author | 2023-07-07 16:17:39 +0200 | |
---|---|---|
committer | 2023-07-07 16:17:39 +0200 | |
commit | 2a99df0588e168660d3b528209d8f51689ca92b7 (patch) | |
tree | a5835c3a0adf81ad4f07938919699fbc0de4a69b /internal/httpclient/sanitizer_test.go | |
parent | [bugfix] Reorder web view logic, other small fixes (#1954) (diff) | |
download | gotosocial-2a99df0588e168660d3b528209d8f51689ca92b7.tar.xz |
[feature] enable + document explicit IP dialer allowing/denying (#1950)v0.10.0-rc1
* [feature] enable + document explicit IP dialer allowing/denying
* lord have mercy
* allee jonge
* shortcut check ipv6 prefixes
* comment
* separate httpclient_test, export Sanitizer
Diffstat (limited to 'internal/httpclient/sanitizer_test.go')
-rw-r--r-- | internal/httpclient/sanitizer_test.go | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/internal/httpclient/sanitizer_test.go b/internal/httpclient/sanitizer_test.go
new file mode 100644
index 000000000..1cb8a7d2e
--- /dev/null
+++ b/internal/httpclient/sanitizer_test.go
@@ -0,0 +1,154 @@
+// GoToSocial
+// Copyright (C) GoToSocial Authors admin@gotosocial.org
+// SPDX-License-Identifier: AGPL-3.0-or-later
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+package httpclient_test
+
+import (
+ "errors"
+ "net/netip"
+ "testing"
+
+ "github.com/superseriousbusiness/gotosocial/internal/httpclient"
+)
+
+func TestSafeIP(t *testing.T) {
+ tests := []struct {
+ name string
+ ip netip.Addr
+ }{
+ // IPv4 tests
+ {
+ name: "IPv4 this host on this network",
+ ip: netip.MustParseAddr("0.0.0.0"),
+ },
+ {
+ name: "IPv4 dummy address",
+ ip: netip.MustParseAddr("192.0.0.8"),
+ },
+ {
+ name: "IPv4 Port Control Protocol Anycast",
+ ip: netip.MustParseAddr("192.0.0.9"),
+ },
+ {
+ name: "IPv4 Traversal Using Relays around NAT Anycast",
+ ip: netip.MustParseAddr("192.0.0.10"),
+ },
+ {
+ name: "IPv4 NAT64/DNS64 Discovery 1",
+ ip: netip.MustParseAddr("192.0.0.17"),
+ },
+ {
+ name: "IPv4 NAT64/DNS64 Discovery 2",
+ ip: netip.MustParseAddr("192.0.0.171"),
+ },
+ // IPv6 tests
+ {
+ name: "IPv4-mapped address",
+ ip: netip.MustParseAddr("::ffff:169.254.169.254"),
+ },
+ }
+
+ for _, tc := range tests {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+ if safe := httpclient.SafeIP(tc.ip); safe {
+ t.Fatalf("Expected IP %s to not safe (%t), got: %t", tc.ip, false, safe)
+ }
+ })
+ }
+}
+
+func TestSanitizer(t *testing.T) {
+ s := httpclient.Sanitizer{
+ Allow: []netip.Prefix{
+ netip.MustParsePrefix("192.0.0.8/32"),
+ netip.MustParsePrefix("::ffff:169.254.169.254/128"),
+ },
+ Block: []netip.Prefix{
+ netip.MustParsePrefix("93.184.216.34/32"), // example.org
+ },
+ }
+
+ tests := []struct {
+ name string
+ ntwrk string
+ addr string
+ expected error
+ }{
+ // IPv4 tests
+ {
+ name: "IPv4 this host on this network",
+ ntwrk: "tcp4",
+ addr: "0.0.0.0:80",
+ expected: httpclient.ErrReservedAddr,
+ },
+ {
+ name: "IPv4 dummy address",
+ ntwrk: "tcp4",
+ addr: "192.0.0.8:80",
+ expected: nil, // We allowed this explicitly.
+ },
+ {
+ name: "IPv4 Port Control Protocol Anycast",
+ ntwrk: "tcp4",
+ addr: "192.0.0.9:80",
+ expected: httpclient.ErrReservedAddr,
+ },
+ {
+ name: "IPv4 Traversal Using Relays around NAT Anycast",
+ ntwrk: "tcp4",
+ addr: "192.0.0.10:80",
+ expected: httpclient.ErrReservedAddr,
+ },
+ {
+ name: "IPv4 NAT64/DNS64 Discovery 1",
+ ntwrk: "tcp4",
+ addr: "192.0.0.17:80",
+ expected: httpclient.ErrReservedAddr,
+ },
+ {
+ name: "IPv4 NAT64/DNS64 Discovery 2",
+ ntwrk: "tcp4",
+ addr: "192.0.0.171:80",
+ expected: httpclient.ErrReservedAddr,
+ },
+ {
+ name: "example.org",
+ ntwrk: "tcp4",
+ addr: "93.184.216.34:80",
+ expected: httpclient.ErrReservedAddr, // We blocked this explicitly.
+ },
+ // IPv6 tests
+ {
+ name: "IPv4-mapped address",
+ ntwrk: "tcp6",
+ addr: "[::ffff:169.254.169.254]:80",
+ expected: nil, // We allowed this explicitly.
+ },
+ }
+
+ for _, tc := range tests {
+ tc := tc
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
+ if err := s.Sanitize(tc.ntwrk, tc.addr, nil); !errors.Is(err, tc.expected) {
+ t.Fatalf("Expected error %q for addr %s, got: %q", tc.expected, tc.addr, err)
+ }
+ })
+ }
+}
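Review bot: The TestSanitizer table has no positive control and none of the usual SSRF targets — apart from the two allow-listed entries every case expects ErrReservedAddr, and every address is 0.0.0.0 or inside 192.0.0.0/24, so a Sanitize that rejected everything not on the allowlist, or that never looked at loopback or RFC 1918 space, would pass unchanged. It is also worth pinning that the allow entry `::ffff:169.254.169.254/128` does not admit the bare `169.254.169.254`, since both forms reach the same metadata host; I would expect netip.Prefix.Contains to treat the 4-byte and 16-byte forms as different families, but whether that holds depends on whether Sanitize unmaps before consulting Allow, so the expectation for that row may need to be flipped to whichever semantics are intended. The failure message in TestSafeIP, `"Expected IP %s to not safe (%t), got: %t"`, is missing "be". The table rows I would add are below; the IPv4 public-address row assumes Sanitize accepts ordinary unicast space, which the hunk does not show.
```go
		// … unchanged: existing IPv4 cases …
		{
			name:     "IPv4 loopback",
			ntwrk:    "tcp4",
			addr:     "127.0.0.1:80",
			expected: httpclient.ErrReservedAddr,
		},
		{
			name:     "IPv4 private (RFC 1918)",
			ntwrk:    "tcp4",
			addr:     "10.0.0.1:80",
			expected: httpclient.ErrReservedAddr,
		},
		{
			name:     "IPv4 link-local metadata, unmapped (not on allowlist)",
			ntwrk:    "tcp4",
			addr:     "169.254.169.254:80",
			expected: httpclient.ErrReservedAddr,
		},
		{
			name:     "IPv4 public address (positive control)",
			ntwrk:    "tcp4",
			addr:     "1.1.1.1:80",
			expected: nil,
		},
		// IPv6 tests
		{
			name:     "IPv6 loopback",
			ntwrk:    "tcp6",
			addr:     "[::1]:80",
			expected: httpclient.ErrReservedAddr,
		},
		// … unchanged: IPv4-mapped address case …
```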