4ff7bc90c3
Expand the SSRF blocklist from IPv4-only to IPv6 loopback/ULA (fc00::/7)/
link-local (fe80::/10)/multicast/IPv4-mapped, plus the missing IPv4 ranges
0.0.0.0/8, 100.64.0.0/10 CGNAT, and TEST-NET/benchmark ranges. Replace the
single-lookup SSRF guard with resolveAndValidate(): resolves all DNS records
(lookup { all: true }) so a hostname returning "public + private" is
rejected, and returns the first validated address for connection pinning.
The webhook dispatcher now switches from plain fetch() to https.request()
with a custom Agent.lookup that returns the pre-validated IP. A DNS rebind
between the guard check and the TCP connect() can no longer redirect the
dial to an internal address. Hostname still flows through for SNI and
certificate validation.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
import { beforeEach, describe, expect, it, vi } from "vitest";
import { SystemRole } from "@capakraken/shared";
import {
createToolContext,
executeTool,
totpValidateMock,
} from "./assistant-tools-user-self-service-mfa-test-helpers.js";
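// Enable-flow tests for the assistant's user self-service MFA tools. Both
// tests drive the tool through executeTool() with a hand-rolled Prisma-like
// `db` stub so the assertions pin exactly which writes the real user router
// path performs.
describe("assistant user self-service MFA tools - enable flow", () => {
  beforeEach(() => {
    vi.clearAllMocks();
    // The shared TOTP validator mock keeps its return-value queue across
    // tests unless reset explicitly; clearAllMocks only clears call records.
    totpValidateMock.mockReset();
  });

  it("generates a TOTP secret through the real user router path", async () => {
    const db = {
      user: {
        update: vi.fn().mockResolvedValue({}),
      },
    };
    const ctx = createToolContext(db, SystemRole.ADMIN);

    const result = await executeTool("generate_totp_secret", "{}", ctx);

    // The freshly generated secret is persisted for the calling user only.
    expect(db.user.update).toHaveBeenCalledWith({
      where: { id: "user_1" },
      data: { totpSecret: "MOCKSECRET" },
    });
    expect(JSON.parse(result.content)).toEqual({
      success: true,
      secret: "MOCKSECRET",
      uri: "otpauth://mock",
      message: "Generated a new MFA TOTP secret.",
    });
    expect(result.action).toEqual({
      type: "invalidate",
      scope: ["user"],
    });
  });

  it("enables TOTP through the real user router path when the token is valid", async () => {
    // The validator mock returns the window delta; 0 means the token matched.
    totpValidateMock.mockReturnValue(0);

    const db = {
      user: {
        findUnique: vi.fn().mockResolvedValue({
          id: "user_1",
          name: "Assistant User",
          email: "assistant@example.com",
          totpSecret: "MOCKSECRET",
          totpEnabled: false,
        }),
        update: vi.fn().mockResolvedValue({}),
        // count: 1 models the CAS winning (no concurrent/replayed use).
        updateMany: vi.fn().mockResolvedValue({ count: 1 }),
      },
      auditLog: {
        create: vi.fn().mockResolvedValue({ id: "audit_1" }),
      },
    };
    const ctx = createToolContext(db, SystemRole.ADMIN);

    const result = await executeTool(
      "verify_and_enable_totp",
      JSON.stringify({ token: "123456" }),
      ctx,
    );

    expect(db.user.findUnique).toHaveBeenCalledWith({
      where: { id: "user_1" },
      select: {
        id: true,
        name: true,
        email: true,
        totpSecret: true,
        totpEnabled: true,
        lastTotpAt: true,
      },
    });

    // Atomic-CAS replay guard: lastTotpAt is set by updateMany with a
    // conditional WHERE; the subsequent update toggles totpEnabled only.
    const [updateManyArgs] = db.user.updateMany.mock.calls[0];
    expect(updateManyArgs).toEqual(
      expect.objectContaining({
        where: expect.objectContaining({ id: "user_1" }),
        data: { lastTotpAt: expect.any(Date) },
      }),
    );
    // The guard only guards if WHERE carries a condition beyond the primary
    // key: a bare `{ id }` always matches, so a regression that dropped the
    // conditional clause would silently turn the CAS into a no-op. Pin that a
    // condition is present without coupling the test to its exact shape.
    expect(updateManyArgs.where).not.toStrictEqual({ id: "user_1" });
    // Ordering matters for replay protection: the CAS must be settled before
    // totpEnabled is flipped, otherwise a losing CAS could still enable MFA.
    expect(db.user.updateMany.mock.invocationCallOrder[0]).toBeLessThan(
      db.user.update.mock.invocationCallOrder[0],
    );

    expect(db.user.update).toHaveBeenCalledWith({
      where: { id: "user_1" },
      data: { totpEnabled: true },
    });
    expect(db.auditLog.create).toHaveBeenCalledWith({
      data: expect.objectContaining({
        entityType: "User",
        entityId: "user_1",
        action: "UPDATE",
        userId: "user_1",
        source: "ui",
        entityName: "Assistant User (assistant@example.com)",
        summary: "Enabled TOTP MFA",
      }),
    });
    expect(JSON.parse(result.content)).toEqual({
      success: true,
      enabled: true,
      message: "Enabled MFA TOTP.",
    });
    expect(result.action).toEqual({
      type: "invalidate",
      scope: ["user"],
    });
  });
});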