From ffd9b86ca4b785bce00b4445c268eec8b27539b1 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 21 Feb 2026 23:33:47 +0000
Subject: [PATCH] test(ssrf): table-drive blocked hostname literal checks
---
 src/infra/net/ssrf.pinning.test.ts | 49 ++++++++++++------------------
 1 file changed, 20 insertions(+), 29 deletions(-)
diff --git a/src/infra/net/ssrf.pinning.test.ts b/src/infra/net/ssrf.pinning.test.ts
index b9e04df3c..63902a62f 100644
--- a/src/infra/net/ssrf.pinning.test.ts
+++ b/src/infra/net/ssrf.pinning.test.ts
@@ -7,6 +7,10 @@ import {
 SsrFBlockedError,
 } from "./ssrf.js";
 
+function createPublicLookupMock(): LookupFn {
+ return vi.fn(async () => [{ address: "93.184.216.34", family: 4 }]) as unknown as LookupFn;
+}
+
 describe("ssrf pinning", () => {
 it("pins resolved addresses for the target hostname", async () => {
 const lookup = vi.fn(async () => [
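Review bot: `createPublicLookupMock` carries no comment explaining why the mocked address is a public one, and that is what makes the fixture meaningful. Because the lookup would hand back a routable address, a rejection in the tests that use it can only come from the hostname-literal check. I would add above the function `// Always resolves to a public address, so a block must come from the hostname literal itself, not from the resolved IP.` The `as unknown as LookupFn` double cast is carried over from the old tests; now that it lives in one helper, typing the mock against `LookupFn` directly (if its signature allows) would make a change in `./ssrf.js` fail compilation instead of being hidden by the cast.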
@@ -109,36 +113,23 @@ describe("ssrf pinning", () => {
 ).rejects.toThrow(/allowlist/i);
 });
 
- it("blocks ISATAP embedded private IPv4 before DNS lookup", async () => {
- const lookup = vi.fn(async () => [
- { address: "93.184.216.34", family: 4 },
- ]) as unknown as LookupFn;
+ it.each([
+ {
+ name: "ISATAP embedded private IPv4",
+ hostname: "2001:db8:1234::5efe:127.0.0.1",
+ },
+ {
+ name: "legacy loopback IPv4 literal",
+ hostname: "0177.0.0.1",
+ },
+ {
+ name: "unsupported short-form IPv4 literal",
+ hostname: "8.8.2056",
+ },
+ ])("blocks $name before DNS lookup", async ({ hostname }) => {
+ const lookup = createPublicLookupMock();
 
- await expect(
- resolvePinnedHostnameWithPolicy("2001:db8:1234::5efe:127.0.0.1", {
- lookupFn: lookup,
- }),
- ).rejects.toThrow(SsrFBlockedError);
- expect(lookup).not.toHaveBeenCalled();
- });
-
- it("blocks legacy loopback IPv4 literals before DNS lookup", async () => {
- const lookup = vi.fn(async () => [
- { address: "93.184.216.34", family: 4 },
- ]) as unknown as LookupFn;
-
- await expect(
- resolvePinnedHostnameWithPolicy("0177.0.0.1", { lookupFn: lookup }),
- ).rejects.toThrow(SsrFBlockedError);
- expect(lookup).not.toHaveBeenCalled();
- });
-
- it("blocks unsupported short-form IPv4 literals before DNS lookup", async () => {
- const lookup = vi.fn(async () => [
- { address: "93.184.216.34", family: 4 },
- ]) as unknown as LookupFn;
-
- await expect(resolvePinnedHostnameWithPolicy("8.8.2056", { lookupFn: lookup })).rejects.toThrow(
+ await expect(resolvePinnedHostnameWithPolicy(hostname, { lookupFn: lookup })).rejects.toThrow(
 SsrFBlockedError,
 );
 expect(lookup).not.toHaveBeenCalled();
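Review bot: The rows of the `it.each` table do not say what each literal decodes to, so a reader extending the table cannot tell which normalization rule a case is meant to exercise. I would annotate the rows, for example `// octal first octet: same address as 127.0.0.1` on the `0177.0.0.1` row and `// three-part form: same address as 8.8.8.8` on the `8.8.2056` row. Going by its name, that last row is rejected for its form rather than for a private target, yet the shared assertion only checks for `SsrFBlockedError`, so the test cannot tell those reasons apart. If the error messages differ per reason, a per-row expected-message field would pin that down. The test callback closes outside the hunk.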