cd1d69c689
Mirrors lib/ingest/safe_fetch.js. Same scheme + IP-range checks and VOID_INGEST_ALLOW_PRIVATE env gate. Used by sync.source_doc and any future Python workers that fetch user-controlled URLs. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
28 lines
660 B
Python
28 lines
660 B
Python
import pytest
|
|
from void_workers.safe_fetch import safe_fetch, SafeFetchError
|
|
|
|
|
|
def test_rejects_file_scheme():
|
|
with pytest.raises(SafeFetchError):
|
|
safe_fetch("file:///etc/passwd")
|
|
|
|
|
|
def test_rejects_loopback():
|
|
with pytest.raises(SafeFetchError):
|
|
safe_fetch("http://127.0.0.1/x")
|
|
|
|
|
|
def test_rejects_rfc1918():
|
|
with pytest.raises(SafeFetchError):
|
|
safe_fetch("http://192.168.1.1/x")
|
|
|
|
|
|
def test_rejects_metadata_endpoint():
|
|
with pytest.raises(SafeFetchError):
|
|
safe_fetch("http://169.254.169.254/latest/")
|
|
|
|
|
|
def test_rejects_cgnat():
|
|
with pytest.raises(SafeFetchError):
|
|
safe_fetch("http://100.64.0.1/x")
|