Files
fizzy/test/controllers/users/push_subscriptions_controller_test.rb
T
Jeremy Daer 496851b255 Security: Web Push SSRF and IP range bypass
Add SSRF protection for web push endpoints:
- Resolve endpoint IP once and pin it for connection
- Validate endpoints resolve to public IPs
- Whitelist permitted push service hosts

Add missing IP ranges to SsrfProtection:
- 100.64.0.0/10 (Carrier-grade NAT, RFC6598)
- 198.18.0.0/15 (Benchmark testing, RFC2544)

Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
2025-12-04 21:35:55 -08:00

85 lines
2.9 KiB
Ruby

require "test_helper"
class Users::PushSubscriptionsControllerTest < ActionDispatch::IntegrationTest
PUBLIC_TEST_IP = "142.250.185.206"
setup do
sign_in_as :david
stub_dns_resolution(PUBLIC_TEST_IP)
end
test "create new push subscription" do
subscription_params = { "endpoint" => "https://fcm.googleapis.com/fcm/send/abc123", "p256dh_key" => "123", "auth_key" => "456" }
post user_push_subscriptions_path(users(:david)),
params: { push_subscription: subscription_params }, headers: { "HTTP_USER_AGENT" => "Mozilla/5.0" }
assert_response :ok
assert_equal subscription_params, users(:david).push_subscriptions.last.attributes.slice("endpoint", "p256dh_key", "auth_key")
assert_equal "Mozilla/5.0", users(:david).push_subscriptions.last.user_agent
end
test "touch existing subscription" do
existing_subscription = users(:david).push_subscriptions.create!(
endpoint: "https://fcm.googleapis.com/fcm/send/abc123",
p256dh_key: "123",
auth_key: "456"
)
assert_no_difference -> { users(:david).push_subscriptions.count } do
assert_changes -> { existing_subscription.reload.updated_at } do
post user_push_subscriptions_path(users(:david)), params: {
push_subscription: existing_subscription.attributes.slice("endpoint", "p256dh_key", "auth_key")
}
end
end
assert_response :ok
end
test "destroy a push subscription" do
subscription = users(:david).push_subscriptions.create!(
endpoint: "https://fcm.googleapis.com/fcm/send/abc123",
p256dh_key: "123",
auth_key: "456"
)
assert_difference -> { Push::Subscription.count }, -1 do
delete user_push_subscription_path(users(:david), subscription)
assert_redirected_to user_push_subscriptions_path(users(:david))
end
end
test "rejects subscription with non-permitted endpoint" do
subscription_params = { "endpoint" => "https://attacker.example.com/steal", "p256dh_key" => "123", "auth_key" => "456" }
assert_no_difference -> { Push::Subscription.count } do
post user_push_subscriptions_path(users(:david)),
params: { push_subscription: subscription_params }
end
assert_response :unprocessable_entity
end
test "rejects subscription with endpoint resolving to private IP" do
stub_dns_resolution("192.168.1.1")
subscription_params = { "endpoint" => "https://fcm.googleapis.com/fcm/send/abc123", "p256dh_key" => "123", "auth_key" => "456" }
assert_no_difference -> { Push::Subscription.count } do
post user_push_subscriptions_path(users(:david)),
params: { push_subscription: subscription_params }
end
assert_response :unprocessable_entity
end
private
def stub_dns_resolution(*ips)
dns_mock = mock("dns")
dns_mock.stubs(:each_address).multiple_yields(*ips)
Resolv::DNS.stubs(:open).yields(dns_mock)
end
end