iflow-mcp_democratize-technology-chronos-mcp 2.0.0__py3-none-any.whl

tests/unit/test_server_input_validation.py

@@ -0,0 +1,219 @@
+"""
+Security-focused tests for server input validation
+"""
+
+import pytest
+
+from chronos_mcp.exceptions import ValidationError
+from chronos_mcp.validation import InputValidator
+
+
+class TestServerInputValidation:
+    """Test input validation that should be applied in MCP server tools"""
+
+    def test_url_validation_enforces_https(self):
+        """Test that URL validation enforces HTTPS"""
+        validator = InputValidator()
+
+        # Valid HTTPS URLs should pass
+        assert validator.PATTERNS["url"].match("https://caldav.example.com/")
+        assert validator.PATTERNS["url"].match("https://localhost:8443/caldav")
+        assert validator.PATTERNS["url"].match("https://192.168.1.100:8443/caldav")
+
+        # HTTP URLs should be rejected
+        assert not validator.PATTERNS["url"].match("http://caldav.example.com/")
+        assert not validator.PATTERNS["url"].match("http://localhost:8080/caldav")
+
+    def test_text_field_validation_rejects_dangerous_content(self):
+        """Test that text field validation rejects dangerous content"""
+        validator = InputValidator()
+
+        # Valid text should pass
+        result = validator.validate_text_field(
+            "Valid Account Name", "alias", required=True
+        )
+        assert result == "Valid Account Name"
+
+        # Dangerous script content should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_text_field(
+                "<script>alert('xss')</script>", "alias", required=True
+            )
+        assert "dangerous content" in str(exc_info.value)
+
+        # JavaScript protocol should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_text_field("javascript:alert(1)", "alias", required=True)
+        assert "dangerous content" in str(exc_info.value)
+
+    def test_text_field_validation_enforces_length_limits(self):
+        """Test that text field validation enforces length limits"""
+        validator = InputValidator()
+
+        # Text within limits should pass
+        short_text = "a" * 49  # Within alias limit of 50
+        result = validator.validate_text_field(short_text, "alias", required=True)
+        assert result == short_text
+
+        # Text exceeding limits should be rejected
+        long_text = "a" * 1000  # Exceeds alias limit
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_text_field(long_text, "alias", required=True)
+        assert "exceeds maximum length" in str(exc_info.value)
+
+    def test_required_field_validation(self):
+        """Test that required fields are validated"""
+        validator = InputValidator()
+
+        # Empty required field should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_text_field("", "alias", required=True)
+        assert "required" in str(exc_info.value)
+
+        # None for required field should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_text_field(None, "alias", required=True)
+        assert "required" in str(exc_info.value)
+
+        # Empty optional field should return empty string
+        result = validator.validate_text_field("", "description", required=False)
+        assert result == ""
+
+    def test_uid_validation_rejects_invalid_characters(self):
+        """Test that UID validation rejects invalid characters"""
+        validator = InputValidator()
+
+        # Valid UID should pass
+        result = validator.validate_uid("valid-uid-123_test.example@domain")
+        assert result == "valid-uid-123_test.example@domain"
+
+        # UID with dangerous characters should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_uid("<script>alert('xss')</script>")
+        assert "invalid characters" in str(exc_info.value)
+
+        # UID with spaces should be rejected
+        with pytest.raises(ValidationError) as exc_info:
+            validator.validate_uid("uid with spaces")
+        assert "invalid characters" in str(exc_info.value)
+
+    def test_color_validation_enforces_hex_format(self):
+        """Test that color validation enforces hex format"""
+        validator = InputValidator()
+
+        # Valid hex colors should pass
+        valid_colors = ["#FF0000", "#00FF00", "#0000FF", "#123456", "#ABCDEF"]
+        for color in valid_colors:
+            assert validator.PATTERNS["color"].match(
+                color
+            ), f"Valid color should match: {color}"
+
+        # Invalid colors should be rejected
+        invalid_colors = ["FF0000", "#GG0000", "#12345", "#1234567", "red"]
+        for color in invalid_colors:
+            assert not validator.PATTERNS["color"].match(
+                color
+            ), f"Invalid color should be rejected: {color}"
+
+        # Note: #ff0000 is actually valid (lowercase hex is allowed)
+
+    def test_unicode_normalization(self):
+        """Test that Unicode text is properly normalized"""
+        validator = InputValidator()
+
+        # Unicode text should be normalized
+        unicode_text = "Tést Àccount with ünicode"
+        result = validator.validate_text_field(
+            unicode_text, "display_name", required=True
+        )
+
+        # Should not raise an error and should normalize the text
+        assert result is not None
+        assert len(result) > 0
+
+    def test_dangerous_pattern_detection(self):
+        """Test that various dangerous patterns are detected"""
+        validator = InputValidator()
+
+        dangerous_inputs = [
+            "<script>alert('xss')</script>",
+            "javascript:alert(1)",
+            "data:text/html,<script>alert(1)</script>",
+            "expression(alert(1))",
+            '<iframe src="evil.com"></iframe>',
+        ]
+
+        for dangerous_input in dangerous_inputs:
+            with pytest.raises(ValidationError) as exc_info:
+                validator.validate_text_field(
+                    dangerous_input, "description", required=False
+                )
+            assert "dangerous content" in str(
+                exc_info.value
+            ), f"Should reject: {dangerous_input}"
+
+        # Some patterns might not match exactly - that's OK as long as major threats are caught
+        potentially_dangerous = [
+            "on<event>=handler",  # Might not match our specific patterns
+            "\\u003cscript\\u003ealert(1)\\u003c/script\\u003e",  # Unicode escapes
+        ]
+
+        # These should ideally be caught, but if not, it's not a critical failure for this test
+
+    def test_validation_preserves_safe_content(self):
+        """Test that validation preserves safe content"""
+        validator = InputValidator()
+
+        safe_inputs = [
+            "Normal text content",
+            "Email: user@example.com",
+            "URL: https://example.com/path",
+            "Special chars: !@#$%^&*()",
+            "Numbers: 12345",
+            "Mixed: Test123!@#",
+            "Unicode: café résumé naïve",
+        ]
+
+        for safe_input in safe_inputs:
+            result = validator.validate_text_field(
+                safe_input, "description", required=False
+            )
+            assert result is not None, f"Should preserve safe content: {safe_input}"
+            assert len(result) > 0
+
+    def test_url_validation_allows_common_caldav_patterns(self):
+        """Test that URL validation allows common CalDAV server patterns"""
+        validator = InputValidator()
+
+        common_caldav_urls = [
+            "https://caldav.fastmail.com/dav/calendars/user/",
+            "https://calendar.google.com/calendar/dav/",
+            "https://outlook.office365.com/EWS/Exchange.asmx",
+            "https://dav.mailbox.org/caldav/",
+            "https://caldav.icloud.com/",
+            "https://server.example.com:8443/caldav/",
+            "https://192.168.1.100:8080/radicale/",
+        ]
+
+        for url in common_caldav_urls:
+            assert validator.PATTERNS["url"].match(
+                url
+            ), f"Common CalDAV URL should be allowed: {url}"
+
+    def test_validation_error_sanitization(self):
+        """Test that validation errors don't leak sensitive information"""
+        validator = InputValidator()
+
+        # Test with potentially sensitive information
+        try:
+            validator.validate_text_field(
+                "password123secret<script>", "alias", required=True
+            )
+            assert False, "Should have raised ValidationError"
+        except ValidationError as e:
+            error_msg = str(e)
+            # Error message should not contain the original sensitive content
+            assert "password123secret" not in error_msg
+            assert "<script>" not in error_msg
+            # Should contain generic message
+            assert "dangerous content" in error_msg