edward/ip-reflect
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

tests

Browse source
This commit is contained in:
Edward Shen 2021-10-03 20:17:58 -07:00
parent 282b12b62d
commit d899fc1649
Signed by: edward
GPG key ID: 19182661E818369F
3 changed files with 219 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
Cargo.lock generated
View file

@ -73,6 +73,12 @@ version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "either"
version = "1.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457"
[[package]] [[package]]
name = "fnv" name = "fnv"
version = "1.0.7" version = "1.0.7"
@ -200,7 +206,19 @@ name = "ip_reflect"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"axum", "axum",
"hyper",
"itertools",
"tokio", "tokio",
"tower",
]
[[package]]
name = "itertools"
version = "0.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "69ddb889f9d0d08a67338271fa9b62996bc788c7796a5c18cf057420aaed5eaf"
dependencies = [
"either",
] ]
[[package]] [[package]]

5
Cargo.toml
View file

@ -8,3 +8,8 @@ edition = "2018"
[dependencies] [dependencies]
axum = "0.2" axum = "0.2"
tokio = { version = "1", features = ["macros", "rt-multi-thread"] } tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
[dev-dependencies]
tower = "0.4"
hyper = { version = "0.14", features = ["client"] }
itertools = "0.10"

198
src/main.rs
View file

@ -4,7 +4,7 @@ use axum::extract::ConnectInfo;
use axum::handler::get; use axum::handler::get;
use axum::http::{HeaderMap, HeaderValue}; use axum::http::{HeaderMap, HeaderValue};
use axum::{Router, Server}; use axum::{Router, Server};
use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr}; use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};
#[tokio::main] #[tokio::main]
async fn main() { async fn main() {
@ -32,7 +32,9 @@ async fn root(header: HeaderMap, ConnectInfo(socket_info): ConnectInfo<SocketAdd
// skip first character, since we know it's an `"` // skip first character, since we know it's an `"`
chars.next(); chars.next();
let res: String = chars.take_while(|c| *c != '"').collect(); // skip next character, since we know it's an [
chars.next();
let res: String = chars.take_while(|c| *c != ']').collect();
if res.parse::<Ipv6Addr>().is_ok() { if res.parse::<Ipv6Addr>().is_ok() {
return res; return res;
} }
@ -46,12 +48,202 @@ async fn root(header: HeaderMap, ConnectInfo(socket_info): ConnectInfo<SocketAdd
} }
if let Some(Ok(value)) = header.get("X-Forwarded-For").map(HeaderValue::to_str) { if let Some(Ok(value)) = header.get("X-Forwarded-For").map(HeaderValue::to_str) {
return match value.split_once(',').map(|v| v.0) { let value = match value.split_once(',').map(|v| v.0) {
Some(v) => v, Some(v) => v,
None => value, None => value,
} }
.to_string(); .to_string();
if value.parse::<IpAddr>().is_ok() {
return value;
}
} }
socket_info.ip().to_string() socket_info.ip().to_string()
} }
#[cfg(test)]
mod tests {
use crate::root;
use axum::body::Body;
use axum::handler::get;
use axum::http::{Request, StatusCode};
use axum::Router;
use itertools::Itertools;
use std::net::{SocketAddr, TcpListener};
#[tokio::test]
async fn benign_requests() {
let app = Router::new().route("/", get(root));
let listener = TcpListener::bind("0.0.0.0:0".parse::<SocketAddr>().unwrap()).unwrap();
let addr = listener.local_addr().unwrap();
tokio::spawn(async move {
axum::Server::from_tcp(listener)
.unwrap()
.serve(app.into_make_service_with_connect_info::<SocketAddr, _>())
.await
.unwrap();
});
let uri = format!("http://{}", addr);
let client = hyper::Client::new();
// No headers
let resp = client
.request(
Request::builder()
.uri(format!("http://{}", addr))
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = hyper::body::to_bytes(resp.into_body()).await.unwrap();
assert_eq!(body, "127.0.0.1");
// X-Forwarded-For
let ip_combinations =
IntoIterator::into_iter(["0.1.2.3", "255.255.255.0", "ff00::0", "ffab::1"])
.powerset()
.skip(1) // skip empty set
.collect::<Vec<_>>();
for ips in &ip_combinations {
let first = ips[0];
let resp = client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", ips.join(", "))
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = hyper::body::to_bytes(resp.into_body()).await.unwrap();
assert_eq!(body, first);
}
// Forwarded
let ip_combinations =
IntoIterator::into_iter(["0.1.2.3", "255.255.255.0", "\"[ff00::0]\"", "\"[ffab::1]\""])
.powerset()
.skip(1) // skip empty set
.collect::<Vec<_>>();
for ips in &ip_combinations {
let first = ips[0];
let resp = client
.request(
Request::builder()
.uri(&uri)
.header(
"Forwarded",
ips.into_iter().map(|v| format!("for={}", v)).join(", "),
)
.body(Body::empty())
.unwrap(),
)
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = hyper::body::to_bytes(resp.into_body()).await.unwrap();
if matches!(first.chars().next(), Some('"')) {
assert_eq!(body, first[2..first.len() - 2]);
} else {
assert_eq!(body, first);
}
}
}
macro_rules! assert_passthrough {
($resp:expr) => {
let body = hyper::body::to_bytes($resp.into_body()).await.unwrap();
assert_eq!(body, "127.0.0.1");
};
}
#[tokio::test]
async fn malicious_requests() {
let app = Router::new().route("/", get(root));
let listener = TcpListener::bind("0.0.0.0:0".parse::<SocketAddr>().unwrap()).unwrap();
let addr = listener.local_addr().unwrap();
tokio::spawn(async move {
axum::Server::from_tcp(listener)
.unwrap()
.serve(app.into_make_service_with_connect_info::<SocketAddr, _>())
.await
.unwrap();
});
let uri = format!("http://{}", addr);
let client = hyper::Client::new();
// X-Forwarded-For incomplete IPv4
assert_passthrough!(client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", "1.2.3")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap());
// X-Forwarded-For incomplete IPv6
assert_passthrough!(client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", "1:4")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap());
// X-Forwarded-For bad ipv4
assert_passthrough!(client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", "256.0.0.1")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap());
// X-Forwarded-For bad ipv6
assert_passthrough!(client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", "ff::ff::ff")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap());
// nonsensical X-Forwarded-For
assert_passthrough!(client
.request(
Request::builder()
.uri(&uri)
.header("X-Forwarded-For", "hello world")
.body(Body::empty())
.unwrap(),
)
.await
.unwrap());
}
}