@@ -100,3 +100,105 @@ def test_no_raises_if_diff_url(monkeypatch):
100
100
monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
101
101
with pytest .raises (requests .exceptions .ConnectionError ):
102
102
requests .get (SSRF_TEST_DOMAIN_TWICE )
103
+
104
+
105
+ def test_localhost_is_same_as_context (monkeypatch ):
106
+ set_context_and_lifecycle ("http://localhost:8080" )
107
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
108
+ with pytest .raises (requests .exceptions .ConnectionError ):
109
+ requests .get ("http://localhost:8080" )
110
+
111
+
112
+ def test_localhost_raises_ssrf (monkeypatch ):
113
+ set_context_and_lifecycle ("http://localhost:8081" )
114
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
115
+ with pytest .raises (AikidoSSRF ):
116
+ requests .get ("http://localhost:8081" )
117
+ with pytest .raises (AikidoSSRF ):
118
+ requests .get ("http://localhost:8081/test" )
119
+ with pytest .raises (requests .exceptions .ConnectionError ):
120
+ requests .get ("http://localhost:5002/test" )
121
+
122
+ set_context_and_lifecycle ("http://localhost:8081/test" )
123
+ with pytest .raises (AikidoSSRF ):
124
+ requests .get ("http://localhost:8081/test" )
125
+ set_context_and_lifecycle ("http://localhost:8081/test/2" )
126
+ with pytest .raises (AikidoSSRF ):
127
+ requests .get ("http://localhost:8081/chicken/3" )
128
+
129
+
130
+ def test_loopback_ipv6_raises_ssrf (monkeypatch ):
131
+ set_context_and_lifecycle ("http://[::1]:8081" )
132
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
133
+ with pytest .raises (AikidoSSRF ):
134
+ requests .get ("http://[::1]:8081" )
135
+ with pytest .raises (AikidoSSRF ):
136
+ requests .get ("http://[::1]:8081/" )
137
+ with pytest .raises (AikidoSSRF ):
138
+ requests .get ("http://[::1]:8081/test" )
139
+
140
+
141
+ def test_loopback_ipv6_with_zeros_raises_ssrf (monkeypatch ):
142
+ set_context_and_lifecycle ("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081" )
143
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
144
+ with pytest .raises (AikidoSSRF ):
145
+ requests .get ("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081" )
146
+ with pytest .raises (AikidoSSRF ):
147
+ requests .get ("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081/" )
148
+ with pytest .raises (AikidoSSRF ):
149
+ requests .get ("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081/test" )
150
+
151
+
152
+ def test_different_capitalization_raises_ssrf (monkeypatch ):
153
+ set_context_and_lifecycle ("http://localHost:8081" )
154
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
155
+ with pytest .raises (AikidoSSRF ):
156
+ requests .get ("http://LOCALHOST:8081" )
157
+ with pytest .raises (AikidoSSRF ):
158
+ requests .get ("http://Localhost:8081/" )
159
+ with pytest .raises (AikidoSSRF ):
160
+ requests .get ("http://localHost:8081/test" )
161
+
162
+
163
+ def test_2130706433_raises_ssrf (monkeypatch ):
164
+ set_context_and_lifecycle ("http://2130706433:8081" )
165
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
166
+ with pytest .raises (AikidoSSRF ):
167
+ requests .get ("http://2130706433:8081" )
168
+ with pytest .raises (AikidoSSRF ):
169
+ requests .get ("http://2130706433:8081/" )
170
+ with pytest .raises (AikidoSSRF ):
171
+ requests .get ("http://2130706433:8081/test" )
172
+
173
+
174
+ def test_0x7f000001_raises_ssrf (monkeypatch ):
175
+ set_context_and_lifecycle ("http://0x7f000001:8081/" )
176
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
177
+ with pytest .raises (AikidoSSRF ):
178
+ requests .get ("http://0x7f000001:8081" )
179
+ with pytest .raises (AikidoSSRF ):
180
+ requests .get ("http://0x7f000001:8081/" )
181
+ with pytest .raises (AikidoSSRF ):
182
+ requests .get ("http://0x7f000001:8081/test" )
183
+
184
+
185
+ def test_0177_0_0_01_raises_ssrf (monkeypatch ):
186
+ set_context_and_lifecycle ("http://0177.0.0.01:8081/" )
187
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
188
+ with pytest .raises (AikidoSSRF ):
189
+ requests .get ("http://0177.0.0.01:8081/api/pets" )
190
+ with pytest .raises (AikidoSSRF ):
191
+ requests .get ("http://0177.0.0.01:8081/" )
192
+ with pytest .raises (AikidoSSRF ):
193
+ requests .get ("http://0177.0.0.01:8081/test" )
194
+
195
+
196
+ def test_0x7f_0x0_0x0_0x1_raises_ssrf (monkeypatch ):
197
+ set_context_and_lifecycle ("http://0x7f.0x0.0x0.0x1:8081/" )
198
+ monkeypatch .setenv ("AIKIDO_BLOCK" , "1" )
199
+ with pytest .raises (AikidoSSRF ):
200
+ requests .get ("http://0x7f.0x0.0x0.0x1:8081/api/pets" )
201
+ with pytest .raises (AikidoSSRF ):
202
+ requests .get ("http://0x7f.0x0.0x0.0x1:8081/" )
203
+ with pytest .raises (AikidoSSRF ):
204
+ requests .get ("http://0x7f.0x0.0x0.0x1:8081/test" )
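Review bot: The ConnectionError expectations at new lines 109 and 120 (`requests.get("http://localhost:8080")` and `requests.get("http://localhost:5002/test")`) only hold while nothing is listening on those ports, so they perform a real connection attempt and turn into failures on any machine where a developer happens to run a service on 8080 or 5002; binding a throwaway socket to obtain a guaranteed-closed port, or monkeypatching the transport, would remove that environment dependency. The positive cases look robust since AikidoSSRF is presumably raised before any socket is opened, but they stop at decimal, hex, octal, zero-padded IPv6 and case variants; short-form IPv4 (`http://127.1:8081`), IPv4-mapped IPv6 (`http://[::ffff:127.0.0.1]:8081`) and a trailing-dot hostname (`http://localhost.:8081`) are equally common loopback spellings that are not exercised here. If the matcher is meant to normalise those, one test each in the shape of test_2130706433_raises_ssrf would pin the behaviour; if it is not, a module-level comment listing the spellings the check is expected to canonicalise would save the next reader from guessing. The three context lines at the top of the hunk belong to test_no_raises_if_diff_url, whose definition starts outside the hunk; the added test functions themselves are complete.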