feat: implement secure image upload pipeline and backend XSS guard (Stage 2 Task A)
This commit is contained in:
@@ -17,5 +17,6 @@
|
||||
<ProjectReference Include="..\..\src\NexusReader.Application\NexusReader.Application.csproj" />
|
||||
<ProjectReference Include="..\..\src\NexusReader.Infrastructure\NexusReader.Infrastructure.csproj" />
|
||||
<ProjectReference Include="..\..\src\NexusReader.UI.Shared\NexusReader.UI.Shared.csproj" />
|
||||
<ProjectReference Include="..\..\src\NexusReader.Web\NexusReader.Web.csproj" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@@ -51,4 +51,20 @@ public class HtmlSanitizerServiceTests
|
||||
result.Should().NotContain("alert");
|
||||
result.Should().Contain("<img src=\"x\">");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Sanitize_WithMarkdownCodeBlockContainingAngleBrackets_DoesNotStripAngleBrackets()
|
||||
{
|
||||
// Arrange
|
||||
var service = new HtmlSanitizerService();
|
||||
var input = "Here is some code:\n\n```csharp\nif (x < y && y > z) { Console.WriteLine(\"test\"); }\n```";
|
||||
|
||||
// Act
|
||||
var result = service.Sanitize(input);
|
||||
|
||||
// Assert
|
||||
result.Should().Contain("<");
|
||||
result.Should().Contain(">");
|
||||
result.Should().NotContain("<script>");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,118 @@
|
||||
using FluentAssertions;
|
||||
using Xunit;
|
||||
|
||||
namespace NexusReader.Application.Tests.Services;
|
||||
|
||||
public class ValidateImageSignatureTests
|
||||
{
|
||||
[Fact]
|
||||
public void Validate_PNG_WithCorrectSignature_ReturnsTrue()
|
||||
{
|
||||
// Arrange
|
||||
byte[] pngBytes = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A];
|
||||
string fileName = "image.png";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(pngBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeTrue();
|
||||
contentType.Should().Be("image/png");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_JPEG_WithCorrectSignature_ReturnsTrue()
|
||||
{
|
||||
// Arrange
|
||||
byte[] jpegBytes = [0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0x4A, 0x46];
|
||||
string fileName = "photo.jpg";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(jpegBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeTrue();
|
||||
contentType.Should().Be("image/jpeg");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_WEBP_WithCorrectSignature_ReturnsTrue()
|
||||
{
|
||||
// Arrange
|
||||
byte[] webpBytes = [
|
||||
0x52, 0x49, 0x46, 0x46, // RIFF
|
||||
0x00, 0x00, 0x00, 0x00, // length
|
||||
0x57, 0x45, 0x42, 0x50 // WEBP
|
||||
];
|
||||
string fileName = "graphic.webp";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(webpBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeTrue();
|
||||
contentType.Should().Be("image/webp");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_GIF_WithCorrectSignature_ReturnsTrue()
|
||||
{
|
||||
// Arrange
|
||||
byte[] gifBytes = [
|
||||
0x47, 0x49, 0x46, 0x38, 0x39, 0x61, // GIF89a
|
||||
0x01, 0x00, 0x01, 0x00
|
||||
];
|
||||
string fileName = "animation.gif";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(gifBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeTrue();
|
||||
contentType.Should().Be("image/gif");
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_WithMismatchingExtension_ReturnsFalse()
|
||||
{
|
||||
// Arrange: Valid PNG bytes but JPEG extension
|
||||
byte[] pngBytes = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A];
|
||||
string fileName = "spoofed.jpg";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(pngBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeFalse();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_WithInvalidSignature_ReturnsFalse()
|
||||
{
|
||||
// Arrange: Plain text bytes but PNG extension
|
||||
byte[] txtBytes = [0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0x77, 0x6F]; // "Hello wo"
|
||||
string fileName = "not_a_png.png";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(txtBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeFalse();
|
||||
contentType.Should().BeEmpty();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Validate_WithShortBytes_ReturnsFalse()
|
||||
{
|
||||
// Arrange
|
||||
byte[] shortBytes = [0x89, 0x50];
|
||||
string fileName = "short.png";
|
||||
|
||||
// Act
|
||||
bool isValid = ImageValidator.ValidateImageSignature(shortBytes, fileName, out string contentType);
|
||||
|
||||
// Assert
|
||||
isValid.Should().BeFalse();
|
||||
contentType.Should().BeEmpty();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user