orion/tests/integration/security/test_input_validation.py

# tests/integration/security/test_input_validation.py
"""
Input validation tests for the API.

Tests SQL injection prevention, parameter validation, and JSON validation.
"""
import pytest


@pytest.mark.integration
@pytest.mark.security
class TestInputValidation:
    def test_sql_injection_prevention(self, client, admin_headers):
        """Test SQL injection prevention in search parameters"""
        # Try SQL injection in search parameter
        malicious_search = "'; DROP TABLE products; --"

        response = client.get(
            f"/api/v1/admin/products?search={malicious_search}",
            headers=admin_headers,
        )

        # Should not crash and should return normal response
        assert response.status_code == 200
        # Database should still be intact (no products dropped)

    def test_parameter_validation(self, client, admin_headers):
        """Test parameter validation for API endpoints"""
        # Test invalid pagination parameters
        response = client.get(
            "/api/v1/admin/products?limit=-1", headers=admin_headers
        )
        assert response.status_code == 422  # Validation error

        response = client.get(
            "/api/v1/admin/products?skip=-1", headers=admin_headers
        )
        assert response.status_code == 422  # Validation error

    def test_json_validation(self, client, admin_headers, test_company):
        """Test JSON validation for POST requests"""
        # Test invalid JSON structure
        response = client.post(
            "/api/v1/admin/vendors",
            headers=admin_headers,
            content="invalid json content",
        )
        assert response.status_code == 422  # JSON decode error

        # Test missing required fields
        response = client.post(
            "/api/v1/admin/vendors",
            headers=admin_headers,
            json={
                "name": "Test Vendor"
            },  # Missing required company_id, vendor_code
        )
        assert response.status_code == 422  # Validation error