(t *testing.T)
| 562 | } |
| 563 | |
// TestURLSource_Read_RejectsLocalAddresses checks that URLs whose host is a
// loopback, private, link-local or unspecified address are refused by the
// SSRF guard in the dialer before any connection is established.
func TestURLSource_Read_RejectsLocalAddresses(t *testing.T) {
	t.Parallel()

	// The HTTPS scheme is used deliberately: the TLS handshake can never
	// complete for these targets, but that does not matter because the dial
	// itself is aborted before any bytes are sent, so the error we assert on
	// comes from the address check and not from TLS.
	cases := []struct {
		url string
		why string
	}{
		{url: "https://127.0.0.1/agent.yaml", why: "loopback"},
		{url: "https://[::1]/agent.yaml", why: "IPv6 loopback"},
		{url: "https://10.0.0.1/agent.yaml", why: "RFC1918"},
		{url: "https://192.168.1.1/agent.yaml", why: "RFC1918"},
		{url: "https://169.254.169.254/agent.yaml", why: "AWS/GCP/Azure metadata"},
		{url: "https://0.0.0.0/agent.yaml", why: "unspecified"},
	}

	for _, tc := range cases {
		t.Run(tc.url, func(t *testing.T) {
			t.Parallel()

			// A cache hit would short-circuit the fetch entirely, so drop
			// both the cached body and its etag sidecar before reading.
			// Removal is best effort: the entries may simply not exist.
			cacheDir := getURLCacheDir()
			key := hashURL(tc.url)
			for _, name := range []string{key, key + ".etag"} {
				_ = os.Remove(filepath.Join(cacheDir, name))
			}

			_, err := NewURLSource(tc.url, nil).Read(t.Context())
			require.Error(t, err, tc.why)
			assert.Contains(t, err.Error(), "non-public address", tc.why)
		})
	}
}
| 595 | |
| 596 | func TestURLSource_Read_RejectsHTTPRedirect(t *testing.T) { |
| 597 | t.Parallel() |