Skip to content

Add unit tests for SsrfGuard #45

Description

@JVBotelho

Summary

SsrfGuard has no dedicated unit test file — only indirect coverage via integration tests.
Add Rasp.Core.Tests/Guard/SsrfGuardTests.cs covering both of its public entry points'
block/audit/no-threat/no-op branches in isolation.

Background

Every *DetectionEngine has a dedicated test file; most Guard classes don't. This is one
of five identical-shaped issues — see docs/good-first-issues-dotnet.md for the full list
and the shared rationale (this is about naming concrete gaps, not chasing a coverage
percentage). SsrfGuard has two public methods to cover, unlike the other four guards in
this set, which have one.

Pattern to copy

Rasp.Core.Tests/Guard/SqlSinkGuardTaintTests.csNoOpRaspMetrics fake, a real
RaspAlertBus, Options.Create(new RaspOptions {...}), NullLogger<T>.Instance.

What to test

Both AnalyzeUri(Uri? requestUri, context) and AnalyzeIp(IPAddress ip, context)
(src/Rasp.Core/Guard/SsrfGuard.cs), both gated by RaspOptions.BlockOnSsrfDetection:

  • Threat detected + audit mode (each method): alert pushed via RaspAlertBus, no exception thrown.
  • Threat detected + block mode (each method): RaspSecurityException thrown, alert still pushed before the throw.
  • No threat (each method): no alert, no exception.
  • No-op cases: null URI for AnalyzeUri, null IP for AnalyzeIp — neither reaches the engine or calls _metrics.RecordInspection.

Metadata

Metadata

Assignees

No one assigned

    Labels

    .NETPull requests that update .NET codegood first issueGood for newcomershelp wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions