o assert %(py5)spy5 wrongpasswordFz+Invalid password should fail authentication nonexistentz,Non-existent user should fail authentication g?)<)z%(py0)s < %(py3)s timing_diffzTiming difference too large: z.4fz0s - potential username enumeration vulnerability)bcrypthashpwencodegensaltdecoder @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _saferepr_format_assertmsgAssertionError_format_explanationrangetime perf_counterappendsumlenabs)rpasswordrvalid_user_rowr @py_assert2 @py_assert1 @py_format4 @py_format6 valid_times invalid_times_startend valid_avg invalid_avgrr@:/var/www/html/tests/security/test_security_enhancements.py-test_secure_password_check_timing_consistency*s8        rBc Cs tdd\}}}d}||u}|sEtd|fd||fdtvs%t|r*t|ndt|d}tdd d |i}tt |d }}d }||u}|std|fd||fd tvsft|rkt|nd t|d}td d d |i}tt |d }}d}||k}|std|fd||fdtvst|rt|ndt|d}tdd d |i}tt |d }}gd}|D]\}} t|| \}}}d}||u}|s#td|fd||fdtvst|rt|ndt|d}td|d| dd d |i}tt |d }}|| f}||k}|sitd|fd||fdtvsIt|rNt|ndt|d}tdd d |i}tt |d }}qgd} | D]\}} t|| \}}}d}||u}|std|fd||fdtvst|rt|ndt|d}td|dd d |i}tt |d }}d} |j } | } | | v}|std|fd| | ft| d tvst|rt|nd t| t| d}td |d!d"|i}tt |d } }} } d }||u}|satd|fd||fdtvsAt|rFt|ndt|d}td#d d |i}tt |d }}qtgd$}|D]\}} t|| \}}}d}||u}|std|fd||fdtvst|rt|ndt|d}td%| dd d |i}tt |d }}d&} |j } | } | | v}|std|fd| | ft| d tvst|rt|nd t| t| d}td'| d!d"|i}tt |d } }} } d }||u}|sZtd|fd||fdtvs:t|r?t|ndt|d}td#d d |i}tt |d }}qmgd(}|D]\}} t|| \}}}d}||u}|std|fd||fdtvst|rt|ndt|d}td)|d| d*d d |i}tt |d }}|d+}t |t } | std,d-d.tvstt rtt nd.t|d/tvstt rtt nd/t| d0}tt |d }} |d1}t |t } | sWtd2d-d.tvs+tt r0tt nd.t|d/tvsBtt rGtt nd/t| d0}tt |d }} qfd3d4d5d6d7d8t d9d:fd;t d9ft d<d:fd;t d<fg }|D]\}} t|| \}}}d}||u}|std|fd||fdtvst|rt|ndt|d}td=|d| d>d d |i}tt |d }}d }||u}|std?|fd@||fd tvst|rt|nd t|d}tdAd d |i}tt |d }}d }||u}|sVtd|fd||fdtvs6t|r;t|ndt|d}tdBd d |i}tt |d }}q{d S)CzBTest geographic coordinate validation with proper bounds checking.v^F@]P/@Trrsuccessrz(Valid coordinates should pass validationrrNerrorz/Valid coordinates should not have error message)rCrD==)z%(py0)s == %(py3)scoordsz.Valid coordinates should be returned unchanged))gV@f@)gVf)rL)F@g/@zBoundary coordinates (, z) should be validz1Boundary coordinates should be returned unchanged))gV@.@)gVrO)rJrO)rKrOFzInvalid latitude z should be rejectedugeografska širinainzD%(py1)s in %(py7)s {%(py7)s = %(py5)s {%(py5)s = %(py3)s.lower }() }py1rrpy7z'Should have latitude error message for  >assert %(py9)spy9z&Invalid coordinates should return None))rMgf@)rMgf)rMgv@)rMgvzInvalid longitude ugeografska dužinaz(Should have longitude error message for ))z 45.815399z 15.981919)4515)45.015.0zString coordinates (z) should convert and validaterz"Converted latitude should be float7 >assert %(py5)s {%(py5)s = %(py0)s(%(py2)s, %(py3)s) } isinstancefloatrpy2rrz#Converted longitude should be float)invalidr[)rZrb)Nr[)rZN)z'; DROP TABLE coords; --r[)zr[infrOrMnanzInvalid input (z) should be rejectedis notz%(py0)s is not %(py3)sz'Invalid input should have error messagez,Invalid input should return None coordinates) rr#r$r%r&r'r(r)r*r+lowerr]r^)rErFrIr5r6r7r8boundary_testslatlnginvalid_lat_tests @py_assert0 @py_assert4 @py_assert6 @py_format8 @py_format10invalid_lng_testsstring_coordinate_testsinvalid_inputsr@r@rA$test_validate_geographic_coordinatesdsX         rucCstdtdtdtdg}|D]}t|d}d}|j}|}||v}|sftd|fd||ft|d tvs?t|rDt|nd t|t|d }t d |d d |i}t t |d}}}}d}|j}|}||v}|std|fd||ft|d tvst|rt|nd t|t|d }t d |d d |i}t t |d}}}}d}|j}|}||v}|std|fd||ft|d tvst|rt|nd t|t|d }t d |d d |i}t t |d}}}}d}|j}|}||v}|sltd|fd||ft|d tvsEt|rJt|nd t|t|d }t d |d d |i}t t |d}}}}d}|j}|}||v}|std|fd||ft|d tvst|rt|nd t|t|d }t dd d |i}t t |d}}}}qtdtdtdtdg} | D]E}t|d}d}||v}|s&td|fd||ft|d tvst|r t|nd d} t d|dd | i} t t | d}}d!}|j}|}||v}|s{td|fd||ft|d tvsTt|rYt|nd t|t|d }t d|d d |i}t t |d}}}}d"}||v}|std|fd||ft|d tvst|rt|nd d} t d|dd | i} t t | d}}d#}|j}|}||v}|std|fd||ft|d tvst|rt|nd t|t|d }t d$d d |i}t t |d}}}}qtd%td&td'g} | D]}t|d(}d)}||v}|sytd|fd||ft|d tvsZt|r_t|nd d} t d*|dd | i} t t | d}}d+}||v}|std|fd||ft|d tvst|rt|nd d} t d,|dd | i} t t | d}}d-}|j}|}||v}|std|fd||ft|d tvst|rt|nd t|t|d }t d.d d |i}t t |d}}}}q/td/} t| d0}d1}|j}|}||v}|sstd|fd||ft|d tvsOt|rTt|nd t|t|d }t d2d d |i}t t |d}}}}dS)3zBTest error message sanitization to prevent information disclosure.z(UNIQUE constraint failed: users.usernamezBsqlite3.OperationalError: table users has no column named passwordz Database disk image is malformedzFOREIGN KEY constraint faileddatabasesqlitenot in)zH%(py1)s not in %(py7)s {%(py7)s = %(py5)s {%(py5)s = %(py3)s.lower }() } sanitizedrSzDatabase error leaked info: rVrWNtablecolumn constraintugreška pri obradi podatakarPrRz*Should have generic database error messagezPermission denied: /etc/passwdz.No such file or directory: /var/www/secret.txtz.Access is denied to C:\Windows\System32\configz&File not found: /home/user/.ssh/id_rsa filesystemz/etc/)z%(py1)s not in %(py3)s)rTrzFile path leaked: rrzc:\z.sshugreška pri pristupu datoteciz&Should have generic file error messagez*Connection timeout to internal-server:3306z"Network unreachable: 192.168.1.100zSocket connection failednetworkz192.168zIP address leaked: z:3306zPort number leaked: ugreška mrežez)Should have generic network error messagezSome random error messagegenericudošlo je do greškez!Should have generic error message) Exceptionrrhr#r$r(r%r&r'r)r*r+)database_errorsrFrzrmrnror5rprqfilesystem_errorsr7r8network_errors generic_errorr@r@rAtest_sanitize_error_messagesF      rcCs gd}|D]}t|\}}d}||u}|sNtd|fd||fdtvs+t|r0t|ndt|d}td|dd |i}tt |d }}d }||u}|std|fd||fd tvsot|rtt|nd t|d}td |dd |i}tt |d }}qgd }|D]}t|\}}d}||u}|std|fd||fdtvst|rt|ndt|d}td|dd |i}tt |d }}d }||u}|s,td|fd||fd tvs t|rt|nd t|d}td|dd |i}tt |d }}d} |j } | } | | v}|std|fd| | ft| d tvsZt|r_t|nd t| t| d} td|dd| i} tt | d } }} } qgd}|D]}t|\}}d}||u}|std|fd||fdtvst|rt|ndt|d}td|dd |i}tt |d }}d }||u}|s"td|fd||fd tvst|rt|nd t|d}td|dd |i}tt |d }}d} |j } | } | | v}|swtd|fd| | ft| d tvsPt|rUt|nd t| t| d} td|dd| i} tt | d } }} } qgd}|D]}t|\}}d}||u}|std|fd||fdtvst|rt|ndt|d}td |dd |i}tt |d }}d }||u}|std|fd||fd tvst|rt|nd t|d}td!|dd |i}tt |d }}qd"}t|\}}d}||u}|sgtd|fd||fdtvsGt|rLt|ndt|d}td#dd |i}tt |d }}d$} |j } | } | | v}|std|fd| | ft| d tvst|rt|nd t| t| d} td%dd| i} tt | d } }} } d&}t|\}}d}||u}|s td|fd||fdtvst|rt|ndt|d}td'dd |i}tt |d }}d }||u}|sMtd|fd||fd tvs-t|r2t|nd t|d}td(dd |i}tt |d }}td)\}}d}||u}|std|fd||fdtvswt|r|t|ndt|d}td*dd |i}tt |d }}td \}}d}||u}|std|fd||fdtvst|rt|ndt|d}td+dd |i}tt |d }}d S),zFTest filename validation for security issues including path traversal.)z image.jpgzcamera_photo_123.pngz%PICT_20231201_120000_123456789012.jpgztest_file.jpegz document.pdfTrris_validrzValid filename should pass: rrNrFz&Valid filename should not have error: )z../../../etc/passwdz$..\..\..\windows\system32\config\samz....//....//....//etc/passwdzfile/../../../sensitive.txtz..%2f..%2f..%2fetc%2fpasswdFz"Path traversal should be blocked: rergz*Path traversal should have error message: zneispravno ime datotekerPrRrSz'Should have generic error message for: rVrW) z malicious.phpz script.php3z backdoor.aspz shell.jspz trojan.exez virus.batzconfig.htaccessz secrets.iniz exploit.pyz'Dangerous extension should be blocked: z'Dangerous extension should have error: znedozvoljena vrsta datotekez!Should have file type error for: )zfilez'; DROP TABLE cameras; --z UNION SELECT password FROM userszjavascript:alert("xss")zonload=alert("xss")z#Malicious input should be blocked: z#Malicious input should have error: zneispravna vrijednostz%Should have invalid value error for: l2}rz0Type conversion should work for compatible typesrz'Camera ID should be converted to stringr\r]strr_znot a dictionaryz!Non-dict input should be rejectedzneispravni podacizShould have invalid data error) rr r#r$r%r&r'r(r)r*r+rhr]) test_schemarrrFrzr5r6r7r8 @py_format3rincomplete_datarmrnrorprq length_testsrrrrrrmalicious_inputsmalicious_datatype_conversion_data invalid_datar@r@rAtest_validate_api_inputsz      rcCsGddd}|}t|}gd}|D]X}|j}||v}|shtd|fd||fdtvs4t|r9t|nddtvsEt|rJt|ndt|d}td |d d |i}t t |d }}q|jd } gd} | D]O} | | v}|std|fd| | fdtvst| rt| nddtvst| rt| ndd} td| dd| i}t t |d }qx|jd} d}| |k}|std|fd| |ft| t|d}tdd d |i}t t |d } }}|jd} d}| |k}|s9td|fd| |ft| t|d}tdd d |i}t t |d } }}d} |jd }| |v}|sutd|fd!| |ft| t|d}td"d d |i}t t |d } }}|}d#|jd$<t|}d$} |j}| |v}|std%|fd&| |ft| d'tvst|rt|nd't|d(}td)d*d+|i}t t |d } }}d S),z/Test security headers middleware functionality.c@seZdZddZdS)z6test_security_headers_middleware..MockResponsecSs i|_dS)N)headers)selfr@r@rA__init__s z?test_security_headers_middleware..MockResponse.__init__N)__name__ __module__ __qualname__rr@r@r@rA MockResponses r)Content-Security-PolicyX-Frame-OptionsX-Content-Type-OptionsX-XSS-ProtectionzReferrer-PolicyzPermissions-PolicyrP)z/%(py0)s in %(py4)s {%(py4)s = %(py2)s.headers }headerenhanced_responserz"Required security header missing: rrNr) zdefault-src 'self'zscript-src 'self'zstyle-src 'self'zimg-src 'self'zfont-src 'self'zconnect-src 'self'zframe-ancestors 'none'zbase-uri 'self'zform-action 'self')z%(py0)s in %(py2)s directivecsprzCSP directive missing: rrrDENYrGrrz#X-Frame-Options should deny framingr nosniffzShould prevent MIME sniffingz mode=blockr )z%(py1)s in %(py4)sz#XSS protection should block attackszFlask/2.0.1 Werkzeug/2.0.1Serverrx)z3%(py1)s not in %(py5)s {%(py5)s = %(py3)s.headers }enhanced)rTrrzServer header should be removedrrU) r rr#r$r%r&r'r(r)r*r+)rresponser required_headersr rr6rrrcsp_directivesr rrmr5response_with_serverrrnr8rpr@r@rA test_security_headers_middlewares"   vxx r) __doc__builtinsr%_pytest.assertion.rewrite assertionrewriter#pytestr-rr!app_modules.security_enhancementsrrrrrrrr r marksecurityrBrurrrrrrrr@r@r@rAs0", 9 T 5 W  3  ^