test(web): add SSRF guard cases

Peter Steinberger
2026-02-14 18:53:05 +01:00
parent cb3290fca3
commit 7cc6add9b8


@@ -163,6 +163,28 @@ describe("web media loading", () => {
fetchMock.mockRestore();
});
it("blocks private network URL fetches (SSRF guard)", async () => {
const fetchMock = vi.spyOn(globalThis, "fetch");
await expect(loadWebMedia("http://127.0.0.1:8080/internal-api", 1024 * 1024)).rejects.toThrow(
/blocked|private|internal/i,
);
expect(fetchMock).not.toHaveBeenCalled();
fetchMock.mockRestore();
});
it("blocks cloud metadata hostnames (SSRF guard)", async () => {
const fetchMock = vi.spyOn(globalThis, "fetch");
await expect(
loadWebMedia("http://metadata.google.internal/computeMetadata/v1/", 1024 * 1024),
).rejects.toThrow(/blocked|private|internal|metadata/i);
expect(fetchMock).not.toHaveBeenCalled();
fetchMock.mockRestore();
});
it("respects maxBytes for raw URL fetches", async () => {
const fetchMock = vi.spyOn(globalThis, "fetch").mockResolvedValueOnce({
ok: true,