Diffstat (limited to 'internal/safehttp/safehttp_test.go')
-rw-r--r--internal/safehttp/safehttp_test.go25
1 files changed, 23 insertions, 2 deletions
diff --git a/internal/safehttp/safehttp_test.go b/internal/safehttp/safehttp_test.go
index dc428e4..19f9f51 100644
--- a/internal/safehttp/safehttp_test.go
+++ b/internal/safehttp/safehttp_test.go
@@ -143,11 +143,13 @@ func TestNewSafeClientProperties(t *testing.T) {
t.Errorf("expected timeout 5s, got %v", client.Timeout)
}
- transport, ok := client.Transport.(*http.Transport)
+ h2Transport, ok := client.Transport.(*H2FallbackTransport)
if !ok {
- t.Fatal("expected *http.Transport")
+ t.Fatal("expected *H2FallbackTransport")
}
+ transport := h2Transport.Transport
+
// Proxy should be nil to prevent SSRF bypass
if transport.Proxy != nil {
t.Error("transport.Proxy should be nil to prevent SSRF bypass")
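Review bot: The SSRF assertions that follow `transport := h2Transport.Transport` now cover only the wrapped transport, so any second transport that H2FallbackTransport might use on its fallback path is not checked for `Proxy == nil`. The wrapper's definition is not visible here; if it holds or builds a separate HTTP/1.1 transport, the same properties should be asserted on it, and if it reuses this one a comment such as `// fallback reuses this transport, so the SSRF checks below cover both paths` would record that. If the `Transport` field is a pointer, a guard like `if transport == nil { t.Fatal("expected inner *http.Transport") }` before the Proxy check turns a nil-dereference panic into a readable failure. TestNewSafeClientProperties starts above this hunk and ends outside it.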
@@ -159,6 +161,25 @@ func TestNewSafeClientProperties(t *testing.T) {
}
}
+func TestIsHTTP2Error(t *testing.T) {
+ tests := []struct {
+ err error
+ expected bool
+ }{
+ {fmt.Errorf("http2: stream error"), true},
+ {fmt.Errorf("random error"), false},
+ {fmt.Errorf("PROTOCOL_ERROR"), true},
+ {fmt.Errorf("GOAWAY"), true},
+ {nil, false},
+ }
+
+ for _, tc := range tests {
+ if res := isHTTP2Error(tc.err); res != tc.expected {
+ t.Errorf("isHTTP2Error(%v) = %v, want %v", tc.err, res, tc.expected)
+ }
+ }
+}
+
func TestNewSafeClientRedirectToPrivateIP(t *testing.T) {
// Create a server that redirects to a private IP
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
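Review bot: The table in TestIsHTTP2Error pins only bare messages, and the `PROTOCOL_ERROR` and `GOAWAY` rows suggest isHTTP2Error classifies by message text rather than by error type. Client errors can carry request-derived text such as the URL, so a negative row where the marker appears only inside that text, e.g. `{fmt.Errorf("Get \"http://example.test/GOAWAY\": connection refused"), false}` (constructed message), would show whether an unrelated failure can trigger the fallback path. A wrapped case such as `{fmt.Errorf("fetch: %w", fmt.Errorf("http2: stream error")), true}` would pin what callers are likely to see, since transport errors usually arrive wrapped. Giving each row a name and running it under `t.Run` would also make a failing case easier to identify than the `%v` of the error alone.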