {
|
|
t.Fatalf("expected *validateError, got %T", err)
|
|
}
|
|
if ve.code != 2 {
|
|
t.Errorf("expected code 2, got %d", ve.code)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestValidateURL_BlockedPrivateIP(t *testing.T) {
|
|
// localhost always resolves to 127.0.0.1 (loopback).
|
|
err := validateURL("https://localhost/")
|
|
if err == nil {
|
|
t.Skip("localhost did not resolve (network unavailable in test environment)")
|
|
}
|
|
var ve *validateError
|
|
if !isValidateError(err, &ve) {
|
|
t.Fatalf("expected *validateError, got %T: %v", err, err)
|
|
}
|
|
if ve.code != 1 && ve.code != 2 {
|
|
t.Errorf("expected code 1 (blocked) or 2 (dns fail), got %d: %s", ve.code, ve.message)
|
|
}
|
|
// If it resolved (code 1), the message must say "blocked".
|
|
if ve.code == 1 && !strings.Contains(ve.message, "blocked") {
|
|
t.Errorf("expected 'blocked' in message, got %q", ve.message)
|
|
}
|
|
}
|
|
|
|
func TestValidateURL_ExitCodes(t *testing.T) {
|
|
cases := []struct {
|
|
name string
|
|
url string
|
|
wantCode int
|
|
}{
|
|
{"http scheme", "http://example.com/", 2},
|
|
{"no scheme", "example.com", 2},
|
|
{"user info", "https://admin:secret@example.com/", 2},
|
|
}
|
|
for _, tc := range cases {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
err := validateURL(tc.url)
|
|
if err == nil {
|
|
t.Fatalf("expected error for %q", tc.url)
|
|
}
|
|
var ve *validateError
|
|
if !isValidateError(err, &ve) {
|
|
t.Fatalf("expected *validateError, got %T", err)
|
|
}
|
|
if ve.code != tc.wantCode {
|
|
t.Errorf("code = %d, want %d (url=%q, msg=%s)", ve.code, tc.wantCode, tc.url, ve.message)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestRunValidateURL_WithCapture(t *testing.T) {
|
|
var outBuf, errBuf bytes.Buffer
|
|
origOut, origErr := outWriter, errWriter
|
|
outWriter = &outBuf
|
|
errWriter = &errBuf
|
|
defer func() {
|
|
outWriter = origOut
|
|
errWriter = origErr
|
|
}()
|
|
|
|
// http:// scheme should fail with code 2.
|
|
code := runValidateURL([]string{"http://example.com/"})
|
|
if code != 2 {
|
|
t.Errorf("expected code 2 for http:// URL, got %d", code)
|
|
}
|
|
if !strings.Contains(errBuf.String(), "must be https") {
|
|
t.Errorf("expected error about https in stderr, got %q", errBuf.String())
|
|
}
|
|
}
|