&ۤh:cfdZddlZddlmcmZddlZddlZddl Z ddl Z ddl m Z m Z mZmZmZmZmZmZmZej*j,dZej*j,dZej*j,dZej*j,dZej*j,dZej*j,d Zej*j,d Zej*j,d Zej*j,d Zy) a test_security_enhancements.py Purpose: Unit tests for the security enhancement functions that implement protection against sophisticated attack vectors. These tests validate that security functions work correctly under normal conditions and properly block malicious inputs while maintaining usability for legitimate users. Test Coverage: - Timing attack protection validation - Geographic coordinate validation with bounds checking - Error message sanitization to prevent information disclosure - Filename security validation including path traversal prevention - Cryptographic token generation and verification - API input validation with security pattern detection - Security headers middleware functionality Security Testing Philosophy: Each test validates both positive cases (legitimate inputs work correctly) and negative cases (malicious inputs are properly blocked). Tests ensure security measures are transparent to legitimate users while effectively blocking attacks. N) secure_password_checkvalidate_geographic_coordinatessanitize_error_messagevalidate_filename_securitygenerate_secure_tokenverify_hmac_token#rate_limit_with_exponential_backoffvalidate_api_inputsecurity_headers_middlewarecddl}d}|j|jd|jj d}d|d}t d||}d}||u}|st jd|fd ||fd tjvst j|rt j|nd t j|d z}t jd d zd|iz}tt j|dx}}t dd|}d}||u}|st jd|fd ||fd tjvst j|rt j|nd t j|d z}t jdd zd|iz}tt j|dx}}t d|d}d}||u}|st jd|fd ||fd tjvst j|rt j|nd t j|d z}t jdd zd|iz}tt j|dx}}g} g} tdD]K} t!j"} t dd|t!j"} | j%| | z MtdD]K} t!j"} t dddt!j"} | j%| | z Mt'| t)| z }t'| t)| z }t+||z }d}||k}|st jd|fd||fdtjvst j|rt j|ndt j|d z}t jd|ddd zd|iz}tt j|dx}}y)z Test that password checking maintains consistent timing regardless of username validity. This prevents timing-based username enumeration attacks by ensuring bcrypt operations run in both valid and invalid username scenarios. rNtestpassword123utf-8testuser)username password_hashTisz%(py0)s is %(py3)sresultpy0py3z/Valid password should authenticate successfully >assert %(py5)spy5 wrongpasswordFz+Invalid password should fail authentication nonexistentz,Non-existent user should fail authentication g?)<)z%(py0)s < %(py3)s timing_diffzTiming difference too large: z.4fz0s - potential username enumeration vulnerability)bcrypthashpwencodegensaltdecoder @pytest_ar_call_reprcompare @py_builtinslocals_should_repr_global_name _saferepr_format_assertmsgAssertionError_format_explanationrangetime perf_counterappendsumlenabs)r passwordrvalid_user_rowr @py_assert2 @py_assert1 @py_format4 @py_format6 valid_times invalid_times_startend valid_avg invalid_avgrs \C:\Users\algun\Documents\ceba web\Ceba - Github\tests\security\test_security_enhancements.py-test_secure_password_check_timing_consistencyrC*s4!HMM(//'":FNNLLL6TLLLLLL6LLL6LLLTLLLLLLLLLL#: OFI6U?III6UIIIIII6III6IIIUIIIIIIIIII#=(D AFJ6U?JJJ6UJJJJJJ6JJJ6JJJUJJJJJJJJJJKM2Y!!#j/>J!3;' 2Y!!#m_dC!S5[) K 3{#33Im$s='99Ki+-.KA; AAA;AAAAAA;AAA;AAAAAA!>{3>OO AAAAAAAc <tdd\}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjdd zd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd d zd |iz}ttj|d x}}d}||k(}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjdd zd |iz}ttj|d x}}gd}|D]\}} t|| \}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd|d| dd zd |iz}ttj|d x}}|| f}||k(}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjdd zd |iz}ttj|d x}}gd} | D]\}} t|| \}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd|dd zd |iz}ttj|d x}}d} |j} | } | | v}|stjd|fd| | ftj | d tjvstj |rtj |nd tj | tj | dz}tjd |d!zd"|iz}ttj|d x} x}x} } d }||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd#d zd |iz}ttj|d x}}gd$}|D]\}} t|| \}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd%| dd zd |iz}ttj|d x}}d&} |j} | } | | v}|stjd|fd| | ftj | d tjvstj |rtj |nd tj | tj | dz}tjd'| d!zd"|iz}ttj|d x} x}x} } d }||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd#d zd |iz}ttj|d x}}gd(}|D]\}} t|| \}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd)|d| d*d zd |iz}ttj|d x}}|d+}t|t} | stjd,d-zd.tjvstj trtj tnd.tj |d/tjvstj trtj tnd/tj | d0z}ttj|d x}} |d1}t|t} | stjd2d-zd.tjvstj trtj tnd.tj |d/tjvstj trtj tnd/tj | d0z}ttj|d x}} d3d4d5d6d7d8td9d:fd;td9ftd<d:fd;td<fg }|D]N\}} t|| \}}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd=|d| d>d zd |iz}ttj|d x}}d }||u}|stjd?|fd@||fd tjvstj |rtj |nd tj |dz}tjdAd zd |iz}ttj|d x}}d }||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjdBd zd |iz}ttj|d x}}Qy )CzBTest geographic coordinate validation with proper bounds checking.v^F@]P/@Trrsuccessrz(Valid coordinates should pass validationrrNerrorz/Valid coordinates should not have error message)rFrG==)z%(py0)s == %(py3)scoordsz.Valid coordinates should be returned unchanged))gV@f@)gVf)rO)F@g/@zBoundary coordinates (, z) should be validz1Boundary coordinates should be returned unchanged))gV@.@)gVrR)rMrR)rNrRFzInvalid latitude z should be rejectedugeografska širinainzD%(py1)s in %(py7)s {%(py7)s = %(py5)s {%(py5)s = %(py3)s.lower }() }py1rrpy7z'Should have latitude error message for  >assert %(py9)spy9z&Invalid coordinates should return None))rPgf@)rPgf)rPgv@)rPgvzInvalid longitude ugeografska dužinaz(Should have longitude error message for ))z 45.815399z 15.981919)4515)45.015.0zString coordinates (z) should convert and validaterz"Converted latitude should be float7 >assert %(py5)s {%(py5)s = %(py0)s(%(py2)s, %(py3)s) } isinstancefloatrpy2rrz#Converted longitude should be float)invalidr^)r]re)Nr^)r]N)z'; DROP TABLE coords; --r^)zr^infrRrPnanzInvalid input (z) should be rejectedis notz%(py0)s is not %(py3)sz'Invalid input should have error messagez,Invalid input should return None coordinates) rr%r&r'r(r)r*r+r,r-lowerr`ra)rHrIrLr7r8r9r:boundary_testslatlnginvalid_lat_tests @py_assert0 @py_assert4 @py_assert6 @py_format8 @py_format10invalid_lng_testsstring_coordinate_testsinvalid_inputss rB$test_validate_geographic_coordinatesrxds =Y RGUFF7d?FFF7dFFFFFF7FFF7FFFdFFFFFFFFFFK5D=KKK5DKKKKKK5KKK5KKKDKKKKKKKKKK+]6+ +]]]6+]]]]]]6]]]6]]]+]]]-]]]]]]]N#S!@c!JVw$VVVw$VVVVVVwVVVwVVV$VVV"8RuDU VVVVVVVsYv#YYYvYYYYYYvYYYvYYYYYY'XYYYYYYY# &S!@c!JMw%MMMw%MMMMMMwMMMwMMM%MMM#4SE9L!MMMMMMM#eu{{e{}e#}4eee#}eee#eeeeeeueeeueee{eee}eee8_`c_d6eeeeeeeeGv~GGGvGGGGGGvGGGvGGGGGGGGGGGGGG &&S!@c!JNw%NNNw%NNNNNNwNNNwNNN%NNN#5cU:M!NNNNNNN#fu{{f{}f#}4fff#}fff#ffffffufffufff{fff}fff8`ad`e6ffffffffGv~GGGvGGGGGGvGGGvGGGGGGGGGGGGGG & ,S!@c!J`w$```w$``````w```w```$```"6se2cUB_ ``````` )Qz)U+Q+QQ-QQQQQQQzQQQzQQQ)QQQQQQUQQQUQQQ+QQQQQQ )Rz)U+R+RR-RRRRRRRzRRRzRRR)RRRRRRURRRURRR+RRRRRR , ,1 ut uU| ut uU| N#S!@c!JSw%SSSw%SSSSSSwSSSwSSS%SSS?3%r#>R!SSSSSSS KuD KKKuDKKKKKKuKKKuKKKDKKK"KKKKKKKMv~MMMvMMMMMMvMMMvMMMMMMMMMMMMMM #rDc:tdtdtdtdg}|D]}t|d}d}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd |d zd |iz}ttj|dx}x}x}}d}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd |d zd |iz}ttj|dx}x}x}}d}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd |d zd |iz}ttj|dx}x}x}}d}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd |d zd |iz}ttj|dx}x}x}}d}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjdd zd |iz}ttj|dx}x}x}}tdtdtdtdg} | D]}t|d}d}||v}|stjd|fd||ftj |d t jvstj|rtj |nd dz} tjd|dzd | iz} ttj| dx}}d!}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd|d zd |iz}ttj|dx}x}x}}d"}||v}|stjd|fd||ftj |d t jvstj|rtj |nd dz} tjd|dzd | iz} ttj| dx}}d#}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd$d zd |iz}ttj|dx}x}x}}td%td&td'g} | D]}t|d(}d)}||v}|stjd|fd||ftj |d t jvstj|rtj |nd dz} tjd*|dzd | iz} ttj| dx}}d+}||v}|stjd|fd||ftj |d t jvstj|rtj |nd dz} tjd,|dzd | iz} ttj| dx}}d-}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd.d zd |iz}ttj|dx}x}x}}td/} t| d0}d1}|j}|}||v}|stjd|fd||ftj |d t jvstj|rtj |nd tj |tj |d z}tjd2d zd |iz}ttj|dx}x}x}}y)3zBTest error message sanitization to prevent information disclosure.z(UNIQUE constraint failed: users.usernamezBsqlite3.OperationalError: table users has no column named passwordz Database disk image is malformedzFOREIGN KEY constraint faileddatabasesqlitenot in)zH%(py1)s not in %(py7)s {%(py7)s = %(py5)s {%(py5)s = %(py3)s.lower }() } sanitizedrVzDatabase error leaked info: rYrZNtablecolumn constraintugreška pri obradi podatakarSrUz*Should have generic database error messagezPermission denied: /etc/passwdz.No such file or directory: /var/www/secret.txtz.Access is denied to C:\Windows\System32\configz&File not found: /home/user/.ssh/id_rsa filesystemz/etc/)z%(py1)s not in %(py3)s)rWrzFile path leaked: rrzc:\z.sshugreška pri pristupu datoteciz&Should have generic file error messagez*Connection timeout to internal-server:3306z"Network unreachable: 192.168.1.100zSocket connection failednetworkz192.168zIP address leaked: z:3306zPort number leaked: ugreška mrežez)Should have generic network error messagezSome random error messagegenericudošlo je do greškez!Should have generic error message) Exceptionrrkr%r&r*r'r(r)r+r,r-)database_errorsrIr~rprqrrr7rsrtfilesystem_errorsr9r:network_errors generic_errors rBtest_sanitize_error_messagers <=VW4512 O!*5*= \y\0\x00\\\x0\\\x\\\\\\y\\\y\\\\\\0\\\4PQZP[2\\\\\\\\[ioo[o/[w//[[[w/[[[w[[[[[[i[[[i[[[o[[[/[[[3OPY{1[[[[[[[[\y\0\x00\\\x0\\\x\\\\\\y\\\y\\\\\\0\\\4PQZP[2\\\\\\\\`9??`?#4`|#44```|#4```|``````9```9```?```#4```8TU^T_6````````,o o0Ao,0AAooo,0Aooo,oooooo ooo oooooo0AoooCoooooooo ! 23BCEF:; #*5,? Iwi'IIIwiIIIwIIIIIIiIIIiIIII+=i[)IIIIIIIPY__P_.Pv..PPPv.PPPvPPPPPPYPPPYPPP_PPP.PPP2DYK0PPPPPPPPHvY&HHHvYHHHvHHHHHHYHHHYHHHH*?67,-N  *5)< Ly )LLLy LLLyLLLLLL LLL LLLL-@ +LLLLLLLKwi'KKKwiKKKwKKKKKKiKKKiKKKK+? {)KKKKKKKa9??a?#4a#44aaa#4aaaaaaaaa9aaa9aaa?aaa#4aaa6aaaaaaaa  9:M&}i@I ![Y__[_%6[ !%6 6[[[ !%6[[[ ![[[[[[Y[[[Y[[[_[[[%6[[[8[[[[[[[[rDcjgd}|D]}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd|dzd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd |dzd |iz}ttj|d x}}gd }|D]}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd|dzd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd|dzd |iz}ttj|d x}}d} |j} | } | | v}|stjd|fd| | ftj | d tjvstj |rtj |nd tj | tj | dz} tjd|dzd| iz} ttj| d x} x}x} } gd}|D]}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd|dzd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd|dzd |iz}ttj|d x}}d} |j} | } | | v}|stjd|fd| | ftj | d tjvstj |rtj |nd tj | tj | dz} tjd|dzd| iz} ttj| d x} x}x} } gd}|D]}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd |dzd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd!|dzd |iz}ttj|d x}}d"}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd#dzd |iz}ttj|d x}}d$} |j} | } | | v}|stjd|fd| | ftj | d tjvstj |rtj |nd tj | tj | dz} tjd%dzd| iz} ttj| d x} x}x} } d&}t|\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd'dzd |iz}ttj|d x}}d }||u}|stjd|fd||fd tjvstj |rtj |nd tj |dz}tjd(dzd |iz}ttj|d x}}td)\}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd*dzd |iz}ttj|d x}}td \}}d}||u}|stjd|fd||fdtjvstj |rtj |ndtj |dz}tjd+dzd |iz}ttj|d x}}y ),zFTest filename validation for security issues including path traversal.)z image.jpgzcamera_photo_123.pngz%PICT_20231201_120000_123456789012.jpgztest_file.jpegz document.pdfTrris_validrzValid filename should pass: rrNrIz&Valid filename should not have error: )z../../../etc/passwdz$..\..\..\windows\system32\config\samz....//....//....//etc/passwdzfile/../../../sensitive.txtz..%2f..%2f..%2fetc%2fpasswdFz"Path traversal should be blocked: rhrjz*Path traversal should have error message: zneispravno ime datotekerSrUrVz'Should have generic error message for: rYrZ) z malicious.phpz script.php3z backdoor.aspz shell.jspz trojan.exez virus.batzconfig.htaccessz secrets.iniz exploit.pyz'Dangerous extension should be blocked: z'Dangerous extension should have error: znedozvoljena vrsta datotekez!Should have file type error for: )zfilez'; DROP TABLE cameras; --z UNION SELECT password FROM userszjavascript:alert("xss")zonload=alert("xss")z#Malicious input should be blocked: z#Malicious input should have error: zneispravna vrijednostz%Should have invalid value error for: l2}rz0Type conversion should work for compatible typesrz'Camera ID should be converted to stringr_r`strrbznot a dictionaryz!Non-dict input should be rejectedzneispravni podacizShould have invalid data error) rr r%r&r'r(r)r*r+r,r-rkr`) test_schemarrrIr~r7r8r9r: @py_format3rincomplete_datarprqrrrsrt length_testsrrrrrrmalicious_inputsmalicious_datatype_conversion_data invalid_datas rBtest_validate_api_inputrsw      K."#$J "4J !LHeYA8t AAA8tAAAAAA8AAA8AAAtAAAAAAAAAA=5D====5D======5===5===D==========  "NNN9 NNNNNN9NNN9NNNNNN NNN NNNN$NNNNNNN MO "4O[!QHeYC8u CCC8uCCCCCC8CCC8CCCuCCCCCCCCCCH5 HHH5HHHHHH5HHH5HHHHHHHHHHHHH RRR: &RRR:RRR:RRRRRRRRRRRRRRRRRR(RRRRRRRR OQ\]^F SUbc wv NP[\ v VXef L&2! >%7 ;%O"% Sx5 SSSx5SSSSSSxSSSxSSS5SSS$G {"SSSSSSS!&\\~.\\\~\\\\\\~\\\~\\\\\\\\\\\\\\\\\\2PQZP[0\\\\\\\\&2 nMlmnMhinMopnMfgnMbc +%7 %T"% Xx5 XXXx5XXXXXXxXXXxXXX5XXX$GGW"XXXXXXX XuD XXXuDXXXXXXuXXXuXXXDXXX$GGW"XXXXXXX&q%++q+-q&-7qqq&-qqq&qqqqqq%qqq%qqq+qqq-qqq;`ao`p9qqqqqqqq +"!$ "44H+!VHeYO8t OOO8tOOOOOO8OOO8OOOtOOOOOOOOOO ,]:,c 2] 2]]4]]]]]]]:]]]:]]],]]]]]]c]]]c]]] 2]]]]]]&L!3L+!NHeYA8u AAA8uAAAAAA8AAA8AAAuAAAAAAAAAA Q%++Q+-Q - /QQQ -QQQ QQQQQQ%QQQ%QQQ+QQQ-QQQ1QQQQQQQQrDc$ Gdd}|}t|}gd}|D] }|j}||v}|stjd|fd||fdt j vstj |rtj|nddt j vstj |rtj|ndtj|dz}tjd |d zd |iz}ttj|d x}}|jd } gd} | D]} | | v}|stjd|fd| | fdt j vstj | rtj| nddt j vstj | rtj| nddz} tjd| dzd| iz}ttj|d }|jd} d}| |k(}|stjd|fd| |ftj| tj|dz}tjdd zd |iz}ttj|d x} x}}|jd} d}| |k(}|stjd|fd| |ftj| tj|dz}tjdd zd |iz}ttj|d x} x}}d} |jd }| |v}|stjd|fd!| |ftj| tj|dz}tjd"d zd |iz}ttj|d x} x}}|}d#|jd$<t|}d$} |j}| |v}|stjd%|fd&| |ftj| d't j vstj |rtj|nd'tj|d(z}tjd)d*zd+|iz}ttj|d x} x}}y ),z/Test security headers middleware functionality.ceZdZdZy)6test_security_headers_middleware..MockResponseci|_y)N)headers)selfs rB__init__z?test_security_headers_middleware..MockResponse.__init__s DLrDN)__name__ __module__ __qualname__r rDrB MockResponser s rDr)Content-Security-PolicyX-Frame-OptionsX-Content-Type-OptionsX-XSS-ProtectionzReferrer-PolicyzPermissions-PolicyrS)z/%(py0)s in %(py4)s {%(py4)s = %(py2)s.headers }headerenhanced_responserz"Required security header missing: rrNr) zdefault-src 'self'zscript-src 'self'zstyle-src 'self'zimg-src 'self'zfont-src 'self'zconnect-src 'self'zframe-ancestors 'none'zbase-uri 'self'zform-action 'self')z%(py0)s in %(py2)s directivecsprzCSP directive missing: rrrDENYrJrrz#X-Frame-Options should deny framingrnosniffzShould prevent MIME sniffingz mode=blockr)z%(py1)s in %(py4)sz#XSS protection should block attackszFlask/2.0.1 Werkzeug/2.0.1Serverr|)z3%(py1)s not in %(py5)s {%(py5)s = %(py3)s.headers }enhanced)rWrrzServer header should be removedrrX) r r r%r&r'r(r)r*r+r,r-)rresponserrequired_headersrrr8rrrcsp_directivesrrrpr7response_with_serverrrqr:rss rB test_security_headers_middlewarer#sE ~H4H=#*22av22aaav2aaaaaavaaavaaaaaa*aaa*aaa2aaa6XY_X`4aaaaaaaa#  # #$= >C N$ CFFFyCFFFFFFyFFFyFFFFFFCFFFCFFFF#:9+!FFFFFFF$  $ $%6 7h6h 76 Ahhh 76hhh 7hhh6hhhChhhhhhhh  $ $%= >k)k >) Kkkk >)kkk >kkk)kkkMkkkkkkkk o,445GHo<H Hooo<Hooo<oooHoooJoooooooo(>-I  **+?@H N8++N8+ +NNN8+NNN8NNNNNN8NNN8NNN+NNN-NNNNNNNNrD) __doc__builtinsr'_pytest.assertion.rewrite assertionrewriter%pytestr/rr!app_modules.security_enhancementsrrrrrrr r r marksecurityrCrxrrrrrrr#rrDrBr-sU0    6A6ArQNQNh2\2\jTATAn^^>00fQQ<[R[R|6O6OrD