lollms-webui/tests/pentests/code_injection/test_code_injection.py

import json

from fastapi.testclient import TestClient
from main import app  # Replace with the actual name of your FastAPI app

client = TestClient(app)


def test_open_code_in_vs_code_valid():
    response = client.post(
        "/open_code_in_vs_code",
        data=json.dumps(
            {"discussion_id": 1, "message_id": 1, "code": "print('Hello, World!')"}
        ),
        headers={"content-type": "application/json"},
    )
    assert response.status_code == 200
    assert response.json()["status"] == True


def test_open_code_in_vs_code_invalid():
    response = client.post(
        "/open_code_in_vs_code",
        data=json.dumps(
            {
                "discussion_id": "1; copy file.exe /some/path/",
                "message_id": "1",
                "code": "print('Hello, World!')",
            }
        ),
        headers={"content-type": "application/json"},
    )
    assert response.status_code == 422  # Unprocessable Entity


def test_open_code_in_vs_code_attack():
    response = client.post(
        "/open_code_in_vs_code",
        data=json.dumps(
            {
                "discussion_id": 1,
                "message_id": 1,
                "code": "print('This is a harmless test.')",  # Dangerous code
            }
        ),
        headers={"content-type": "application/json"},
    )
    assert response.status_code == 200
    assert response.json()["status"] == False  # The code should not be executed
upgraded linting 2024-12-19 13:48:57 +01:00			`import json`

fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`from fastapi.testclient import TestClient`
			`from main import app # Replace with the actual name of your FastAPI app`

			`client = TestClient(app)`

upgraded linting 2024-12-19 13:48:57 +01:00
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`def test_open_code_in_vs_code_valid():`
			`response = client.post(`
			`"/open_code_in_vs_code",`
upgraded linting 2024-12-19 13:48:57 +01:00			`data=json.dumps(`
			`{"discussion_id": 1, "message_id": 1, "code": "print('Hello, World!')"}`
			`),`
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`headers={"content-type": "application/json"},`
			`)`
			`assert response.status_code == 200`
			`assert response.json()["status"] == True`

upgraded linting 2024-12-19 13:48:57 +01:00
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`def test_open_code_in_vs_code_invalid():`
			`response = client.post(`
			`"/open_code_in_vs_code",`
upgraded linting 2024-12-19 13:48:57 +01:00			`data=json.dumps(`
			`{`
			`"discussion_id": "1; copy file.exe /some/path/",`
			`"message_id": "1",`
			`"code": "print('Hello, World!')",`
			`}`
			`),`
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`headers={"content-type": "application/json"},`
			`)`
			`assert response.status_code == 422 # Unprocessable Entity`

upgraded linting 2024-12-19 13:48:57 +01:00
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`def test_open_code_in_vs_code_attack():`
			`response = client.post(`
			`"/open_code_in_vs_code",`
upgraded linting 2024-12-19 13:48:57 +01:00			`data=json.dumps(`
			`{`
			`"discussion_id": 1,`
			`"message_id": 1,`
			`"code": "print('This is a harmless test.')", # Dangerous code`
			`}`
			`),`
fixed code injection vulenerabilities 2024-02-15 01:01:55 +01:00			`headers={"content-type": "application/json"},`
			`)`
			`assert response.status_code == 200`
			`assert response.json()["status"] == False # The code should not be executed`