Constrain Lunchflow base URL to trusted endpoint (#1768)

* Constrain Lunchflow base URL to trusted endpoint Prevent SSRF by ignoring user-provided Lunchflow base_url values unless they match the canonical Lunchflow HTTPS endpoint. Add model tests covering invalid host/scheme and valid canonicalization behavior. * Linter
2026-05-29 23:39:03 +00:00 · 2026-05-12 12:18:17 +02:00
parent 5ceb55be03
commit 73b6077ac3
2 changed files with 45 additions and 1 deletions
--- a/test/models/lunchflow_item_test.rb
+++ b/test/models/lunchflow_item_test.rb
@@ -0,0 +1,31 @@
+require "test_helper"
+
+class LunchflowItemTest < ActiveSupport::TestCase
+  def setup
+    @lunchflow_item = lunchflow_items(:one)
+  end
+
+  test "effective_base_url returns default when base_url blank" do
+    @lunchflow_item.base_url = nil
+
+    assert_equal LunchflowItem::DEFAULT_BASE_URL, @lunchflow_item.effective_base_url
+  end
+
+  test "effective_base_url returns default for non-lunchflow host" do
+    @lunchflow_item.base_url = "https://169.254.169.254/latest/meta-data"
+
+    assert_equal LunchflowItem::DEFAULT_BASE_URL, @lunchflow_item.effective_base_url
+  end
+
+  test "effective_base_url returns default for non-https scheme" do
+    @lunchflow_item.base_url = "http://lunchflow.app/api/v1"
+
+    assert_equal LunchflowItem::DEFAULT_BASE_URL, @lunchflow_item.effective_base_url
+  end
+
+  test "effective_base_url returns canonical default for valid lunchflow url" do
+    @lunchflow_item.base_url = "https://lunchflow.app/api/v1/"
+
+    assert_equal LunchflowItem::DEFAULT_BASE_URL, @lunchflow_item.effective_base_url
+  end
+end