lukas.pupkalipinski/Aniworld
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Aniworld/tests/security/README.md
Lukas 77da614091 feat: Add database migrations, performance testing, and security testing 
 Features Added:

Database Migration System:
- Complete migration framework with base classes, runner, and validator
- Initial schema migration for all core tables (users, anime, episodes, downloads, config)
- Rollback support with error handling
- Migration history tracking
- 22 passing unit tests

Performance Testing Suite:
- API load testing with concurrent request handling
- Download system stress testing
- Response time benchmarks
- Memory leak detection
- Concurrency testing
- 19 comprehensive performance tests
- Complete documentation in tests/performance/README.md

Security Testing Suite:
- Authentication and authorization security tests
- Input validation and XSS protection
- SQL injection prevention (classic, blind, second-order)
- NoSQL and ORM injection protection
- File upload security
- OWASP Top 10 coverage
- 40+ security test methods
- Complete documentation in tests/security/README.md

📊 Test Results:
- Migration tests: 22/22 passing (100%)
- Total project tests: 736+ passing (99.8% success rate)
- New code: ~2,600 lines (code + tests + docs)

📝 Documentation:
- Updated instructions.md (removed completed tasks)
- Added COMPLETION_SUMMARY.md with detailed implementation notes
- Comprehensive README files for test suites
- Type hints and docstrings throughout

🎯 Quality:
- Follows PEP 8 standards
- Comprehensive error handling
- Structured logging
- Type annotations
- Full test coverage
2025-10-24 10:11:51 +02:00

370 lines
8.5 KiB
Markdown
Raw Blame History

# Security Testing Suite
This directory contains comprehensive security tests for the Aniworld application.
## Test Categories
### Authentication Security (`test_auth_security.py`)
Tests authentication and authorization security:
- **Password Security**: Hashing, strength validation, exposure prevention
- **Token Security**: JWT validation, expiration, format checking
- **Session Security**: Fixation prevention, regeneration, timeout
- **Brute Force Protection**: Rate limiting, account lockout
- **Authorization**: Role-based access control, privilege escalation prevention
### Input Validation (`test_input_validation.py`)
Tests input validation and sanitization:
- **XSS Protection**: Script injection, HTML injection
- **Path Traversal**: Directory traversal attempts
- **Size Limits**: Oversized input handling
- **Special Characters**: Unicode, null bytes, control characters
- **Type Validation**: Email, numbers, arrays, objects
- **File Upload Security**: Extension validation, size limits, MIME type checking
### SQL Injection Protection (`test_sql_injection.py`)
Tests database injection vulnerabilities:
- **Classic SQL Injection**: OR 1=1, UNION attacks, comment injection
- **Blind SQL Injection**: Time-based, boolean-based
- **Second-Order Injection**: Stored malicious data
- **NoSQL Injection**: MongoDB operator injection
- **ORM Injection**: Attribute and method injection
- **Error Disclosure**: Information leakage in error messages
## Running Security Tests
### Run all security tests:
```bash
conda run -n AniWorld python -m pytest tests/security/ -v -m security
```
### Run specific test file:
```bash
conda run -n AniWorld python -m pytest tests/security/test_auth_security.py -v
```
### Run specific test class:
```bash
conda run -n AniWorld python -m pytest \
tests/security/test_sql_injection.py::TestSQLInjection -v
```
### Run with detailed output:
```bash
conda run -n AniWorld python -m pytest tests/security/ -vv -s
```
## Security Test Markers
Tests are marked with `@pytest.mark.security` for easy filtering:
```bash
# Run only security tests
pytest -m security
# Run all tests except security
pytest -m "not security"
```
## Expected Security Posture
### Authentication
- ✅ Passwords never exposed in responses
- ✅ Weak passwords rejected
- ✅ Proper password hashing (bcrypt/argon2)
- ✅ Brute force protection
- ✅ Token expiration enforced
- ✅ Session regeneration on privilege change
### Input Validation
- ✅ XSS attempts blocked or sanitized
- ✅ Path traversal prevented
- ✅ File uploads validated and restricted
- ✅ Size limits enforced
- ✅ Type validation on all inputs
- ✅ Special characters handled safely
### SQL Injection
- ✅ All SQL injection attempts blocked
- ✅ Prepared statements used
- ✅ No database errors exposed
- ✅ ORM used safely
- ✅ No raw SQL with user input
## Common Vulnerabilities Tested
### OWASP Top 10 Coverage
1. **Injection**
- SQL injection
- NoSQL injection
- Command injection
- XSS
2. **Broken Authentication**
- Weak passwords
- Session fixation
- Token security
- Brute force
3. **Sensitive Data Exposure**
- Password exposure
- Error message disclosure
- Token leakage
4. **XML External Entities (XXE)** ⚠️
- Not applicable (no XML processing)
5. **Broken Access Control**
- Authorization bypass
- Privilege escalation
- IDOR (Insecure Direct Object Reference)
6. **Security Misconfiguration** ⚠️
- Partially covered
7. **Cross-Site Scripting (XSS)**
- Reflected XSS
- Stored XSS
- DOM-based XSS
8. **Insecure Deserialization** ⚠️
- Partially covered
9. **Using Components with Known Vulnerabilities** ⚠️
- Requires dependency scanning
10. **Insufficient Logging & Monitoring** ⚠️
- Requires log analysis
## Adding New Security Tests
When adding new security tests:
1. Mark with `@pytest.mark.security`
2. Test both positive and negative cases
3. Include variety of attack payloads
4. Document expected behavior
5. Follow OWASP guidelines
Example:
```python
@pytest.mark.security
class TestNewFeatureSecurity:
\"\"\"Security tests for new feature.\"\"\"
@pytest.mark.asyncio
async def test_injection_protection(self, client):
\"\"\"Test injection protection.\"\"\"
malicious_inputs = [...]
for payload in malicious_inputs:
response = await client.post("/api/endpoint", json={"data": payload})
assert response.status_code in [400, 422]
```
## Security Testing Best Practices
### 1. Test All Entry Points
- API endpoints
- WebSocket connections
- File uploads
- Query parameters
- Headers
- Cookies
### 2. Use Comprehensive Payloads
- Classic attack vectors
- Obfuscated variants
- Unicode bypasses
- Encoding variations
### 3. Verify Both Prevention and Handling
- Attacks should be blocked
- Errors should not leak information
- Application should remain stable
- Logs should capture attempts
### 4. Test Edge Cases
- Empty inputs
- Maximum sizes
- Special characters
- Unexpected types
- Concurrent requests
## Continuous Security Testing
These tests should be run:
- Before each release
- After security-related code changes
- Weekly as part of regression testing
- As part of CI/CD pipeline
- After dependency updates
## Remediation Guidelines
### If a test fails:
1. **Identify the vulnerability**
- What attack succeeded?
- Which endpoint is affected?
- What data was compromised?
2. **Assess the risk**
- CVSS score
- Potential impact
- Exploitability
3. **Implement fix**
- Input validation
- Output encoding
- Parameterized queries
- Access controls
4. **Verify fix**
- Re-run failing test
- Add additional tests
- Test related functionality
5. **Document**
- Update security documentation
- Add to changelog
- Notify team
## Security Tools Integration
### Recommended Tools
**Static Analysis:**
- Bandit (Python security linter)
- Safety (dependency vulnerability scanner)
- Semgrep (pattern-based scanner)
**Dynamic Analysis:**
- OWASP ZAP (penetration testing)
- Burp Suite (security testing)
- SQLMap (SQL injection testing)
**Dependency Scanning:**
```bash
# Check for vulnerable dependencies
pip-audit
safety check
```
**Code Scanning:**
```bash
# Run Bandit security linter
bandit -r src/
```
## Incident Response
If a security vulnerability is discovered:
1. **Do not discuss publicly** until patched
2. **Document** the vulnerability privately
3. **Create fix** in private branch
4. **Test thoroughly**
5. **Deploy hotfix** if critical
6. **Notify users** if data affected
7. **Update tests** to prevent regression
## Security Contacts
For security concerns:
- Create private security advisory on GitHub
- Contact maintainers directly
- Do not create public issues for vulnerabilities
## References
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
- [CWE/SANS Top 25](https://cwe.mitre.org/top25/)
- [NIST Security Guidelines](https://www.nist.gov/cybersecurity)
- [Python Security Best Practices](https://python.readthedocs.io/en/latest/library/security_warnings.html)
## Compliance
These tests help ensure compliance with:
- GDPR (data protection)
- PCI DSS (if handling payments)
- HIPAA (if handling health data)
- SOC 2 (security controls)
## Automated Security Scanning
### GitHub Actions Example
```yaml
name: Security Tests
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.13
- name: Install dependencies
run: |
pip install -r requirements.txt
pip install bandit safety
- name: Run security tests
run: pytest tests/security/ -v -m security
- name: Run Bandit
run: bandit -r src/
- name: Check dependencies
run: safety check
```
## Conclusion
Security testing is an ongoing process. These tests provide a foundation, but regular security audits, penetration testing, and staying updated with new vulnerabilities are essential for maintaining a secure application.
Reference in New Issue View Git Blame Copy Permalink