(t *testing.T)
| 1292 | } |
| 1293 | |
| 1294 | func TestHostCheck(t *testing.T) { |
| 1295 | t.Parallel() |
| 1296 | |
| 1297 | // An API service bound to localhost should reject non-localhost host Headers |
| 1298 | |
| 1299 | cfg := newMockedConfig() |
| 1300 | cfg.GUIReturns(config.GUIConfiguration{RawAddress: "127.0.0.1:0"}) |
| 1301 | baseURL := startHTTP(t, cfg) |
| 1302 | |
| 1303 | // A normal HTTP get to the localhost-bound service should succeed |
| 1304 | |
| 1305 | resp, err := http.Get(baseURL) |
| 1306 | if err != nil { |
| 1307 | t.Fatal(err) |
| 1308 | } |
| 1309 | resp.Body.Close() |
| 1310 | if resp.StatusCode != http.StatusOK { |
| 1311 | t.Error("Regular HTTP get: expected 200 OK, not", resp.Status) |
| 1312 | } |
| 1313 | |
| 1314 | // A request with a suspicious Host header should fail |
| 1315 | |
| 1316 | req, _ := http.NewRequest("GET", baseURL, nil) |
| 1317 | req.Host = "example.com" |
| 1318 | resp, err = http.DefaultClient.Do(req) |
| 1319 | if err != nil { |
| 1320 | t.Fatal(err) |
| 1321 | } |
| 1322 | resp.Body.Close() |
| 1323 | if resp.StatusCode != http.StatusForbidden { |
| 1324 | t.Error("Suspicious Host header: expected 403 Forbidden, not", resp.Status) |
| 1325 | } |
| 1326 | |
| 1327 | // A request with an explicit "localhost:8384" Host header should pass |
| 1328 | |
| 1329 | req, _ = http.NewRequest("GET", baseURL, nil) |
| 1330 | req.Host = "localhost:8384" |
| 1331 | resp, err = http.DefaultClient.Do(req) |
| 1332 | if err != nil { |
| 1333 | t.Fatal(err) |
| 1334 | } |
| 1335 | resp.Body.Close() |
| 1336 | if resp.StatusCode != http.StatusOK { |
| 1337 | t.Error("Explicit localhost:8384: expected 200 OK, not", resp.Status) |
| 1338 | } |
| 1339 | |
| 1340 | // A request with an explicit "localhost" Host header (no port) should pass |
| 1341 | |
| 1342 | req, _ = http.NewRequest("GET", baseURL, nil) |
| 1343 | req.Host = "localhost" |
| 1344 | resp, err = http.DefaultClient.Do(req) |
| 1345 | if err != nil { |
| 1346 | t.Fatal(err) |
| 1347 | } |
| 1348 | resp.Body.Close() |
| 1349 | if resp.StatusCode != http.StatusOK { |
| 1350 | t.Error("Explicit localhost: expected 200 OK, not", resp.Status) |
| 1351 | } |