496851b255
Add SSRF protection for web push endpoints: - Resolve endpoint IP once and pin it for connection - Validate endpoints resolve to public IPs - Whitelist permitted push service hosts Add missing IP ranges to SsrfProtection: - 100.64.0.0/10 (Carrier-grade NAT, RFC6598) - 198.18.0.0/15 (Benchmark testing, RFC2544) Note: link-local (169.254.0.0/16) is already covered by ip.link_local?
85 lines
2.9 KiB
Ruby
85 lines
2.9 KiB
Ruby
require "test_helper"
|
|
|
|
class Users::PushSubscriptionsControllerTest < ActionDispatch::IntegrationTest
|
|
PUBLIC_TEST_IP = "142.250.185.206"
|
|
|
|
setup do
|
|
sign_in_as :david
|
|
stub_dns_resolution(PUBLIC_TEST_IP)
|
|
end
|
|
|
|
test "create new push subscription" do
|
|
subscription_params = { "endpoint" => "https://fcm.googleapis.com/fcm/send/abc123", "p256dh_key" => "123", "auth_key" => "456" }
|
|
|
|
post user_push_subscriptions_path(users(:david)),
|
|
params: { push_subscription: subscription_params }, headers: { "HTTP_USER_AGENT" => "Mozilla/5.0" }
|
|
|
|
assert_response :ok
|
|
|
|
assert_equal subscription_params, users(:david).push_subscriptions.last.attributes.slice("endpoint", "p256dh_key", "auth_key")
|
|
assert_equal "Mozilla/5.0", users(:david).push_subscriptions.last.user_agent
|
|
end
|
|
|
|
test "touch existing subscription" do
|
|
existing_subscription = users(:david).push_subscriptions.create!(
|
|
endpoint: "https://fcm.googleapis.com/fcm/send/abc123",
|
|
p256dh_key: "123",
|
|
auth_key: "456"
|
|
)
|
|
|
|
assert_no_difference -> { users(:david).push_subscriptions.count } do
|
|
assert_changes -> { existing_subscription.reload.updated_at } do
|
|
post user_push_subscriptions_path(users(:david)), params: {
|
|
push_subscription: existing_subscription.attributes.slice("endpoint", "p256dh_key", "auth_key")
|
|
}
|
|
end
|
|
end
|
|
|
|
assert_response :ok
|
|
end
|
|
|
|
test "destroy a push subscription" do
|
|
subscription = users(:david).push_subscriptions.create!(
|
|
endpoint: "https://fcm.googleapis.com/fcm/send/abc123",
|
|
p256dh_key: "123",
|
|
auth_key: "456"
|
|
)
|
|
|
|
assert_difference -> { Push::Subscription.count }, -1 do
|
|
delete user_push_subscription_path(users(:david), subscription)
|
|
assert_redirected_to user_push_subscriptions_path(users(:david))
|
|
end
|
|
end
|
|
|
|
test "rejects subscription with non-permitted endpoint" do
|
|
subscription_params = { "endpoint" => "https://attacker.example.com/steal", "p256dh_key" => "123", "auth_key" => "456" }
|
|
|
|
assert_no_difference -> { Push::Subscription.count } do
|
|
post user_push_subscriptions_path(users(:david)),
|
|
params: { push_subscription: subscription_params }
|
|
end
|
|
|
|
assert_response :unprocessable_entity
|
|
end
|
|
|
|
test "rejects subscription with endpoint resolving to private IP" do
|
|
stub_dns_resolution("192.168.1.1")
|
|
|
|
subscription_params = { "endpoint" => "https://fcm.googleapis.com/fcm/send/abc123", "p256dh_key" => "123", "auth_key" => "456" }
|
|
|
|
assert_no_difference -> { Push::Subscription.count } do
|
|
post user_push_subscriptions_path(users(:david)),
|
|
params: { push_subscription: subscription_params }
|
|
end
|
|
|
|
assert_response :unprocessable_entity
|
|
end
|
|
|
|
private
|
|
def stub_dns_resolution(*ips)
|
|
dns_mock = mock("dns")
|
|
dns_mock.stubs(:each_address).multiple_yields(*ips)
|
|
Resolv::DNS.stubs(:open).yields(dns_mock)
|
|
end
|
|
end
|