1 files changed, 49 insertions, 0 deletions

diff --git a/src/lib/Utility/pushEndpoint.test.ts b/src/lib/Utility/pushEndpoint.test.ts
new file mode 100644
index 00000000..5a2e90c8
--- /dev/null
+++ b/src/lib/Utility/pushEndpoint.test.ts
@@ -0,0 +1,49 @@
+import { describe, expect, it } from "vitest";
+import { isAllowedPushEndpoint } from "./pushEndpoint";
+
+describe("isAllowedPushEndpoint", () => {
+	// Behaviour gate: real subscriptions minted by the browser must keep working.
+	it("allows genuine vendor push endpoints", () => {
+		expect(
+			isAllowedPushEndpoint("https://fcm.googleapis.com/fcm/send/abc123"),
+		).toBe(true);
+		expect(
+			isAllowedPushEndpoint(
+				"https://updates.push.services.mozilla.com/wpush/v2/abc",
+			),
+		).toBe(true);
+		expect(isAllowedPushEndpoint("https://web.push.apple.com/QABC/def")).toBe(
+			true,
+		);
+		expect(
+			isAllowedPushEndpoint("https://db5p.notify.windows.com/w/?token=abc"),
+		).toBe(true);
+	});
+
+	// The fix: arbitrary / internal / non-https endpoints must not be reachable.
+	it("blocks SSRF and non-vendor endpoints", () => {
+		expect(isAllowedPushEndpoint("http://fcm.googleapis.com/fcm/send/x")).toBe(
+			false,
+		); // not https
+		expect(isAllowedPushEndpoint("https://evil.example.com/collect")).toBe(
+			false,
+		);
+		expect(
+			isAllowedPushEndpoint("http://169.254.169.254/latest/meta-data"),
+		).toBe(false); // cloud metadata
+		expect(isAllowedPushEndpoint("http://localhost:8080/internal")).toBe(false);
+		expect(isAllowedPushEndpoint("https://127.0.0.1/internal")).toBe(false);
+		expect(isAllowedPushEndpoint("http://10.0.0.5/admin")).toBe(false);
+	});
+
+	it("rejects look-alike hostnames", () => {
+		expect(isAllowedPushEndpoint("https://fcm.googleapis.com.evil.com/x")).toBe(
+			false,
+		);
+		expect(isAllowedPushEndpoint("https://notfcm.googleapis.com/x")).toBe(
+			false,
+		);
+		expect(isAllowedPushEndpoint("not a url")).toBe(false);
+		expect(isAllowedPushEndpoint("")).toBe(false);
+	});
+});