Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-16 01:35:36 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(search): align content URL guards

Browse Source 
* Stabilize full test collection

* Align search content URL guards
This commit is contained in:
Vykos
2026-06-04 01:34:06 +02:00
committed by GitHub
parent 193dc2f085
commit aaef6b1c49
3 changed files with 61 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/search/content.py
+11 -1
View File
@@ -39,7 +39,17 @@ _PRIVATE_NETWORKS = (
def _is_private_address(addr: ipaddress._BaseAddress) -> bool: def _is_private_address(addr: ipaddress._BaseAddress) -> bool:
return addr.is_private or addr.is_loopback or addr.is_link_local or any(addr in net for net in _PRIVATE_NETWORKS) if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
addr = addr.ipv4_mapped
return (
addr.is_private
or addr.is_loopback
or addr.is_link_local
or addr.is_reserved
or addr.is_multicast
or addr.is_unspecified
or any(addr in net for net in _PRIVATE_NETWORKS)
)
def _resolve_hostname_ips(hostname: str) -> list[ipaddress._BaseAddress]: def _resolve_hostname_ips(hostname: str) -> list[ipaddress._BaseAddress]:
src/search/content.py
+13 -1
View File
@@ -39,7 +39,17 @@ _PRIVATE_NETWORKS = (
def _is_private_address(addr: ipaddress._BaseAddress) -> bool: def _is_private_address(addr: ipaddress._BaseAddress) -> bool:
return any(addr in net for net in _PRIVATE_NETWORKS) or addr.is_private or addr.is_loopback if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
addr = addr.ipv4_mapped
return (
addr.is_private
or addr.is_loopback
or addr.is_link_local
or addr.is_reserved
or addr.is_multicast
or addr.is_unspecified
or any(addr in net for net in _PRIVATE_NETWORKS)
)
def _resolve_hostname_ips(hostname: str) -> List[ipaddress._BaseAddress]: def _resolve_hostname_ips(hostname: str) -> List[ipaddress._BaseAddress]:
@@ -57,6 +67,8 @@ def _public_http_url(url: str) -> bool:
host = parsed.hostname.strip().lower() host = parsed.hostname.strip().lower()
if host in ("localhost", "metadata.google.internal", "metadata"): if host in ("localhost", "metadata.google.internal", "metadata"):
return False return False
if host.endswith((".local", ".localhost", ".internal", ".lan", ".intranet")):
return False
try: try:
return not _is_private_address(ipaddress.ip_address(host)) return not _is_private_address(ipaddress.ip_address(host))
except ValueError: except ValueError:
tests/test_search_content_url_guards.py
+37
View File
@@ -0,0 +1,37 @@
import ipaddress
import pytest
from services.search import content as service_content
from src.search import content as src_content
@pytest.mark.parametrize("module", [src_content, service_content])
@pytest.mark.parametrize("url", [
"http://printer.local/",
"http://nas.lan/",
"http://admin.internal/",
"http://service.intranet/",
"http://[::ffff:169.254.169.254]/latest/meta-data/",
"http://224.0.0.1/",
"http://[ff02::1]/",
"http://[::]/",
])
def test_search_content_url_guard_blocks_internal_names_and_address_classes(module, url):
assert module._public_http_url(url) is False
@pytest.mark.parametrize("module", [src_content, service_content])
def test_search_content_url_guard_blocks_dns_to_multicast(monkeypatch, module):
monkeypatch.setattr(
module,
"_resolve_hostname_ips",
lambda host: [ipaddress.ip_address("224.0.0.1")],
)
assert module._public_http_url("https://example.test/page") is False
@pytest.mark.parametrize("module", [src_content, service_content])
def test_search_content_url_guard_still_allows_public_ip(module):
assert module._public_http_url("https://93.184.216.34/") is True