Harden DAV outbound URL validation (#2819)

tests/test_caldav_url_hardening.py

@@ -1,4 +1,5 @@
 import asyncio
+import ipaddress
 import sys
 import types
 from pathlib import Path
@@ -8,7 +9,12 @@ import pytest
 from src import caldav_sync
 
 
-def test_validate_caldav_url_normalizes_safe_url():
+def test_validate_caldav_url_normalizes_safe_url(monkeypatch):
+    monkeypatch.setattr(
+        caldav_sync,
+        "_resolve_caldav_host_ips",
+        lambda host: [ipaddress.ip_address("93.184.216.34")],
+    )
     assert (
         caldav_sync.validate_caldav_url(" https://calendar.example.com/dav/ ")
         == "https://calendar.example.com/dav"
@@ -42,7 +48,46 @@ def test_validate_caldav_url_blocks_private_ips_unless_explicitly_allowed(monkey
     assert caldav_sync.validate_caldav_url("http://10.0.0.5:5232/dav") == "http://10.0.0.5:5232/dav"
 
 
+def test_validate_caldav_url_blocks_dns_to_private(monkeypatch):
+    monkeypatch.delenv("ODYSSEUS_ALLOW_PRIVATE_CALDAV", raising=False)
+    monkeypatch.setattr(
+        caldav_sync,
+        "_resolve_caldav_host_ips",
+        lambda host: [ipaddress.ip_address("10.0.0.5")],
+    )
+
+    with pytest.raises(ValueError, match="Private CalDAV IPs require"):
+        caldav_sync.validate_caldav_url("https://calendar.example.com/dav")
+
+
+def test_validate_caldav_url_blocks_dns_to_link_local_even_when_private_allowed(monkeypatch):
+    monkeypatch.setenv("ODYSSEUS_ALLOW_PRIVATE_CALDAV", "1")
+    monkeypatch.setattr(
+        caldav_sync,
+        "_resolve_caldav_host_ips",
+        lambda host: [ipaddress.ip_address("169.254.169.254")],
+    )
+
+    with pytest.raises(ValueError, match="host is not allowed"):
+        caldav_sync.validate_caldav_url("https://calendar.example.com/dav")
+
+
+def test_validate_caldav_url_fails_closed_when_hostname_does_not_resolve(monkeypatch):
+    def _no_dns(host):
+        raise OSError("no such host")
+
+    monkeypatch.setattr(caldav_sync, "_resolve_caldav_host_ips", _no_dns)
+
+    with pytest.raises(ValueError, match="host does not resolve"):
+        caldav_sync.validate_caldav_url("https://calendar.example.com/dav")
+
+
 def test_sync_caldav_decrypts_stored_password_and_validates_url(monkeypatch):
+    monkeypatch.setattr(
+        caldav_sync,
+        "_resolve_caldav_host_ips",
+        lambda host: [ipaddress.ip_address("93.184.216.34")],
+    )
     prefs_mod = types.ModuleType("routes.prefs_routes")
     prefs_mod._load_for_user = lambda owner: {
         "caldav": {

tests/test_caldav_url_nonstring.py

@@ -5,9 +5,13 @@ It did `(raw_url or "").strip()`, so a non-string scalar (e.g. an int from a
 mis-typed config) reached `.strip()` and raised TypeError instead of the
 function\'s own ValueError.
 """
+import ipaddress
+
 import pytest
 
-from src.caldav_sync import validate_caldav_url
+from src import caldav_sync
+
+validate_caldav_url = caldav_sync.validate_caldav_url
 
 
 def test_non_string_raises_valueerror_not_typeerror():
@@ -17,6 +21,11 @@ def test_non_string_raises_valueerror_not_typeerror():
         validate_caldav_url(None)
 
 
-def test_valid_url_passes():
+def test_valid_url_passes(monkeypatch):
+    monkeypatch.setattr(
+        caldav_sync,
+        "_resolve_caldav_host_ips",
+        lambda host: [ipaddress.ip_address("93.184.216.34")],
+    )
     out = validate_caldav_url("https://dav.example.com/calendars/")
     assert "example.com" in out

tests/test_caldav_writeback.py

@@ -5,6 +5,9 @@ iCalendar serialization, hash-based remote-calendar discovery, and the
 create/update/delete orchestration.
 """
 
+import asyncio
+import sys
+import types
 from datetime import datetime
 
 from src.caldav_writeback import (
@@ -123,3 +126,102 @@ def test_push_missing_uid_reports_input_error_before_remote_lookup():
     res = push_event([cal], CAL_ID, _ev(uid=""))
     assert res["ok"] is False and "uid" in res["error"]
     assert cal._existing.saved is False
+
+
+def test_writeback_validates_saved_url_before_remote_call(monkeypatch):
+    import src.caldav_sync as sync
+    import src.caldav_writeback as wb
+
+    prefs_mod = types.ModuleType("routes.prefs_routes")
+    prefs_mod._load_for_user = lambda owner: {
+        "caldav": {
+            "url": " https://dav.example.com/calendars/home/ ",
+            "username": owner,
+            "password": "enc:pw",
+        }
+    }
+    secret_mod = types.ModuleType("src.secret_storage")
+    secret_mod.decrypt = lambda value: "plain-password"
+    monkeypatch.setitem(sys.modules, "routes.prefs_routes", prefs_mod)
+    monkeypatch.setitem(sys.modules, "src.secret_storage", secret_mod)
+
+    captured = {}
+
+    def fake_validate(url):
+        captured["validated_url"] = url
+        return "https://dav.example.com/calendars/home"
+
+    def fake_writeback_blocking(local_cal_id, ev, delete, url, username, password):
+        captured.update(
+            {
+                "local_cal_id": local_cal_id,
+                "delete": delete,
+                "url": url,
+                "username": username,
+                "password": password,
+            }
+        )
+        return {"ok": True}
+
+    async def inline_to_thread(func, *args, **kwargs):
+        return func(*args, **kwargs)
+
+    monkeypatch.setattr(sync, "validate_caldav_url", fake_validate)
+    monkeypatch.setattr(wb, "_writeback_blocking", fake_writeback_blocking)
+    monkeypatch.setattr(wb.asyncio, "to_thread", inline_to_thread)
+
+    result = asyncio.run(
+        wb.writeback_event("alice", "caldav", "caldav-123", {"uid": "evt-1"})
+    )
+
+    assert result == {"ok": True}
+    assert captured == {
+        "validated_url": "https://dav.example.com/calendars/home/",
+        "local_cal_id": "caldav-123",
+        "delete": False,
+        "url": "https://dav.example.com/calendars/home",
+        "username": "alice",
+        "password": "plain-password",
+    }
+
+
+def test_writeback_rejects_unsafe_saved_url_before_remote_call(monkeypatch):
+    import src.caldav_sync as sync
+    import src.caldav_writeback as wb
+
+    prefs_mod = types.ModuleType("routes.prefs_routes")
+    prefs_mod._load_for_user = lambda owner: {
+        "caldav": {
+            "url": "http://evil.example/latest/meta-data",
+            "username": owner,
+            "password": "enc:pw",
+        }
+    }
+    secret_mod = types.ModuleType("src.secret_storage")
+    secret_mod.decrypt = lambda value: "plain-password"
+    monkeypatch.setitem(sys.modules, "routes.prefs_routes", prefs_mod)
+    monkeypatch.setitem(sys.modules, "src.secret_storage", secret_mod)
+
+    called = False
+
+    def fake_validate(_url):
+        raise ValueError("CalDAV URL host is not allowed")
+
+    def fake_writeback_blocking(*_args, **_kwargs):
+        nonlocal called
+        called = True
+        return {"ok": True}
+
+    async def inline_to_thread(func, *args, **kwargs):
+        return func(*args, **kwargs)
+
+    monkeypatch.setattr(sync, "validate_caldav_url", fake_validate)
+    monkeypatch.setattr(wb, "_writeback_blocking", fake_writeback_blocking)
+    monkeypatch.setattr(wb.asyncio, "to_thread", inline_to_thread)
+
+    result = asyncio.run(
+        wb.writeback_event("alice", "caldav", "caldav-123", {"uid": "evt-1"})
+    )
+
+    assert result == {"ok": False, "error": "CalDAV URL host is not allowed"}
+    assert called is False

tests/test_contacts_carddav_security.py

@@ -0,0 +1,66 @@
+"""CardDAV outbound URL hardening tests."""
+
+import pytest
+
+import routes.contacts_routes as contacts
+
+
+def test_validate_carddav_url_blocks_metadata_targets(monkeypatch):
+    monkeypatch.setattr(
+        contacts,
+        "check_outbound_url",
+        lambda url, *, block_private=False: (False, "link-local address blocked"),
+    )
+
+    with pytest.raises(ValueError, match="link-local"):
+        contacts._validate_carddav_url("http://169.254.169.254/latest/meta-data")
+
+
+def test_validate_carddav_url_rejects_non_string(monkeypatch):
+    monkeypatch.setattr(
+        contacts,
+        "check_outbound_url",
+        lambda url, *, block_private=False: (False, "URL is required"),
+    )
+
+    with pytest.raises(ValueError, match="URL is required"):
+        contacts._validate_carddav_url(12345)
+
+
+def test_abs_url_pins_cross_origin_href_to_configured_carddav_origin(monkeypatch):
+    monkeypatch.setattr(
+        contacts,
+        "_get_carddav_config",
+        lambda: {"url": "https://dav.example.com/addressbooks/alice", "username": "", "password": ""},
+    )
+    monkeypatch.setattr(
+        contacts,
+        "check_outbound_url",
+        lambda url, *, block_private=False: (True, "ok"),
+    )
+
+    assert (
+        contacts._abs_url("http://169.254.169.254/latest/meta-data")
+        == "https://dav.example.com/latest/meta-data"
+    )
+
+
+def test_vcard_url_validates_base_and_quotes_uid(monkeypatch):
+    seen = []
+    monkeypatch.setattr(
+        contacts,
+        "_get_carddav_config",
+        lambda: {"url": "https://dav.example.com/addressbooks/alice/", "username": "", "password": ""},
+    )
+
+    def _safe(url, *, block_private=False):
+        seen.append((url, block_private))
+        return True, "ok"
+
+    monkeypatch.setattr(contacts, "check_outbound_url", _safe)
+
+    assert (
+        contacts._vcard_url("uid/../../escape")
+        == "https://dav.example.com/addressbooks/alice/uid%2F..%2F..%2Fescape.vcf"
+    )
+    assert seen == [("https://dav.example.com/addressbooks/alice", False)]