Skip to content

Commit 839709e

Browse files
committed
add e2e test case to verify ssrf direct hits still blocked
1 parent 186f5b6 commit 839709e

1 file changed

Lines changed: 21 additions & 0 deletions

File tree

end2end/flask_mysql_test.py

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -85,6 +85,27 @@ def test_dangerous_response_with_firewall_query_params():
8585
assert attacks[2]["attack"]["source"] == "query"
8686

8787

88+
def test_direct_imds_ips_are_still_ssrf_ips():
89+
imds_url = "http://169.254.169.254/metadata/test"
90+
res = requests.post(base_url_fw + "/request", data={'url': imds_url})
91+
assert res.status_code == 500
92+
93+
time.sleep(5) # Wait for attack to be reported
94+
events = fetch_events_from_mock("http://localhost:5000")
95+
attacks = filter_on_event_type(events, "detected_attack")
96+
97+
assert len(attacks) == 4
98+
print(attacks[3]["attack"])
99+
assert attacks[3]["attack"]["blocked"] == True
100+
assert attacks[3]["attack"]["kind"] == "ssrf"
101+
assert attacks[3]["attack"]['metadata'] == {}
102+
assert attacks[3]["attack"]["operation"] == 'subprocess.Popen'
103+
assert attacks[3]["attack"]["pathToPayload"] == '.command'
104+
assert attacks[3]["attack"]["payload"] == '"ls -la"'
105+
assert attacks[3]["attack"]["source"] == "route_params"
106+
assert attacks[3]["attack"]["user"]["id"] == "123"
107+
assert attacks[3]["attack"]["user"]["name"] == "John Doe"
108+
88109
def test_dangerous_response_without_firewall():
89110
dog_name = 'Dangerous bobby", 1); -- '
90111
res = requests.post(base_url_nofw + "/create", data={'dog_name': dog_name})

0 commit comments

Comments
 (0)