git.stella-ops.org/tests/security/StellaOps.Security.Tests/A03_Injection/InjectionTests.cs

// =============================================================================
// A03_Injection/InjectionTests.cs
// OWASP A03:2021 - Injection
// Tests for SQL, Command, and other injection vulnerabilities
// =============================================================================

using FluentAssertions;
using StellaOps.Security.Tests.Infrastructure;
using System.Text.RegularExpressions;

namespace StellaOps.Security.Tests.A03_Injection;

/// <summary>
/// Tests for injection vulnerabilities including:
/// - SQL Injection (SQLi)
/// - NoSQL Injection
/// - Command Injection
/// - LDAP Injection
/// - XPath Injection
/// </summary>
[Trait("Category", "Security")]
[Trait("OWASP", "A03")]
[OwaspCategory("A03:2021", "Injection")]
public partial class InjectionTests : SecurityTestBase
{
    [Theory]
    [MemberData(nameof(GetSqlInjectionPayloads))]
    public void Should_Reject_SQL_Injection_Payloads(string payload)
    {
        // Arrange
        var sanitizer = new InputSanitizer();
        
        // Act
        var sanitized = sanitizer.SanitizeForSql(payload);
        var isSafe = sanitizer.IsSafeForSql(payload);
        
        // Assert
        isSafe.Should().BeFalse($"SQL injection payload '{payload}' should be detected as unsafe");
        sanitized.Should().NotBe(payload, "Payload should be sanitized");
    }

    [Theory]
    [MemberData(nameof(GetCommandInjectionPayloads))]
    public void Should_Reject_Command_Injection_Payloads(string payload)
    {
        // Arrange
        var sanitizer = new InputSanitizer();
        
        // Act
        var isSafe = sanitizer.IsSafeForCommand(payload);
        
        // Assert
        isSafe.Should().BeFalse($"Command injection payload '{payload}' should be detected as unsafe");
        SecurityAssertions.AssertCommandSafe(sanitizer.SanitizeForCommand(payload));
    }

    [Theory]
    [MemberData(nameof(GetNoSqlInjectionPayloads))]
    public void Should_Reject_NoSQL_Injection_Payloads(string payload)
    {
        // Arrange
        var sanitizer = new InputSanitizer();
        
        // Act
        var isSafe = sanitizer.IsSafeForNoSql(payload);
        
        // Assert
        isSafe.Should().BeFalse($"NoSQL injection payload '{payload}' should be detected as unsafe");
    }

    [Fact]
    public void Should_Use_Parameterized_Queries()
    {
        // This test verifies the pattern for parameterized queries
        var query = "SELECT * FROM users WHERE id = @userId AND tenant_id = @tenantId";
        var parameters = new Dictionary<string, object>
        {
            ["userId"] = Guid.NewGuid(),
            ["tenantId"] = GenerateTestTenantId()
        };

        // Assert query uses parameters, not string concatenation
        query.Should().NotContain("' +", "Query should not use string concatenation");
        query.Should().Contain("@", "Query should use parameterized placeholders");
        parameters.Should().ContainKey("userId");
        parameters.Should().ContainKey("tenantId");
    }

    [Theory]
    [InlineData("SELECT * FROM users WHERE id = '" + "user-input" + "'", false)]
    [InlineData("SELECT * FROM users WHERE id = @userId", true)]
    [InlineData("SELECT * FROM users WHERE name LIKE '%" + "user-input" + "%'", false)]
    [InlineData("SELECT * FROM users WHERE name LIKE @pattern", true)]
    public void Should_Detect_Unsafe_Query_Patterns(string query, bool isSafe)
    {
        // Act
        var isParameterized = QueryPatternRegex().IsMatch(query);
        var hasConcatenation = query.Contains("' +") || query.Contains("+ '") || 
                               (query.Contains("'") && !query.Contains("@"));

        // Assert
        if (isSafe)
        {
            isParameterized.Should().BeTrue("Safe queries should use parameters");
        }
        else
        {
            hasConcatenation.Should().BeTrue("Unsafe queries use string concatenation");
        }
    }

    [Fact]
    public void Should_Escape_Special_Characters_In_LDAP_Queries()
    {
        // Arrange
        var maliciousInput = "admin)(|(cn=*";
        var sanitizer = new InputSanitizer();
        
        // Act
        var sanitized = sanitizer.SanitizeForLdap(maliciousInput);
        
        // Assert
        sanitized.Should().NotContain(")(", "LDAP special characters should be escaped");
        sanitized.Should().NotContain("|(", "LDAP injection should be prevented");
    }

    [Theory]
    [InlineData("valid_filename.txt", true)]
    [InlineData("../../../etc/passwd", false)]
    [InlineData("file.txt; rm -rf /", false)]
    [InlineData("file`whoami`.txt", false)]
    public void Should_Validate_Filename_Input(string filename, bool expectedSafe)
    {
        // Arrange
        var sanitizer = new InputSanitizer();
        
        // Act
        var isSafe = sanitizer.IsSafeFilename(filename);
        
        // Assert
        isSafe.Should().Be(expectedSafe, $"Filename '{filename}' safety check failed");
    }

    public static TheoryData<string> GetSqlInjectionPayloads()
    {
        var data = new TheoryData<string>();
        foreach (var payload in MaliciousPayloads.SqlInjection.Common)
        {
            data.Add(payload);
        }
        return data;
    }

    public static TheoryData<string> GetCommandInjectionPayloads()
    {
        var data = new TheoryData<string>();
        foreach (var payload in MaliciousPayloads.CommandInjection.Generic)
        {
            data.Add(payload);
        }
        return data;
    }

    public static TheoryData<string> GetNoSqlInjectionPayloads()
    {
        var data = new TheoryData<string>();
        foreach (var payload in MaliciousPayloads.SqlInjection.NoSql)
        {
            data.Add(payload);
        }
        return data;
    }

    [GeneratedRegex(@"@\w+")]
    private static partial Regex QueryPatternRegex();
}

/// <summary>
/// Input sanitizer for testing injection prevention.
/// In production, this would be the actual sanitization service.
/// </summary>
file class InputSanitizer
{
    private static readonly char[] DangerousSqlChars = ['\'', ';', '-', '/', '*'];
    private static readonly char[] DangerousCommandChars = [';', '|', '&', '`', '$', '(', ')', '\n', '\r'];
    private static readonly string[] DangerousNoSqlPatterns = ["$gt", "$lt", "$ne", "$where", "$regex"];
    private static readonly char[] DangerousFilenameChars = ['/', '\\', ';', '|', '&', '`', '$', '(', ')', '<', '>'];

    public bool IsSafeForSql(string input)
    {
        if (string.IsNullOrEmpty(input)) return true;
        return !DangerousSqlChars.Any(c => input.Contains(c)) &&
               !input.Contains("OR", StringComparison.OrdinalIgnoreCase) &&
               !input.Contains("UNION", StringComparison.OrdinalIgnoreCase) &&
               !input.Contains("DROP", StringComparison.OrdinalIgnoreCase);
    }

    public string SanitizeForSql(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;
        var result = input;
        foreach (var c in DangerousSqlChars)
        {
            result = result.Replace(c.ToString(), string.Empty);
        }
        return result;
    }

    public bool IsSafeForCommand(string input)
    {
        if (string.IsNullOrEmpty(input)) return true;
        return !DangerousCommandChars.Any(c => input.Contains(c));
    }

    public string SanitizeForCommand(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;
        var result = input;
        foreach (var c in DangerousCommandChars)
        {
            result = result.Replace(c.ToString(), string.Empty);
        }
        return result;
    }

    public bool IsSafeForNoSql(string input)
    {
        if (string.IsNullOrEmpty(input)) return true;
        return !DangerousNoSqlPatterns.Any(p => input.Contains(p, StringComparison.OrdinalIgnoreCase));
    }

    public string SanitizeForLdap(string input)
    {
        if (string.IsNullOrEmpty(input)) return input;
        return input
            .Replace("\\", "\\5c")
            .Replace("*", "\\2a")
            .Replace("(", "\\28")
            .Replace(")", "\\29")
            .Replace("\0", "\\00");
    }

    public bool IsSafeFilename(string input)
    {
        if (string.IsNullOrEmpty(input)) return false;
        if (input.Contains("..")) return false;
        return !DangerousFilenameChars.Any(c => input.Contains(c));
    }
}