vh/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2026-03-30 23:03:03 -07:00
Code Issues Actions 15 Packages Projects Releases Wiki Activity

Add timeouts for tests per coderabbit guideline

Browse Source
This commit is contained in:
Adam Outler
2026-01-28 03:41:08 +00:00
parent 6916cd7611
commit f202b506c3
1 changed files with 16 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
test/api_endpoints/test_nginx_proxy_security.py
View File

@@ -7,6 +7,11 @@ PORT = os.environ.get("PORT", "20211")
BACKEND_PORT = os.environ.get("BACKEND_PORT", "20212") BACKEND_PORT = os.environ.get("BACKEND_PORT", "20212")
BASE_URL = f"http://localhost:{PORT}/server/" BASE_URL = f"http://localhost:{PORT}/server/"
REQUEST_TIMEOUT = int(os.environ.get("REQUEST_TIMEOUT", 5))
def http_get(url, headers=None):
return requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
def test_nginx_proxy_security_modern_check(): def test_nginx_proxy_security_modern_check():
""" """
@@ -16,7 +21,7 @@ def test_nginx_proxy_security_modern_check():
"Sec-Fetch-Site": "same-origin" "Sec-Fetch-Site": "same-origin"
} }
try: try:
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
# 200 (OK), 401 (Auth), 404 (Not Found on backend), or 502 (Bad Gateway) means Nginx let it through. # 200 (OK), 401 (Auth), 404 (Not Found on backend), or 502 (Bad Gateway) means Nginx let it through.
# 403 means Nginx blocked it. # 403 means Nginx blocked it.
assert response.status_code in [200, 401, 404, 502], f"Expected access allowed, got {response.status_code}" assert response.status_code in [200, 401, 404, 502], f"Expected access allowed, got {response.status_code}"
@@ -34,7 +39,7 @@ def test_nginx_proxy_security_legacy_check():
"Referer": f"http://localhost:{PORT}/some/page" "Referer": f"http://localhost:{PORT}/some/page"
} }
try: try:
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code in [200, 401, 404, 502], f"Expected access allowed, got {response.status_code}" assert response.status_code in [200, 401, 404, 502], f"Expected access allowed, got {response.status_code}"
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
pytest.fail("Could not connect to Nginx. Is it running?") pytest.fail("Could not connect to Nginx. Is it running?")
@@ -47,7 +52,7 @@ def test_nginx_proxy_security_block_cross_site():
headers = { headers = {
"Sec-Fetch-Site": "cross-site" "Sec-Fetch-Site": "cross-site"
} }
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}" assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}"
@@ -56,7 +61,7 @@ def test_nginx_proxy_security_block_no_headers():
Test that access is BLOCKED when no security headers are present. Test that access is BLOCKED when no security headers are present.
""" """
headers = {} headers = {}
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}" assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}"
@@ -66,7 +71,7 @@ def test_nginx_proxy_security_block_same_site():
(Strict same-origin enforcement) (Strict same-origin enforcement)
""" """
headers = {"Sec-Fetch-Site": "same-site"} headers = {"Sec-Fetch-Site": "same-site"}
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403, f"Expected 403 for same-site, got {response.status_code}" assert response.status_code == 403, f"Expected 403 for same-site, got {response.status_code}"
@@ -75,7 +80,7 @@ def test_nginx_proxy_security_block_referer_suffix_spoof():
Test that access is BLOCKED when Referer merely ends with the valid host. Test that access is BLOCKED when Referer merely ends with the valid host.
""" """
headers = {"Referer": f"http://attacker.com/path?target=localhost:{PORT}"} headers = {"Referer": f"http://attacker.com/path?target=localhost:{PORT}"}
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403 assert response.status_code == 403
@@ -86,7 +91,7 @@ def test_nginx_proxy_security_block_bad_referer():
headers = { headers = {
"Referer": "http://evil.com/page" "Referer": "http://evil.com/page"
} }
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}" assert response.status_code == 403, f"Expected 403 Forbidden, got {response.status_code}"
@@ -97,7 +102,7 @@ def test_nginx_proxy_security_block_subdomain_referer():
headers = { headers = {
"Referer": f"http://subdomain.localhost:{PORT}/" "Referer": f"http://subdomain.localhost:{PORT}/"
} }
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code == 403, f"Expected 403 for subdomain referer, got {response.status_code}" assert response.status_code == 403, f"Expected 403 for subdomain referer, got {response.status_code}"
@@ -106,7 +111,7 @@ def test_nginx_proxy_security_legacy_protocol_agnostic():
Test that the legacy check allows both http and https referers. Test that the legacy check allows both http and https referers.
""" """
headers = {"Referer": f"https://localhost:{PORT}/path"} headers = {"Referer": f"https://localhost:{PORT}/path"}
response = requests.get(BASE_URL, headers=headers) response = http_get(BASE_URL, headers=headers)
assert response.status_code in [200, 401, 404, 502] assert response.status_code in [200, 401, 404, 502]
@@ -116,7 +121,7 @@ def test_nginx_proxy_security_block_server_docs():
""" """
url = f"http://localhost:{PORT}/server/docs" url = f"http://localhost:{PORT}/server/docs"
try: try:
response = requests.get(url) response = http_get(url)
# Backend may return 404 if it doesn't have the path; Nginx should never allow a 200 here. # Backend may return 404 if it doesn't have the path; Nginx should never allow a 200 here.
assert response.status_code == 403, f"Expected 403 for /server/docs, got {response.status_code}" assert response.status_code == 403, f"Expected 403 for /server/docs, got {response.status_code}"
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
@@ -130,7 +135,7 @@ def test_nginx_proxy_security_allow_port():
headers = {"Referer": f"https://localhost:{BACKEND_PORT}/path"} headers = {"Referer": f"https://localhost:{BACKEND_PORT}/path"}
url = f"http://localhost:{BACKEND_PORT}/docs" url = f"http://localhost:{BACKEND_PORT}/docs"
try: try:
response = requests.get(url, headers=headers) response = http_get(url, headers=headers)
assert response.status_code == 200, f"Expected 200 for /server/docs on allowed port, got {response.status_code}" assert response.status_code == 200, f"Expected 200 for /server/docs on allowed port, got {response.status_code}"
except requests.exceptions.ConnectionError: except requests.exceptions.ConnectionError:
pytest.fail("Could not connect to Nginx. Is it running?") pytest.fail("Could not connect to Nginx. Is it running?")