SSRF Guard for Laravel
Testing
Testing
Real DNS is non-deterministic and slow, and you want to prove the guard blocks
addresses you can't actually route to in CI. Bind the shipped FakeResolver to
make resolution a fixture.
use Cbox\Ssrf\Contracts\Resolver;
use Cbox\Ssrf\Testing\FakeResolver;
beforeEach(function () {
$this->app->instance(Resolver::class, new FakeResolver([
'good.test' => ['93.184.216.34'],
'evil.test' => ['169.254.169.254'],
]));
});
it('blocks a webhook that resolves to cloud metadata', function () {
expect(fn () => app(UrlGuard::class)->assertSafe('https://evil.test'))
->toThrow(Cbox\Ssrf\Exceptions\BlockedUrl::class);
});
Testing your webhook delivery without real hosts
Combine FakeResolver with Laravel's Http::fake():
Http::fake(['good.test/*' => Http::response(['ok' => true])]);
$response = Http::ssrf('https://good.test/hook')->post('https://good.test/hook');
expect($response->json('ok'))->toBeTrue();
What the package's own suite covers
The package is proven against real SSRF vectors, not mocks that return success:
private/loopback/link-local/CGNAT addresses, cloud-metadata IPs, IPv6 transition
forms (6to4, NAT64, IPv4-mapped), integer/hex IP literals, embedded credentials,
disallowed schemes, and blocked host suffixes. See tests/Feature/.