statelessagent

Overview Schema Related Servers Score Discussions

web_security_test.go•4.41 KiB

package web import ( "net/http" "net/http/httptest" "testing" ) // --- localhostOnly middleware --- func TestLocalhostOnly_AllowsLocalhost(t *testing.T) { inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }) handler := localhostOnly(inner) tests := []struct { name string host string }{ {"localhost", "localhost:4078"}, {"127.0.0.1", "127.0.0.1:4078"}, {"ipv6 loopback", "[::1]:4078"}, {"localhost no port", "localhost"}, {"127.0.0.1 no port", "127.0.0.1"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) req.Host = tt.host w := httptest.NewRecorder() handler.ServeHTTP(w, req) if w.Code != http.StatusOK { t.Errorf("expected 200 for host %q, got %d", tt.host, w.Code) } }) } } func TestLocalhostOnly_BlocksRemoteHosts(t *testing.T) { inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }) handler := localhostOnly(inner) tests := []struct { name string host string }{ {"external domain", "evil.com:4078"}, {"external IP", "192.168.1.1:4078"}, {"DNS rebinding", "attacker.example.com:4078"}, {"internal IP", "10.0.0.1:4078"}, {"cloud metadata", "169.254.169.254:4078"}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { req := httptest.NewRequest("GET", "/", nil) req.Host = tt.host w := httptest.NewRecorder() handler.ServeHTTP(w, req) if w.Code != http.StatusForbidden { t.Errorf("expected 403 for host %q, got %d", tt.host, w.Code) } }) } } // --- securityHeaders middleware --- func TestSecurityHeaders_Present(t *testing.T) { inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }) handler := securityHeaders(inner) req := httptest.NewRequest("GET", "/", nil) w := httptest.NewRecorder() handler.ServeHTTP(w, req) tests := []struct { header string want string }{ {"X-Frame-Options", "DENY"}, {"X-Content-Type-Options", "nosniff"}, {"Content-Security-Policy", "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src 'self' data:"}, } for _, tt := range tests { t.Run(tt.header, func(t *testing.T) { got := w.Header().Get(tt.header) if got != tt.want { t.Errorf("%s = %q, want %q", tt.header, got, tt.want) } }) } } // --- isPrivatePath --- func TestIsPrivatePath_Variants(t *testing.T) { tests := []struct { path string want bool }{ {"_PRIVATE/secret.md", true}, {"_private/secret.md", true}, {"_Private/deep/file.md", true}, {"_PRIVATE\\secret.md", true}, {"notes/public.md", false}, {"private/not-actually-private.md", false}, {"notes/_PRIVATE_note.md", false}, {"", false}, } for _, tt := range tests { t.Run(tt.path, func(t *testing.T) { got := isPrivatePath(tt.path) if got != tt.want { t.Errorf("isPrivatePath(%q) = %v, want %v", tt.path, got, tt.want) } }) } } // --- Path traversal in handleNoteByPath --- func TestHandleNoteByPath_PathTraversal(t *testing.T) { // We can't easily test the full handler without a DB, but we can test // the path validation logic by checking that traversal paths get rejected. traversalPaths := []string{ "../etc/passwd", "../../etc/shadow", "notes/../../etc/passwd", "/etc/passwd", ".git/config", ".same/config.toml", "_PRIVATE/secret.md", } for _, path := range traversalPaths { t.Run(path, func(t *testing.T) { // Simulate the path validation logic from handleNoteByPath clean := path if len(clean) > 0 && (clean[0] == '.' || clean[0] == '/') { return // would be rejected } if len(clean) > 1 && clean[:2] == ".." { return // would be rejected } if isPrivatePath(clean) { return // would be rejected } // If we get here for a traversal path, that's a problem if path == "../etc/passwd" || path == "../../etc/shadow" || path == "/etc/passwd" { t.Errorf("traversal path %q was not caught by validation", path) } }) } } // --- XSS in note content --- func TestFilterPrivateNotes_SnippetTruncation(t *testing.T) { // Verify snippets are truncated to 300 chars to limit XSS surface longText := make([]byte, 500) for i := range longText { longText[i] = 'a' } // filterPrivateNotes is tested indirectly — verify the constant if maxNoteSize != 5*1024*1024 { t.Errorf("maxNoteSize = %d, want %d", maxNoteSize, 5*1024*1024) } }

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/sgx-labs/statelessagent'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

web_security_test.go•4.41 KiB