def test_manual_ip_blacklist(self):
    """Addresses inside a caller-supplied blacklist must be refused.

    The blacklist mixes IPv4 networks with the IPv6 loopback, and the
    validator is built with ``allow_ipv6=True``. Addresses outside every
    listed network must still be accepted.
    """
    blocked_networks = (
        ipaddress.ip_network("132.0.5.0/24"),
        ipaddress.ip_network("152.0.0.0/8"),
        ipaddress.ip_network("::1"),
    )
    validator = AddrValidator(allow_ipv6=True, ip_blacklist=blocked_networks)

    # (address, expected verdict), checked in this order.
    expectations = (
        ("132.0.5.1", False),
        ("152.254.90.1", False),
        ("178.254.90.1", True),
        ("::1", False),
        # Google, found via `dig google.com AAAA`
        ("2607:f8b0:400a:807::200e", True),
    )
    for address, should_be_allowed in expectations:
        verdict = validator.is_ip_allowed(address)
        if should_be_allowed:
            self.assertTrue(verdict)
        else:
            self.assertFalse(verdict)
def test_ip_whitelist_blacklist_conflict(self):
    """An address on both manual lists is allowed: the whitelist wins."""
    # The same loopback network goes on both lists, so the verdict shows
    # which list the validator consults with higher priority.
    loopback = ipaddress.ip_network("127.0.0.1")
    validator = AddrValidator(
        ip_whitelist=(loopback,),
        ip_blacklist=(loopback,),
    )
    verdict = validator.is_ip_allowed("127.0.0.1")
    self.assertTrue(verdict)
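def test_safecurl_blacklist(self):
    """Test that we at least disallow everything SafeCurl does.

    A default ``AddrValidator`` (no manual lists) is checked against each
    netblock below. Netblocks are sampled, not enumerated: the stride is
    at least 1 and at most 128, so the /24 and /29 blocks are covered
    address by address while larger blocks are probed every 128th
    address. A pass therefore does not prove that every address in a
    large block is refused.
    """
    # All netblocks that SafeCurl would disallow
    bad_netblocks = (
        ipaddress.ip_network(x)
        for x in (
            '0.0.0.0/8',
            '10.0.0.0/8',
            '100.64.0.0/10',
            '127.0.0.0/8',
            '169.254.0.0/16',
            '172.16.0.0/12',
            '192.0.0.0/29',
            '192.0.2.0/24',
            '192.88.99.0/24',
            '192.168.0.0/16',
            '198.18.0.0/15',
            '198.51.100.0/24',
            '203.0.113.0/24',
            '224.0.0.0/4',
            '240.0.0.0/4',
        )
    )
    validator = AddrValidator()
    for bad_netblock in bad_netblocks:
        num_ips = bad_netblock.num_addresses
        # Don't test *every* IP in large netblocks
        step_size = int(min(max(num_ips / 255, 1), 128))
        for ip_idx in six.moves.range(0, num_ips, step_size):
            bad_ip = bad_netblock[ip_idx]
            # Build the message only on failure; the loop runs millions
            # of times and must stay cheap on the passing path.
            if validator.is_ip_allowed(bad_ip):
                self.fail(
                    "%s (in %s) was allowed by the default validator"
                    % (bad_ip, bad_netblock)
                )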
def test_ip_whitelist(self):
    """A manually whitelisted IP is accepted by the validator."""
    # Only the single loopback address is whitelisted.
    allowed_networks = (ipaddress.ip_network("127.0.0.1"),)
    validator = AddrValidator(ip_whitelist=allowed_networks)
    verdict = validator.is_ip_allowed("127.0.0.1")
    self.assertTrue(verdict)