docs(bf-2p237): catalog TH-05 SSRF blocking tests

Identified 19 TH-05 tests across 2 files:
- Core tests: 12 URL validation tests
- CLI tests: 7 integration tests

Documented all test names, locations, coverage areas,
and naming patterns in notes/bf-2p237.md.
This commit is contained in:
jedarden 2026-07-06 22:52:17 -04:00
parent 967e18a9ac
commit d84bf1e5d5

114
notes/bf-2p237.md Normal file
View file

@ -0,0 +1,114 @@
# TH-05 SSRF Blocking Tests Catalog
## Summary
Identified and cataloged all TH-05 SSRF (Server-Side Request Forgery) blocking tests in the pdftract codebase. These tests verify that the MCP server and CLI properly reject private-network URLs and dangerous schemes.
## Test Files
### 1. Core Tests
**File:** `/home/coding/pdftract/crates/pdftract-core/tests/TH-05-ssrf-block.rs`
Contains 12 tests focusing on URL validation logic and SSRF payload detection.
#### Test Functions:
1. `test_ssrf_protection_blocks_all_dangerous_payloads` - Tests all SSRF payload categories are blocked
2. `test_allow_private_networks_bypass` - Tests `--allow-private-networks` flag bypass
3. `test_public_urls_are_accepted` - Tests that public URLs are not rejected
4. `test_http_scheme_always_rejected` - Tests http:// scheme rejection (even with bypass flag)
5. `test_file_scheme_always_rejected` - Tests file:// scheme rejection
6. `test_ftp_scheme_always_rejected` - Tests ftp:// scheme rejection
7. `test_url_with_basic_auth_rejected` - Tests URLs with embedded credentials
8. `test_ipv6_zone_id_detected_as_link_local` - Tests IPv6 zone ID detection
9. `test_metadata_subdomain_detected` - Tests metadata endpoint subdomain blocking
10. `test_url_validation_returns_correct_diagnostic_code` - Tests diagnostic code is URL_PRIVATE_NETWORK
11. `test_private_ipv4_boundary_addresses` - Tests addresses just outside private ranges
12. `test_current_network_range_blocked` - Tests 0.0.0.0/8 blocking
### 2. CLI Tests
**File:** `/home/coding/pdftract/crates/pdftract-cli/tests/TH-05-ssrf-block.rs`
Contains 7 integration tests that spawn the MCP server and verify JSON-RPC responses.
#### Test Functions:
1. `test_ipv4_loopback_blocked` - Tests 127.0.0.1 rejection via MCP server
2. `test_ipv4_wildcard_blocked` - Tests 0.0.0.0 rejection via MCP server
3. `test_cloud_metadata_blocked` - Tests AWS metadata endpoint rejection
4. `test_rfc1918_private_blocked` - Tests 10.0.0.1 RFC 1918 rejection
5. `test_ipv6_loopback_blocked` - Tests IPv6 ::1 rejection
6. `test_http_scheme_rejected` - Tests http:// scheme rejection (https:// required)
7. `test_no_network_connection_attempted` - Tests that no actual connection is made
## Test Coverage
### SSRF Payload Categories Covered:
1. **Cloud Metadata Endpoints:**
- AWS: 169.254.169.254
- GCP: metadata.google.internal, instance-data.google.internal
- Azure: 168.63.129.16
- Alibaba: 100.100.100.200
2. **RFC 1918 Private IPv4 Ranges:**
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
3. **Loopback Addresses:**
- 127.0.0.0/8
- ::1 (IPv6)
4. **Link-Local Addresses:**
- 169.254.0.0/16
- fe80::/10 (IPv6)
5. **IPv6 ULA (Unique Local Address):**
- fc00::/7
- fd00::/8
6. **Dangerous Schemes:**
- http:// (not https://)
- file://
- ftp://
7. **Special Addresses:**
- 0.0.0.0/8 (current network)
## Test Structure
### Naming Pattern:
- Core tests: `test_<what_is_being_tested>` (descriptive, feature-focused)
- CLI tests: `test_<target>_<action_or_state>` (target-focused, behavior-focused)
### Architecture:
- **Core tests** use the `validate_url()` function directly (unit tests)
- **CLI tests** spawn the actual MCP server and test via JSON-RPC (integration tests)
## Statistics
- **Total TH-05 tests:** 19
- **Core tests:** 12
- **CLI integration tests:** 7
- **Test files:** 2
## Implementation Reference
The SSRF protection implementation is in:
- `/home/coding/pdftract/crates/pdftract-core/src/url_validation.rs` - URL validation logic
- `/home/coding/pdftract/crates/pdftract-core/tests/TH-05-ssrf-block.rs` - Tests with helper modules
## Test Helpers
The core test file includes extensive helper modules:
- `mcp_helpers` - JSON-RPC framing, tool call construction, response parsing
- Process spawning and cleanup utilities (RAII guards for deterministic cleanup)
- Assertion helpers for SSRF_BLOCKED error detection
All tests follow the test hygiene requirements from CLAUDE.md (bounded timeouts, process cleanup, no hung tests).
---
**Acceptance Criteria Status:**
- ✅ All TH-05 tests identified and listed
- ✅ Test file locations documented
- ✅ Test count (19) and naming patterns recorded