Add comprehensive security tests for OWASP A03 (Injection) and A10 (SSRF)

- Implemented InjectionTests.cs to cover various injection vulnerabilities including SQL, NoSQL, Command, LDAP, and XPath injections.
- Created SsrfTests.cs to test for Server-Side Request Forgery (SSRF) vulnerabilities, including internal URL access, cloud metadata access, and URL allowlist bypass attempts.
- Introduced MaliciousPayloads.cs to store a collection of malicious payloads for testing various security vulnerabilities.
- Added SecurityAssertions.cs for common security-specific assertion helpers.
- Established SecurityTestBase.cs as a base class for security tests, providing common infrastructure and mocking utilities.
- Configured the test project StellaOps.Security.Tests.csproj with necessary dependencies for testing.

tests/security/StellaOps.Security.Tests/Infrastructure/SecurityAssertions.cs

@@ -0,0 +1,171 @@
+// =============================================================================
+// SecurityAssertions.cs
+// Security-specific assertion helpers for testing
+// =============================================================================
+
+using FluentAssertions;
+using System.Net;
+using System.Text.RegularExpressions;
+
+namespace StellaOps.Security.Tests.Infrastructure;
+
+/// <summary>
+/// Security-specific assertion methods for common security test patterns.
+/// </summary>
+public static partial class SecurityAssertions
+{
+    /// <summary>
+    /// Assert that a URL is safe (not an internal/metadata endpoint).
+    /// </summary>
+    public static void AssertUrlIsSafe(string url)
+    {
+        var uri = new Uri(url, UriKind.RelativeOrAbsolute);
+        
+        if (!uri.IsAbsoluteUri) return;
+
+        // Check for localhost/loopback
+        uri.Host.Should().NotBe("localhost", "URL should not point to localhost");
+        uri.Host.Should().NotBe("127.0.0.1", "URL should not point to loopback");
+        uri.Host.Should().NotBe("::1", "URL should not point to IPv6 loopback");
+        uri.Host.Should().NotBe("0.0.0.0", "URL should not point to all interfaces");
+
+        // Check for metadata endpoints
+        uri.Host.Should().NotBe("169.254.169.254", "URL should not point to cloud metadata");
+        uri.Host.Should().NotContain("metadata.google.internal", "URL should not point to GCP metadata");
+
+        // Check for private IP ranges
+        if (IPAddress.TryParse(uri.Host, out var ip))
+        {
+            IsPrivateIp(ip).Should().BeFalse("URL should not point to private IP addresses");
+        }
+
+        // Check for file:// scheme
+        uri.Scheme.Should().NotBe("file", "URL should not use file:// scheme");
+    }
+
+    /// <summary>
+    /// Assert that a path does not contain traversal sequences.
+    /// </summary>
+    public static void AssertNoPathTraversal(string path)
+    {
+        path.Should().NotContain("..", "Path should not contain traversal sequences");
+        path.Should().NotContain("%2e%2e", "Path should not contain encoded traversal");
+        path.Should().NotContain("%252e", "Path should not contain double-encoded traversal");
+        path.Should().NotContain("\0", "Path should not contain null bytes");
+    }
+
+    /// <summary>
+    /// Assert that content is properly escaped for HTML context.
+    /// </summary>
+    public static void AssertHtmlEscaped(string content, string originalInput)
+    {
+        if (originalInput.Contains('<'))
+        {
+            content.Should().NotContain("<script", "Content should have escaped script tags");
+            content.Should().NotContain("<img", "Content should have escaped img tags");
+            content.Should().NotContain("<svg", "Content should have escaped svg tags");
+        }
+    }
+
+    /// <summary>
+    /// Assert that a command string is safe from injection.
+    /// </summary>
+    public static void AssertCommandSafe(string command)
+    {
+        var dangerousChars = new[] { ";", "|", "&", "`", "$(" };
+        foreach (var c in dangerousChars)
+        {
+            command.Should().NotContain(c, $"Command should not contain dangerous character: {c}");
+        }
+    }
+
+    /// <summary>
+    /// Assert that an HTTP response indicates proper authorization failure.
+    /// </summary>
+    public static void AssertProperAuthorizationDenial(HttpStatusCode statusCode)
+    {
+        statusCode.Should().BeOneOf(
+            HttpStatusCode.Unauthorized,
+            HttpStatusCode.Forbidden,
+            "Response should properly deny unauthorized access");
+    }
+
+    /// <summary>
+    /// Assert that no SQL injection was successful (result should not contain injected data).
+    /// </summary>
+    public static void AssertNoSqlInjectionSuccess(string response)
+    {
+        // Check for common signs that injection succeeded
+        response.Should().NotMatchRegex(SqlPatternSuccess(), 
+            "Response should not indicate successful SQL injection");
+    }
+
+    /// <summary>
+    /// Assert that cryptographic parameters meet minimum strength requirements.
+    /// </summary>
+    public static void AssertCryptographicStrength(int keyBits, string algorithm)
+    {
+        algorithm.ToUpperInvariant().Should().NotBe("MD5", "MD5 should not be used for security");
+        algorithm.ToUpperInvariant().Should().NotBe("SHA1", "SHA1 should not be used for security");
+        
+        if (algorithm.Contains("RSA", StringComparison.OrdinalIgnoreCase))
+        {
+            keyBits.Should().BeGreaterOrEqualTo(2048, "RSA keys should be at least 2048 bits");
+        }
+        else if (algorithm.Contains("AES", StringComparison.OrdinalIgnoreCase))
+        {
+            keyBits.Should().BeGreaterOrEqualTo(128, "AES keys should be at least 128 bits");
+        }
+    }
+
+    /// <summary>
+    /// Assert that a JWT token has proper structure and is not tampered with.
+    /// </summary>
+    public static void AssertJwtNotTampered(string token)
+    {
+        var parts = token.Split('.');
+        parts.Length.Should().Be(3, "JWT should have three parts");
+        parts[2].Should().NotBeEmpty("JWT signature should not be empty");
+    }
+
+    /// <summary>
+    /// Assert that headers do not contain injected values.
+    /// </summary>
+    public static void AssertNoHeaderInjection(IDictionary<string, string> headers)
+    {
+        foreach (var header in headers)
+        {
+            header.Key.Should().NotContain("\r", "Header name should not contain CR");
+            header.Key.Should().NotContain("\n", "Header name should not contain LF");
+            header.Value.Should().NotContain("\r\n", "Header value should not contain CRLF");
+        }
+    }
+
+    /// <summary>
+    /// Check if an IP address is in a private range.
+    /// </summary>
+    private static bool IsPrivateIp(IPAddress ip)
+    {
+        var bytes = ip.GetAddressBytes();
+        
+        // IPv4 private ranges
+        if (bytes.Length == 4)
+        {
+            // 10.0.0.0/8
+            if (bytes[0] == 10) return true;
+            // 172.16.0.0/12
+            if (bytes[0] == 172 && bytes[1] >= 16 && bytes[1] <= 31) return true;
+            // 192.168.0.0/16
+            if (bytes[0] == 192 && bytes[1] == 168) return true;
+            // 127.0.0.0/8 (loopback)
+            if (bytes[0] == 127) return true;
+            // 169.254.0.0/16 (link-local)
+            if (bytes[0] == 169 && bytes[1] == 254) return true;
+        }
+        
+        return false;
+    }
+
+    [GeneratedRegex(@"(syntax error|mysql|postgresql|sqlite|ora-\d{5}|sql server)", RegexOptions.IgnoreCase)]
+    private static partial Regex SqlPatternSuccess();
+}