66 lines
2.4 KiB
Python
66 lines
2.4 KiB
Python
# tests/integration/security/test_input_validation.py
|
|
import pytest
|
|
|
|
|
|
@pytest.mark.integration
|
|
@pytest.mark.security
|
|
class TestInputValidation:
|
|
def test_sql_injection_prevention(self, client, auth_headers):
|
|
"""Test SQL injection prevention in search parameters"""
|
|
# Try SQL injection in search parameter
|
|
malicious_search = "'; DROP TABLE products; --"
|
|
|
|
response = client.get(
|
|
f"/api/v1/product?search={malicious_search}", headers=auth_headers
|
|
)
|
|
|
|
# Should not crash and should return normal response
|
|
assert response.status_code == 200
|
|
# Database should still be intact (no products dropped)
|
|
|
|
# def test_input_validation(self, client, auth_headers):
|
|
# # TODO: implement sanitization
|
|
# """Test input validation and sanitization"""
|
|
# # Test XSS attempt in product creation
|
|
# xss_payload = "<script>alert('xss')</script>"
|
|
#
|
|
# product_data = {
|
|
# "product_id": "XSS_TEST",
|
|
# "title": xss_payload,
|
|
# "description": xss_payload,
|
|
# }
|
|
#
|
|
# response = client.post("/api/v1/product", headers=auth_headers, json=product_data)
|
|
#
|
|
# assert response.status_code == 200
|
|
# data = response.json()
|
|
# assert "<script>" not in data["title"]
|
|
# assert "<script>" in data["title"]
|
|
|
|
def test_parameter_validation(self, client, auth_headers):
|
|
"""Test parameter validation for API endpoints"""
|
|
# Test invalid pagination parameters
|
|
response = client.get("/api/v1/product?limit=-1", headers=auth_headers)
|
|
assert response.status_code == 422 # Validation error
|
|
|
|
response = client.get("/api/v1/product?skip=-1", headers=auth_headers)
|
|
assert response.status_code == 422 # Validation error
|
|
|
|
def test_json_validation(self, client, auth_headers):
|
|
"""Test JSON validation for POST requests"""
|
|
# Test invalid JSON structure
|
|
response = client.post(
|
|
"/api/v1/product",
|
|
headers=auth_headers,
|
|
content="invalid json content"
|
|
)
|
|
assert response.status_code == 422 # JSON decode error
|
|
|
|
# Test missing required fields
|
|
response = client.post(
|
|
"/api/v1/product",
|
|
headers=auth_headers,
|
|
json={"title": "Test Product"} # Missing required product_id
|
|
)
|
|
assert response.status_code == 422 # Validation error
|