Files
InvoiceShelf/tests/Feature/Admin/FileDiskSsrfTest.php
Darko Gjorgjijoski ac2a8ca939 fix(security): gate AI tools by user ability and block admin-URL SSRF
The AI chat assistant scoped tool queries by company but ignored the
per-user Bouncer abilities the rest of the app enforces, so any `use ai`
holder could read customers, invoices, payments, and company financials
their role couldn't otherwise see. Each AiTool now declares a required
ability (entity-aligned); the registry hides unauthorized tools from the
model and refuses to execute them as a backstop.

Separately, admin/owner-supplied URLs were fetched server-side with no
guard against private/reserved targets (SSRF): the AI base URL, the
CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk
endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl
validation rule (save-time) and runtime guards in each driver.

- AiTool::requiredAbility() + mapping across all 12 tools
- AiToolRegistry filters schemas() by ability and re-checks in execute()
- PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new)
- Rule wired into AI config (service + 3 controllers), exchange-rate,
  and file-disk endpoints; runtime guards in OpenRouterDriver,
  CurrencyConverterDriver, and FileDiskService
- Tests for ability filtering, the guard, the rule, and 422 rejections
2026-06-05 00:01:09 +02:00

53 lines
1.6 KiB
PHP

<?php
use App\Models\User;
use Illuminate\Support\Facades\Artisan;
use Laravel\Sanctum\Sanctum;
use function Pest\Laravel\postJson;
/**
* S3 / DigitalOcean Spaces endpoints are admin-supplied and fetched server-side
* during credential validation, so a private/reserved endpoint must be rejected.
*/
beforeEach(function () {
Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
$user = User::find(1);
$this->withHeaders(['company' => $user->companies()->first()->id]);
Sanctum::actingAs($user, ['*']);
});
test('rejects a doSpaces disk whose endpoint targets a private host', function () {
postJson('/api/v1/disks', [
'name' => 'evil-spaces',
'driver' => 'doSpaces',
'credentials' => [
'key' => 'k',
'secret' => 's',
'region' => 'nyc3',
'bucket' => 'b',
'endpoint' => 'http://169.254.169.254',
'root' => '/',
],
'set_as_default' => false,
])->assertStatus(422)->assertJsonValidationErrors('credentials.endpoint');
});
test('rejects an s3 disk whose endpoint targets a private host', function () {
postJson('/api/v1/disks', [
'name' => 'evil-s3',
'driver' => 's3',
'credentials' => [
'key' => 'k',
'secret' => 's',
'region' => 'us-east-1',
'bucket' => 'b',
'endpoint' => 'http://10.1.2.3',
'root' => '/',
],
'set_as_default' => false,
])->assertStatus(422)->assertJsonValidationErrors('credentials.endpoint');
});