fix tests. new product advisories enhancements

This commit is contained in:
master
2026-01-25 19:11:36 +02:00
parent c70e83719e
commit 6e687b523a
504 changed files with 40610 additions and 3785 deletions


@@ -182,8 +182,8 @@ public partial class InjectionTests : SecurityTestBase
file class InputSanitizer
{
private static readonly char[] DangerousSqlChars = ['\'', ';', '-', '/', '*'];
private static readonly char[] DangerousCommandChars = [';', '|', '&', '`', '$', '(', ')', '\n', '\r'];
private static readonly string[] DangerousNoSqlPatterns = ["$gt", "$lt", "$ne", "$where", "$regex"];
private static readonly char[] DangerousCommandChars = [';', '|', '&', '`', '$', '(', ')', '\n', '\r', '#', '%'];
private static readonly string[] DangerousNoSqlPatterns = ["$gt", "$lt", "$ne", "$where", "$regex", "; return", "'; return"];
private static readonly char[] DangerousFilenameChars = ['/', '\\', ';', '|', '&', '`', '$', '(', ')', '<', '>'];
public bool IsSafeForSql(string input)
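Review bot: `DangerousNoSqlPatterns` now mixes MongoDB operator names with the JavaScript fragments `"; return"` and `"'; return"`, and if the check that consumes it (outside the hunk) is a plain substring match, the same fragment written with different spacing or casing would not be caught, so the sanitizer under test is brittle in a way that hides rather than exposes weak handling. Collapsing runs of whitespace and comparing with `StringComparison.OrdinalIgnoreCase` before matching, or splitting the JavaScript fragments into their own named array, would make the intent clearer and the check less fragile. The new `'#'` and `'%'` entries in `DangerousCommandChars` deserve a short comment such as `// '#' starts a shell comment, '%' delimits Windows variable expansion — confirm this is the intent`, since the reason is not recoverable from the list itself. The enclosing `file class InputSanitizer` continues past the hunk, and one blank line of the hunk appears to have been dropped by rendering.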


@@ -192,11 +192,18 @@ file class UrlValidator
private readonly bool _allowlistMode;
private readonly HashSet<string> _allowlist = new(StringComparer.OrdinalIgnoreCase);
private static readonly string[] BlockedHosts =
private static readonly string[] BlockedHosts =
[
"localhost", "127.0.0.1", "::1", "0.0.0.0", "[::1]",
"169.254.169.254", "metadata.google.internal"
];
// Domains that look like they could redirect to internal IPs (DNS rebinding)
private static readonly string[] SuspiciousDomains =
[
"nip.io", "xip.io", "sslip.io", "localtest.me",
"burpcollaborator.net", "oastify.com", "interact.sh"
];
private static readonly string[] BlockedSchemes =
[
@@ -252,6 +259,12 @@ file class UrlValidator
return false;
}
// Block suspicious DNS rebinding domains
if (SuspiciousDomains.Any(d => uri.Host.EndsWith(d, StringComparison.OrdinalIgnoreCase)))
{
return false;
}
// In allowlist mode, only allow explicitly listed hosts
if (_allowlistMode)
{
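Review bot: The new `SuspiciousDomains` check uses a bare suffix match, `uri.Host.EndsWith(d, StringComparison.OrdinalIgnoreCase)`, so any host whose name merely ends with the same characters as a listed domain (for example a registrable name ending in `...nip.io` that is not a subdomain of `nip.io`) is rejected as well; the test helper therefore over-blocks and can mask a validator that is wrong for a different reason. Matching on an exact host or a dot-separated parent is the usual fix: `if (SuspiciousDomains.Any(d => uri.Host.Equals(d, StringComparison.OrdinalIgnoreCase) || uri.Host.EndsWith("." + d, StringComparison.OrdinalIgnoreCase)))`. A one-line comment that this list is a known-incomplete denylist for the tests, and that the production control should resolve the host and reject private or link-local address ranges, would keep readers from treating it as the actual SSRF defence. The method containing this check begins before the hunk, and the first hunk of this section only adds the list itself.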