package webhook import ( "context" "net/http" "net/http/httptest" "testing" "time" "github.com/charmbracelet/soft-serve/pkg/db/models" ) // TestSSRFProtection tests that the webhook system blocks SSRF attempts. func TestSSRFProtection(t *testing.T) { tests := []struct { name string webhookURL string shouldBlock bool description string }{ { name: "block localhost", webhookURL: "http://localhost:8080/webhook", shouldBlock: true, description: "should block localhost addresses", }, { name: "block 127.0.0.1", webhookURL: "http://127.0.0.1:8080/webhook", shouldBlock: true, description: "should block loopback addresses", }, { name: "block 169.254.169.254", webhookURL: "http://169.254.169.254/latest/meta-data/", shouldBlock: true, description: "should block cloud metadata service", }, { name: "block private network", webhookURL: "http://192.168.1.1/webhook", shouldBlock: true, description: "should block private networks", }, { name: "allow public IP", webhookURL: "http://8.8.8.8/webhook", shouldBlock: false, description: "should allow public IP addresses", }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { // Create a test webhook webhook := models.Webhook{ URL: tt.webhookURL, ContentType: int(ContentTypeJSON), Secret: "", } // Try to send a webhook ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) defer cancel() // Create a simple payload payload := map[string]string{"test": "data"} err := sendWebhookWithContext(ctx, webhook, EventPush, payload) if tt.shouldBlock { if err == nil { t.Errorf("%s: expected error but got none", tt.description) } } else { // For public IPs, we expect a connection error (since 8.8.8.8 won't be listening) // but NOT an SSRF blocking error if err != nil && isSSRFError(err) { t.Errorf("%s: should not block public IPs, got: %v", tt.description, err) } } }) } } // TestSecureHTTPClientBlocksRedirects tests that redirects are not followed. func TestSecureHTTPClientBlocksRedirects(t *testing.T) { // Create a test server on a public-looking address that redirects redirectServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "http://8.8.8.8:8080/safe", http.StatusFound) })) defer redirectServer.Close() // Try to make a request that would redirect req, err := http.NewRequestWithContext(t.Context(), http.MethodGet, redirectServer.URL, nil) if err != nil { t.Fatalf("Failed to create request: %v", err) } resp, err := secureHTTPClient.Do(req) if err != nil { // httptest.NewServer uses 127.0.0.1, which will be blocked by our SSRF protection // This is actually correct behavior - we're blocking the initial connection if !isSSRFError(err) { t.Fatalf("Request failed with non-SSRF error: %v", err) } // Test passed - we blocked the loopback connection return } defer resp.Body.Close() // If we got here, check that we got the redirect response (not followed) if resp.StatusCode != http.StatusFound { t.Errorf("Expected redirect response (302), got %d", resp.StatusCode) } } // TestDialContextBlocksPrivateIPs tests the DialContext function directly. func TestDialContextBlocksPrivateIPs(t *testing.T) { transport := secureHTTPClient.Transport.(*http.Transport) tests := []struct { name string addr string wantErr bool }{ {"block loopback", "127.0.0.1:80", true}, {"block private 10.x", "10.0.0.1:80", true}, {"block private 192.168.x", "192.168.1.1:80", true}, {"block link-local", "169.254.169.254:80", true}, {"allow public IP", "8.8.8.8:80", false}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second) defer cancel() conn, err := transport.DialContext(ctx, "tcp", tt.addr) if conn != nil { conn.Close() } if tt.wantErr { if err == nil { t.Errorf("Expected error for %s, got none", tt.addr) } } else { // For public IPs, we expect a connection timeout/refused (not an SSRF block) if err != nil && isSSRFError(err) { t.Errorf("Should not block %s with SSRF error, got: %v", tt.addr, err) } } }) } } // sendWebhookWithContext is a test helper that doesn't require database. func sendWebhookWithContext(ctx context.Context, w models.Webhook, _ Event, _ any) error { // This is a simplified version for testing that just attempts the HTTP connection req, err := http.NewRequestWithContext(ctx, "POST", w.URL, nil) if err != nil { return err //nolint:wrapcheck } req = req.WithContext(ctx) resp, err := secureHTTPClient.Do(req) if resp != nil { resp.Body.Close() } return err //nolint:wrapcheck } // isSSRFError checks if an error is related to SSRF blocking. func isSSRFError(err error) bool { if err == nil { return false } errMsg := err.Error() return contains(errMsg, "private IP") || contains(errMsg, "blocked connection") || err == ErrPrivateIP } func contains(s, substr string) bool { return len(s) >= len(substr) && (s == substr || len(substr) == 0 || indexOfSubstring(s, substr) >= 0) } func indexOfSubstring(s, substr string) int { for i := 0; i <= len(s)-len(substr); i++ { if s[i:i+len(substr)] == substr { return i } } return -1 } // TestPrivateIPResolution tests that hostnames resolving to private IPs are blocked. func TestPrivateIPResolution(t *testing.T) { // This test verifies that even if a hostname looks public, if it resolves to a private IP, it's blocked webhook := models.Webhook{ URL: "http://127.0.0.1:9999/webhook", ContentType: int(ContentTypeJSON), } ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second) defer cancel() err := sendWebhookWithContext(ctx, webhook, EventPush, map[string]string{"test": "data"}) if err == nil { t.Error("Expected error when connecting to loopback address") return } if !isSSRFError(err) { t.Errorf("Expected SSRF blocking error, got: %v", err) } }