
Commit 8846cbd

committed
expand by adding a lot of test cases to requests_test
1 parent 777e7f9 commit 8846cbd


1 file changed

+102
-0
lines changed


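--- a/aikido_zen/sinks/tests/requests_test.py
+++ b/aikido_zen/sinks/tests/requests_test.py
@@ -100,3 +100,105 @@ def test_no_raises_if_diff_url(monkeypatch):
 monkeypatch.setenv("AIKIDO_BLOCK", "1")
 with pytest.raises(requests.exceptions.ConnectionError):
 requests.get(SSRF_TEST_DOMAIN_TWICE)
+
+
+def test_localhost_is_same_as_context(monkeypatch):
+set_context_and_lifecycle("http://localhost:8080")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(requests.exceptions.ConnectionError):
+requests.get("http://localhost:8080")
+
+
+def test_localhost_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://localhost:8081")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://localhost:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://localhost:8081/test")
+with pytest.raises(requests.exceptions.ConnectionError):
+requests.get("http://localhost:5002/test")
+
+set_context_and_lifecycle("http://localhost:8081/test")
+with pytest.raises(AikidoSSRF):
+requests.get("http://localhost:8081/test")
+set_context_and_lifecycle("http://localhost:8081/test/2")
+with pytest.raises(AikidoSSRF):
+requests.get("http://localhost:8081/chicken/3")
+
+
+def test_loopback_ipv6_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://[::1]:8081")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[::1]:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[::1]:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[::1]:8081/test")
+
+
+def test_loopback_ipv6_with_zeros_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://[0000:0000:0000:0000:0000:0000:0000:0001]:8081/test")
+
+
+def test_different_capitalization_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://localHost:8081")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://LOCALHOST:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://Localhost:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://localHost:8081/test")
+
+
+def test_2130706433_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://2130706433:8081")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://2130706433:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://2130706433:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://2130706433:8081/test")
+
+
+def test_0x7f000001_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://0x7f000001:8081/")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f000001:8081")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f000001:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f000001:8081/test")
+
+
+def test_0177_0_0_01_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://0177.0.0.01:8081/")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0177.0.0.01:8081/api/pets")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0177.0.0.01:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0177.0.0.01:8081/test")
+
+
+def test_0x7f_0x0_0x0_0x1_raises_ssrf(monkeypatch):
+set_context_and_lifecycle("http://0x7f.0x0.0x0.0x1:8081/")
+monkeypatch.setenv("AIKIDO_BLOCK", "1")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f.0x0.0x0.0x1:8081/api/pets")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f.0x0.0x0.0x1:8081/")
+with pytest.raises(AikidoSSRF):
+requests.get("http://0x7f.0x0.0x0.0x1:8081/test")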
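Review bot: `test_localhost_is_same_as_context` (new line 105) and the `localhost:5002` request in `test_localhost_raises_ssrf` (new line 120) assert `ConnectionError`, which only holds while nothing is listening on those ports; a developer with a service on 8080, a very common dev port, gets a real outbound request and a failing test instead. For the 5002 case, reserve an unused port inside the test (bind a `socket` to port 0, read it back, close it; this needs `import socket` at the top of the file) and build the URL from that number as in the fence below; the same hazard applies to 8080, but since that port is presumably exempt only because it matches the origin the context is served on (the helper is outside this hunk, so that is an inference), the port would have to be threaded through `set_context_and_lifecycle` rather than picked ad hoc. A one-line comment on line 105 such as `# the context is served on 8080 too, so the agent treats this as a request to itself and lets it through -- TODO confirm against set_context_and_lifecycle` would also spare the next reader the 8080-vs-8081 puzzle. Finally, the loopback spellings covered here omit the IPv4-mapped form `http://[::ffff:127.0.0.1]:8081` and the short dotted form `http://127.1:8081`, both classic filter bypasses; unless the part of the file above this hunk already exercises them, one test each would round out the set.

```python
def test_localhost_raises_ssrf(monkeypatch):
    # … unchanged: context setup and the two blocked 8081 requests …
    # Reserve a port nothing is listening on, so ConnectionError really means
    # "allowed through, nobody answered" rather than "hit a stray dev server".
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        free_port = probe.getsockname()[1]
    with pytest.raises(requests.exceptions.ConnectionError):
        requests.get(f"http://localhost:{free_port}/test")
    # … unchanged: the /test and /test/2 context variants …
```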
