akanealw
eec8c28fb3
Go Benchmark / Performance Regression Check (push) Has been cancelled
Cerberus Integration / Cerberus Security Stack Integration (push) Has been cancelled
Upload Coverage to Codecov / Backend Codecov Upload (push) Has been cancelled
Upload Coverage to Codecov / Frontend Codecov Upload (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (go) (push) Has been cancelled
CodeQL - Analyze / CodeQL analysis (javascript-typescript) (push) Has been cancelled
CrowdSec Integration / CrowdSec Bouncer Integration (push) Has been cancelled
Docker Build, Publish & Test / build-and-push (push) Has been cancelled
Quality Checks / Auth Route Protection Contract (push) Has been cancelled
Quality Checks / Codecov Trigger/Comment Parity Guard (push) Has been cancelled
Quality Checks / Backend (Go) (push) Has been cancelled
Quality Checks / Frontend (React) (push) Has been cancelled
Rate Limit integration / Rate Limiting Integration (push) Has been cancelled
Security Scan (PR) / Trivy Binary Scan (push) Has been cancelled
Supply Chain Verification (PR) / Verify Supply Chain (push) Has been cancelled
WAF integration / Coraza WAF Integration (push) Has been cancelled
Docker Build, Publish & Test / Security Scan PR Image (push) Has been cancelled
Repo Health Check / Repo health (push) Has been cancelled
History Rewrite Dry-Run / Dry-run preview for history rewrite (push) Has been cancelled
Prune Renovate Branches / prune (push) Has been cancelled
Renovate / renovate (push) Has been cancelled
Nightly Build & Package / sync-development-to-nightly (push) Has been cancelled
Nightly Build & Package / Trigger Nightly Validation Workflows (push) Has been cancelled
Nightly Build & Package / build-and-push-nightly (push) Has been cancelled
Nightly Build & Package / test-nightly-image (push) Has been cancelled
Nightly Build & Package / verify-nightly-supply-chain (push) Has been cancelled
Update GeoLite2 Checksum / update-checksum (push) Has been cancelled
Container Registry Prune / prune-ghcr (push) Has been cancelled
Container Registry Prune / prune-dockerhub (push) Has been cancelled
Container Registry Prune / summarize (push) Has been cancelled
Supply Chain Verification / Verify SBOM (push) Has been cancelled
Supply Chain Verification / Verify Release Artifacts (push) Has been cancelled
Supply Chain Verification / Verify Docker Image Supply Chain (push) Has been cancelled
Monitor Caddy Major Release / check-caddy-major (push) Has been cancelled
Weekly Nightly to Main Promotion / Verify Nightly Branch Health (push) Has been cancelled
Weekly Nightly to Main Promotion / Create Promotion PR (push) Has been cancelled
Weekly Nightly to Main Promotion / Trigger Missing Required Checks (push) Has been cancelled
Weekly Nightly to Main Promotion / Notify on Failure (push) Has been cancelled
Weekly Nightly to Main Promotion / Workflow Summary (push) Has been cancelled
Weekly Security Rebuild / Security Rebuild & Scan (push) Has been cancelled
295 lines
9.3 KiB
Go
Executable File
295 lines
9.3 KiB
Go
Executable File
package utils
|
|
|
|
import "testing"
|
|
|
|
func TestIsPrivateIP(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// Private IP ranges - Class A (10.0.0.0/8)
|
|
{"10.0.0.1 is private", "10.0.0.1", true},
|
|
{"10.255.255.255 is private", "10.255.255.255", true},
|
|
{"10.10.10.10 is private", "10.10.10.10", true},
|
|
|
|
// Private IP ranges - Class B (172.16.0.0/12)
|
|
{"172.16.0.1 is private", "172.16.0.1", true},
|
|
{"172.31.255.255 is private", "172.31.255.255", true},
|
|
{"172.20.0.1 is private", "172.20.0.1", true},
|
|
|
|
// Private IP ranges - Class C (192.168.0.0/16)
|
|
{"192.168.1.1 is private", "192.168.1.1", true},
|
|
{"192.168.0.1 is private", "192.168.0.1", true},
|
|
{"192.168.255.255 is private", "192.168.255.255", true},
|
|
|
|
// Docker bridge IPs (subset of 172.16.0.0/12)
|
|
{"172.17.0.2 is private", "172.17.0.2", true},
|
|
{"172.18.0.5 is private", "172.18.0.5", true},
|
|
|
|
// Public IPs - should return false
|
|
{"8.8.8.8 is public", "8.8.8.8", false},
|
|
{"1.1.1.1 is public", "1.1.1.1", false},
|
|
{"142.250.80.14 is public", "142.250.80.14", false},
|
|
{"203.0.113.50 is public", "203.0.113.50", false},
|
|
|
|
// Edge cases for 172.x range (outside 172.16-31)
|
|
{"172.15.0.1 is public", "172.15.0.1", false},
|
|
{"172.32.0.1 is public", "172.32.0.1", false},
|
|
|
|
// Hostnames - should return false
|
|
{"nginx hostname", "nginx", false},
|
|
{"my-app hostname", "my-app", false},
|
|
{"app.local hostname", "app.local", false},
|
|
{"example.com hostname", "example.com", false},
|
|
{"my-container.internal hostname", "my-container.internal", false},
|
|
|
|
// Invalid inputs - should return false
|
|
{"empty string", "", false},
|
|
{"malformed IP", "192.168.1", false},
|
|
{"too many octets", "192.168.1.1.1", false},
|
|
{"negative octet", "192.168.-1.1", false},
|
|
{"octet out of range", "192.168.256.1", false},
|
|
{"letters in IP", "192.168.a.1", false},
|
|
{"IPv6 address", "::1", false},
|
|
{"IPv6 full address", "2001:0db8:85a3:0000:0000:8a2e:0370:7334", false},
|
|
|
|
// Localhost and special addresses - these are now blocked for SSRF protection
|
|
{"localhost 127.0.0.1", "127.0.0.1", true},
|
|
{"0.0.0.0", "0.0.0.0", true},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := IsPrivateIP(tt.host)
|
|
if result != tt.expected {
|
|
t.Errorf("IsPrivateIP(%q) = %v, want %v", tt.host, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsDockerBridgeIP(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// Docker default bridge (172.17.x.x)
|
|
{"172.17.0.1 is Docker bridge", "172.17.0.1", true},
|
|
{"172.17.0.2 is Docker bridge", "172.17.0.2", true},
|
|
{"172.17.255.255 is Docker bridge", "172.17.255.255", true},
|
|
|
|
// Docker user-defined networks (172.18-31.x.x)
|
|
{"172.18.0.1 is Docker bridge", "172.18.0.1", true},
|
|
{"172.18.0.5 is Docker bridge", "172.18.0.5", true},
|
|
{"172.20.0.1 is Docker bridge", "172.20.0.1", true},
|
|
{"172.31.0.1 is Docker bridge", "172.31.0.1", true},
|
|
{"172.31.255.255 is Docker bridge", "172.31.255.255", true},
|
|
|
|
// Also matches 172.16.x.x (part of 172.16.0.0/12)
|
|
{"172.16.0.1 is in Docker range", "172.16.0.1", true},
|
|
|
|
// Private IPs NOT in Docker bridge range
|
|
{"10.0.0.1 is not Docker bridge", "10.0.0.1", false},
|
|
{"192.168.1.1 is not Docker bridge", "192.168.1.1", false},
|
|
|
|
// Public IPs - should return false
|
|
{"8.8.8.8 is public", "8.8.8.8", false},
|
|
{"1.1.1.1 is public", "1.1.1.1", false},
|
|
|
|
// Edge cases for 172.x range (outside 172.16-31)
|
|
{"172.15.0.1 is outside Docker range", "172.15.0.1", false},
|
|
{"172.32.0.1 is outside Docker range", "172.32.0.1", false},
|
|
|
|
// Hostnames - should return false
|
|
{"nginx hostname", "nginx", false},
|
|
{"my-app hostname", "my-app", false},
|
|
{"container-name hostname", "container-name", false},
|
|
|
|
// Invalid inputs - should return false
|
|
{"empty string", "", false},
|
|
{"malformed IP", "172.17.0", false},
|
|
{"too many octets", "172.17.0.2.1", false},
|
|
{"letters in IP", "172.17.a.1", false},
|
|
{"IPv6 address", "::1", false},
|
|
|
|
// Special addresses
|
|
{"localhost 127.0.0.1", "127.0.0.1", false},
|
|
{"0.0.0.0", "0.0.0.0", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := IsDockerBridgeIP(tt.host)
|
|
if result != tt.expected {
|
|
t.Errorf("IsDockerBridgeIP(%q) = %v, want %v", tt.host, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// TestIsPrivateIP_IPv4Mapped tests IPv4-mapped IPv6 addresses
|
|
func TestIsPrivateIP_IPv4Mapped(t *testing.T) {
|
|
// IPv4-mapped IPv6 addresses should be handled correctly
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// net.ParseIP converts IPv4-mapped IPv6 to IPv4
|
|
{"::ffff:10.0.0.1 mapped", "::ffff:10.0.0.1", true},
|
|
{"::ffff:192.168.1.1 mapped", "::ffff:192.168.1.1", true},
|
|
{"::ffff:8.8.8.8 mapped", "::ffff:8.8.8.8", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := IsPrivateIP(tt.host)
|
|
if result != tt.expected {
|
|
t.Errorf("IsPrivateIP(%q) = %v, want %v", tt.host, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
// ============== Phase 3.3: Additional IP Helpers Tests ==============
|
|
|
|
func TestIsPrivateIP_CIDRParseError(t *testing.T) {
|
|
// Temporarily modify the private IP ranges to include an invalid CIDR
|
|
// This tests graceful handling of CIDR parse errors
|
|
|
|
// Since we can't modify the package-level variable, we test the function behavior
|
|
// with edge cases that might trigger parsing issues
|
|
|
|
// Test with various invalid IP formats (should return false gracefully)
|
|
invalidInputs := []string{
|
|
"10.0.0.1/8", // CIDR notation (not a raw IP)
|
|
"10.0.0.256", // Invalid octet
|
|
"999.999.999.999", // Out of range
|
|
"10.0.0", // Incomplete
|
|
"not-an-ip", // Hostname
|
|
"", // Empty
|
|
"10.0.0.1.1", // Too many octets
|
|
}
|
|
|
|
for _, input := range invalidInputs {
|
|
t.Run(input, func(t *testing.T) {
|
|
result := IsPrivateIP(input)
|
|
// All invalid inputs should return false (not panic)
|
|
if result {
|
|
t.Errorf("IsPrivateIP(%q) = true, want false for invalid input", input)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsDockerBridgeIP_CIDRParseError(t *testing.T) {
|
|
// Test graceful handling of invalid inputs
|
|
invalidInputs := []string{
|
|
"172.17.0.1/16", // CIDR notation
|
|
"172.17.0.256", // Invalid octet
|
|
"999.999.999.999", // Out of range
|
|
"172.17", // Incomplete
|
|
"not-an-ip", // Hostname
|
|
"", // Empty
|
|
}
|
|
|
|
for _, input := range invalidInputs {
|
|
t.Run(input, func(t *testing.T) {
|
|
result := IsDockerBridgeIP(input)
|
|
// All invalid inputs should return false (not panic)
|
|
if result {
|
|
t.Errorf("IsDockerBridgeIP(%q) = true, want false for invalid input", input)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsPrivateIP_IPv6Comprehensive(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// IPv6 Loopback
|
|
{"IPv6 loopback", "::1", false}, // Current implementation treats loopback as non-private
|
|
{"IPv6 loopback expanded", "0000:0000:0000:0000:0000:0000:0000:0001", false},
|
|
|
|
// IPv6 Link-Local (fe80::/10)
|
|
{"IPv6 link-local", "fe80::1", false},
|
|
{"IPv6 link-local 2", "fe80::abcd:ef01:2345:6789", false},
|
|
|
|
// IPv6 Unique Local (fc00::/7)
|
|
{"IPv6 unique local fc00", "fc00::1", false},
|
|
{"IPv6 unique local fd00", "fd00::1", false},
|
|
{"IPv6 unique local fdff", "fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", false},
|
|
|
|
// IPv6 Public addresses
|
|
{"IPv6 public Google DNS", "2001:4860:4860::8888", false},
|
|
{"IPv6 public Cloudflare", "2606:4700:4700::1111", false},
|
|
|
|
// IPv6 mapped IPv4
|
|
{"IPv6 mapped private", "::ffff:10.0.0.1", true},
|
|
{"IPv6 mapped public", "::ffff:8.8.8.8", false},
|
|
|
|
// Invalid IPv6
|
|
{"Invalid IPv6", "gggg::1", false},
|
|
{"Incomplete IPv6", "2001::", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := IsPrivateIP(tt.host)
|
|
if result != tt.expected {
|
|
t.Errorf("IsPrivateIP(%q) = %v, want %v", tt.host, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestIsDockerBridgeIP_EdgeCases(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
host string
|
|
expected bool
|
|
}{
|
|
// Boundaries of 172.16.0.0/12 range
|
|
{"Lower boundary - 1", "172.15.255.255", false}, // Just outside
|
|
{"Lower boundary", "172.16.0.0", true}, // Start of range
|
|
{"Lower boundary + 1", "172.16.0.1", true},
|
|
|
|
{"Upper boundary - 1", "172.31.255.254", true},
|
|
{"Upper boundary", "172.31.255.255", true}, // End of range
|
|
{"Upper boundary + 1", "172.32.0.0", false}, // Just outside
|
|
{"Upper boundary + 2", "172.32.0.1", false},
|
|
|
|
// Docker default bridge (172.17.0.0/16)
|
|
{"Docker default bridge start", "172.17.0.0", true},
|
|
{"Docker default bridge gateway", "172.17.0.1", true},
|
|
{"Docker default bridge host", "172.17.0.2", true},
|
|
{"Docker default bridge end", "172.17.255.255", true},
|
|
|
|
// Docker user-defined networks
|
|
{"User network 1", "172.18.0.1", true},
|
|
{"User network 2", "172.19.0.1", true},
|
|
{"User network 30", "172.30.0.1", true},
|
|
{"User network 31", "172.31.0.1", true},
|
|
|
|
// Edge of 172.x range
|
|
{"172.0.0.1", "172.0.0.1", false}, // Below range
|
|
{"172.15.0.1", "172.15.0.1", false}, // Below range
|
|
{"172.32.0.1", "172.32.0.1", false}, // Above range
|
|
{"172.255.255.255", "172.255.255.255", false}, // Above range
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := IsDockerBridgeIP(tt.host)
|
|
if result != tt.expected {
|
|
t.Errorf("IsDockerBridgeIP(%q) = %v, want %v", tt.host, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|