Ensure _acme-challenge can't be set on k-v.io subdomains

The integration tests confirm that a user can't set the TXT record of,
say, `_acme-challenge.random-subdomain.k-v.io`.
Brian Cunnie
2022-04-27 16:41:51 -07:00
parent 3e98b9215e
commit 03972dc565


@@ -165,6 +165,14 @@ var _ = Describe("sslip.io-dns-server", func() {
"@127.0.0.1 _acme-challenge.k-v.io txt +short", "@127.0.0.1 _acme-challenge.k-v.io txt +short",
`Please don't try to procure a k-v.io cert via DNS-01 challenge`, `Please don't try to procure a k-v.io cert via DNS-01 challenge`,
`TypeTXT _acme-challenge.k-v.io. \? \["Please don't try to procure a k-v.io cert via DNS-01 challenge"\]`), `TypeTXT _acme-challenge.k-v.io. \? \["Please don't try to procure a k-v.io cert via DNS-01 challenge"\]`),
Entry(`setting a TXT for _acme-challenge.subdomain-key.k-v.io doesn't expose DNS-01 vulnerability because all keys are on the main domain'"`,
"@127.0.0.1 put.baffled-boy._acme-challenge.subdomain-key.k-v.io txt +short",
`baffled-boy`,
`TypeTXT put.baffled-boy._acme-challenge.subdomain-key.k-v.io. \? \["baffled-boy._acme-challenge"\]`),
Entry(`get a TXT for _acme-challenge.a.b.c.subdomain-key.k-v.io ignores labels between "get" and the key`,
"@127.0.0.1 get._acme-challenge.a.b.c.subdomain-key.k-v.io txt +short",
`baffled-boy._acme-challenge`,
`TypeTXT get._acme-challenge.a.b.c.subdomain-key.k-v.io. \? \["baffled-boy._acme-challenge"\]`),
) )
}) })
Describe("for more complex assertions", func() { Describe("for more complex assertions", func() {
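Review bot: Neither new entry queries the name an ACME CA would actually ask for — `_acme-challenge.subdomain-key.k-v.io` TXT with no `put.`/`get.` prefix — so the hunk does not verify the commit's claim that the value stored by the `put.` entry cannot be served as a DNS-01 response for that subdomain; the existing entry above only covers the apex `_acme-challenge.k-v.io`. If the server treats an unrecognised leading label as a `get`, the stored `baffled-boy._acme-challenge` would presumably be returned, which is the exact case the title says is prevented, so add an entry such as `Entry("a bare _acme-challenge TXT on a k-v.io subdomain doesn't return a user-supplied value", "@127.0.0.1 _acme-challenge.subdomain-key.k-v.io txt +short", <expected empty or refusal output>, <expected log line>)` with the expectations taken from the server's actual behaviour. Separately, the `get` entry relies on state left by the preceding `put` entry, so this table is order-dependent and would break under randomised entry ordering; consider doing the `put` inside the same entry or in a `BeforeEach`. The first entry's description string also ends with a stray `'"`. The enclosing `DescribeTable`/`Describe` begins before the hunk.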