repo-webhook-ssrf.txtar

 1# vi: set ft=conf
 2
 3# Test SSRF protection in webhook creation
 4
 5# start soft serve
 6exec soft serve &
 7# wait for SSH server to start
 8ensureserverrunning SSH_PORT
 9
10# create a repo
11soft repo create test-repo
12stderr 'Created repository test-repo.*'
13
14# Try to create webhook with localhost - should fail
15! soft repo webhook create test-repo http://localhost:8080/webhook -e push
16
17# Try to create webhook with 127.0.0.1 - should fail
18! soft repo webhook create test-repo http://127.0.0.1:8080/webhook -e push
19
20# Try to create webhook with AWS metadata service - should fail
21! soft repo webhook create test-repo http://169.254.169.254/latest/meta-data/ -e push
22
23# Try to create webhook with private network - should fail
24! soft repo webhook create test-repo http://192.168.1.1/webhook -e push
25
26# Try to create webhook with private 10.x network - should fail
27! soft repo webhook create test-repo http://10.0.0.1/webhook -e push
28
29# Create webhook with valid public IP - should succeed
30new-webhook WH_PUBLIC
31soft repo webhook create test-repo $WH_PUBLIC -e push
32
33# List webhooks - should show only the valid one
34soft repo webhook list test-repo
35stdout 'webhook.site'
36
37# Try to update webhook to localhost - should fail
38! soft repo webhook update test-repo 1 --url http://localhost:9090/hook
39
40# stop the server
41[windows] stopserver
42[windows] ! stderr .