Charon

akanealw/Charon

Fork 0

Commit Graph

Author	SHA1	Message	Date
GitHub Actions	17b1899450	style: format code for consistency in URL test and validation functions	2025-12-23 05:47:09 +00:00
GitHub Actions	6564381492	test: increase test coverage to 86.1% and fix SSRF test failures - Add 16 comprehensive tests for user_handler.go covering PreviewInviteURL, getAppName, email normalization, permission/role defaults, and edge cases - Add 14 unit tests for url.go functions (GetBaseURL, ConstructURL, NormalizeURL) - Refactor URL connectivity tests to use mock HTTP transport pattern - Fix 21 test failures caused by SSRF protection blocking localhost - Maintain full SSRF security - no production code security changes - Coverage increased from 66.67% to 86.1% (exceeds 85% target) - All security scans pass with zero Critical/High vulnerabilities - 38 SSRF protection tests verified passing Technical details: - Added optional http.RoundTripper parameter to TestURLConnectivity() - Created mockTransport for test isolation without network calls - Changed settings handler test to use public URL for validation - Verified no regressions in existing test suite Closes: Coverage gap identified in Codecov report See: docs/plans/user_handler_coverage_fix.md See: docs/plans/qa_remediation.md See: docs/reports/qa_report_final.md	2025-12-23 05:46:44 +00:00
GitHub Actions	0c90ab04d8	fix: login page warnings and implement secure URL testing Fix browser console warnings on login page: - Make COOP header conditional on development mode (suppress HTTP warnings) - Add autocomplete attributes to 11 email/password inputs across 5 pages Implement server-side URL testing with enterprise-grade SSRF protection: - Replace window.open() with API-based connectivity check - Block private IPs (RFC 1918, loopback, link-local, ULA, IPv6 ranges) - DNS validation with 3s timeout before HTTP request - Block AWS metadata endpoint (169.254.169.254) - Block GCP metadata endpoint (metadata.google.internal) - HTTP HEAD request with 5s timeout - Maximum 2 redirects - Admin-only access enforcement Technical Implementation: - Backend: url_testing.go utility with isPrivateIP validation - Handler: TestPublicURL in settings_handler.go - Route: POST /settings/test-url (authenticated, admin-only) - Frontend: testPublicURL API call in settings.ts - UI: testPublicURLHandler in SystemSettings.tsx with toast feedback Test Coverage: - Backend: 85.8% (72 SSRF protection test cases passing) - Frontend: 86.85% (1,140 tests passing) - Security scans: Clean (Trivy, Go vuln check) - TypeScript: 0 type errors Closes: [issue number if applicable]	2025-12-22 01:31:57 +00:00

Author

SHA1

Message

Date

GitHub Actions

17b1899450

style: format code for consistency in URL test and validation functions

2025-12-23 05:47:09 +00:00

GitHub Actions

6564381492

test: increase test coverage to 86.1% and fix SSRF test failures

- Add 16 comprehensive tests for user_handler.go covering PreviewInviteURL,
  getAppName, email normalization, permission/role defaults, and edge cases
- Add 14 unit tests for url.go functions (GetBaseURL, ConstructURL, NormalizeURL)
- Refactor URL connectivity tests to use mock HTTP transport pattern
- Fix 21 test failures caused by SSRF protection blocking localhost
- Maintain full SSRF security - no production code security changes
- Coverage increased from 66.67% to 86.1% (exceeds 85% target)
- All security scans pass with zero Critical/High vulnerabilities
- 38 SSRF protection tests verified passing

Technical details:
- Added optional http.RoundTripper parameter to TestURLConnectivity()
- Created mockTransport for test isolation without network calls
- Changed settings handler test to use public URL for validation
- Verified no regressions in existing test suite

Closes: Coverage gap identified in Codecov report
See: docs/plans/user_handler_coverage_fix.md
See: docs/plans/qa_remediation.md
See: docs/reports/qa_report_final.md

2025-12-23 05:46:44 +00:00

GitHub Actions

0c90ab04d8

fix: login page warnings and implement secure URL testing

Fix browser console warnings on login page:
- Make COOP header conditional on development mode (suppress HTTP warnings)
- Add autocomplete attributes to 11 email/password inputs across 5 pages

Implement server-side URL testing with enterprise-grade SSRF protection:
- Replace window.open() with API-based connectivity check
- Block private IPs (RFC 1918, loopback, link-local, ULA, IPv6 ranges)
- DNS validation with 3s timeout before HTTP request
- Block AWS metadata endpoint (169.254.169.254)
- Block GCP metadata endpoint (metadata.google.internal)
- HTTP HEAD request with 5s timeout
- Maximum 2 redirects
- Admin-only access enforcement

Technical Implementation:
- Backend: url_testing.go utility with isPrivateIP validation
- Handler: TestPublicURL in settings_handler.go
- Route: POST /settings/test-url (authenticated, admin-only)
- Frontend: testPublicURL API call in settings.ts
- UI: testPublicURLHandler in SystemSettings.tsx with toast feedback

Test Coverage:
- Backend: 85.8% (72 SSRF protection test cases passing)
- Frontend: 86.85% (1,140 tests passing)
- Security scans: Clean (Trivy, Go vuln check)
- TypeScript: 0 type errors

Closes: [issue number if applicable]

2025-12-22 01:31:57 +00:00

3 Commits