chore: git cache cleanup

2026-03-04 18:34:49 +00:00
parent c32cce2a88
commit 27c252600a
2001 changed files with 683185 additions and 0 deletions
--- a/backend/internal/security/internal_service_url_validator_test.go
+++ b/backend/internal/security/internal_service_url_validator_test.go
@@ -0,0 +1,139 @@
+package security
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestParseExactHostnameAllowlist(t *testing.T) {
+	allow := ParseExactHostnameAllowlist(" crowdsec , CADDY, ,http://example.com,example.com/path,user@host,::1 ")
+
+	if _, ok := allow["crowdsec"]; !ok {
+		t.Fatalf("expected allowlist to contain crowdsec")
+	}
+	if _, ok := allow["caddy"]; !ok {
+		t.Fatalf("expected allowlist to contain caddy")
+	}
+	if _, ok := allow["::1"]; !ok {
+		t.Fatalf("expected allowlist to contain ::1")
+	}
+
+	if _, ok := allow["http://example.com"]; ok {
+		t.Fatalf("expected scheme-containing entry to be ignored")
+	}
+	if _, ok := allow["example.com/path"]; ok {
+		t.Fatalf("expected path-containing entry to be ignored")
+	}
+	if _, ok := allow["user@host"]; ok {
+		t.Fatalf("expected userinfo-containing entry to be ignored")
+	}
+}
+
+func TestValidateInternalServiceBaseURL(t *testing.T) {
+	allowed := map[string]struct{}{"localhost": {}, "127.0.0.1": {}, "::1": {}}
+
+	cases := []struct {
+		name         string
+		raw          string
+		expectedPort int
+		want         string
+		wantErr      bool
+		errContains  string
+	}{
+		{
+			name:         "OK http localhost explicit port",
+			raw:          "http://localhost:2019",
+			expectedPort: 2019,
+			want:         "http://localhost:2019",
+		},
+		{
+			name:         "OK http localhost path normalized",
+			raw:          "http://localhost:2019/config/",
+			expectedPort: 2019,
+			want:         "http://localhost:2019",
+		},
+		{
+			name:         "OK https localhost default port",
+			raw:          "https://localhost",
+			expectedPort: 443,
+			want:         "https://localhost:443",
+		},
+		{
+			name:         "OK ipv6 loopback explicit port",
+			raw:          "http://[::1]:2019",
+			expectedPort: 2019,
+			want:         "http://[::1]:2019",
+		},
+		{
+			name:         "Reject userinfo",
+			raw:          "http://user:pass@localhost:2019",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "embedded credentials",
+		},
+		{
+			name:         "Reject unsupported scheme",
+			raw:          "file://localhost:2019",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "unsupported scheme",
+		},
+		{
+			name:         "Reject missing hostname",
+			raw:          "http://:2019",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "missing hostname",
+		},
+		{
+			name:         "Reject hostname not allowed",
+			raw:          "http://evil.example:2019",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "hostname not allowed",
+		},
+		{
+			name:         "Reject unexpected port when omitted",
+			raw:          "http://localhost",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "unexpected port",
+		},
+		{
+			name:         "Reject invalid port",
+			raw:          "http://localhost:0",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "invalid port",
+		},
+		{
+			name:         "Reject out-of-range port",
+			raw:          "http://localhost:99999",
+			expectedPort: 2019,
+			wantErr:      true,
+			errContains:  "invalid port",
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			u, err := ValidateInternalServiceBaseURL(tc.raw, tc.expectedPort, allowed)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				if tc.errContains != "" && !strings.Contains(err.Error(), tc.errContains) {
+					t.Fatalf("expected error to contain %q, got %q", tc.errContains, err.Error())
+				}
+				return
+			}
+
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if u.String() != tc.want {
+				t.Fatalf("expected %q, got %q", tc.want, u.String())
+			}
+		})
+	}
+}