mirror of
https://github.com/InvoiceShelf/InvoiceShelf.git
synced 2026-07-16 22:05:20 +00:00
The AI chat assistant scoped tool queries by company but ignored the per-user Bouncer abilities the rest of the app enforces, so any `use ai` holder could read customers, invoices, payments, and company financials their role couldn't otherwise see. Each AiTool now declares a required ability (entity-aligned); the registry hides unauthorized tools from the model and refuses to execute them as a backstop. Separately, admin/owner-supplied URLs were fetched server-side with no guard against private/reserved targets (SSRF): the AI base URL, the CurrencyConverter "DEDICATED" exchange-rate URL, and S3/Spaces file-disk endpoints. A shared PrivateNetworkGuard now backs a PublicHttpUrl validation rule (save-time) and runtime guards in each driver. - AiTool::requiredAbility() + mapping across all 12 tools - AiToolRegistry filters schemas() by ability and re-checks in execute() - PrivateNetworkGuard / BlockedUrlException / PublicHttpUrl rule (new) - Rule wired into AI config (service + 3 controllers), exchange-rate, and file-disk endpoints; runtime guards in OpenRouterDriver, CurrencyConverterDriver, and FileDiskService - Tests for ability filtering, the guard, the rule, and 422 rejections
64 lines
2.2 KiB
PHP
64 lines
2.2 KiB
PHP
<?php
|
|
|
|
use App\Models\User;
|
|
use Illuminate\Support\Facades\Artisan;
|
|
use Laravel\Sanctum\Sanctum;
|
|
|
|
use function Pest\Laravel\postJson;
|
|
|
|
/**
|
|
* The admin/owner-supplied AI base URL must not be allowed to point the server
|
|
* (with the bearer token attached) at a private or reserved address (SSRF).
|
|
*/
|
|
beforeEach(function () {
|
|
Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
|
|
Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
|
|
|
|
$this->user = User::find(1);
|
|
$this->companyId = $this->user->companies()->first()->id;
|
|
$this->withHeaders(['company' => $this->companyId]);
|
|
Sanctum::actingAs($this->user, ['*']);
|
|
});
|
|
|
|
test('admin AI config rejects a private base URL', function () {
|
|
postJson('/api/v1/ai/config', [
|
|
'ai_enabled' => 'YES',
|
|
'ai_driver' => 'openrouter',
|
|
'ai_api_key' => 'sk-test',
|
|
'ai_base_url' => 'http://169.254.169.254/v1',
|
|
'ai_chat_enabled' => 'YES',
|
|
'ai_chat_model' => 'openai/gpt-4o',
|
|
])->assertStatus(422)->assertJsonValidationErrors('ai_base_url');
|
|
});
|
|
|
|
test('admin AI config still accepts a public base URL', function () {
|
|
postJson('/api/v1/ai/config', [
|
|
'ai_enabled' => 'YES',
|
|
'ai_driver' => 'openrouter',
|
|
'ai_api_key' => 'sk-test',
|
|
'ai_base_url' => 'https://openrouter.ai/api/v1',
|
|
'ai_chat_enabled' => 'YES',
|
|
'ai_chat_model' => 'openai/gpt-4o',
|
|
])->assertOk();
|
|
});
|
|
|
|
test('admin AI test-connection rejects a private base URL', function () {
|
|
postJson('/api/v1/ai/test', [
|
|
'ai_driver' => 'openrouter',
|
|
'ai_api_key' => 'sk-test',
|
|
'ai_base_url' => 'http://127.0.0.1:11434',
|
|
])->assertStatus(422)->assertJsonValidationErrors('ai_base_url');
|
|
});
|
|
|
|
test('company AI config rejects a private base URL', function () {
|
|
postJson('/api/v1/company/ai/config', [
|
|
'use_custom_ai_config' => 'YES',
|
|
'ai_enabled' => 'YES',
|
|
'ai_driver' => 'openrouter',
|
|
'ai_api_key' => 'company-key',
|
|
'ai_base_url' => 'http://10.0.0.5',
|
|
'ai_chat_enabled' => 'YES',
|
|
'ai_chat_model' => 'openai/gpt-4o',
|
|
])->assertStatus(422)->assertJsonValidationErrors('ai_base_url');
|
|
});
|