Skip to content

Commit 0631e6e

Browse files
committed
Add unit tests for distinct SSRF rejection paths
Add tests that explicitly exercise the token mismatch path (recognized header with wrong value) and the missing header path (no recognized SSRF header present) to verify both branches produce the expected 403 response. Also fix doc comment to use Err(HttpError) instead of Err((u16, String)).
1 parent 467251c commit 0631e6e

2 files changed

Lines changed: 31 additions & 1 deletion

File tree

aws_secretsmanager_provider/src/lib.rs

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -715,6 +715,36 @@ mod tests {
715715
assert_eq!(status, StatusCode::BAD_REQUEST);
716716
}
717717

718+
// Verify that a request with a recognized SSRF header but wrong value is rejected (token mismatch path).
719+
#[tokio::test]
720+
async fn ssrf_token_mismatch() {
721+
let (status, body) = run_requests_with_headers(
722+
vec![("GET", "/secretsmanager/get?secretId=MyTest")],
723+
vec![("X-Aws-Parameters-Secrets-Token", "wrong-value")],
724+
)
725+
.await
726+
.expect("request failed")
727+
.pop()
728+
.unwrap();
729+
assert_eq!(status, StatusCode::FORBIDDEN);
730+
assert_eq!(body, "Bad Token");
731+
}
732+
733+
// Verify that a request with no recognized SSRF header at all is rejected (missing header path).
734+
#[tokio::test]
735+
async fn ssrf_token_missing_header() {
736+
let (status, body) = run_requests_with_headers(
737+
vec![("GET", "/secretsmanager/get?secretId=MyTest")],
738+
vec![("X-Unrelated-Header", "some-value")],
739+
)
740+
.await
741+
.expect("request failed")
742+
.pop()
743+
.unwrap();
744+
assert_eq!(status, StatusCode::FORBIDDEN);
745+
assert_eq!(body, "Bad Token");
746+
}
747+
718748
// Verify max conn is enforced (max conn set to 1 for testing)
719749
#[tokio::test]
720750
async fn max_conn_test() {

aws_secretsmanager_provider/src/server.rs

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -227,7 +227,7 @@ impl Server {
227227
/// # Returns
228228
///
229229
/// * `Ok(())` - For health checks or when the request has the correct token.
230-
/// * `Err((u16, String))` - A 400 or 403 error code (if header is set or token is missing or wrong) and error message.
230+
/// * `Err(HttpError)` - A 400 or 403 error code (if header is set or token is missing or wrong) and error message.
231231
#[doc(hidden)]
232232
fn validate_token(
233233
&self,

0 commit comments

Comments
 (0)