outbound_subscription_ssrf_test.go 1.0 KB

123456789101112131415161718192021222324252627282930313233
  1. package service
  2. import (
  3. "context"
  4. "net/http"
  5. "strings"
  6. "testing"
  7. "time"
  8. "github.com/mhsanaei/3x-ui/v3/internal/util/netsafe"
  9. )
  10. // The direct subscription-fetch client must dial through the SSRF guard so a
  11. // subscription host that resolves to a private/internal address (including a
  12. // DNS-rebinding flip after validation) is blocked at dial time, not connected to.
  13. func TestSubscriptionFetchClientBlocksPrivateDial(t *testing.T) {
  14. setupSettingTestDB(t)
  15. client := (&OutboundSubscriptionService{}).subscriptionFetchClient(5 * time.Second)
  16. ctx := netsafe.ContextWithAllowPrivate(context.Background(), false)
  17. req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://127.0.0.1:1/", nil)
  18. if err != nil {
  19. t.Fatalf("new request: %v", err)
  20. }
  21. _, err = client.Do(req)
  22. if err == nil {
  23. t.Fatal("the fetch client dialed a private address instead of blocking it")
  24. }
  25. if !strings.Contains(err.Error(), "blocked private") {
  26. t.Fatalf("expected an SSRF-guard block, got a plain dial error: %v", err)
  27. }
  28. }