[AZ-289] [AZ-290] Batch 3 tests: integration ZIP cap, perf, security, queue

AZ-289 — RL-01 50MB ZIP cap added to RunRouteWithTilesZipTest; existing integration tests already cover BT-08/BT-09 + AC-1/AC-2. AZ-290: - scripts/run-performance-tests.sh extended with PT-01/03/04/05 - SatelliteProvider.IntegrationTests/SecurityTests.cs (SEC-01..SEC-04), wired into Program.cs - SatelliteProvider.Tests/RegionRequestQueueTests.cs covering RS-04 / RL-02 queue capacity behavior Notes: - RS-04 spec wording ("rejects overflow") drifts from the channel's BoundedChannelFullMode.Wait back-pressure semantics. Tests assert the actual behavior; spec to be reconciled in Step 12 (Test-Spec Sync). Tracked as Low/Spec-Gap in batch_03_review.md. - Unit tests: 35/35 passed (Docker .NET 8 SDK). - Integration test project builds clean (0 warnings, 0 errors). Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 13:31:15 +00:00 · 2026-05-10 05:10:30 +03:00
parent dea0b8b4c0
commit 7822841587
10 changed files with 473 additions and 1 deletions
@@ -204,6 +204,13 @@ public static class ExtendedRouteTests
            throw new Exception($"ZIP file seems too small: {zipInfo.Length} bytes");
        }

+        const long maxZipBytes = 50L * 1024 * 1024;
+        if (zipInfo.Length > maxZipBytes)
+        {
+            throw new Exception($"ZIP file exceeds 50MB cap: {zipInfo.Length} bytes (max {maxZipBytes})");
+        }
+        Console.WriteLine($"  ZIP size within 50MB cap: {zipInfo.Length / 1024.0 / 1024.0:F2} MB");
+
        Console.WriteLine("✓ Route with Tiles ZIP File Test: PASSED");
    }
 }
@@ -42,6 +42,8 @@ class Program
            await ComplexRouteTests.RunComplexRouteWithStitchingAndGeofences(httpClient);
            await ExtendedRouteTests.RunExtendedRouteEast(httpClient);

+            await SecurityTests.RunAll(httpClient);
+
            Console.WriteLine();
            Console.WriteLine("=========================");
            Console.WriteLine("All tests completed successfully!");
@@ -0,0 +1,99 @@
+using System.Net;
+using System.Text;
+
+namespace SatelliteProvider.IntegrationTests;
+
+public static class SecurityTests
+{
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: Security (SEC-01..SEC-04)");
+
+        await Sec01_SqlInjectionViaCoordinates(httpClient);
+        await Sec02_PathTraversalInTileServing(httpClient);
+        await Sec03_OversizedRegionRequest(httpClient);
+        await Sec04_MalformedJson(httpClient);
+
+        Console.WriteLine("✓ Security Tests: PASSED");
+    }
+
+    private static async Task Sec01_SqlInjectionViaCoordinates(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("SEC-01: SQL injection attempt in coordinate query string");
+
+        var injection = "' OR 1=1 --";
+        var url = $"/api/satellite/tiles/latlon?Latitude={Uri.EscapeDataString(injection)}&Longitude=37.647063&ZoomLevel=18";
+        var response = await httpClient.GetAsync(url);
+
+        if (response.StatusCode != HttpStatusCode.BadRequest && response.StatusCode != HttpStatusCode.UnprocessableEntity)
+        {
+            throw new Exception($"SEC-01 expected 400/422 for non-numeric coordinate, got {(int)response.StatusCode}");
+        }
+
+        Console.WriteLine($"  ✓ Non-numeric coordinate rejected with HTTP {(int)response.StatusCode}");
+    }
+
+    private static async Task Sec02_PathTraversalInTileServing(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("SEC-02: Path traversal attempt against tile serving endpoint");
+
+        var traversalPaths = new[]
+        {
+            "/tiles/../../etc/passwd",
+            "/tiles/18/..%2F..%2Fetc%2Fpasswd/0",
+            "/tiles/18/0/..%2F..%2Fetc%2Fpasswd"
+        };
+
+        foreach (var path in traversalPaths)
+        {
+            var response = await httpClient.GetAsync(path);
+            var status = (int)response.StatusCode;
+
+            if (status == 200)
+            {
+                throw new Exception($"SEC-02 expected non-200 for traversal '{path}', got 200");
+            }
+
+            Console.WriteLine($"  ✓ Traversal '{path}' rejected with HTTP {status}");
+        }
+    }
+
+    private static async Task Sec03_OversizedRegionRequest(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("SEC-03: Oversized region request (sizeMeters beyond allowed cap)");
+
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"latitude\":47.461747,\"longitude\":37.647063,\"sizeMeters\":1000000,\"zoomLevel\":18,\"stitchTiles\":false}}";
+        var content = new StringContent(body, Encoding.UTF8, "application/json");
+        var response = await httpClient.PostAsync("/api/satellite/request", content);
+        var status = (int)response.StatusCode;
+
+        if (status != 400 && status != 422)
+        {
+            throw new Exception($"SEC-03 expected 400/422 for oversized region (1,000,000m), got {status}");
+        }
+
+        Console.WriteLine($"  ✓ Oversized region rejected with HTTP {status}");
+    }
+
+    private static async Task Sec04_MalformedJson(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("SEC-04: Malformed JSON body");
+
+        var malformed = "{ this is not json ::";
+        var content = new StringContent(malformed, Encoding.UTF8, "application/json");
+        var response = await httpClient.PostAsync("/api/satellite/request", content);
+        var status = (int)response.StatusCode;
+
+        if (status != 400 && status != 415 && status != 422)
+        {
+            throw new Exception($"SEC-04 expected 400/415/422 for malformed JSON, got {status}");
+        }
+
+        Console.WriteLine($"  ✓ Malformed JSON rejected with HTTP {status}");
+    }
+}