lukas.pupkalipinski/Aniworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Aniworld/tests/security/README.md
Lukas 77da614091 feat: Add database migrations, performance testing, and security testing 
 Features Added:

Database Migration System:
- Complete migration framework with base classes, runner, and validator
- Initial schema migration for all core tables (users, anime, episodes, downloads, config)
- Rollback support with error handling
- Migration history tracking
- 22 passing unit tests

Performance Testing Suite:
- API load testing with concurrent request handling
- Download system stress testing
- Response time benchmarks
- Memory leak detection
- Concurrency testing
- 19 comprehensive performance tests
- Complete documentation in tests/performance/README.md

Security Testing Suite:
- Authentication and authorization security tests
- Input validation and XSS protection
- SQL injection prevention (classic, blind, second-order)
- NoSQL and ORM injection protection
- File upload security
- OWASP Top 10 coverage
- 40+ security test methods
- Complete documentation in tests/security/README.md

📊 Test Results:
- Migration tests: 22/22 passing (100%)
- Total project tests: 736+ passing (99.8% success rate)
- New code: ~2,600 lines (code + tests + docs)

📝 Documentation:
- Updated instructions.md (removed completed tasks)
- Added COMPLETION_SUMMARY.md with detailed implementation notes
- Comprehensive README files for test suites
- Type hints and docstrings throughout

🎯 Quality:
- Follows PEP 8 standards
- Comprehensive error handling
- Structured logging
- Type annotations
- Full test coverage
2025-10-24 10:11:51 +02:00

8.5 KiB
Raw Blame History

Security Testing Suite

This directory contains comprehensive security tests for the Aniworld application.

Test Categories

Authentication Security (test_auth_security.py)

Tests authentication and authorization security:

  • Password Security: Hashing, strength validation, exposure prevention
  • Token Security: JWT validation, expiration, format checking
  • Session Security: Fixation prevention, regeneration, timeout
  • Brute Force Protection: Rate limiting, account lockout
  • Authorization: Role-based access control, privilege escalation prevention

Input Validation (test_input_validation.py)

Tests input validation and sanitization:

  • XSS Protection: Script injection, HTML injection
  • Path Traversal: Directory traversal attempts
  • Size Limits: Oversized input handling
  • Special Characters: Unicode, null bytes, control characters
  • Type Validation: Email, numbers, arrays, objects
  • File Upload Security: Extension validation, size limits, MIME type checking

SQL Injection Protection (test_sql_injection.py)

Tests database injection vulnerabilities:

  • Classic SQL Injection: OR 1=1, UNION attacks, comment injection
  • Blind SQL Injection: Time-based, boolean-based
  • Second-Order Injection: Stored malicious data
  • NoSQL Injection: MongoDB operator injection
  • ORM Injection: Attribute and method injection
  • Error Disclosure: Information leakage in error messages

Running Security Tests

Run all security tests:

conda run -n AniWorld python -m pytest tests/security/ -v -m security

Run specific test file:

conda run -n AniWorld python -m pytest tests/security/test_auth_security.py -v

Run specific test class:

conda run -n AniWorld python -m pytest \
    tests/security/test_sql_injection.py::TestSQLInjection -v

Run with detailed output:

conda run -n AniWorld python -m pytest tests/security/ -vv -s

Security Test Markers

Tests are marked with @pytest.mark.security for easy filtering:

# Run only security tests
pytest -m security

# Run all tests except security
pytest -m "not security"

Expected Security Posture

Authentication

  • Passwords never exposed in responses
  • Weak passwords rejected
  • Proper password hashing (bcrypt/argon2)
  • Brute force protection
  • Token expiration enforced
  • Session regeneration on privilege change

Input Validation

  • XSS attempts blocked or sanitized
  • Path traversal prevented
  • File uploads validated and restricted
  • Size limits enforced
  • Type validation on all inputs
  • Special characters handled safely

SQL Injection

  • All SQL injection attempts blocked
  • Prepared statements used
  • No database errors exposed
  • ORM used safely
  • No raw SQL with user input

Common Vulnerabilities Tested

OWASP Top 10 Coverage

  1. Injection

    • SQL injection
    • NoSQL injection
    • Command injection
    • XSS

  2. Broken Authentication

    • Weak passwords
    • Session fixation
    • Token security
    • Brute force

  3. Sensitive Data Exposure

    • Password exposure
    • Error message disclosure
    • Token leakage

  4. XML External Entities (XXE) ⚠️

    • Not applicable (no XML processing)

  5. Broken Access Control

    • Authorization bypass
    • Privilege escalation
    • IDOR (Insecure Direct Object Reference)

  6. Security Misconfiguration ⚠️

    • Partially covered

  7. Cross-Site Scripting (XSS)

    • Reflected XSS
    • Stored XSS
    • DOM-based XSS

  8. Insecure Deserialization ⚠️

    • Partially covered

  9. Using Components with Known Vulnerabilities ⚠️

    • Requires dependency scanning

  10. Insufficient Logging & Monitoring ⚠️

    • Requires log analysis

Adding New Security Tests

When adding new security tests:

  1. Mark with @pytest.mark.security
  2. Test both positive and negative cases
  3. Include variety of attack payloads
  4. Document expected behavior
  5. Follow OWASP guidelines

Example:

@pytest.mark.security
class TestNewFeatureSecurity:
    \"\"\"Security tests for new feature.\"\"\"

    @pytest.mark.asyncio
    async def test_injection_protection(self, client):
        \"\"\"Test injection protection.\"\"\"
        malicious_inputs = [...]
        for payload in malicious_inputs:
            response = await client.post("/api/endpoint", json={"data": payload})
            assert response.status_code in [400, 422]

Security Testing Best Practices

1. Test All Entry Points

  • API endpoints
  • WebSocket connections
  • File uploads
  • Query parameters
  • Headers
  • Cookies

2. Use Comprehensive Payloads

  • Classic attack vectors
  • Obfuscated variants
  • Unicode bypasses
  • Encoding variations

3. Verify Both Prevention and Handling

  • Attacks should be blocked
  • Errors should not leak information
  • Application should remain stable
  • Logs should capture attempts

4. Test Edge Cases

  • Empty inputs
  • Maximum sizes
  • Special characters
  • Unexpected types
  • Concurrent requests

Continuous Security Testing

These tests should be run:

  • Before each release
  • After security-related code changes
  • Weekly as part of regression testing
  • As part of CI/CD pipeline
  • After dependency updates

Remediation Guidelines

If a test fails:

  1. Identify the vulnerability

    • What attack succeeded?
    • Which endpoint is affected?
    • What data was compromised?

  2. Assess the risk

    • CVSS score
    • Potential impact
    • Exploitability

  3. Implement fix

    • Input validation
    • Output encoding
    • Parameterized queries
    • Access controls

  4. Verify fix

    • Re-run failing test
    • Add additional tests
    • Test related functionality

  5. Document

    • Update security documentation
    • Add to changelog
    • Notify team

Security Tools Integration

Recommended Tools

Static Analysis:

  • Bandit (Python security linter)
  • Safety (dependency vulnerability scanner)
  • Semgrep (pattern-based scanner)

Dynamic Analysis:

  • OWASP ZAP (penetration testing)
  • Burp Suite (security testing)
  • SQLMap (SQL injection testing)

Dependency Scanning:

# Check for vulnerable dependencies
pip-audit
safety check

Code Scanning:

# Run Bandit security linter
bandit -r src/

Incident Response

If a security vulnerability is discovered:

  1. Do not discuss publicly until patched
  2. Document the vulnerability privately
  3. Create fix in private branch
  4. Test thoroughly
  5. Deploy hotfix if critical
  6. Notify users if data affected
  7. Update tests to prevent regression

Security Contacts

For security concerns:

  • Create private security advisory on GitHub
  • Contact maintainers directly
  • Do not create public issues for vulnerabilities

References

Compliance

These tests help ensure compliance with:

  • GDPR (data protection)
  • PCI DSS (if handling payments)
  • HIPAA (if handling health data)
  • SOC 2 (security controls)

Automated Security Scanning

GitHub Actions Example

name: Security Tests

on: [push, pull_request]

jobs:
    security:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v2

            - name: Set up Python
              uses: actions/setup-python@v2
              with:
                  python-version: 3.13

            - name: Install dependencies
              run: |
                  pip install -r requirements.txt
                  pip install bandit safety

            - name: Run security tests
              run: pytest tests/security/ -v -m security

            - name: Run Bandit
              run: bandit -r src/

            - name: Check dependencies
              run: safety check

Conclusion

Security testing is an ongoing process. These tests provide a foundation, but regular security audits, penetration testing, and staying updated with new vulnerabilities are essential for maintaining a secure application.