""" Fuzz tests for security-critical functions using Hypothesis. These tests verify that security functions don't crash on arbitrary input and properly reject malicious inputs. """ import html import json import tempfile from pathlib import Path from urllib.parse import quote, unquote import pytest from hypothesis import assume, given, settings, strategies as st from local_deep_research.security.path_validator import PathValidator from local_deep_research.utilities.url_utils import normalize_url # ============================================================================= # Custom Strategies for Security Testing # ============================================================================= def path_traversal_payloads(): """Generate various path traversal attack payloads.""" basic = [ "../", "..\\", "../" * 10, "..\\..\\", "....//", "..../", ".../", "..%2f", "..%5c", "%2e%2e/", "%2e%2e%2f", "..%252f", # Double encoding "..%c0%af", # Overlong UTF-8 "..%c1%9c", "..;/", # Parameter injection "..%00/", # Null byte "..//", ".\\.\\", "..\\../", ] return st.sampled_from(basic) def null_byte_payloads(): """Generate null byte injection payloads.""" return st.sampled_from( [ "\x00", "%00", "\x00\x00", "file\x00.txt", "file%00.txt", "\x00/../etc/passwd", ] ) def xss_payloads(): """Generate XSS attack payloads for HTML contexts.""" return st.sampled_from( [ "", '">', "javascript:alert(1)", "", "", "'-alert(1)-'", '">', "", "{{constructor.constructor('alert(1)')()}}", "${alert(1)}", "#{alert(1)}", "