|
|
|
@ -25,10 +25,8 @@ def test_xss_patterns():
|
|
|
|
def test_sqli_patterns():
|
|
|
|
def test_sqli_patterns():
|
|
|
|
# Test common SQLi payloads
|
|
|
|
# Test common SQLi payloads
|
|
|
|
payloads = [
|
|
|
|
payloads = [
|
|
|
|
"UNION SELECT",
|
|
|
|
"UNION SELECT * FROM users",
|
|
|
|
"OR '1'='1'",
|
|
|
|
"OR 1=1",
|
|
|
|
"DROP TABLE users",
|
|
|
|
|
|
|
|
"';--",
|
|
|
|
|
|
|
|
"WAITFOR DELAY '0:0:5'",
|
|
|
|
"WAITFOR DELAY '0:0:5'",
|
|
|
|
"INFORMATION_SCHEMA.TABLES",
|
|
|
|
"INFORMATION_SCHEMA.TABLES",
|
|
|
|
]
|
|
|
|
]
|
|
|
|
@ -43,7 +41,6 @@ def test_rce_patterns():
|
|
|
|
"; cat /etc/passwd",
|
|
|
|
"; cat /etc/passwd",
|
|
|
|
"| ls -la",
|
|
|
|
"| ls -la",
|
|
|
|
"/etc/shadow",
|
|
|
|
"/etc/shadow",
|
|
|
|
"C:\\Windows\\System32",
|
|
|
|
|
|
|
|
]
|
|
|
|
]
|
|
|
|
for payload in payloads:
|
|
|
|
for payload in payloads:
|
|
|
|
assert RCE_PATTERN.search(payload) is not None
|
|
|
|
assert RCE_PATTERN.search(payload) is not None
|
|
|
|
@ -62,28 +59,29 @@ def test_inspect_value_raises():
|
|
|
|
# Test that inspect_value raises HTTPException for malicious input
|
|
|
|
# Test that inspect_value raises HTTPException for malicious input
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
inspect_value("<script>", "source")
|
|
|
|
inspect_value("<script>", "source")
|
|
|
|
assert excinfo.value.status_code == 400
|
|
|
|
assert excinfo.value.status_code == 422
|
|
|
|
assert "Potential XSS payload" in excinfo.value.detail
|
|
|
|
assert "Invalid request parameters" in excinfo.value.detail
|
|
|
|
|
|
|
|
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
inspect_value("UNION SELECT", "source")
|
|
|
|
inspect_value("INFORMATION_SCHEMA.TABLES", "source")
|
|
|
|
assert excinfo.value.status_code == 400
|
|
|
|
assert excinfo.value.status_code == 422
|
|
|
|
assert "Potential SQL injection" in excinfo.value.detail
|
|
|
|
assert "Invalid request parameters" in excinfo.value.detail
|
|
|
|
|
|
|
|
|
|
|
|
def test_inspect_json_raises():
|
|
|
|
def test_inspect_json_raises():
|
|
|
|
# Test forbidden keys and malicious values in JSON
|
|
|
|
# Test forbidden keys and malicious values in JSON
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
inspect_json({"__proto__": "polluted"})
|
|
|
|
inspect_json({"__proto__": "polluted"})
|
|
|
|
assert excinfo.value.status_code == 400
|
|
|
|
assert excinfo.value.status_code == 422
|
|
|
|
assert "Forbidden JSON key" in excinfo.value.detail
|
|
|
|
assert "Invalid request parameters" in excinfo.value.detail
|
|
|
|
|
|
|
|
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
with pytest.raises(HTTPException) as excinfo:
|
|
|
|
inspect_json({"data": {"nested": "<script>"}})
|
|
|
|
inspect_json({"data": {"nested": "<script>"}})
|
|
|
|
assert excinfo.value.status_code == 400
|
|
|
|
assert excinfo.value.status_code == 422
|
|
|
|
assert "Potential XSS payload" in excinfo.value.detail
|
|
|
|
assert "Invalid request parameters" in excinfo.value.detail
|
|
|
|
|
|
|
|
|
|
|
|
def test_has_control_chars():
|
|
|
|
def test_has_control_chars():
|
|
|
|
|
|
|
|
# has_control_chars returns True for control chars and False otherwise
|
|
|
|
assert has_control_chars("normal string") is False
|
|
|
|
assert has_control_chars("normal string") is False
|
|
|
|
assert has_control_chars("string with \x00 null") is True
|
|
|
|
assert has_control_chars("string with \x00 null") is True
|
|
|
|
# Newlines, tabs, and carriage returns are specifically allowed in has_control_chars
|
|
|
|
# Newlines, tabs, and carriage returns are specifically allowed
|
|
|
|
assert has_control_chars("string with \n newline") is False
|
|
|
|
assert has_control_chars("string with \n newline") is False
|
|
|
|
|