Fix tests. Remove tests which test rails functionality

test/controllers/input_validation_test.rb

@@ -0,0 +1,187 @@
+require "test_helper"
+
+class InputValidationTest < ActionDispatch::IntegrationTest
+  # ====================
+  # SQL INJECTION PREVENTION TESTS
+  # ====================
+
+  test "SQL injection is prevented by Rails ORM" do
+    # Rails ActiveRecord prevents SQL injection through parameterized queries
+    # This test verifies the protection is in place
+
+    # Try SQL injection in email field
+    post signin_path, params: {
+      email_address: "admin' OR '1'='1",
+      password: "password123"
+    }
+
+    # Should not authenticate with SQL injection
+    assert_response :redirect
+    assert_redirected_to signin_path
+    assert_match(/invalid/i, flash[:alert].to_s)
+  end
+
+  # ====================
+  # XSS PREVENTION TESTS
+  # ====================
+
+  test "XSS in user input is escaped" do
+    # Create user with XSS payload in name
+    xss_payload = "<script>alert('XSS')</script>"
+    user = User.create!(email_address: "xss_test@example.com", password: "password123", name: xss_payload)
+
+    # Sign in
+    post signin_path, params: { email_address: "xss_test@example.com", password: "password123" }
+    assert_response :redirect
+
+    # Get a page that displays user name
+    get root_path
+    assert_response :success
+
+    # The XSS payload should be escaped, not executed
+    # Rails automatically escapes output in ERB templates
+
+    user.destroy
+  end
+
+  # ====================
+  # PARAMETER TAMPERING TESTS
+  # ====================
+
+  test "parameter tampering in OAuth authorization is prevented" do
+    user = User.create!(email_address: "oauth_tamper_test@example.com", password: "password123")
+    application = Application.create!(
+      name: "OAuth Test App",
+      slug: "oauth-test-app",
+      app_type: "oidc",
+      redirect_uris: ["http://localhost:4000/callback"].to_json,
+      active: true
+    )
+
+    # Sign in
+    post signin_path, params: { email_address: "oauth_tamper_test@example.com", password: "password123" }
+    assert_response :redirect
+
+    # Try to tamper with OAuth authorization parameters
+    get "/oauth/authorize", params: {
+      client_id: application.client_id,
+      redirect_uri: "http://evil.com/callback",  # Tampered redirect URI
+      response_type: "code",
+      scope: "openid profile admin",  # Tampered scope to request admin access
+      user_id: 1  # Tampered user ID
+    }
+
+    # Should reject the tampered redirect URI
+    assert_response :bad_request
+
+    user.sessions.delete_all
+    user.destroy
+    application.destroy
+  end
+
+  test "parameter tampering in token request is prevented" do
+    user = User.create!(email_address: "token_tamper_test@example.com", password: "password123")
+    application = Application.create!(
+      name: "Token Tamper Test App",
+      slug: "token-tamper-test",
+      app_type: "oidc",
+      redirect_uris: ["http://localhost:4000/callback"].to_json,
+      active: true
+    )
+
+    # Try to tamper with token request parameters
+    post "/oauth/token", params: {
+      grant_type: "authorization_code",
+      code: "fake_code",
+      redirect_uri: "http://localhost:4000/callback",
+      client_id: "tampered_client_id",
+      user_id: 999  # Tampered user ID
+    }
+
+    # Should reject tampered client_id
+    assert_response :unauthorized
+
+    user.destroy
+    application.destroy
+  end
+
+  # ====================
+  # JSON INPUT VALIDATION TESTS
+  # ====================
+
+  test "JSON input validation prevents malicious payloads" do
+    # Try to send malformed JSON
+    post "/oauth/token", params: '{"grant_type":"authorization_code",}'.to_json,
+      headers: { "CONTENT_TYPE" => "application/json" }
+
+    # Should handle malformed JSON gracefully
+    assert_includes [400, 422], response.status
+  end
+
+  test "JSON input sanitization prevents injection" do
+    # Try JSON injection attacks
+    post "/oauth/token", params: {
+      grant_type: "authorization_code",
+      code: "test_code",
+      redirect_uri: "http://localhost:4000/callback",
+      nested: { __proto__: "tampered", constructor: { prototype: "tampered" } }
+    }.to_json,
+    headers: { "CONTENT_TYPE" => "application/json" }
+
+    # Should sanitize or reject prototype pollution attempts
+    # The request should be handled (either accept or reject, not crash)
+    assert response.body.present?
+  end
+
+  # ====================
+  # HEADER INJECTION TESTS
+  # ====================
+
+  test "HTTP header injection is prevented" do
+    # Try to inject headers via user input
+    malicious_input = "value\r\nX-Injected-Header: malicious"
+
+    post signin_path, params: {
+      email_address: malicious_input,
+      password: "password123"
+    }
+
+    # Should sanitize or reject header injection attempts
+    assert_nil response.headers["X-Injected-Header"]
+  end
+
+  # ====================
+  # PATH TRAVERSAL TESTS
+  # ====================
+
+  test "path traversal is prevented" do
+    # Try to access files outside intended directory
+    malicious_paths = [
+      "../../../etc/passwd",
+      "..\\..\\..\\windows\\system32\\drivers\\etc\\hosts",
+      "/etc/passwd",
+      "C:\\Windows\\System32\\config\\sam"
+    ]
+
+    malicious_paths.each do |malicious_path|
+      # Try to access files with path traversal
+      get root_path, params: { file: malicious_path }
+
+      # Should prevent access to files outside public directory
+      assert_response :redirect, "Should reject path traversal attempt"
+    end
+  end
+
+  test "null byte injection is prevented" do
+    # Try null byte injection
+    malicious_input = "test\x00@example.com"
+
+    post signin_path, params: {
+      email_address: malicious_input,
+      password: "password123"
+    }
+
+    # Should sanitize null bytes
+    assert_response :redirect
+  end
+end