openclawd/docfast
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

test: add HTTP rewrite and block-other-host SSRF branch tests for browser.ts
Some checks failed
Build & Deploy to Staging / Build & Deploy to Staging (push) Failing after 17m40s
Details

Browse source
This commit is contained in:
OpenClaw Subagent 2026-03-15 11:13:49 +01:00
parent bbc106f518
commit f7a999276b
1 changed files with 49 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

49
src/__tests__/browser-coverage.test.ts
View file

@ -149,6 +149,55 @@ describe("browser-coverage: HTTPS request interception", () => {
expect(httpsRequest.continue).toHaveBeenCalledWith();
expect(httpsRequest.abort).not.toHaveBeenCalled();
});
it("rewrites HTTP requests to target host with IP substitution", async () => {
await browserModule.initBrowser();
await browserModule.renderUrlPdf("http://example.com", {
hostResolverRules: "MAP example.com 93.184.216.34",
});
const usedPage = mockBrowsers
.flatMap((b: any) => b._pages.slice(0, 2))
.find((p: any) => p.on.mock.calls.length > 0);
const requestHandler = usedPage.on.mock.calls.find((c: any) => c[0] === "request")[1];
const httpRequest = {
url: () => "http://example.com/page",
headers: () => ({ accept: "text/html" }),
abort: vi.fn(),
continue: vi.fn(),
};
requestHandler(httpRequest);
expect(httpRequest.continue).toHaveBeenCalledWith(expect.objectContaining({
url: expect.stringContaining("93.184.216.34"),
headers: expect.objectContaining({ host: "example.com" }),
}));
expect(httpRequest.abort).not.toHaveBeenCalled();
});
it("blocks requests to non-target hosts (SSRF redirect prevention)", async () => {
await browserModule.initBrowser();
await browserModule.renderUrlPdf("http://example.com", {
hostResolverRules: "MAP example.com 93.184.216.34",
});
const usedPage = mockBrowsers
.flatMap((b: any) => b._pages.slice(0, 2))
.find((p: any) => p.on.mock.calls.length > 0);
const requestHandler = usedPage.on.mock.calls.find((c: any) => c[0] === "request")[1];
const evilRequest = {
url: () => "http://evil.com/steal",
headers: () => ({}),
abort: vi.fn(),
continue: vi.fn(),
};
requestHandler(evilRequest);
expect(evilRequest.abort).toHaveBeenCalledWith("blockedbyclient");
expect(evilRequest.continue).not.toHaveBeenCalled();
});
});
describe("browser-coverage: releasePage error paths", () => {