"""
Fuzz tests for security-critical functions using Hypothesis.
These tests verify that security functions don't crash on arbitrary input
and properly reject malicious inputs.
"""
import html
import json
import tempfile
from pathlib import Path
from urllib.parse import quote, unquote
import pytest
from hypothesis import assume, given, settings, strategies as st
from local_deep_research.security.path_validator import PathValidator
from local_deep_research.utilities.url_utils import normalize_url
# =============================================================================
# Custom Strategies for Security Testing
# =============================================================================
def path_traversal_payloads():
"""Generate various path traversal attack payloads."""
basic = [
"../",
"..\\",
"../" * 10,
"..\\..\\",
"....//",
"..../",
".../",
"..%2f",
"..%5c",
"%2e%2e/",
"%2e%2e%2f",
"..%252f", # Double encoding
"..%c0%af", # Overlong UTF-8
"..%c1%9c",
"..;/", # Parameter injection
"..%00/", # Null byte
"..//",
".\\.\\",
"..\\../",
]
return st.sampled_from(basic)
def null_byte_payloads():
"""Generate null byte injection payloads."""
return st.sampled_from(
[
"\x00",
"%00",
"\x00\x00",
"file\x00.txt",
"file%00.txt",
"\x00/../etc/passwd",
]
)
def xss_payloads():
"""Generate XSS attack payloads for HTML contexts."""
return st.sampled_from(
[
"",
'">',
"javascript:alert(1)",
"
",
"