(t *testing.T)
| 12 | ) |
| 13 | |
| 14 | func TestRedirectSecurity(t *testing.T) { |
| 15 | tests := []struct { |
| 16 | reqHost string |
| 17 | testType string // "constructRedirectURL", "serveHTTPNext", "renderIndex" |
| 18 | |
| 19 | // For constructRedirectURL tests |
| 20 | xForwardedProto string |
| 21 | xForwardedHost string |
| 22 | xForwardedUri string |
| 23 | |
| 24 | // For serveHTTPNext tests |
| 25 | redirParam string |
| 26 | name string |
| 27 | |
| 28 | errorContains string |
| 29 | expectedStatus int |
| 30 | |
| 31 | // For renderIndex tests |
| 32 | returnHTTPStatusOnly bool |
| 33 | shouldError bool |
| 34 | shouldNotRedirect bool |
| 35 | shouldBlock bool |
| 36 | }{ |
| 37 | // constructRedirectURL tests - X-Forwarded-Proto validation |
| 38 | { |
| 39 | name: "constructRedirectURL: javascript protocol should be rejected", |
| 40 | testType: "constructRedirectURL", |
| 41 | xForwardedProto: "javascript", |
| 42 | xForwardedHost: "example.com", |
| 43 | xForwardedUri: "alert(1)", |
| 44 | shouldError: true, |
| 45 | errorContains: "invalid", |
| 46 | }, |
| 47 | { |
| 48 | name: "constructRedirectURL: data protocol should be rejected", |
| 49 | testType: "constructRedirectURL", |
| 50 | xForwardedProto: "data", |
| 51 | xForwardedHost: "text/html", |
| 52 | xForwardedUri: ",<script>alert(1)</script>", |
| 53 | shouldError: true, |
| 54 | errorContains: "invalid", |
| 55 | }, |
| 56 | { |
| 57 | name: "constructRedirectURL: file protocol should be rejected", |
| 58 | testType: "constructRedirectURL", |
| 59 | xForwardedProto: "file", |
| 60 | xForwardedHost: "", |
| 61 | xForwardedUri: "/etc/passwd", |
| 62 | shouldError: true, |
| 63 | errorContains: "invalid", |
| 64 | }, |
| 65 | { |
| 66 | name: "constructRedirectURL: ftp protocol should be rejected", |
| 67 | testType: "constructRedirectURL", |
| 68 | xForwardedProto: "ftp", |
| 69 | xForwardedHost: "example.com", |
| 70 | xForwardedUri: "/file.txt", |
| 71 | shouldError: true, |