rewrite proxy for better SSRF

Nystik
2026-06-09 19:53:12 +02:00
parent 542360c681
commit 911ebc00af
2 changed files with 217 additions and 33 deletions


@@ -2,7 +2,7 @@ import { describe, it, expect } from "vitest";
import { createRequire } from "module";
const require = createRequire(import.meta.url);
const { isPrivateIp } = require("./proxy.js");
const { isPrivateIp, proxyRequest } = require("./proxy.js");
describe("isPrivateIp", () => {
it("flags private and link-local IPv4", () => {
@@ -60,3 +60,17 @@ describe("isPrivateIp", () => {
expect(isPrivateIp("")).toBe(false);
});
});
describe("proxyRequest guard", () => {
it("rejects a hostname that resolves to a private address", async () => {
await expect(
proxyRequest({ url: "http://localhost/", method: "GET", headers: {} }),
).rejects.toMatchObject({ statusCode: 403 });
});
it("rejects a private IP literal (no DNS lookup runs for literals)", async () => {
await expect(
proxyRequest({ url: "http://127.0.0.1/", method: "GET", headers: {} }),
).rejects.toMatchObject({ statusCode: 403 });
});
});
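Review bot: The new `proxyRequest guard` cases cover only IPv4 loopback, once through `localhost` and once as `127.0.0.1`, so a regression in the guard for other blocked ranges or for IPv6 would go unnoticed by this suite. The `localhost` case also depends on the test host's resolver rather than a stubbed lookup, and the second test's title says no DNS lookup runs for literals while nothing in the test asserts it. I would add a literal case such as `proxyRequest({ url: "http://[::1]/", method: "GET", headers: {} })` with the same `rejects.toMatchObject({ statusCode: 403 })` expectation, plus a case where a stubbed resolver returns a private address for a public-looking name. The proxy.js side of this commit is not visible here, so whether redirects and the connect-time address are re-checked cannot be judged from this section and deserves a test of its own.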