Spaces:
Paused
Paused
| """Tests that verify SQL injection mitigations in insights and state modules.""" | |
| import re | |
| from agent.insights import InsightsEngine | |
| def test_session_cols_no_injection_chars(): | |
| """_SESSION_COLS must not contain SQL injection vectors.""" | |
| cols = InsightsEngine._SESSION_COLS | |
| assert ";" not in cols | |
| assert "--" not in cols | |
| assert "'" not in cols | |
| assert "DROP" not in cols.upper() | |
| def test_get_sessions_all_query_is_parameterized(): | |
| """_GET_SESSIONS_ALL must use a ? placeholder for the cutoff value.""" | |
| query = InsightsEngine._GET_SESSIONS_ALL | |
| assert "?" in query | |
| assert "started_at >= ?" in query | |
| # Must not embed any runtime-variable content via brace interpolation | |
| assert "{" not in query | |
| def test_get_sessions_with_source_query_is_parameterized(): | |
| """_GET_SESSIONS_WITH_SOURCE must use ? placeholders for both parameters.""" | |
| query = InsightsEngine._GET_SESSIONS_WITH_SOURCE | |
| assert query.count("?") == 2 | |
| assert "started_at >= ?" in query | |
| assert "source = ?" in query | |
| assert "{" not in query | |
| def test_session_col_names_are_safe_identifiers(): | |
| """Every column name listed in _SESSION_COLS must be a simple identifier.""" | |
| cols = InsightsEngine._SESSION_COLS | |
| identifiers = [c.strip() for c in cols.split(",")] | |
| safe_identifier = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_]*$") | |
| for col in identifiers: | |
| assert safe_identifier.match(col), ( | |
| f"Column name {col!r} is not a safe SQL identifier" | |
| ) | |