$url], ['url' => $rule]); expect($validator->passes())->toBeTrue("Expected valid: {$url}"); } }); it('rejects private IPv4 addresses', function (string $url) { $rule = new SafeExternalUrl; $validator = Validator::make(['url' => $url], ['url' => $rule]); expect($validator->fails())->toBeTrue("Expected rejection: {$url}"); })->with([ 'loopback' => 'http://127.0.0.1', 'loopback with port' => 'http://127.0.0.1:6379', '10.x range' => 'http://10.0.0.1', '172.16.x range' => 'http://172.16.0.1', '192.168.x range' => 'http://192.168.1.1', ]); it('rejects cloud metadata IP', function () { $rule = new SafeExternalUrl; $validator = Validator::make(['url' => 'http://169.254.169.254'], ['url' => $rule]); expect($validator->fails())->toBeTrue('Expected rejection: cloud metadata IP'); }); it('rejects localhost and internal hostnames', function (string $url) { $rule = new SafeExternalUrl; $validator = Validator::make(['url' => $url], ['url' => $rule]); expect($validator->fails())->toBeTrue("Expected rejection: {$url}"); })->with([ 'localhost' => 'http://localhost', 'localhost with port' => 'http://localhost:8080', 'zero address' => 'http://0.0.0.0', '.local domain' => 'http://myservice.local', '.internal domain' => 'http://myservice.internal', ]); it('rejects non-URL strings', function (string $value) { $rule = new SafeExternalUrl; $validator = Validator::make(['url' => $value], ['url' => $rule]); expect($validator->fails())->toBeTrue("Expected rejection: {$value}"); })->with([ 'plain string' => 'not-a-url', 'ftp scheme' => 'ftp://example.com', 'javascript scheme' => 'javascript:alert(1)', 'no scheme' => 'example.com', ]); it('rejects URLs with IPv6 loopback', function () { $rule = new SafeExternalUrl; $validator = Validator::make(['url' => 'http://[::1]'], ['url' => $rule]); expect($validator->fails())->toBeTrue('Expected rejection: IPv6 loopback'); });