mirror of https://github.com/TryGhost/Ghost.git synced 2025-03-11 02:12:21 -05:00
ghost/test/api-acceptance
Kevin Ansfield 6875796417 Blocked 0.* IP addresses when making oembed requests
no issue

It was possible for authenticated/trusted admin users to make GET requests to localhost via the oembed service by crafting a redirect that used 0.0.0.0.

- added the 0.* default route/routing block to the private IP regex used to block requests when we're contacting external sites
- added an additional IP or localhost check in the oembed service when fetching bookmark card data
2021-09-14 11:35:14 +01:00
..
admin Blocked 0.* IP addresses when making oembed requests 2021-09-14 11:35:14 +01:00
content Renamed tests to .test.js & updated commands 2021-07-06 20:45:01 +01:00
README.md Updated acceptance&regression test suite readmes 2021-01-22 16:42:02 +13:00

Acceptance Tests

This folder should only contain a set of basic API use cases.

The goal for acceptance tests is to keep test cases to basic use cases, e.g. upload an image, schedule a post, download a theme. Otherwise, tests should be written as part of the regression test suite.

Future improvement notes:

  • We probably need to differentiate the acceptance tests for session and api_key authentication.