import pytest
from fastapi import HTTPException
from src.middleware import (
inspect_value,
inspect_json,
has_control_chars,
XSS_PATTERN,
SQLI_PATTERN
)
def test_xss_patterns():
    """XSS_PATTERN must match each common XSS marker used in be-optimumoh.

    Every sample is a fragment an attacker would embed in a field value
    (tag openers, a javascript: URL scheme, inline event handlers); the
    pattern is expected to hit on the bare fragment, not only on a full
    payload.
    """
    xss_markers = (
        "<script>",
        "javascript:",
        "onerror=",
        "onload=",
        "<svg",
        "<img",
    )
    for marker in xss_markers:
        # A match object is always truthy, so this is the same check as
        # `is not None`; the message names the miss on failure.
        assert XSS_PATTERN.search(marker), f"XSS_PATTERN missed {marker!r}"


def test_sqli_patterns():
    """SQLI_PATTERN must match each common SQL-injection marker used in be-optimumoh.

    NOTE(review): several samples are bare keywords ("SELECT", "DELETE",
    "DROP") and the comment delimiter "--", which also appear in benign
    text; this test pins a deliberately aggressive policy, so a false
    positive on ordinary input is expected behaviour of the pattern, not a
    test bug.
    """
    sqli_markers = (
        "UNION",
        "SELECT",
        "INSERT",
        "DELETE",
        "DROP",
        "--",
        "OR 1=1",
    )
    for marker in sqli_markers:
        # Match objects are always truthy, so truthiness == `is not None`.
        assert SQLI_PATTERN.search(marker), f"SQLI_PATTERN missed {marker!r}"


def test_inspect_value_raises():
    """inspect_value must reject XSS- and SQLi-looking strings with HTTP 400.

    Each case pairs a rejected input with the substring expected in the
    HTTPException detail; the second positional argument ("source") is
    passed through unchanged from the original test.
    """
    rejected_cases = (
        ("<script>", "Potential XSS payload"),
        ("UNION SELECT", "Potential SQL injection"),
    )
    for payload, expected_detail in rejected_cases:
        with pytest.raises(HTTPException) as excinfo:
            inspect_value(payload, "source")
        error = excinfo.value
        assert error.status_code == 400
        assert expected_detail in error.detail


def test_inspect_json_raises():
    """inspect_json must reject a body carrying a forbidden key.

    "__proto__" is the classic prototype-pollution key; the middleware is
    expected to answer with HTTP 400 and a "Forbidden JSON key" detail.
    """
    polluted_body = {"__proto__": "polluted"}
    with pytest.raises(HTTPException) as excinfo:
        inspect_json(polluted_body)
    error = excinfo.value
    assert error.status_code == 400
    assert "Forbidden JSON key" in error.detail


def test_has_control_chars():
    """has_control_chars flags a NUL byte but tolerates plain text and newlines.

    The result is compared with `is`, so the function is expected to return
    a real bool rather than a merely truthy/falsy value.
    """
    samples = (
        ("normal string", False),
        ("string with \x00 null", True),
        # Newline is deliberately treated as allowed, not as a control char.
        ("string with \n newline", False),
    )
    for text, expected in samples:
        assert has_control_chars(text) is expected, repr(text)