kenmirrors/MagicMirror
1
0
Fork 0
mirror of https://github.com/MichMich/MagicMirror.git synced 2026-06-14 10:50:41 +00:00
Code Issues Projects Releases Wiki Activity
Files
b9be026df677ebd5fce77eb683efcc0f2e9a6b72
MagicMirror/tests/e2e/ipWhitelist_spec.js
Kristjan ESPERANTO 58c2a5e675 fix(server): enforce ipWhitelist for Socket.IO too (#4169) 
ipWhitelist was only applied to HTTP routes, so Socket.IO module
namespaces could still be reached from disallowed clients.

This adds the same whitelist check to Socket.IO handshakes
(allowRequest), and reuses the same client IP resolution for both HTTP
and Socket.IO (forwarded IP is only trusted for loopback peers).

Also adds tests for handshake allow/deny and forwarded-header behavior.

Fixes: GHSA-w26r-fwg8-rcp3
2026-06-01 10:26:16 -05:00

48 lines
1.5 KiB
JavaScript
Raw Blame History

const helpers = require("./helpers/global-setup");
describe("ipWhitelist directive configuration", () => {
describe("When IP is not in whitelist", () => {
beforeAll(async () => {
await helpers.startApplication("tests/configs/noIpWhiteList.js");
});
afterAll(async () => {
await helpers.stopApplication();
});
it("should reject request with 403 (Forbidden)", async () => {
const port = global.testPort || 8080;
const res = await fetch(`http://localhost:${port}`);
expect(res.status).toBe(403);
});
it("should also reject Socket.IO handshake with 403 (Forbidden) — not just HTTP routes", async () => {
const port = global.testPort || 8080;
const res = await fetch(`http://localhost:${port}/socket.io/?EIO=4&transport=polling`);
expect(res.status).toBe(403);
});
});
describe("When whitelist is empty (allow all IPs)", () => {
beforeAll(async () => {
await helpers.startApplication("tests/configs/empty_ipWhiteList.js");
});
afterAll(async () => {
await helpers.stopApplication();
});
it("should allow request with 200 (OK)", async () => {
const port = global.testPort || 8080;
const res = await fetch(`http://localhost:${port}`);
expect(res.status).toBe(200);
});
it("should also allow Socket.IO handshake with 200 (OK) — not just HTTP routes", async () => {
const port = global.testPort || 8080;
const res = await fetch(`http://localhost:${port}/socket.io/?EIO=4&transport=polling`);
expect(res.status).toBe(200);
});
});
});
Reference in New Issue View Git Blame Copy Permalink