roof
a43f9fbf0d
P0 — Broken functionality: - Fix 12+ endpoints with wrong manager method signatures (email/calendar/file/routing) - Fix email_manager.delete_email_user() missing domain arg - Fix cell-link DNS forwarding wiped on every peer change (generate_corefile now accepts cell_links param; add/remove_cell_dns_forward no longer clobber the file) - Fix Flask SECRET_KEY regenerating on every restart (persisted to DATA_DIR) - Fix _next_peer_ip exhaustion returning 500 instead of 409 - Fix ConfigManager Caddyfile path (/app/config-caddy/) - Fix UI double-add and wrong-key peer bugs in Peers.jsx / WireGuard.jsx - Remove hardcoded credentials from Dashboard.jsx P1 — Security: - CSRF token validation on all POST/PUT/DELETE/PATCH to /api/* (double-submit pattern) - enforce_auth: 503 only when users file readable but empty; never bypass on IOError - WireGuard add_cell_peer: validate pubkey, name, endpoint against strict regexes - DNS add_cell_dns_forward: validate IP and domain; reject injection chars - DNS zone write: realpath containment + record content validation - iptables comment /32 suffix prevents substring match deleting wrong peer rules - is_local_request() trusts only loopback + 172.16.0.0/12 (Docker bridge) - POST /api/containers: volume allow-list prevents arbitrary host mounts - file_manager: bcrypt ($2b→$2y) for WebDAV; realpath containment in delete_user - email/calendar: stop persisting plaintext passwords in user records - routing_manager: validate IPs, networks, and interface names - peer_registry: write peers.json at mode 0o600 - vault_manager: Fernet key file at mode 0o600 - CORS: lock down to explicit origin list - domain/cell_name validation: reject newline, brace, semicolon injection chars P2 — Architecture: - Peer add: rollback registry entry if firewall rules fail post-add - restart_service(): base class now calls _restart_container(); email and calendar managers call cell-mail / cell-radicale respectively - email/calendar managers sync user list (no passwords) to cell_config.json - Pending-restart flag cleared only after helper subprocess exits with code 0 - docker-compose.yml: add config-caddy volume to API container P3 — Tests (854 → 1020): - Fill test_email_endpoints.py, test_calendar_endpoints.py, test_network_endpoints.py, test_routing_endpoints.py - New: test_peer_management_update.py, test_peer_management_edge_cases.py, test_input_validation.py, test_enforce_auth_configured.py, test_cell_link_dns.py, test_logs_endpoints.py, test_cells_endpoints.py, test_is_local_request_per_endpoint.py, test_caddy_routing.py - E2E conftest: skip WireGuard suite when wg-quick absent - Update existing tests to match fixed signatures and comment formats Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
137 lines
4.5 KiB
Python
137 lines
4.5 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
Tests for the security input validation on PUT /api/config.
|
|
|
|
Validates that domain and cell_name fields reject injection characters
|
|
while allowing legitimate values (multi-label domains, hyphens, etc.).
|
|
"""
|
|
|
|
import sys
|
|
import json
|
|
import unittest
|
|
from pathlib import Path
|
|
from unittest.mock import patch, MagicMock
|
|
|
|
api_dir = Path(__file__).parent.parent / 'api'
|
|
sys.path.insert(0, str(api_dir))
|
|
|
|
from app import app
|
|
|
|
|
|
def _put(client, payload):
|
|
return client.put(
|
|
'/api/config',
|
|
data=json.dumps(payload),
|
|
content_type='application/json',
|
|
)
|
|
|
|
|
|
class TestDomainValidation(unittest.TestCase):
|
|
|
|
def setUp(self):
|
|
app.config['TESTING'] = True
|
|
self.client = app.test_client()
|
|
|
|
def test_domain_with_newline_returns_400(self):
|
|
r = _put(self.client, {'domain': 'cell\nnewline'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_domain_with_opening_brace_returns_400(self):
|
|
r = _put(self.client, {'domain': 'cell{injection}'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_domain_with_semicolon_returns_400(self):
|
|
r = _put(self.client, {'domain': 'cell;rm -rf /'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_domain_with_space_returns_400(self):
|
|
r = _put(self.client, {'domain': 'my cell'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_domain_multilabel_with_dot_returns_200(self):
|
|
# Multi-label names like 'cell.local' or 'home.lan' must be accepted.
|
|
r = _put(self.client, {'domain': 'cell.local'})
|
|
# The endpoint may also return non-400 on 500 if downstream fails,
|
|
# but the validation itself must not reject dots.
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_domain_simple_word_returns_200(self):
|
|
r = _put(self.client, {'domain': 'myhome'})
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_domain_with_hyphen_returns_200(self):
|
|
r = _put(self.client, {'domain': 'my-cell'})
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_domain_with_at_sign_returns_400(self):
|
|
r = _put(self.client, {'domain': 'cell@evil.com'})
|
|
self.assertEqual(r.status_code, 400)
|
|
self.assertIn('error', json.loads(r.data))
|
|
|
|
def test_domain_with_slash_returns_400(self):
|
|
r = _put(self.client, {'domain': 'cell/etc'})
|
|
self.assertEqual(r.status_code, 400)
|
|
self.assertIn('error', json.loads(r.data))
|
|
|
|
|
|
class TestCellNameValidation(unittest.TestCase):
|
|
|
|
def setUp(self):
|
|
app.config['TESTING'] = True
|
|
self.client = app.test_client()
|
|
|
|
def test_cell_name_with_space_returns_400(self):
|
|
r = _put(self.client, {'cell_name': 'my cell'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_cell_name_with_dot_returns_400(self):
|
|
# cell_name is a single hostname component — dots are not allowed
|
|
r = _put(self.client, {'cell_name': 'my.cell'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_cell_name_with_newline_returns_400(self):
|
|
r = _put(self.client, {'cell_name': 'cell\nevil'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_cell_name_with_semicolon_returns_400(self):
|
|
r = _put(self.client, {'cell_name': 'cell;drop'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
def test_cell_name_valid_hyphenated_returns_200(self):
|
|
r = _put(self.client, {'cell_name': 'valid-name'})
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_cell_name_simple_alpha_returns_200(self):
|
|
r = _put(self.client, {'cell_name': 'mycell'})
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_cell_name_with_digits_returns_200(self):
|
|
r = _put(self.client, {'cell_name': 'cell01'})
|
|
self.assertNotEqual(r.status_code, 400)
|
|
|
|
def test_cell_name_with_brace_returns_400(self):
|
|
r = _put(self.client, {'cell_name': 'cell{x}'})
|
|
self.assertEqual(r.status_code, 400)
|
|
data = json.loads(r.data)
|
|
self.assertIn('error', data)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|