Home Explore Help
Sign In
txlyre
/
3x-ui
mirror of https://github.com/MHSanaei/3x-ui
1
0
Fork 0
Files Issues 0 Wiki
Tree: 102df7a290
Branches Tags
3x-ui
/
web
/
service
/
setting_security_test.go

setting_security_test.go 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. package service
    2. 

  2. 

  3. import (
    4. 

  4. 	"path/filepath"
    5. 

  5. 	"testing"
    6. 

  6. 

  7. 	"github.com/mhsanaei/3x-ui/v3/database"
    8. 

  8. )
    9. 

  9. 

  10. func setupSettingTestDB(t *testing.T) {
    11. 

  11. 	t.Helper()
    12. 

  12. 	if err := database.InitDB(filepath.Join(t.TempDir(), "x-ui.db")); err != nil {
    13. 

  13. 		t.Fatal(err)
    14. 

  14. 	}
    15. 

  15. 	t.Cleanup(func() {
    16. 

  16. 		if err := database.CloseDB(); err != nil {
    17. 

  17. 			t.Fatal(err)
    18. 

  18. 		}
    19. 

  19. 	})
    20. 

  20. }
    21. 

  21. 

  22. func TestGetAllSettingViewRedactsSecrets(t *testing.T) {
    23. 

  23. 	setupSettingTestDB(t)
    24. 

  24. 	s := &SettingService{}
    25. 

  25. 	if err := s.saveSetting("tgBotToken", "telegram-secret"); err != nil {
    26. 

  26. 		t.Fatal(err)
    27. 

  27. 	}
    28. 

  28. 	if err := s.saveSetting("twoFactorToken", "totp-secret"); err != nil {
    29. 

  29. 		t.Fatal(err)
    30. 

  30. 	}
    31. 

  31. 	if err := s.saveSetting("ldapPassword", "ldap-secret"); err != nil {
    32. 

  32. 		t.Fatal(err)
    33. 

  33. 	}
    34. 

  34. 	if err := s.saveSetting("apiToken", "api-secret"); err != nil {
    35. 

  35. 		t.Fatal(err)
    36. 

  36. 	}
    37. 

  37. 

  38. 	view, err := s.GetAllSettingView()
    39. 

  39. 	if err != nil {
    40. 

  40. 		t.Fatal(err)
    41. 

  41. 	}
    42. 

  42. 	if view.TgBotToken != "" || view.TwoFactorToken != "" || view.LdapPassword != "" {
    43. 

  43. 		t.Fatalf("settings view leaked secrets: %#v", view)
    44. 

  44. 	}
    45. 

  45. 	if !view.HasTgBotToken || !view.HasTwoFactorToken || !view.HasLdapPassword || !view.HasApiToken {
    46. 

  46. 		t.Fatalf("settings view did not report configured secret flags: %#v", view)
    47. 

  47. 	}
    48. 

  48. }
    49. 

  49. 

  50. func TestUpdateAllSettingPreservesRedactedSecrets(t *testing.T) {
    51. 

  51. 	setupSettingTestDB(t)
    52. 

  52. 	s := &SettingService{}
    53. 

  53. 	if err := s.saveSetting("tgBotToken", "telegram-secret"); err != nil {
    54. 

  54. 		t.Fatal(err)
    55. 

  55. 	}
    56. 

  56. 	if err := s.saveSetting("ldapPassword", "ldap-secret"); err != nil {
    57. 

  57. 		t.Fatal(err)
    58. 

  58. 	}
    59. 

  59. 	if err := s.saveSetting("twoFactorEnable", "true"); err != nil {
    60. 

  60. 		t.Fatal(err)
    61. 

  61. 	}
    62. 

  62. 	if err := s.saveSetting("twoFactorToken", "totp-secret"); err != nil {
    63. 

  63. 		t.Fatal(err)
    64. 

  64. 	}
    65. 

  65. 

  66. 	view, err := s.GetAllSettingView()
    67. 

  67. 	if err != nil {
    68. 

  68. 		t.Fatal(err)
    69. 

  69. 	}
    70. 

  70. 	settings := &view.AllSetting
    71. 

  71. 	if err := s.UpdateAllSetting(settings); err != nil {
    72. 

  72. 		t.Fatal(err)
    73. 

  73. 	}
    74. 

  74. 	if got, _ := s.GetTgBotToken(); got != "telegram-secret" {
    75. 

  75. 		t.Fatalf("tg token = %q, want preserved secret", got)
    76. 

  76. 	}
    77. 

  77. 	if got, _ := s.GetLdapPassword(); got != "ldap-secret" {
    78. 

  78. 		t.Fatalf("ldap password = %q, want preserved secret", got)
    79. 

  79. 	}
    80. 

  80. 	if got, _ := s.GetTwoFactorToken(); got != "totp-secret" {
    81. 

  81. 		t.Fatalf("2fa token = %q, want preserved secret", got)
    82. 

  82. 	}
    83. 

  83. }
    84. 

  84. 

  85. func TestSanitizePublicHTTPURLBlocksPrivateAddressUnlessAllowed(t *testing.T) {
    86. 

  86. 	if _, err := SanitizePublicHTTPURL("http://127.0.0.1:8080/hook", false); err == nil {
    87. 

  87. 		t.Fatal("expected localhost URL to be blocked")
    88. 

  88. 	}
    89. 

  89. 	if got, err := SanitizePublicHTTPURL("http://127.0.0.1:8080/hook", true); err != nil || got != "http://127.0.0.1:8080/hook" {
    90. 

  90. 		t.Fatalf("allowPrivate result = %q, %v", got, err)
    91. 

  91. 	}
    92. 

  92. }
    93.