chore: adjust test scheme

Bulletdev · Bulletdev · commit d4fa09cc8bd8 · 2026-04-26T17:29:23.000-03:00
diff --git a/.pentest/test-secrets-quick.sh b/.pentest/test-secrets-quick.sh
@@ -44,7 +44,7 @@ fi
 
 # 3. Check .env is in .gitignore
 echo "[3/5] Checking .env is ignored..."
-if grep -q "^\.env$" .gitignore 2>/dev/null; then
+if grep -qP "^\.env\r?$" .gitignore 2>/dev/null; then
   echo -e "${GREEN}[PASS]${NC} .env is in .gitignore"
 else
   echo -e "${RED}[FAIL]${NC} .env should be in .gitignore"
@@ -80,7 +80,6 @@ if [ $ISSUES -eq 0 ]; then
   echo -e "${GREEN}✓ No secrets exposed${NC}"
   exit 0
 else
-  echo -e "${YELLOW}⚠ $ISSUES potential issues detected${NC}"
-  echo "Review findings above"
-  exit 0  # Warning, not critical failure
+  echo -e "${RED}✗ $ISSUES issue(s) detected — review findings above${NC}"
+  exit 1
 fi
diff --git a/.pentest/test-ssrf-quick.sh b/.pentest/test-ssrf-quick.sh
@@ -1,8 +1,6 @@
 #!/bin/bash
 # Quick SSRF Protection Test (works without auth since we check rejection)
 
-set -e
-
 API_URL="http://localhost:3333"
 GREEN='\033[0;32m'
 RED='\033[0;31m'
@@ -25,8 +23,8 @@ test_result() {
   fi
 }
 
-# Note: Image proxy now requires authentication
-# So all these should return 401 Unauthorized (which is good - not vulnerable to SSRF from unauthenticated users)
+# Note: Image proxy intentionally skips JWT auth (browsers can't send Authorization on <img> src).
+# Security is enforced via domain allowlist + HTTPS-only + private IP/scheme blocking.
 
 echo "[1/9] Testing localhost access (should be blocked)..."
 RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/images/proxy?url=http://localhost:6379")
@@ -108,14 +106,14 @@ else
   test_result "FAIL" "Should block HTTP (got HTTP $HTTP_CODE)"
 fi
 
-echo "[9/9] Authentication required check..."
-RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/images/proxy?url=https://upload.wikimedia.org/test.png")
+echo "[9/9] Testing file:// scheme (local file read)..."
+RESULT=$(curl -s -w "\n%{http_code}" "$API_URL/api/v1/images/proxy?url=file:///etc/passwd")
 HTTP_CODE=$(echo "$RESULT" | tail -n1)
 
-if [ "$HTTP_CODE" = "401" ]; then
-  test_result "PASS" "Endpoint requires authentication (HTTP 401)"
+if [ "$HTTP_CODE" = "400" ] || [ "$HTTP_CODE" = "403" ]; then
+  test_result "PASS" "Blocks file:// scheme (HTTP $HTTP_CODE)"
 else
-  test_result "FAIL" "Endpoint should require authentication (got HTTP $HTTP_CODE)"
+  test_result "FAIL" "Should block file:// scheme (got HTTP $HTTP_CODE)"
 fi
 
 echo ""
@@ -127,7 +125,7 @@ echo -e "${GREEN}Passed: $PASSED${NC}"
 echo -e "${RED}Failed: $FAILED${NC}"
 echo ""
 
-if [ $PASSED -ge 8 ]; then
+if [ $FAILED -eq 0 ]; then
   echo -e "${GREEN}✓ SSRF protection is SECURE${NC}"
   echo ""
   echo "Notes:"
@@ -136,6 +134,6 @@ if [ $PASSED -ge 8 ]; then
   echo "- Private IPs, localhost, and metadata endpoints protected"
   exit 0
 else
-  echo -e "${RED}✗ SSRF vulnerabilities detected!${NC}"
+  echo -e "${RED}✗ SSRF vulnerabilities detected ($FAILED failure(s))!${NC}"
   exit 1
 fi
